guacamole-user mailing list archives

From craig.bloodworth@theinformationlab.co.uk <craig.bloodwo...@theinformationlab.co.uk>
Subject Re: OpenID Auth Not Redirecting
Date Mon, 08 Apr 2019 11:27:11 GMT
Awesome! Perfect solution. Thanks :-)

Can I suggest the docs are updated to reflect this requirement? It wasn't clear at all IMHO.

Craig

On 2019/04/06 18:48:08, Mike Jumper <mjumper@apache.org> wrote: 
> On Sat, Apr 6, 2019 at 11:14 AM Nick Couchman <vnick@apache.org> wrote:
> 
> > On Fri, Apr 5, 2019 at 10:05 AM Craig Bloodworth <
> > craig.bloodworth@theinformationlab.co.uk> wrote:
> >
> >> Maybe I'm not fully understanding how the OpenID extension should work,
> >> but I believe instead of logging in with the standard Guacamole client
> >> login screen the user should be forwarded to the OpenID Connect IdP (in
> >> this case Google) to authenticate and then be sent back to the Guacamole
> >> client. In the case of my implementation this redirect isn't happening.
> >>
> >> The extension is loaded:
> >>
> >> 09:00:44.048 [localhost-startStop-1] INFO
> >> o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
> >> 09:00:45.357 [localhost-startStop-1] INFO
> >> o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
> >> 09:00:45.361 [localhost-startStop-1] INFO
> >> o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
> >> 09:00:45.533 [localhost-startStop-1] INFO
> >> o.a.g.extension.ExtensionModule - Extension "OpenID Authentication
> >> Extension" loaded.
> >>
> >>
> > Anything else show, here, when you hit the login screen?
> >
> >
> >> And the guacamole.properties file is configured:
> >>
> >> openid-authorization-endpoint:
> >> https://accounts.google.com/o/oauth2/v2/auth
> >> openid-jwks-endpoint: https://www.googleapis.com/oauth2/v3/certs
> >> openid-issuer: https://accounts.google.com
> >> openid-client-id:
> >> xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
> >> openid-redirect-uri: https://servers.xxxxxxxxxxxxxxxx.co.uk
> >> openid-username-claim-type: email
> >> openid-scope: openid email profile
> >> openid-allowed-clock-skew: 60
> >> openid-max-token-validity: 300
> >> openid-max-nonce-validity: 10
> >>
> >> But only the standard login screen is shown. What am I missing?
> >>
> >> I've checked the browser console and there are no obvious errors other
> >> than the 403 error from /api/tokens which is triggered because I'm not
> >> logged in.
> >>
> >
> > Everything looks good to me, but I've never configured OpenID
> > authentication before, so I'm not entirely sure.  Maybe others on the list
> > will have more hints.
> >
> 
> The OpenID extension .jar will need to be renamed such that it is loaded
> before the MySQL extension .jar:
> 
> 000-guacamole-auth-openid.jar
> 001-guacamole-auth-jdbc-mysql.jar
> 
> As the MySQL extension is loading first, its request for username+password
> credentials is given priority over the OpenID extension's request for a
> token.
> 
> Related thought: it might be good to modify the OpenID extension to
> optionally add an arbitrary "Sign in with _____" button, rather than the
> current all-or-nothing approach.
> 
> - Mike
> 
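
A quick check an operator can run for the load-order requirement Mike describes above. This is an added example, not code from the thread or from the Guacamole project; it assumes the extension jars live under GUACAMOLE_HOME/extensions (the log above shows GUACAMOLE_HOME as /etc/guacamole) and that Guacamole loads extension jars in plain filename order, which is what the 000-/001- prefixes rely on.

```shell
#!/bin/sh
# Added example (not from the thread or the Guacamole project).
# Lists extension jars in the order Guacamole will load them and checks
# that the OpenID extension sorts before the MySQL JDBC extension, so that
# the OpenID token request wins over the MySQL username+password request.
# Assumption: load order is lexicographic by filename (byte order), which
# is why renaming to 000-guacamole-auth-openid.jar / 001-guacamole-auth-jdbc-mysql.jar works.

# Print the .jar files in DIR in load order, one per line.
extension_load_order() {
    dir="$1"
    ls -1 "$dir" 2>/dev/null | grep '\.jar$' | LC_ALL=C sort
}

# Return 0 only when both jars are present and the OpenID jar loads first;
# return 1 when either jar is missing or MySQL would load before OpenID.
openid_before_mysql() {
    dir="$1"
    openid_pos=$(extension_load_order "$dir" | grep -n 'guacamole-auth-openid' | head -n1 | cut -d: -f1)
    mysql_pos=$(extension_load_order "$dir" | grep -n 'guacamole-auth-jdbc-mysql' | head -n1 | cut -d: -f1)
    [ -n "$openid_pos" ] && [ -n "$mysql_pos" ] && [ "$openid_pos" -lt "$mysql_pos" ]
}

# Usage: sh check-ext-order.sh /etc/guacamole/extensions
if [ -n "${1:-}" ]; then
    echo "Load order in $1:"
    extension_load_order "$1"
    if openid_before_mysql "$1"; then
        echo "OK: OpenID extension loads before the MySQL extension"
    else
        echo "WARNING: MySQL extension loads before OpenID (or a jar is missing); rename with 000-/001- prefixes"
    fi
fi
```

Unprefixed jars (guacamole-auth-jdbc-mysql-*.jar before guacamole-auth-openid-*.jar) fail the check, which matches the symptom in the original question.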
