James commented on GUACAMOLE-210:

[~mike.jumper] Is there a Jira to add OIDC "authorization code flow" support?



> Add support for SSO via OpenID Connect
> --------------------------------------
>                 Key: GUACAMOLE-210
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-210
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole-client
>            Reporter: Michael Jumper
>            Assignee: Michael Jumper
>            Priority: Major
>             Fix For: 0.9.14
> {panel:bgColor=#FFFFEE}
> *The description of this issue was copied from 
> [GUAC-1485|https://glyptodon.org/jira/browse/GUAC-1485], an issue in the JIRA 
> instance used by the Guacamole project prior to its acceptance into the 
> Apache Incubator.*
> Comments, attachments, related issues, and history from prior to acceptance 
> *have not been copied* and can be found instead at the original issue.
> {panel}
> It would be nice if Guacamole had OAuth2 authentication plugin.
> OAuth2 is wide spread in web technologies and Guacamole deserves to have its 
> implementation of the protocol.
> My company had this use case and for now we are using a custom authentication 
> plugin because implementing a generic OAuth2 compatible Guacamole 
> authentication plugin presents some difficulties.
> h1. RedirectURI doesn't work because of Angular anchor system
> OAuth2 requires clients (Guacamole in our case) to register a redirect URI so 
> that the OAuth2 server could callback the application when the user has been 
> identify (or rejected) on its side. It also passes along some informations 
> like tokens or reason of failure as part of the URL. If we set the Guacamole 
> index URL as the redirect URI then this data never get passed along to the 
> authenticate plugin.
> Such redirect URI cannot contain any pound sign (#) because this sign in a 
> URI is a delimiter after which data are not sent to the server on HTTP 
> request. In the case of Guacamole, the Angular frontend uses those local URI 
> data to determine which page to display.
> Angular behavior cannot be easilly turned off and would lead to heaver code 
> changes and uncompatibility with older browser.
> h1. Retrieve to connection list on authentication
> Connection list is retrieved at user login. It doesn't make sense to expect 
> the OAuth server to give such list as it would not be generic enough.
> Fortunatly, connection lists get merged between authentication plugins and 
> this OAuth plugin could be paired with another one which goal would just be 
> to provide the connection list.
> h1. Token invalidation
> Upon a successful authentication, the OAuth2 server will issued an auth token.
> First, this token needs to be invalidated by Guacamole when user explicitly 
> disconnects.
> Second, there is no way for Guacamole to know if a stored auth token is still 
> valid. Leaving the user to freely keep on using its Guacamole session even 
> thought the token has expired.
> I am just leaving these though here so the Guacamole community could start an 
> discussion on this matter.

This message was sent by Atlassian JIRA

Reply via email to