James commented on GUACAMOLE-210:
[~mike.jumper] Is there a Jira to add OIDC "authorization code flow" support?
> Add support for SSO via OpenID Connect
> Key: GUACAMOLE-210
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-210
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole-client
> Reporter: Michael Jumper
> Assignee: Michael Jumper
> Priority: Major
> Fix For: 0.9.14
> *The description of this issue was copied from
> [GUAC-1485|https://glyptodon.org/jira/browse/GUAC-1485], an issue in the JIRA
> instance used by the Guacamole project prior to its acceptance into the
> Apache Incubator.*
> Comments, attachments, related issues, and history from prior to acceptance
> *have not been copied* and can be found instead at the original issue.
> It would be nice if Guacamole had OAuth2 authentication plugin.
> OAuth2 is wide spread in web technologies and Guacamole deserves to have its
> implementation of the protocol.
> My company had this use case and for now we are using a custom authentication
> plugin because implementing a generic OAuth2 compatible Guacamole
> authentication plugin presents some difficulties.
> h1. RedirectURI doesn't work because of Angular anchor system
> OAuth2 requires clients (Guacamole in our case) to register a redirect URI so
> that the OAuth2 server could callback the application when the user has been
> identify (or rejected) on its side. It also passes along some informations
> like tokens or reason of failure as part of the URL. If we set the Guacamole
> index URL as the redirect URI then this data never get passed along to the
> authenticate plugin.
> Such redirect URI cannot contain any pound sign (#) because this sign in a
> URI is a delimiter after which data are not sent to the server on HTTP
> request. In the case of Guacamole, the Angular frontend uses those local URI
> data to determine which page to display.
> Angular behavior cannot be easilly turned off and would lead to heaver code
> changes and uncompatibility with older browser.
> h1. Retrieve to connection list on authentication
> Connection list is retrieved at user login. It doesn't make sense to expect
> the OAuth server to give such list as it would not be generic enough.
> Fortunatly, connection lists get merged between authentication plugins and
> this OAuth plugin could be paired with another one which goal would just be
> to provide the connection list.
> h1. Token invalidation
> Upon a successful authentication, the OAuth2 server will issued an auth token.
> First, this token needs to be invalidated by Guacamole when user explicitly
> Second, there is no way for Guacamole to know if a stored auth token is still
> valid. Leaving the user to freely keep on using its Guacamole session even
> thought the token has expired.
> I am just leaving these though here so the Guacamole community could start an
> discussion on this matter.
This message was sent by Atlassian JIRA