Michael Jumper created GUACAMOLE-210:
----------------------------------------
Summary: OAuth2 authentication plugin
Key: GUACAMOLE-210
URL: https://issues.apache.org/jira/browse/GUACAMOLE-210
Project: Guacamole
Issue Type: New Feature
Components: guacamole-client
Reporter: Michael Jumper
{panel:bgColor=#FFFFEE}
*The description of this issue was copied from
[GUAC-1485|https://glyptodon.org/jira/browse/GUAC-1485], an issue in the JIRA
instance used by the Guacamole project prior to its acceptance into the Apache
Incubator.*
Comments, attachments, related issues, and history from prior to acceptance
*have not been copied* and can be found instead at the original issue.
{panel}
It would be nice if Guacamole had OAuth2 authentication plugin.
OAuth2 is wide spread in web technologies and Guacamole deserves to have its
implementation of the protocol.
My company had this use case and for now we are using a custom authentication
plugin because implementing a generic OAuth2 compatible Guacamole
authentication plugin presents some difficulties.
h1. RedirectURI doesn't work because of Angular anchor system
OAuth2 requires clients (Guacamole in our case) to register a redirect URI so
that the OAuth2 server could callback the application when the user has been
identify (or rejected) on its side. It also passes along some informations like
tokens or reason of failure as part of the URL. If we set the Guacamole index
URL as the redirect URI then this data never get passed along to the
authenticate plugin.
Such redirect URI cannot contain any pound sign (#) because this sign in a URI
is a delimiter after which data are not sent to the server on HTTP request. In
the case of Guacamole, the Angular frontend uses those local URI data to
determine which page to display.
Angular behavior cannot be easilly turned off and would lead to heaver code
changes and uncompatibility with older browser.
h1. Retrieve to connection list on authentication
Connection list is retrieved at user login. It doesn't make sense to expect the
OAuth server to give such list as it would not be generic enough.
Fortunatly, connection lists get merged between authentication plugins and this
OAuth plugin could be paired with another one which goal would just be to
provide the connection list.
h1. Token invalidation
Upon a successful authentication, the OAuth2 server will issued an auth token.
First, this token needs to be invalidated by Guacamole when user explicitly
disconnects.
Second, there is no way for Guacamole to know if a stored auth token is still
valid. Leaving the user to freely keep on using its Guacamole session even
thought the token has expired.
I am just leaving these though here so the Guacamole community could start an
discussion on this matter.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
