On 2019/02/22 10:23:17, Nick Couchman <[email protected]> wrote:
> >
> > So far, when I am trying to access Guacamole I am getting the login screen
> > of Keycloak, so the OpenID module seems to work fine.
> > When I enter the user's credentials to Keycloak and I press login, I get
> > into a redirect loop. In this loop Keycloak is trying to do a POST request
> > to Guacamole and I keep getting an invalid login response. More specifically,
> > the content of the response is:
> >
> > ,\"expected\":[{\"name\":\"id_token\",\"type\":\"GUAC_OPENID_TOKEN\",\"authorizationURI\":\"http://10.0.2.7:8080/auth/realms/nodejs-example/protocol/openid-connect/auth?scope=openid+profile&response_type=id_token&client_id=Guacamole&redirect_uri=http%3A%2F%2F10.0.2.6%3A8080%2Fguacamole%2F%23%2F&nonce=4797kjoq9jdccrgboupkpv9sau\"}]
> >
> >
> This is a shot in the dark, so to speak, because I'm not very familiar with
> OpenId, but the POST might be your issue. IIRC, Guacamole expects the
> redirect to be a GET, not a POST, and this may be why you're seeing the
> redirect loop. Is it possible to configure Keycloak to use a GET redirect
> instead of POST?
>
>
> >
> > After reading a bit about Guacamole I tried to send credentials with
> > different names using Keycloak mappers and even changed the
> > openid-username-claim-type in the Guacamole properties, but I still haven't
> > managed to solve this problem. Also, I don't know if the user must be in the
> > Guacamole postgres database before the login from OpenID.
> >
> >
> >
> No, the user doesn't need to be present in order for the login to succeed,
> although the user will need to be present in order to assign permissions.
>
> -Nick
Hi Nick,
Thanks for your answer. You were right, it is not a POST request but a GET
request that is coming from the Keycloak redirect, and it is bundled with the token
that contains the necessary information.
After seeing some Guacamole logs I am verifying that Guacamole can't read the
token that I am sending to it. I am using the guacamole-auth-openid-1.0.0.jar
module for the OpenID adaptation.
There are a few things that I tried, like changing the preferred_username
Keycloak attribute to email using mappers in order to give the credentials to
Guacamole as it is asked, but still I think Guacamole can't read the token that I
am sending.
Another problem that I have is that I can't monitor the logs from the OpenID
module in Guacamole.
I would really appreciate any suggestions for this issue. All threads that were
found on the internet end in the same place that I am with this
implementation.
Thanks in advance,
Konstantinos
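
One way to see what the token actually carries, as an added example that is not part of the original messages and is not Guacamole's or Keycloak's code: it decodes an id_token payload without verifying the signature and compares the claims with the values the relying party is configured to expect. The token, username and issuer URL are constructed from the authorization URL quoted in the thread, and the set of claims checked is an assumption about what an OpenID relying party compares.

```python
import base64, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token (signature segment is a placeholder)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), "c2ln"])

def decode_claims(id_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, issuer, client_id, username_claim, nonce, now=None):
    """Return a list of mismatches between the token and the expected settings."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss is {claims.get('iss')!r}, expected {issuer!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not contain {client_id!r}")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp is missing or in the past")
    if not claims.get(username_claim):
        problems.append(f"username claim {username_claim!r} is absent or empty")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the one sent in the request")
    return problems

# Constructed sample values modelled on the URL quoted in the thread.
ISSUER = "http://10.0.2.7:8080/auth/realms/nodejs-example"
SAMPLE = make_sample_token({
    "iss": ISSUER, "aud": "Guacamole", "exp": 2000000000,
    "nonce": "4797kjoq9jdccrgboupkpv9sau", "preferred_username": "konstantinos"})

if __name__ == "__main__":
    for claim in ("preferred_username", "email"):
        result = check_claims(decode_claims(SAMPLE), ISSUER, "Guacamole",
                              claim, "4797kjoq9jdccrgboupkpv9sau")
        print(claim, "->", result or "claims match")
```

Because the signature is not checked, this is only for inspecting a token during troubleshooting, never for deciding whether to trust it.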