I had issues with 1.0.0 (endless redirect loops) but pulling latest or applying the updates that Mike Jumper had listed in a separate branch (https://github.com/mike-jumper/guacamole-client/tree/openid-token/extensions) for the extension helped me. You can also just build the extension from HEAD and that is currently working for me.
Possibly related: In a dev environment I had an issue with Tomcat not trusting the self-generated CA/cert that was being used by Keycloak. In prod I don't have that issue. I suspect that adding a self-signed cert to a truststore and adding that to Tomcat may fix that problem but not sure.

Ultimately the lack of sign-out (related to an open issue for openid and other extensions) is a hindrance to using this extension in a production environment.

Remember you'll also need a user in the db via the jdbc extension (or usermappings file, etc.) for openid to match them with the user presented via the token generated by Keycloak. Currently, you can't auto-create a user with this extension.

Finally, if you're caught in a redirect loop, Chrome wasn't helpful for me as the ERR page it displays clears the network view in dev tools. Firefox doesn't suffer from that problem.

GL

On 2019/02/26 12:02:11, [email protected] <[email protected]> wrote:
>
>
> On 2019/02/25 18:54:44, Nick Couchman <[email protected]> wrote:
> > > >
> > > > Thanks for your answer. You were right, it is not a POST request but a GET
> > > > request that is coming from the Keycloak redirect, and it is bundled with the
> > > > token that contains the necessary information.
> > > >
> > > > After seeing some Guacamole logs I am verifying that Guacamole can't read
> > > > the token that I am sending to it. I am using the
> > > > guacamole-auth-openid-1.0.0.jar module for the OpenID adaptation.
> > > >
> > > > There are a few things that I tried, like changing the preferred_username
> > > > Keycloak attribute to email using mappers in order to give the credentials
> > > > to Guacamole as it is asked, but still I think Guacamole can't read the token
> > > > that I am sending.
> > > >
> > > > Also another problem that I have is that I can't monitor the logs from the
> > > > OpenID module in Guacamole.
> > > >
> > > > I would really appreciate any suggestions for this issue. All threads that
> > > > were found on the internet are ending in the same place that I am with this
> > > > implementation.
> > > >
> > > >
> > > A couple of things I can think of:
> > > - Might try setting DEBUG logging for Guacamole client and see if anything
> > > else useful is logged:
> > > http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
> > > - The OpenID module only supports the Implicit Flow, and not the
> > > Authentication (Basic) Flow. If Keycloak does not implement or accept the
> > > Implicit Flow, but expects Authentication Flow, you may be hitting an issue
> > > with that.
> > >
> > > -Nick
> > >
>
> Hi Nick, thanks for your feedback. I have already enabled implicit flow. I am trying to use logs in order to locate the actual problem. I am using CentOS 7 for both Guacamole and Keycloak. Even though I have edited logback.xml and set it to trace according to https://guacamole.apache.org/doc/gug/configuring-guacamole.html, I can't get back any trace in CentOS 7 in /var/log/messages or in catalina.out.
>
> Do you have any experience with logging on Guacamole? Any tip is appreciated.
>
> Thanks in advance
>
> Konstantinos
>
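
A troubleshooting sketch for the "Guacamole can't read the token" symptom discussed in this thread, added here as an example and not code from the thread or from the Guacamole project: it decodes the id_token carried in an implicit-flow redirect URL and compares its claims with the values set for openid-issuer, openid-client-id and openid-username-claim-type in guacamole.properties. The hostnames, realm, client ID and token are constructed samples, and the signature is not verified, so this is a diagnostic only.

```python
import base64
import json
import time
from urllib.parse import urlsplit, parse_qs

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) as JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def inspect_redirect(url, issuer, client_id, username_claim="email", now=None):
    """List claim mismatches in the id_token of `url`. Signature is NOT verified."""
    now = time.time() if now is None else now
    fragment = parse_qs(urlsplit(url).fragment)
    if "id_token" not in fragment:
        return ["no id_token in URL fragment (is the implicit flow enabled?)"]
    parts = fragment["id_token"][0].split(".")
    if len(parts) != 3:
        return ["id_token is not a three-part JWT"]
    try:
        header, claims = b64url_json(parts[0]), b64url_json(parts[1])
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("segment is not a JSON object")
    except ValueError:
        return ["id_token header or payload is not a base64url JSON object"]
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("token is unsigned (alg=none)")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != expected {issuer!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include {client_id!r}")
    if not claims.get(username_claim):
        problems.append(f"username claim {username_claim!r} missing or empty")
    if claims.get("exp", 0) <= now:
        problems.append("token expired (check clock skew between hosts)")
    return problems

def seg(obj):
    """Encode a dict as an unpadded base64url JWT segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: a redirect whose token has preferred_username but no email.
SAMPLE_ISSUER = "https://keycloak.example.test/auth/realms/demo"
SAMPLE_URL = "https://guac.example.test/guacamole/#id_token=" + ".".join([
    seg({"alg": "RS256", "typ": "JWT"}),
    seg({"iss": SAMPLE_ISSUER, "aud": "guacamole", "exp": 2000000000,
         "preferred_username": "alice"}),
    "c2lnbmF0dXJl"]) + "&state=constructed"

if __name__ == "__main__":
    for line in inspect_redirect(SAMPLE_URL, SAMPLE_ISSUER, "guacamole") or ["ok"]:
        print(line)
```

The username the chosen claim yields still has to exist in the JDBC or user-mapping backend, as noted in the reply above.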
