I am using encrypted-json authentication. Inside guac-auth/index.html, this
is my updated code:
```
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Guacamole Authorization - My ASP.NET Application</title>
</head>
<body>
    <h3>Verification is in progress, kindly wait </h3>
    <!-- Display -->
    <div id="display"></div>
    <script src="jquery.js"></script>
    <!-- Guacamole -->
    <script type="text/javascript" src="/guacamole/guacamole-common-js/all.min.js"></script>
    <script type="text/javascript">
        // Return the raw (still URL-encoded) value of a query parameter, or false if absent
        function getQueryVariable( variable )
        {
            let query = window.location.search.substring( 1 );
            let vars = query.split( "&" );
            for ( let i = 0; i < vars.length; i++ )
            {
                let pair = vars[i].split( "=" );
                if ( pair[0] == variable ) { return pair[1]; }
            }
            return ( false );
        }
        $( document ).ready( function ()
        {
            let guacServer = decodeURIComponent( getQueryVariable( "guacserver" ) );
            let connectionId = decodeURIComponent( getQueryVariable( "connectionId" ) );
            let connectionData = decodeURIComponent( getQueryVariable( "connectionData" ) );
            // Exchange the encrypted JSON for an auth token
            $.ajax( {
                "url": guacServer + "/api/tokens",
                "method": "POST",
                "timeout": 0,
                "headers": {
                    "Content-Type": "application/x-www-form-urlencoded"
                },
                "data": {
                    "data": connectionData
                }
            } ).done( function ( authData )
            {
                console.log( authData );
                let authToken = authData.authToken;
                // Get display div from document
                var display = document.getElementById( "display" );
                var headers = {
                    'Guacamole-Token': authToken
                };
                // Instantiate client, using an HTTP tunnel for communications
                // (the token is sent as an extra tunnel header).
                var guac = new Guacamole.Client( new Guacamole.HTTPTunnel( "https://108.143.201.3/guacamole/tunnel", true, headers ) );
                // var guac = new Guacamole.Client( new Guacamole.WebSocketTunnel( "wss://108.143.201.3/guacamole/websocket-tunnel" ) );
                // var guac = new Guacamole.Client( new Guacamole.WebSocketTunnel( guacServer + '/websocket-tunnel' ) );
                // Add client to display div
                display.appendChild( guac.getDisplay().getElement() );
                // Error handler
                guac.onerror = function ( error )
                {
                    console.error( error );
                    alert( error.message );
                };
                // Connect
                // window.location.href = guacServer + '/#/client/' + connectionId + "?token=" + authToken;
                guac.connect( 'GUAC_ID=' + connectionId + '&GUAC_TYPE=c'
                    + '&GUAC_DATA_SOURCE=json' );
                // Disconnect on close
                window.onunload = function ()
                {
                    guac.disconnect();
                };
                // Mouse
                var mouse = new Guacamole.Mouse( guac.getDisplay().getElement() );
                mouse.onmousedown =
                mouse.onmouseup =
                mouse.onmousemove = function ( mouseState )
                {
                    guac.sendMouseState( mouseState );
                };
                // Keyboard
                var keyboard = new Guacamole.Keyboard( document );
                keyboard.onkeydown = function ( keysym )
                {
                    guac.sendKeyEvent( 1, keysym );
                };
                keyboard.onkeyup = function ( keysym )
                {
                    guac.sendKeyEvent( 0, keysym );
                };
            } ).fail( function ( data )
            {
                console.log( "error data: " + data );
                alert( "Failed to authorize. Either token is expired or connection parameter is corrupt" );
            } );
        } );
    </script>
</body>
</html>
```
But this is not working. In the logs, it is showing permission denied.
[image: image.png]
Is this error because of guacamole or some other issue?
On Sat, Mar 4, 2023 at 11:02 PM Michael Jumper <[email protected]> wrote:
> On Wed, Mar 1, 2023 at 8:16 PM Ankit Raibole <[email protected]>
> wrote:
>
> > Hello Dev team,
> >
> > My doubt is regarding passing the authToken in the header instead of
> > query parameters.
> > Currently, I am passing the authToken as query params like
> > "{guacServerURL}/#client/{connectionId}/token?{authToken}", and changing
> > the current window.location.href to this one, and it works fine as I am
> > able to connect to the VM.
> > But now I want to pass it in headers. I referred to this PR:
> > https://github.com/apache/guacamole-client/pull/649 , and we can't send
> > headers in href or window.open. So I tried making a GET call (used ajax,
> > fetch, XMLHTTP to pass the token in headers) for this URL and generating
> > the page with the response. But then it is not working as it gives 403.
> > How should I proceed?
> >
>
> You cannot pass the "Guacamole-Token" header in a request for static
> content and have that header have any impact on whether future requests to
> the REST API, etc. are properly authenticated.
>
> The webapp only reads tokens from the "token" query parameter or
> "Guacamole-Token" header from authenticated parts of the application: the
> REST API and tunnel endpoints. Everything else is static content
> implementing a single-page app that leverages JavaScript and the
> application's REST API for all dynamic functionality. When you pass the
> "token" query parameter to the UI portion of the application via the URL
> visible in the browser, that JavaScript is actually manually copying that
> token and using it for its REST and tunnel requests, hence why that works.
> It is not possible for JavaScript within the page to read HTTP headers
> involved in the GET request for that same page.
>
> - Mike
>
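
The distinction drawn in the reply above, as an added example that is not part of the original thread or of Guacamole's code: request builders that keep the token in the "Guacamole-Token" header, checked against a constructed stand-in for the server. The host, the "/guacamole" context path, the token value, the `fakeGuacamole` model and its 200/403 status codes are assumptions made for illustration.

```javascript
// Added example. The context path "/guacamole", the host and the token value
// are constructed; fakeGuacamole() is a stand-in, not Guacamole code.

// Step 1: exchange the encrypted JSON for a token (the same POST the page makes).
function tokenRequest(guacServer, connectionData) {
    return {
        url: guacServer + "/api/tokens",
        options: {
            method: "POST",
            headers: { "Content-Type": "application/x-www-form-urlencoded" },
            // URLSearchParams percent-encodes the base64 characters + / =
            body: new URLSearchParams({ data: connectionData }).toString()
        }
    };
}

// Step 2: call an authenticated endpoint with the token in the header, so it
// stays out of the URL and the browser history.
function authenticatedRequest(guacServer, path, authToken) {
    return {
        url: guacServer + path,
        options: { method: "GET", headers: { "Guacamole-Token": authToken } }
    };
}

// Constructed model of the behaviour described in the reply: only the REST API
// and tunnel endpoints read the token; everything else is static content.
function fakeGuacamole(request, validToken) {
    const url = new URL(request.url);
    const path = url.pathname.replace(/^\/guacamole/, "");
    const readsToken = path.startsWith("/api/session/") ||
        path === "/tunnel" || path === "/websocket-tunnel";
    if (!readsToken) return { status: 200, tokenRead: false };
    const headers = (request.options && request.options.headers) || {};
    const supplied = headers["Guacamole-Token"] || url.searchParams.get("token");
    return { status: supplied === validToken ? 200 : 403, tokenRead: true };
}

// In a browser, send a built request with: fetch(req.url, req.options)
```

A request for the single-page app itself returns the same static content whatever header accompanies it, which is why the header only matters on the REST and tunnel calls the page's JavaScript makes afterwards.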