[ https://issues.apache.org/jira/browse/GUACAMOLE-742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16831187#comment-16831187 ]

Michael Jumper commented on GUACAMOLE-742:
------------------------------------------

{quote}
This is definitely Guacamole's problem.
{quote}

No, it would ultimately be up to the system handling that MFA to expose to 
Guacamole the nature of the challenge/response in progress. In this case, 
assuming RADIUS, I don't think there is actually any way for the MFA system to 
report that to Guacamole. If RADIUS does provide a way for such an MFA solution 
to expose that out-of-band confirmation is underway, then yes.

In the general case, I don't think some sort of configuration option like 
"assume out-of-band confirmation" would be a reasonable change on the Guacamole 
side. You could certainly implement an extension which fits your use case. This 
sort of out-of-band MFA is what the Duo extension does, for example, via 
relying on an external service to confirm that out-of-band process has 
completed. If that MFA solution is commonly used, such an extension could be a 
good addition to the set of extensions already part of guacamole-client.

{quote}
Yes, I agree the delay to whatever MFA you're using is the cause, but Guacamole 
should at least display a message saying something like "Please wait". 
Currently users get a blank empty screen until they hit 'approve' on their 
mobile devices. This causes them to hit refresh or try entering their 
credentials again, etc., causing a lot of confusion for them.
{quote}

With the changes recently merged, users will not see an empty screen.

{quote}
If you've added some sort of message to say 'please wait' regardless of the 
auth mechanism used then I'm interested to see how you handle the code entry 
text box for those MFA users that have opted for the code via text option once 
they've entered their credentials.
{quote}

The auth mechanism is much more generalized than that. There's no set of 
messages to which we add additional messages, nor specific text boxes, nor for 
that matter a login screen. Everything that you see during the login process is 
driven by data received from the REST API in response to failed auth attempts. 
When the login screen initially appears, what actually happens is:

# Upon visiting Guacamole, the JavaScript part of things makes an 
authentication attempt with the credentials it already has (either nothing or 
the token from an older session)
# When this fails, it is because an extension explicitly rejects the data 
submitted by throwing an exception. That exception will also contain the 
information necessary to describe the form of credentials expected, typically a 
username and password.
# With the REST API returning an auth failure and data describing the desired 
credentials, a prompt requesting those credentials appears (the login screen).

More on this below.

{quote}
If what I'm thinking you've done is correct, then when any auth option other 
than Radius is used the user probably won't see any message as the auth will 
have happened quick enough for it to not be seen.
{quote}

I'm not sure what you're referring to here. Why would auth happen too quickly?

Authentication within Guacamole is handled through a central API. That API 
provides for:

* Declaring that the credentials provided (which may be none) are invalid, and 
requesting arbitrary credentials (which results in a login prompt rendering 
fields for those credentials)
* Declaring that the credentials provided _might_ be sufficient, but a 
determination cannot be made until additional credentials are given (which 
results in a login continuation prompt rendering _those_ fields)
* Accepting the union of all credentials provided and authenticating the user.

Similarly, for something generic like RADIUS, further challenge/response pairs 
after that initial attempt fall under that second category and are handled with 
that mechanism. To my knowledge, there is nothing within RADIUS 
challenge/response that allows the challenge to be completed out-of-band. 
Nothing within the Guacamole extension API would inherently prevent doing this, 
but I don't think RADIUS as a mechanism allows for it. You would need to 
implement an extension specific to your method.

If you have more questions on how auth is handled within Guacamole, the best 
place for that would be the [email protected] mailing list.

> Display feedback while waiting for login
> ----------------------------------------
>
>                 Key: GUACAMOLE-742
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-742
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole
>            Reporter: Leigh Bennett
>            Assignee: Michael Jumper
>            Priority: Trivial
>             Fix For: 1.2.0
>
>
> This request is more of a 'nice to have' than anything else. Just something 
> I noticed myself and a couple of users have mentioned, but after we enter our 
> login credentials and hit enter the screen just sits and waits. For users 
> that have opted for a code via text it's not a problem, as we are shown a nice 
> little box to enter the code whilst we wait for the text message. This of 
> course indicates to the user that their credentials have been accepted, so 
> they wait. But for those users that have the push notification app, they're 
> not actually told anything is happening, so they end up retrying their 
> credentials or refreshing the page until they eventually realise their phone 
> is going nuts with auth pushes. Eventually they get in, of course. 
> It would be really nice to have a message that simply displays 'please wait' 
> or 'please wait for secondary authentication'. Something along those lines, 
> or if it's not too much trouble to detect the type of auth, then something that 
> says 'please check your phone/device' to make it a bit more obvious for these 
> poor users using MFA.
> Thank you! 
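As an added illustration of the three outcomes the comment above describes (reject and request credentials, accept provisionally and request more, accept the union), a minimal Java authentication extension; this is not code from the Guacamole project or the commenter, and the `MfaBackend` interface and the `example-mfa` identifier are assumed placeholders for whatever actually verifies each factor.

```java
import java.util.Collections;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.form.Field;
import org.apache.guacamole.form.TextField;
import org.apache.guacamole.net.auth.*;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;

public class ExampleMfaAuthenticationProvider extends AbstractAuthenticationProvider {

    /** Hypothetical backend; a real extension would talk to RADIUS, Duo, etc. here. */
    public interface MfaBackend {
        boolean verifyPassword(String username, String password);
        boolean verifySecondFactor(String username, String code);
    }
    /** Name of the extra field the login continuation prompt renders. */
    private static final String CODE_PARAM = "mfa-code";
    /** Second-stage prompt: only the code field is requested, not username/password again. */
    private static final CredentialsInfo CODE_INFO = new CredentialsInfo(
            Collections.<Field>singletonList(new TextField(CODE_PARAM)));
    private final MfaBackend backend;
    public ExampleMfaAuthenticationProvider(MfaBackend backend) { this.backend = backend; }
    @Override
    public String getIdentifier() { return "example-mfa"; }

    @Override
    public AuthenticatedUser authenticateUser(final Credentials credentials) throws GuacamoleException {
        String username = credentials.getUsername();
        String password = credentials.getPassword();
        // Outcome 1: nothing (or a stale token) was submitted, or the password is wrong;
        // the client renders the username/password prompt described by USERNAME_PASSWORD.
        if (username == null || password == null || !backend.verifyPassword(username, password))
            throw new GuacamoleInvalidCredentialsException("Invalid login", CredentialsInfo.USERNAME_PASSWORD);
        // Outcome 2: password accepted but no second factor yet; the client renders a continuation
        // prompt with just the code field (a push-style backend would instead block on approval).
        String code = credentials.getRequest().getParameter(CODE_PARAM);
        if (code == null)
            throw new GuacamoleInsufficientCredentialsException("Second factor required", CODE_INFO);
        if (!backend.verifySecondFactor(username, code)) // wrong code: restart, do not reveal which stage failed
            throw new GuacamoleInvalidCredentialsException("Invalid login", CredentialsInfo.USERNAME_PASSWORD);
        // Outcome 3: the union of all submitted credentials is sufficient.
        AbstractAuthenticatedUser user = new AbstractAuthenticatedUser() {
            @Override public AuthenticationProvider getAuthenticationProvider() { return ExampleMfaAuthenticationProvider.this; }
            @Override public Credentials getCredentials() { return credentials; }
        };
        user.setIdentifier(username);
        return user;
    }
}
```

Because each exception carries a `CredentialsInfo`, the login screen and the continuation prompt are both rendered from REST API failure responses rather than from any fixed message or text box, which is the behaviour the comment describes.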



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)