Michael Jumper created GUACAMOLE-805:
----------------------------------------
Summary: OpenID authentication may redirect to IDP in a loop
Key: GUACAMOLE-805
URL: https://issues.apache.org/jira/browse/GUACAMOLE-805
Project: Guacamole
Issue Type: Bug
Components: guacamole-auth-openid
Affects Versions: 1.0.0, 0.9.14, 1.1.0
Reporter: Michael Jumper
As reported on the mailing list, there exist cases where Guacamole's OpenID
support will redirect the user back to the IDP in a loop, despite the OpenID
support being correctly configured and the IDP behaving correctly:
* [Guacamole & OpenID|https://lists.apache.org/thread.html/cc0a9300086c55e25d59d73d025d6e0be07b42cc8903f4de1c1b48a5@%3Cuser.guacamole.apache.org%3E] (2018-12-06)
* [Looping with Guacamole+Keycloak|https://lists.apache.org/thread.html/ef096a1e558b97c5f49fce0cdccaf97581e0c2344b799bdfd5984486@%3Cuser.guacamole.apache.org%3E] (2019-05-29)
This is because the current implementation of Guacamole's support for OpenID
assumes that the {{id_token}} parameter provided by the IDP will be the _first_
parameter in the URL, which is not guaranteed to be the case. If the IDP
includes the {{id_token}} parameter elsewhere in the parameter list, the client
erroneously redirects the user back to the IDP to obtain the {{id_token}}
parameter that it believes is absent. This produces a redirect loop, with both
the client and the IDP redirecting the user to each other.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)