[
https://issues.apache.org/jira/browse/GUACAMOLE-805?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Jumper resolved GUACAMOLE-805.
--------------------------------------
Resolution: Fixed
Fix Version/s: 1.2.0
> OpenID authentication may redirect to IDP in a loop
> ---------------------------------------------------
>
> Key: GUACAMOLE-805
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-805
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-openid
> Affects Versions: 0.9.14, 1.0.0, 1.1.0
> Reporter: Michael Jumper
> Assignee: Michael Jumper
> Priority: Minor
> Fix For: 1.2.0
>
>
> As reported on the mailing list, there exist cases where Guacamole's OpenID
> support will redirect the user back to the IDP in a loop, despite the OpenID
> support being correctly configured and the IDP behaving correctly:
> * [Guacamole & OpenID|https://lists.apache.org/thread.html/cc0a9300086c55e25d59d73d025d6e0be07b42cc8903f4de1c1b48a5@%3Cuser.guacamole.apache.org%3E] (2018-12-06)
> * [Looping with Guacamole+Keycloak|https://lists.apache.org/thread.html/ef096a1e558b97c5f49fce0cdccaf97581e0c2344b799bdfd5984486@%3Cuser.guacamole.apache.org%3E] (2019-05-29)
> This is because the current implementation of Guacamole support for OpenID
> assumes that the {{id_token}} parameter provided by the IDP will be the
> _first_ parameter in the URL, which is not guaranteed to be the case. If the
> IDP includes the {{id_token}} parameter elsewhere in the parameter list, the
> client erroneously redirects the user back to the IDP to obtain the
> {{id_token}} parameter that it believes is absent. This produces a redirect
> loop, with both the client and the IDP redirecting the user to each other.
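
The parsing mistake described in the issue above, as an added illustration that is not Guacamole's code: the function names, the handling of a leading "#" or "#/" and the sample fragments are constructed assumptions. It contrasts a first-position match with a lookup by name, and counts the redirects each produces when the IDP keeps returning the same correct response.

```javascript
// Added illustration, not Guacamole source. All names and samples are constructed.

// Brittle: recognizes id_token only when it is the first fragment parameter.
function tokenIfFirst(fragment) {
    const match = /^#?\/?id_token=([^&]*)/.exec(fragment);
    return match ? decodeURIComponent(match[1]) : null;
}

// Order-independent: parse every parameter, then look up id_token by name.
function tokenAnywhere(fragment) {
    const params = new URLSearchParams(fragment.replace(/^#?\/?/, ''));
    return params.get('id_token');
}

// Count how often the client sends the user back to the IDP when the IDP
// (behaving correctly) always answers with the same fragment. maxHops is a
// loop guard so the simulation terminates.
function countRedirects(extract, idpFragment, maxHops = 5) {
    let hops = 0;
    while (hops < maxHops && !extract(idpFragment)) {
        hops++; // client believes the token is absent and redirects again
    }
    return hops;
}

// Constructed IDP responses: same parameters, different order.
const TOKEN_FIRST = '#id_token=aaa.bbb.ccc&state=xyz&token_type=Bearer';
const TOKEN_LATER = '#state=xyz&id_token=aaa.bbb.ccc&token_type=Bearer';

for (const [name, fn] of [['first-only', tokenIfFirst], ['by-name', tokenAnywhere]]) {
    console.log(name, countRedirects(fn, TOKEN_FIRST), countRedirects(fn, TOKEN_LATER));
}
```

A hop limit like maxHops is also worth keeping in a real client as a guard, so that a parsing or configuration fault surfaces as an error instead of an endless redirect.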