[ https://issues.apache.org/jira/browse/GUACAMOLE-805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16854742#comment-16854742 ]

Michael Jumper commented on GUACAMOLE-805:
------------------------------------------

{quote}
When is this planned to be released? I'm asking because I am unable to use 
OpenID because of this bug in current versions. This wouldn't get pushed up to 
a patch version at all?
{quote}

Unfortunately, this question was posted in two places, forking the discussion. 
The damage is done, and the repost of the question is where the discussion took 
root. If anyone comes across the above and wishes to see the rest of things, 
please see below:

https://github.com/apache/guacamole-client/pull/407#issuecomment-498236286

> OpenID authentication may redirect to IDP in a loop
> ---------------------------------------------------
>
>                 Key: GUACAMOLE-805
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-805
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-openid
>    Affects Versions: 0.9.14, 1.0.0, 1.1.0
>            Reporter: Michael Jumper
>            Assignee: Michael Jumper
>            Priority: Minor
>             Fix For: 1.2.0
>
>
> As reported on the mailing list, there exist cases where Guacamole's OpenID 
> support will redirect the user back to the IDP in a loop, despite the OpenID 
> support being correctly configured and the IDP behaving correctly:
> * [Guacamole & OpenID|https://lists.apache.org/thread.html/cc0a9300086c55e25d59d73d025d6e0be07b42cc8903f4de1c1b48a5@%3Cuser.guacamole.apache.org%3E] (2018-12-06)
> * [Looping with Guacamole+Keycloak|https://lists.apache.org/thread.html/ef096a1e558b97c5f49fce0cdccaf97581e0c2344b799bdfd5984486@%3Cuser.guacamole.apache.org%3E] (2019-05-29)
> This is because the current implementation of Guacamole support for OpenID 
> assumes that the {{id_token}} parameter provided by the IDP will be the 
> _first_ parameter in the URL, which is not guaranteed to be the case. If the 
> IDP includes the {{id_token}} parameter elsewhere in the parameter list, the 
> client erroneously redirects the user back to the IDP to obtain the 
> {{id_token}} parameter that it believes is absent. This produces a redirect 
> loop, with both the client and the IDP redirecting the user to each other.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
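
The order dependence described in the issue above, as an added example that is not Guacamole's code or part of the original message: a parameter extractor that only recognises id_token in first position, next to an order-independent one, with a capped redirect simulation. All function names, the sample parameter strings and the redirect cap are hypothetical.

```javascript
// Constructed sample IDP responses; the token value is a placeholder, not a real JWT.
const ID_TOKEN_FIRST = 'id_token=PLACEHOLDER.JWT.VALUE&state=abc&session_state=xyz';
const ID_TOKEN_LATER = 'session_state=xyz&state=abc&id_token=PLACEHOLDER.JWT.VALUE';

// Order-dependent extraction (hypothetical): succeeds only when id_token
// is the very first parameter, which an IDP is not required to guarantee.
function extractIdTokenFirstOnly(params) {
    const match = /^id_token=([^&]*)/.exec(params);
    return match ? decodeURIComponent(match[1]) : null;
}

// Order-independent extraction: parse the whole parameter list and look the
// name up wherever it appears. Duplicate or empty values are treated as
// absent rather than guessing which one the IDP meant.
function extractIdToken(params) {
    const parsed = new URLSearchParams(params.replace(/^[#?]/, ''));
    const values = parsed.getAll('id_token');
    if (values.length !== 1 || values[0] === '')
        return null;
    return values[0];
}

// Simulates the client/IDP exchange: the IDP always answers with the same
// parameter string, and the client redirects back whenever it believes the
// token is absent. The hop cap (an assumption of this example) turns an
// endless loop into a detectable failure.
function simulateLogin(extract, idpResponse, maxHops = 5) {
    let redirects = 0;
    while (extract(idpResponse) === null) {
        redirects += 1;
        if (redirects >= maxHops)
            return { authenticated: false, redirects };
    }
    return { authenticated: true, redirects };
}

console.log(simulateLogin(extractIdTokenFirstOnly, ID_TOKEN_FIRST));
console.log(simulateLogin(extractIdTokenFirstOnly, ID_TOKEN_LATER));
console.log(simulateLogin(extractIdToken, ID_TOKEN_LATER));
```
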
