Alexander created GUACAMOLE-1251:
------------------------------------
Summary: OpenID connect and #
Key: GUACAMOLE-1251
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1251
Project: Guacamole
Issue Type: Bug
Components: guacamole-auth-openid
Affects Versions: 1.3.0
Environment: native
Reporter: Alexander
Attachments: 12345.zip
Hello!
I need help with OpenID
My project:
I need to provide users with access to remote desktops (RDP) via browser.
But I want to use a standalone server like Gluu (the one that we are currently
using) or, even better, Keycloak, so we won't have to use Guacamole for
authorization. I tested both of them, and the result looks quite the same.
This is how I tested: I manually created a local account 'user1' on Gluu/KC (Is
it necessary to have an account with the same login and password on
Guacamole? Or will a new user be created?)
I'm using Guacamole 1.2. I installed the extension as recommended here:
https://guacamole.apache.org/doc/gug/openid-auth.html
I also found out there that the 'implicit flow' is used.
Minimal parameters that must be specified:
openid-authorization-endpoint:
openid-jwks-endpoint:
openid-issuer:
openid-client-id:
openid-redirect-uri:
OK, then I go and edit guacamole.properties:
__________________________________________________________________________________________________
if I use Gluu
openid-authorization-endpoint: https://gluu.homelab/oxauth/restv1/authorize
openid-jwks-endpoint: https://gluu.homelab/oxauth/restv1/jwks
openid-issuer: https://gluu.homelab
openid-client-id: 64f2088d-d9f8-4742-906b-497219446e9f
openid-redirect-uri http://guac.homelab
on Gluu side
https://i.imgur.com/VSW17o7.png
OPENID CONNECT CLIENTS DETAILS
------------------------------
- Name: guac
- Client ID: 64f2088d-d9f8-4742-906b-497219446e9f
- Subject Type: pairwise
- ClientSecret: XXXXXXXXXXX
- Application Type: web
- Persist Client Authorizations: false
- Pre-Authorization: false
- Authentication method for the Token Endpoint: client_secret_jwt
- Logout Session Required: false
- Include Claims In Id Token: false
- Disabled: false
- Login Redirect URIs: [https://guac.homelab]
- Grant types: [implicit, authorization_code, client_credentials, refresh_token]
- Response types: [token, code, id_token]
__________________________________________________________________________________________________
if I use Keycloak
openid-authorization-endpoint:
http://kc.homelab/auth/realms/homelab/protocol/openid-connect/auth
openid-jwks-endpoint:
http://kc.homelab/auth/realms/homelab/protocol/openid-connect/certs
openid-issuer: http://kc.homelab/auth/realms/homelab
openid-client-id: guacamole
openid-redirect-uri: https://guac.homelab
on Keycloak side
https://i.imgur.com/EBti48h.png
set client id - guacamole
enable "Implicit Flow"
set Base url https://guac.homelab
__________________________________________________________________________________________________
Now the setup is done. I open a browser and try to go to https://guac.homelab
I enter my login and password and get into a loop, as shown in the videos:
https://youtu.be/OjwhCB9pjQw
https://youtu.be/1dbNnVKp6PA
Guacamole logs are attached below or available here:
https://dropmefiles.com/d2D95
Can you tell me what I am doing wrong?
My colleagues suggest that the problem could be the character #, which is
used by Guacamole. Could it be the reason for the issue?
P.S.
I tried to connect other products via OpenID to KC/Gluu (an open source CRM) and
everything works just fine.
I found similar issue here:
https://www.reddit.com/r/homelab/comments/bukjbe/help_with_gluu_open_id_connect_to_guacamole/epdtj8k/
And the video that looks like mine:
https://i.imgur.com/MwWppLs.mp4
Thank you in advance!
Best regards
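Added example, not code from the reporter or from the Guacamole project: a small stdlib-only script that checks a guacamole.properties OpenID section and an id_token taken from the callback URL fragment (the part after '#', which is where the implicit flow returns the token) for the things the extension compares with its configuration. The openid-* keys are the ones listed above; the sample properties, the IdP-registered redirect URI list, the secret and the token are constructed here and modelled on the Gluu section of the report. A real id_token is RS256-signed and must be verified against openid-jwks-endpoint; because the standard library has no RSA, an HS256 shared-secret check stands in for that step.

```python
"""Added example (not Guacamole's own code): sanity-check a guacamole-auth-openid
configuration and the id_token returned in the '#' fragment of the callback URL.
Sample properties, registered redirect URIs, secret and token are constructed."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlsplit

REQUIRED_KEYS = ("openid-authorization-endpoint", "openid-jwks-endpoint",
                 "openid-issuer", "openid-client-id", "openid-redirect-uri")


def parse_properties(text):
    """Parse Java .properties lines: key, then '=', ':' or whitespace, then value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        idx = next((i for i, ch in enumerate(line) if ch in "=:" or ch.isspace()), len(line))
        key, rest = line[:idx], line[idx + 1:]
        props[key] = rest.strip().lstrip("=:").strip()
    return props


def check_config(props, registered_redirect_uris):
    """Findings about the properties themselves (OIDC compares these exactly)."""
    findings = [f"missing required key: {k}" for k in REQUIRED_KEYS if not props.get(k)]
    redirect = props.get("openid-redirect-uri", "")
    if redirect and redirect not in registered_redirect_uris:
        findings.append(f"redirect URI {redirect!r} is not registered at the IdP "
                        f"(registered: {registered_redirect_uris}); it must match exactly")
    if props.get("openid-issuer", "").endswith("/"):
        findings.append("openid-issuer ends with '/', but iss is compared byte-for-byte")
    return findings


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims, secret):
    """Constructed HS256 token; a stand-in for the IdP's RS256-signed id_token."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def id_token_from_fragment(callback_url):
    """The implicit flow returns the token after '#', not in the query string."""
    token = parse_qs(urlsplit(callback_url).fragment).get("id_token", [None])[0]
    if token is None:
        raise ValueError("no id_token in URL fragment")
    return token


def check_token(token, props, secret, expected_nonce, now=None):
    """Verify the signature first, then the claims the extension checks against config."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return ["signature invalid"]
    claims = json.loads(b64url_decode(body))
    now = time.time() if now is None else now
    findings = []
    if claims.get("iss") != props.get("openid-issuer"):
        findings.append(f"iss mismatch: token {claims.get('iss')!r} vs config {props.get('openid-issuer')!r}")
    aud = claims.get("aud")
    if props.get("openid-client-id") not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"aud {aud!r} does not contain the configured client id")
    if claims.get("exp", 0) <= now:
        findings.append("token expired")
    if claims.get("nonce") != expected_nonce:
        findings.append("nonce mismatch (stale or replayed login)")
    return findings


# Constructed sample, modelled on the Gluu section of the report.
SAMPLE_PROPERTIES = """\
openid-authorization-endpoint: https://gluu.homelab/oxauth/restv1/authorize
openid-jwks-endpoint: https://gluu.homelab/oxauth/restv1/jwks
openid-issuer: https://gluu.homelab
openid-client-id: 64f2088d-d9f8-4742-906b-497219446e9f
openid-redirect-uri http://guac.homelab
"""
REGISTERED_REDIRECT_URIS = ["https://guac.homelab"]  # constructed: what the IdP has registered
SECRET = b"constructed-demo-secret"
NOW = 1_600_000_000


def demo():
    """Returns (config findings, token findings) for the constructed sample."""
    props = parse_properties(SAMPLE_PROPERTIES)
    claims = {"iss": "https://gluu.homelab", "aud": props["openid-client-id"],
              "sub": "user1", "exp": NOW + 300, "nonce": "n-1"}
    url = "https://guac.homelab/#id_token=" + make_hs256_token(claims, SECRET)
    return (check_config(props, REGISTERED_REDIRECT_URIS),
            check_token(id_token_from_fragment(url), props, SECRET, "n-1", now=NOW))


if __name__ == "__main__":
    config_findings, token_findings = demo()
    for finding in config_findings + token_findings:
        print("-", finding)
```

Run as-is, the script reports the one inconsistency present in the sample (the http redirect URI in guacamole.properties versus the https one registered at the IdP) and no token findings; each of the iss, aud, exp and nonce checks is the kind of exact comparison that, when it fails after a successful IdP login, sends the browser straight back to the authorization endpoint.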
--
This message was sent by Atlassian Jira
(v8.3.4#803005)