[
https://issues.apache.org/jira/browse/GUACAMOLE-560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17335717#comment-17335717
]
Brian Marsh commented on GUACAMOLE-560:
---------------------------------------
Just commenting to help folks out if they (like me) come across this while
trying to get OIDC / Guacamole working.
You can try adding `?state=foobarbaz` to the end of the
`openid-authorization-endpoint` URL.
> Include "state" parameter in OpenID Connect authorization request
> -----------------------------------------------------------------
>
> Key: GUACAMOLE-560
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-560
> Project: Guacamole
> Issue Type: Wish
> Components: guacamole-auth-openid
> Reporter: Dave Smith
> Assignee: Nick Couchman
> Priority: Trivial
>
> {quote}I've tried to get this set up. Unfortunately it seems Okta insists (even
> with Single Page App (SPA)) to have state field in the POST even if (when
> using SPA) it's not actually used. The guacamole client just goes in a
> redirect loop with error in URL visible of "invalid state".
>
> With SPA the state parameter can even be some random letters, but must be
> there. Using OIDCDebugger.com gleans this:{quote}
> {quote}
> error=invalid_request
> error_description=The authentication request has an invalid 'state'
> parameter.
>
> yet by adding a bunch of x's to the state parameter...
>
> I get a much more positive response:
> state=xxxxxxxxxxxxx
> id_token=eyJraWQiOiI0NlpNbjlZZG5HQ1AxMGhDUWs5VWtvc2ljUmltTURJRDBBbVh1dWhHUUhrIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUxMDAxNnVwUzhFaENuMjJwNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9hdG9zbXBjYXdzLm9rdGEuY29tIiwiYXVkIjoiMG9hMTIzZG8weXNibFN4dUoycDciLCJpYXQiOjE1MjQ3NTQwOTUsImV4cCI6MTUyNDc1NzY5NSwianRpIjoiSUQuRmZGYzFpZlA2VG
>
> I'd kindly ask that state could be added as an optional parameter to the guac
> properties file.{quote}
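
For context on what the `state` parameter requested in this issue is for: in OAuth 2.0 / OpenID Connect it is meant to be an unguessable, per-request value that the client ties to the browser session and checks when the response comes back. The following is an added example, not code from Guacamole or from anyone in this thread; the endpoint, client ID, redirect URI and the `session` object are constructed placeholders.

```javascript
// Added example: per-request OIDC "state" handling (not Guacamole code).
const crypto = require('node:crypto');

// Constructed placeholder values; substitute the IdP's real endpoint and client.
const AUTHZ_ENDPOINT = 'https://idp.example.com/oauth2/v1/authorize';
const CLIENT_ID = 'example-client-id';
const REDIRECT_URI = 'https://guac.example.com/guacamole/';

// Build the authorization request and remember state/nonce in the session.
// `session` is a hypothetical per-browser server-side session object.
function beginLogin(session) {
  session.oidc = {
    state: crypto.randomBytes(32).toString('base64url'),
    nonce: crypto.randomBytes(32).toString('base64url'),
  };
  const url = new URL(AUTHZ_ENDPOINT);
  url.search = new URLSearchParams({
    response_type: 'id_token',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: 'openid',
    state: session.oidc.state,
    nonce: session.oidc.nonce,
  }).toString();
  return url.toString();
}

// Validate the parameters the IdP returns in the URL fragment.
// Returns the id_token only when state matches the value issued for this session.
function handleCallback(session, fragment) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const pending = session.oidc;
  delete session.oidc; // single use: a replayed callback fails
  if (params.has('error')) {
    throw new Error(`IdP error: ${params.get('error')}`);
  }
  const returned = Buffer.from(params.get('state') ?? '');
  const expected = Buffer.from(pending?.state ?? '');
  if (expected.length === 0 || returned.length !== expected.length ||
      !crypto.timingSafeEqual(returned, expected)) {
    throw new Error('state mismatch');
  }
  // Signature, iss, aud, exp and nonce checks on the token still follow from here.
  return params.get('id_token');
}
```

A fixed string in the endpoint URL satisfies an IdP that only checks for the parameter's presence, but a callback carrying that fixed value would not pass the comparison in `handleCallback`.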