Salatiel Filho created GUACAMOLE-1348:
-----------------------------------------
Summary: Guacamole OIDC can not login if 403 custom error page is
sent by the frontend
Key: GUACAMOLE-1348
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1348
Project: Guacamole
Issue Type: Bug
Components: guacamole, guacamole-auth-openid
Affects Versions: 1.3.0
Reporter: Salatiel Filho
If one sets Guacamole (1.3.0 container) to authenticate using OIDC, but there
is an external frontend that returns nice custom error pages for HTTP code 403,
you will not be able to be redirected to the OIDC.
In my setup I have the k8s ingress globally configured to return customized error
pages in case of 403, 404, 500, 502 HTTP error codes (the code is still sent
correctly, just the page content will be different). When I try to access
Guacamole, I get this in the browser:
{code:java}
Error : An error has occurred and this action cannot be completed. If
the problem persists, please notify your system administrator or check
your system logs.
{code}
Container logs show:
{code:java}
[http-nio-8080-exec-2] DEBUG
o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt
[http-nio-8080-exec-2] DEBUG
o.a.g.rest.RESTExceptionMapper - Client request rejected: Invalid
login.
{code}
If I override the Guacamole ingress to not touch the 403 custom error page, I
am correctly redirected to the OIDC (Keycloak in my case).
{code:java}
# override global custom errors removing the 403 from the list
nginx.ingress.kubernetes.io/custom-http-errors: 404,500,503
{code}
Apparently Guacamole *requires* that the 403 message returns the JSON:
{"message":"Invalid
login.","translatableMessage":...,"translatableMessage":\{"key":"LOGIN.INFO_OID_PENDING_REDIRECT","variables":null}}],"type":"INVALID_CREDENTIALS"}
If this is not considered a bug, I think it could be someplace in the
documentation.
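A check for the condition described in this report, as an added example that is not part of the original issue or of Guacamole's code: it classifies a 403 body as seen through the frontend, telling Guacamole's JSON error apart from a substituted custom error page. The function names, the sample bodies and the `constructed_nesting` field are assumptions made for illustration; only the `type` value and the translation key are taken from the report.

```python
import json

# Values quoted in the report; everything else here is constructed.
EXPECTED_TYPE = "INVALID_CREDENTIALS"
REDIRECT_KEY = "LOGIN.INFO_OID_PENDING_REDIRECT"

# Constructed samples. The real Guacamole body is elided in the report, so the
# nesting under "constructed_nesting" is a placeholder, not Guacamole's schema.
SAMPLE_GUACAMOLE_403 = json.dumps({
    "message": "Invalid login.",
    "constructed_nesting": [
        {"translatableMessage": {"key": REDIRECT_KEY, "variables": None}}
    ],
    "type": EXPECTED_TYPE,
})
SAMPLE_CUSTOM_403 = "<html><body><h1>403 Forbidden</h1></body></html>"


def contains_pair(node, key, value):
    """Search parsed JSON at any depth for a dict entry key == value."""
    if isinstance(node, dict):
        return node.get(key) == value or any(
            contains_pair(v, key, value) for v in node.values())
    if isinstance(node, list):
        return any(contains_pair(v, key, value) for v in node)
    return False


def classify_403(status, body):
    """Classify a response seen by the browser through the frontend."""
    if status != 403:
        return "not-403"
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "body-replaced"          # e.g. an HTML custom error page
    if not isinstance(doc, dict) or doc.get("type") != EXPECTED_TYPE:
        return "body-replaced"          # JSON, but not Guacamole's error object
    if not contains_pair(doc, "key", REDIRECT_KEY):
        return "json-without-redirect"  # Guacamole error, no pending OIDC redirect
    return "ok"


if __name__ == "__main__":
    for name, body in [("guacamole", SAMPLE_GUACAMOLE_403),
                       ("custom page", SAMPLE_CUSTOM_403)]:
        print(name, "->", classify_403(403, body))
```

The body is parsed rather than trusting the Content-Type header, since a custom error backend can also answer in JSON.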