[
https://issues.apache.org/jira/browse/GUACAMOLE-1348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17344785#comment-17344785
]
Mike Jumper commented on GUACAMOLE-1348:
----------------------------------------
Hello [~salatiel],

Guacamole uses a REST API for all functionality, including login. Configuring a
reverse proxy to eat those responses will prevent Guacamole from accessing its
own REST API, including the data needed to generate the login page.

As you suggest, this is not a bug - you will need to configure your reverse
proxy to _not_ do this for Guacamole's REST API endpoints.

Beware also that this would break all web applications relying on REST APIs for
their functionality, not just Guacamole. This sort of override would only work
for a web application that relies purely on server-side generation of HTML. In
the case of a web application with a REST API, the contents of the API
responses are not what is presented to the user.

The same thing goes for blocking HTTP methods like {{DELETE}} and {{PUT}} -
this was common for older web applications, but will break things in the modern
age of REST.

> Guacamole OIDC can not login if 403 custom error page is sent by the frontend
> -----------------------------------------------------------------------------
>
> Key: GUACAMOLE-1348
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1348
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole, guacamole-auth-openid
> Affects Versions: 1.3.0
> Reporter: Salatiel Filho
> Priority: Major
>
> If one sets Guacamole (1.3.0 container) to authenticate using OIDC, but
> there is an external frontend that returns nice custom error pages for code
> HTTP 403, you will not be able to be redirected to the OIDC.
> In my setup I have k8s ingress globally configured to return customized error
> pages in case of 403,404,500,502 HTTP error codes (the code is still sent
> correctly, just the page content will be different). When I try to access
> Guacamole, I get this in the browser:
>
> {code:java}
> Error : An error has occurred and this action cannot be completed. If
> the problem persists, please notify your system administrator or check
> your system logs.
> {code}
>
> Container logs show:
> {code:java}
>
> [http-nio-8080-exec-2] DEBUG
> o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt
> [http-nio-8080-exec-2] DEBUG
> o.a.g.rest.RESTExceptionMapper - Client request rejected: Invalid
> login.
> {code}
>
>
>
> If I override the Guacamole ingress to not touch the 403 custom error page, I
> am correctly redirected to the OIDC. (Keycloak in my case)
>
> {code:java}
> # override global custom errors removing the 403 from the list
> nginx.ingress.kubernetes.io/custom-http-errors: 404,500,503
> {code}
>
> Apparently guacamole *requires* that the 403 message returns the json:
> {"message":"Invalid
> login.","translatableMessage":...,"translatableMessage":\{"key":"LOGIN.INFO_OID_PENDING_REDIRECT","variables":null}}],"type":"INVALID_CREDENTIALS"}
>
> If this is not considered a Bug I think it could be someplace in the
> documentation.
>
>
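
The failure mode discussed in this thread, as an added example that is not part of the original messages or of Guacamole's code: a check that tells an intact JSON API error apart from one whose body a proxy replaced, plus a check of a `custom-http-errors` value for status codes the API depends on. The function names, the `application/json` media type, and the sample responses are assumptions constructed for illustration.

```python
import json


def classify_error_response(status, content_type, body):
    """Classify an HTTP response as seen by a REST client.

    "ok"             - not an error status
    "api-error"      - error status, body is still the application's JSON error
    "proxy-replaced" - error status kept, but the body is no longer the JSON
                       object the client-side code needs to act on
    """
    if status < 400:
        return "ok"
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":  # assumed media type for API errors
        return "proxy-replaced"
    try:
        payload = json.loads(body)
    except ValueError:
        return "proxy-replaced"
    # The error object quoted in the report carries "message" and "type".
    if isinstance(payload, dict) and "message" in payload and "type" in payload:
        return "api-error"
    return "proxy-replaced"


def overridden_statuses(annotation_value, api_statuses=(403,)):
    """Return the API-relevant codes listed in a custom-http-errors value."""
    listed = {int(code) for code in annotation_value.split(",") if code.strip()}
    return sorted(listed & set(api_statuses))


# Constructed sample responses (not captured from a real deployment).
SAMPLES = [
    (403, "application/json",
     '{"message":"Invalid login.","type":"INVALID_CREDENTIALS"}'),
    (403, "text/html; charset=utf-8",
     "<html><body><h1>Access denied</h1></body></html>"),
    (403, "application/json", "<html>custom error page</html>"),
]

if __name__ == "__main__":
    for status, ctype, body in SAMPLES:
        print(status, ctype, "->", classify_error_response(status, ctype, body))
    print(overridden_statuses("403,404,500,502"))  # global list from the report
    print(overridden_statuses("404,500,503"))      # per-ingress override
```
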