[jira] [Closed] (GUACAMOLE-1348) Guacamole OIDC can not login if 403 custom error page is sent by the frontend

Fri, 14 May 2021 10:50:04 -0700 


     [ 
https://issues.apache.org/jira/browse/GUACAMOLE-1348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mike Jumper closed GUACAMOLE-1348.
----------------------------------
    Resolution: Not A Bug

> Guacamole OIDC can not login if 403 custom error page is sent by the frontend
> -----------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1348
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1348
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole, guacamole-auth-openid
>    Affects Versions: 1.3.0
>            Reporter: Salatiel Filho
>            Priority: Major
>
> If one  set guacamole ( 1.3.0 container) to authenticate using oidc, but 
> there is an external frontend that return nice custom error pages for  code 
> HTTP 403, you will not be able to be redirected to the OIDC.
> In my setup I have k8s ingress globally configured to return customized error 
> pages in case of 403,404,500,502 http error codes ( the code is still sent 
> correctly, just the page content will be different). When I try to access 
> guacamole, I get this on browser:
>  
> {code:java}
> Error : An error has occurred and this action cannot be completed. If
> the problem persists, please notify your system administrator or check
> your system logs.
> {code}
>  
> Container logs show:
> {code:java}
>  
> [http-nio-8080-exec-2] DEBUG
>  o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt
> [http-nio-8080-exec-2] DEBUG
> o.a.g.rest.RESTExceptionMapper - Client request rejected: Invalid
> login.
> {code}
>  
>  
>  
> If I override the guacamole ingress to not touch the 403 custom error page, I 
> am correctly redirected to the OIDC. ( Keycloak in my case )
>  
> {code:java}
> # override global custom errors removing the 403 from the list
> nginx.ingress.kubernetes.io/custom-http-errors: 404,500,503
> {code}
>  
> Apparently guacamole *requires* that the 403 message returns the json:
> {"message":"Invalid 
> login.","translatableMessage":...,"translatableMessage":\{"key":"LOGIN.INFO_OID_PENDING_REDIRECT","variables":null}}],"type":"INVALID_CREDENTIALS"}
>  
> If this is not considered a Bug I think it could be someplace in the 
> documentation.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to