[ 
https://issues.apache.org/jira/browse/GUACAMOLE-808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18091450#comment-18091450
 ] 

David Bateman commented on GUACAMOLE-808:
-----------------------------------------

Yeah, sorry I have a terrible habit of thinking out aloud in chats.. Using the 
event class doesn't really work in any case.. 

There are multiple problems that need to be addressed for this to work, and 
treating them should allow redirection for all authentication providers. Need 
to go back to exactly how the authentication process works and look at what is 
missing at each step.. Here is how I see things at this point for a scenario 
where an unauthenticated user attemps to connect to "/#/settings/sessions" 
 # The user connects to "/#/settings/sessions", which loads the static content 
including the javascipt "authenticationService.js". The method 
authenticationService.authenticate performs a REST POST to "/api/tokens".. So 
the requestURI seen in our authenicateUser methods of our authentication 
providers is always "/api/tokens" and not the desired redirection path. *We 
therefore need to include the desired redirection path as a parameter to 
/api/tokens in  authenticationService.authenticate*
 # The java method TokenRESTService.createToken recieves this post and 
authenticates with AuthenticateService.authenticate which enumerates all of the 
suplied authentication providers. There are two cases.
 ** For authentication providers that don't need a redirection like the JDBC 
providers, the redirection path should be returned as part of the 
authenticatedUser, and it could be recovered from 
authenticatedUser.getCredentials().getRequestDetails() if we also store the 
requestURI here.
 ** This won't work for authentication providers needing a redirection, as it 
will be ta second call to "/api/tokens" with the patch supplied by 
openid-redirect-id for example that will be seen in the requestURI in the 
second call to our authenicateUser method. The SSO authenication user method 
must therefore as you say store the redirection path in session data, and this 
part should indeed be promoted to the base class as they'll all need it

  This has several other implications 
 * *The  AutheticatedUser interface class should include a redirection path, 
and the derived classes should implement the code to set this value*
 * *The SSO base class needs a session manager that stores the redirection path 
on the first call to authenticateUser and sets the redirection path in 
authenticatedUser on the second call to authenicateUser*

3. When we come back to AuthenticationService.authenticate we need to treat two 
cases,
 * An existing login where the redirection path is ignored, and
 * A new login where the redirection path is accepted

  AuthenticateService.authenticate already distinguishes these two cases and so 
what I propose is that 
 * *The GuacamoleSession class also includes a redirection variable*
 * *In AuthenticationService.authenticate this variable is only set for the 
case of a new login, elsewise it is set to null*

4. When the authentication comes back to TokenRESTService.createToken we 
therefore have the redirection path in the GuacamoleSession only for the cases 
when we really want to redirect. From here we could do two things
 * *Add a redirection field to APIAuthenticationResult and it if is set, in the 
 javascript method authenticateService.authenticate, if the redirection is set, 
set window.location.href with its value*
 * *Seen a javax Response.seeOther(redirection) from 
TokenRESTService.createToken and treat it in the javascript 
authenticationService.authenticate*

  The first is conceptually easier I think.

[~vnick] are you ok with my analysis ? Can you think of other ways to do this ? 
In the end this seems quite an intrusive change so not for staging/1.6.1 I 
think.

> Support redirecting to originally requested URL after successful SSO login
> --------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-808
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-808
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole, guacamole-auth-sso-cas, 
> guacamole-auth-sso-openid, guacamole-auth-sso-saml
>            Reporter: Parth Mishra
>            Priority: Minor
>
> Upon successful authentication via OIDC, the user is returned to the redirect 
> URI (e.g. {{https://myserver.com/guacamole/}}) even if they were requesting 
> another Guacamole resource such as a Connection link. It would be nice if the 
> user could be routed to the requested resource after successful 
> authentication.
> This way, if they were to click a direct link to a guacamole Connection they 
> have access too, the successful authentication via the IDP can reroute them 
> directly to the requested connection URL rather than the guacamole UI. 
> Typically this is done with encoding the request URL with the "state" 
> parameter of OIDC and verifying with the nonce. 
> This feature could be really useful for relying on custom frontends without 
> having to modify or reimplement the web app.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to