`OPENID_SCOPE` environment variable in Docker not working

2024-02-07 Thread Mike Wyatt
I'm trying to get my existing Guacamole installation working with OpenID.
I've got everything working correctly, but Guacamole is not requesting the
`groups` scope.

Here are the relevant environment variables from my docker-compose.yml:

```
environment:
  - GUACD_HOSTNAME=${COMPOSE_PROJECT_NAME}-guacd-1
  - POSTGRESQL_HOSTNAME=${COMPOSE_PROJECT_NAME}-postgres-1
  - POSTGRESQL_DATABASE=postgres
  - POSTGRESQL_USER=postgres
  - POSTGRESQL_PASSWORD=postgres
  - POSTGRESQL_AUTO_CREATE_ACCOUNTS=true

  - OPENID_AUTHORIZATION_ENDPOINT=https://auth.${HOMELAB_BASE_DOMAIN}/api/oidc/authorization?state=1234abcedfdhf
  - OPENID_JWKS_ENDPOINT=https://auth.${HOMELAB_BASE_DOMAIN}/jwks.json
  - OPENID_ISSUER=https://auth.${HOMELAB_BASE_DOMAIN}
  - OPENID_CLIENT_ID=guacamole
  - OPENID_REDIRECT_URI=https://remote-desktop-gateway.${HOMELAB_BASE_DOMAIN}
  - OPENID_USERNAME_CLAIM_TYPE=preferred_username
  - OPENID_GROUPS_CLAIM_TYPE=groups
  - OPENID_SCOPE=openid profile groups email
```

You can see the last line is setting `OPENID_SCOPE`; however, the generated
`guacamole.properties` does not contain `openid-scope`:

```
guacamole@78282607ee6c:/opt/guacamole$ cat /home/guacamole/.guacamole/guacamole.properties
# guacamole.properties - generated Thu Feb  8 07:05:31 AM UTC 2024
guacd-hostname: remote-desktop-gateway-guacd-1
guacd-port: 4822
postgresql-username: postgres
postgresql-password: postgres
postgresql-database: postgres
postgresql-hostname: remote-desktop-gateway-postgres-1
postgresql-port: 5432
postgresql-auto-create-accounts: true
openid-authorization-endpoint: https://auth.example.com/api/oidc/authorization?state=1234abcedfdhf
openid-jwks-endpoint: https://auth.example.com/jwks.json
openid-issuer: https://auth.example.com
openid-client-id: guacamole
openid-redirect-uri: https://remote-desktop-gateway.example.com
openid-username-claim-type: preferred_username
openid-groups-claim-type: groups
```

If I do manually edit the URL of the page I'm logging in with to add
`email` to the `scope` query parameter, groups are properly detected when
logging in. Without this, OpenID is a little hamstrung.

- Mike Wyatt
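
An added diagnostic for the symptom described in this post (not part of the original message or of the Guacamole image): it lists the variables with a given prefix that are set in the environment but have no matching line in the generated `guacamole.properties`. The name mapping (lowercase, `_` to `-`) is an assumption inferred from the pairs visible above, `env_to_prop`, `missing_props` and `demo` are hypothetical helper names, and the sample input is constructed.

```shell
#!/bin/sh
# Added diagnostic, not part of the Guacamole image.
# Assumption (inferred from the pairs shown in the post): an environment
# variable maps to a property by lowercasing it and turning "_" into "-".

# env_to_prop NAME -> expected property name
env_to_prop() {
    printf '%s\n' "$1" | tr 'A-Z_' 'a-z-'
}

# missing_props PREFIX ENV_FILE PROPS_FILE
# ENV_FILE holds NAME=value lines (for example the output of `env`).
# Prints "NAME -> property" for every variable with PREFIX that is set
# but has no "property:" or "property =" line in PROPS_FILE.
missing_props() {
    prefix=$1 env_file=$2 props_file=$3
    grep "^${prefix}[A-Z0-9_]*=" "$env_file" | cut -d= -f1 | sort -u |
    while IFS= read -r name; do
        prop=$(env_to_prop "$name")
        if ! grep -q "^[[:space:]]*${prop}[[:space:]]*[:=]" "$props_file"; then
            printf '%s -> %s\n' "$name" "$prop"
        fi
    done
}

# demo: runs the check on constructed sample data modelled on the post.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/env" <<'EOF'
OPENID_CLIENT_ID=guacamole
OPENID_GROUPS_CLAIM_TYPE=groups
OPENID_SCOPE=openid profile groups email
POSTGRESQL_DATABASE=postgres
EOF
    cat > "$dir/props" <<'EOF'
# guacamole.properties (constructed sample)
postgresql-database: postgres
openid-client-id: guacamole
openid-groups-claim-type: groups
EOF
    missing_props OPENID_ "$dir/env" "$dir/props"
    rm -rf "$dir"
}

demo
```

Inside the container the same check would be `env > /tmp/env` followed by `missing_props OPENID_ /tmp/env /home/guacamole/.guacamole/guacamole.properties`. A reported variable means the setting was silently dropped, which here leaves group-based permissions unapplied at login.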


RE: [EXT] Re: server fails to compile

2024-02-07 Thread Khoe, Yonathan
Hi Nick,
When will we be seeing the 1.6.0 release? I am also experiencing this compile
error that I would rather not circumvent (per Vincent Sherwood’s method) if it would
lead to further complications later down the line.

Thanks,
Yonathan Khoe

From: Nick Couchman 
Sent: Friday, January 26, 2024 7:02 PM
To: user@guacamole.apache.org
Subject: [EXT] Re: server fails to compile

On Fri, Jan 26, 2024 at 6:40 PM Jim Ham <jim...@porcine.com> wrote:
Guacamole 1.5.4, from the tar on the website. I did the ./configure and
then ./make. Many files compile just fine, but the task ends with the
following error:


```
CC   guacenc-video.o
video.c: In function ‘guacenc_video_alloc’:
video.c:64:22: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
64 | container_format = container_format_context->oformat;
   |  ^
video.c:67:22: error: initialization discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
67 | AVCodec* codec = avcodec_find_encoder_by_name(codec_name);
   |  ^~~~
cc1: all warnings being treated as errors
```

I'm compiling on a Raspberry Pi 4. GCC gives me the following version:

gcc (Raspbian 12.2.0-14+rpi1) 12.2.0
Copyright (C) 2022 Free Software Foundation, Inc.

Any suggestions?

This has already been fixed in the Git code in the master branch, targeted for 
version 1.6.0:

https://issues.apache.org/jira/browse/GUACAMOLE-1714

You can back-port the patch to your source tree code if you'd like to fix it 
immediately:

https://patch-diff.githubusercontent.com/raw/apache/guacamole-server/pull/399.patch

-Nick


Re: Major bug message log in guacd 1.5.4

2024-02-07 Thread Nick Couchman
On Wed, Feb 7, 2024 at 6:40 AM Yannick Martin wrote:

> Hello
>
> About pthread_keys leak, I wonder if
>
> https://github.com/apache/guacamole-server/blob/master/src/libguac/client.c#L299
> and L300 is not a duplicate call of those done in:
>  guac_rwlock_init(&(client->__users_lock));
>  guac_rwlock_init(&(client->__pending_users_lock));
>
>  which call pthread_key_create too =>
>
> https://github.com/apache/guacamole-server/blob/master/src/libguac/rwlock.c#L52
>
>
Two issues with this:
* I'm not sure that duplicating a call to pthread_key_create() would/should
result in the behavior we're seeing - where TLS-based connections fail
after a certain, relatively well-defined number (58-60).
* This also would not explain why this only occurs in certain situations,
on certain platforms - that is, the same exact libguac code running on EL7
(RHEL, CentOS, etc.) does not result in the resource leak, whereas it does
on some other set of platforms (Debian, Alpine, EulerOS). Unless the
pthread library has been changed substantially between those versions to
not clean up after itself?

-Nick