`OPENID_SCOPE` environment variable in Docker not working
I'm trying to get my existing Guacamole installation working with OpenID. I've got everything working correctly, but Guacamole is not requesting the `groups` scope. Here are the relevant environment variables from my docker-compose.yml:

```
environment:
  - GUACD_HOSTNAME=${COMPOSE_PROJECT_NAME}-guacd-1
  - POSTGRESQL_HOSTNAME=${COMPOSE_PROJECT_NAME}-postgres-1
  - POSTGRESQL_DATABASE=postgres
  - POSTGRESQL_USER=postgres
  - POSTGRESQL_PASSWORD=postgres
  - POSTGRESQL_AUTO_CREATE_ACCOUNTS=true
  - OPENID_AUTHORIZATION_ENDPOINT=https://auth.${HOMELAB_BASE_DOMAIN}/api/oidc/authorization?state=1234abcedfdhf
  - OPENID_JWKS_ENDPOINT=https://auth.${HOMELAB_BASE_DOMAIN}/jwks.json
  - OPENID_ISSUER=https://auth.${HOMELAB_BASE_DOMAIN}
  - OPENID_CLIENT_ID=guacamole
  - OPENID_REDIRECT_URI=https://remote-desktop-gateway.${HOMELAB_BASE_DOMAIN}
  - OPENID_USERNAME_CLAIM_TYPE=preferred_username
  - OPENID_GROUPS_CLAIM_TYPE=groups
  - OPENID_SCOPE=openid profile groups email
```

You can see the last line is setting `OPENID_SCOPE`; however, the generated `guacamole.properties` does not contain `openid-scope`:

```
guacamole@78282607ee6c:/opt/guacamole$ cat /home/guacamole/.guacamole/guacamole.properties
# guacamole.properties - generated Thu Feb 8 07:05:31 AM UTC 2024
guacd-hostname: remote-desktop-gateway-guacd-1
guacd-port: 4822
postgresql-username: postgres
postgresql-password: postgres
postgresql-database: postgres
postgresql-hostname: remote-desktop-gateway-postgres-1
postgresql-port: 5432
postgresql-auto-create-accounts: true
openid-authorization-endpoint: https://auth.example.com/api/oidc/authorization?state=1234abcedfdhf
openid-jwks-endpoint: https://auth.example.com/jwks.json
openid-issuer: https://auth.example.com
openid-client-id: guacamole
openid-redirect-uri: https://remote-desktop-gateway.example.com
openid-username-claim-type: preferred_username
openid-groups-claim-type: groups
```

If I do manually edit the URL of the page I'm logging in with to add `email` to the `scope` query parameter, groups are properly detected when logging in. Without this, OpenID is a little hamstrung.

- Mike Wyatt
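A way to spot settings that the container start-up dropped without any error, as an added example (not part of the original post and not Guacamole project code): it compares `OPENID_*` variables against the generated `guacamole.properties`, assuming the `OPENID_FOO_BAR` to `openid-foo-bar` naming visible in the listing above. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list PREFIX_* variables from a compose-style environment
# list that have no matching key in a generated guacamole.properties.
# Assumption (from the listing above): OPENID_FOO_BAR becomes openid-foo-bar.

# missing_props PREFIX ENV_FILE PROPERTIES_FILE
# Prints one property name per line for each variable set but not emitted.
missing_props() {
    prefix=$1
    env_file=$2
    props_file=$3
    # Drop the optional YAML list marker; keep only PREFIX_NAME=... entries.
    sed -n "s/^[[:space:]]*-\{0,1\}[[:space:]]*\(${prefix}_[A-Z0-9_]*\)=.*/\1/p" "$env_file" |
    while IFS= read -r name; do
        # OPENID_SCOPE -> openid-scope
        prop=$(printf '%s' "$name" | tr 'A-Z_' 'a-z-')
        # Property lines look like "key: value"; match the whole key.
        grep -q "^${prop}:" "$props_file" || printf '%s\n' "$prop"
    done
}

# Constructed sample input, trimmed from the listings above.
run_sample() {
    dir=$(mktemp -d)
    cat > "$dir/env.txt" <<'EOF'
  - GUACD_HOSTNAME=remote-desktop-gateway-guacd-1
  - OPENID_CLIENT_ID=guacamole
  - OPENID_GROUPS_CLAIM_TYPE=groups
  - OPENID_SCOPE=openid profile groups email
EOF
    cat > "$dir/guacamole.properties" <<'EOF'
guacd-hostname: remote-desktop-gateway-guacd-1
openid-client-id: guacamole
openid-groups-claim-type: groups
EOF
    missing_props OPENID "$dir/env.txt" "$dir/guacamole.properties"
    rm -rf "$dir"
}

run_sample
```

The check is restricted to one prefix because not every variable maps name-for-name: in the listing above `POSTGRESQL_USER` is written out as `postgresql-username`.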
RE: [EXT] Re: server fails to compile
Hi Nick,

When will we be seeing the 1.6.0 release? I am also experiencing this compile error that I would rather not circumvent (per Vincent Sherwood’s method) if it would lead to further complication later down the line.

Thanks,
Yonathan Khoe

From: Nick Couchman
Sent: Friday, January 26, 2024 7:02 PM
To: user@guacamole.apache.org
Subject: [EXT] Re: server fails to compile

On Fri, Jan 26, 2024 at 6:40 PM Jim Ham <jim...@porcine.com> wrote:

> Guacamole 1.5.4, from the tar on the website. I did the ./configure and then ./make. Many files compile just fine, but the task ends with the following error:
>
> ```
>   CC       guacenc-video.o
> video.c: In function ‘guacenc_video_alloc’:
> video.c:64:22: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
>    64 |     container_format = container_format_context->oformat;
>       |                      ^
> video.c:67:22: error: initialization discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
>    67 |     AVCodec* codec = avcodec_find_encoder_by_name(codec_name);
>       |                      ^~~~
> cc1: all warnings being treated as errors
> ```
>
> I'm compiling on a Raspberry Pi 4. GCC gives me the following version:
>
> gcc (Raspbian 12.2.0-14+rpi1) 12.2.0
> Copyright (C) 2022 Free Software Foundation, Inc.
>
> Any suggestions?

This has already been fixed in the Git code in the master branch, targeted for version 1.6.0:

https://issues.apache.org/jira/browse/GUACAMOLE-1714

You can back-port the patch to your source tree code if you'd like to fix it immediately:

https://patch-diff.githubusercontent.com/raw/apache/guacamole-server/pull/399.patch

-Nick
Re: Major bug message log in guacd 1.5.4
On Wed, Feb 7, 2024 at 6:40 AM Yannick Martin wrote:

> Hello
>
> About pthread_keys leak, I wonder if
>
> https://github.com/apache/guacamole-server/blob/master/src/libguac/client.c#L299
> and L300 is not a duplicate call of those done in:
> guac_rwlock_init(&(client->__users_lock));
> guac_rwlock_init(&(client->__pending_users_lock));
>
> which call pthread_key_create too =>
>
> https://github.com/apache/guacamole-server/blob/master/src/libguac/rwlock.c#L52
>

Two issues with this:

* I'm not sure that duplicating a call to pthread_key_create() would/should result in the behavior we're seeing - where TLS-based connections fail after a certain, relatively well-defined number (58-60).
* This also would not explain why this only occurs in certain situations, on certain platforms - that is, the same exact libguac code running on EL7 (RHEL, CentOS, etc.) does not result in the resource leak, whereas it does on some other set of platforms (Debian, Alpine, EulerOS). Unless the pthread library has been changed substantially between those versions to not clean up after itself?

-Nick