Dave Smith created GUACAMOLE-560: ------------------------------------ Summary: Support OIDC from Okta Key: GUACAMOLE-560 URL: https://issues.apache.org/jira/browse/GUACAMOLE-560 Project: Guacamole Issue Type: New Feature Components: guacamole-auth-openid Affects Versions: 0.9.14 Reporter: Dave Smith
{quote}i've tried to get this setup. Unfortunately it seems Okta insist (even with Single Page App (SPA)) to have state field in the POST even if (when using SPA) it's not actually used. The guacamole client just goes in a redirect loop with error in URL visible of "invalid state". With SPA the state parameter can even be some random letters, but must be there. Using OIDCDebugger.com gleans this:{quote} {quote} error=invalid_request error_description=The authentication request has an invalid 'state' parameter. yet by adding a bunch of x's to the state parameter.. i get a much more positive response: state=xxxxxxxxxxxxx id_token=eyJraWQiOiI0NlpNbjlZZG5HQ1AxMGhDUWs5VWtvc2ljUmltTURJRDBBbVh1dWhHUUhrIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUxMDAxNnVwUzhFaENuMjJwNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9hdG9zbXBjYXdzLm9rdGEuY29tIiwiYXVkIjoiMG9hMTIzZG8weXNibFN4dUoycDciLCJpYXQiOjE1MjQ3NTQwOTUsImV4cCI6MTUyNDc1NzY5NSwianRpIjoiSUQuRmZGYzFpZlA2VG I'd kindly ask that state could be added as an optional parameter to the guac properties file.{quote} -- This message was sent by Atlassian JIRA (v7.6.3#76005)