> On Dec 12, 2017, at 3:21 PM, genesis <[email protected]> wrote:
> But after that, if I click on other url:
> http://guacamoleclient:8090/#/{guacamoleconfig_encrypted_2} with different
> GuacamoleConfiguration parameters, the browser will open another tab, but
> with the same connection of the first url, the same
> (/#/client/NzI0NwBjAG5vYXV0aA), this identifier should be different, because
> the id of the second connection is different.

In our application we tried doing something very similar -- put a base64 encoded JWT into the URL as either a parameter or additional URI path segment and using a simple extension to process the URL -- and we had the same result. Instead we put the JWT into the browser as a session cookie, and modified our extension to look for the cookie containing our token. This worked for us.

I feel I'd be remiss if I didn't point out, for those reading along who might be interested in doing something similar, it is really imperative with either of these approaches that you carefully validate the authenticity of the token. JWTs used in this way must be signed and signatures must be properly validated, and depending on what sorts of details you're including in connection parameters, should probably be encrypted as well. Also, the signing and encryption is worth nothing unless you're extremely careful about key management -- as an attacker, if I can get your key(s), I can almost certainly make tokens for myself that will let me access your resources via Guacamole.

carl
