I have been able to get the redirect from Guacamole to Keycloak to work; however, once I log in to Keycloak and get redirected back to Guacamole, I get put into a redirect loop. It does not look like Guacamole is reading the token_id from the URL, and this is causing it to report invalid credentials and refresh.
In nginx I see the following in the access log:

10.0.1.203 - - [08/Feb/2018:23:14:51 -0500] "GET /auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=a7tk6oajbm14p4aa5icuad0c60 HTTP

With each refresh it is getting a new nonce token. Additionally, I can see the id_token in the Guacamole URL, as well as a session state and not-before-policy.

In the POST to https://guacamole.justin-tech.com/api/tokens, I am seeing an Invalid login response, with key: invalid login. It is expecting name: id_token, type: GUAC_OPENID_TOKEN, and an authorizationURI: https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=e1s34a0epan04mre7qduhpnrho, type: INVALID_CREDENTIALS.

The response payload is:

{"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENTIALS"}

I also see a GET for https://guacamole.justin-tech.com/#session_state=b1988d87-4a4d-4539-a186-1d2ef58aca04&id_token=[TOKEN]&not-before-policy=1518147539

I am seeing the following in the localhost_access_logs:

10.0.60.20 - - [08/Feb/2018:23:18:01 -0500] "GET /guacamole/api/patches HTTP/1.1" 200 352
10.0.60.20 - - [08/Feb/2018:23:18:01 -0500] "POST /guacamole/api/tokens HTTP/1.1" 403 477

and here are the logs from catalina.log:

Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/jquery/2.1.3/dist/jquery.min.js
Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/angular/1.3.16/angular.min.js
Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/lodash/2.4.1/dist/lodash.min.js
Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/angular-cookies/1.3.16/angular-cookies.min.js
Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/angular-route/1.3.16/angular-route.min.js
Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/angular-touch/1.3.16/angular-touch.min.js
Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/messageformat/1.0.2/messageformat.min.js
Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate/2.8.0/angular-translate.min.js
Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate-interpolation-messageformat/2.8.0/angular-translate-interpolation-messageformat.min.js
Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate-loader-static-files/2.8.0/angular-translate-loader-static-files.min.js
Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/blob-polyfill/1.0.20150320/Blob.js
Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/filesaver/1.3.3/FileSaver.min.js
Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
INFO: Webjars resource requested: /META-INF/resources/webjars/angular-module-shim/0.0.4/angular-module-shim.js

Other than the redirect loop, I am not seeing any errors in any of the log files, other than the 403, which I believe to be caused by not reading the id_token from the URL.

Note that according to the .well-known/openid-configuration file, scopes supported are "openid" and "offline_access", whereas the docs seem to indicate that the scope should be at least "openid profile", with a default of "openid email profile". I have tried changing openid-scope to "openid" and "openid profile".

These are my current guacamole.properties settings:

# OpenID-connect
openid-authorization-endpoint: https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth
openid-jwks-endpoint: https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/certs
openid-issuer: https://keycloak.justin-tech.com/auth/realms/Justin-Tech
openid-client-id: guacamole
openid-redirect-uri: https://guacamole.justin-tech.com/

I have also tried openid-redirect-uri without the trailing "/".

Please let me know if there is any other information needed, if I left it out.

Thanks,
Justin

On Thu, 2018-02-08 at 17:57 +0000, Justin Gauthier wrote:
> Nick,
> 
> I have completed that step, however now I am in a redirect loop.
> 
> Once I get home I'll take a look at the logs and provide that
> information.
> 
> Thanks for the help,
> 
> Justin
> 
> From: Nick Couchman <[email protected]>
> Sent: Thursday, February 8, 2018 11:27:05 AM
> To: [email protected]
> Subject: Re: OpenID-Connect HTTP 500
> 
> On Thu, Feb 8, 2018 at 10:00 AM, Justin Gauthier <justin@justin-tech.com> wrote:
> > Hello everyone,
> > 
> > I have discovered that I had the openid-redirect-uri incorrectly
> > specified. That issue has now been resolved, and I get a login screen
> > now.
> > 
> > Now, when I get that login screen, I can log in with credentials stored
> > in the postgres database, but I do not get redirected to Keycloak. I
> > see a 403 message with the following information:
> > 
> > {"message":"Invalid login","translatableMessage":{"key":"Invalid login","variables":null},"statusCode":null,"expected":[{"name":"username","type":"USERNAME"},{"name":"password","type":"PASSWORD"}],"type":"INVALID_CREDENTIALS"}
> > 
> > My understanding is that Guacamole should be redirecting me to Keycloak
> > to authenticate, and then I should be redirected back to Guacamole with
> > the authentication token, and it would not ask for the username and
> > password?
> 
> Justin,
> Authentication extensions are loaded in alphabetical order, which
> means the OpenID extension is being loaded (and evaluated) after the
> JDBC extension. I suggest that you rename the OpenID extension to
> something that will force it to load first - when I do this with
> modules, I usually prefix a number on to them. For example, in the
> GUACAMOLE_HOME/extensions folder, instead of installing it as
> "guacamole-auth-openid-0.9.14.jar", install it as
> "guacamole-auth-0-openid-0.9.14.jar" - the -0 before the -openid will
> cause it to be loaded and evaluated prior to the -jdbc JAR, and perhaps
> allow the redirect to happen properly.
> 
> Regards,
> Nick
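The following is an added diagnostic, not code from the thread or from the Guacamole project. It takes the guacamole.properties values and the authorizationURI that appear in the post above and checks an id_token returned in the redirect fragment against them the way an OpenID Connect relying party is expected to: signature, iss against openid-issuer, aud against openid-client-id, nonce against the nonce sent in the authorization request, and exp against the clock. Assumptions: the token, the HMAC secret and the timestamps are constructed for the example, and HS256 is used as a stand-in for Keycloak's RS256 keys from openid-jwks-endpoint, which this script does not fetch; the exact checks guacamole-auth-openid performs are not taken from its source. The point it demonstrates is that each refresh in the loop issues a new nonce, so a token must be compared with the request that produced it, and that iss and redirect_uri must match the configured strings exactly (a trailing "/" is a mismatch).

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlsplit

# guacamole.properties as posted in the thread.
GUACAMOLE_PROPERTIES = """\
# OpenID-connect
openid-authorization-endpoint: https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth
openid-jwks-endpoint: https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/certs
openid-issuer: https://keycloak.justin-tech.com/auth/realms/Justin-Tech
openid-client-id: guacamole
openid-redirect-uri: https://guacamole.justin-tech.com/
"""

# The authorizationURI Guacamole returned in its 403 body, as posted.
AUTHORIZATION_URI = (
    "https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth"
    "?scope=openid+email+profile&response_type=id_token&client_id=guacamole"
    "&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=e1s34a0epan04mre7qduhpnrho"
)

# Constructed: an HMAC secret standing in for Keycloak's RSA signing key.
TEST_SECRET = b"constructed-test-secret-not-a-keycloak-key"


def parse_properties(text):
    """Parse 'key: value' lines of guacamole.properties into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            props[key.strip()] = value.strip()
    return props


def authorization_request_params(uri):
    """Single-valued query parameters of the authorization request (client_id, redirect_uri, nonce, ...)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_test_id_token(claims, secret):
    """Build an HS256-signed JWT for testing (Keycloak really issues RS256 tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def id_token_from_redirect(url):
    """Implicit flow (response_type=id_token): the token arrives in the URL fragment after '#'."""
    return parse_qs(urlsplit(url).fragment).get("id_token", [None])[0]


def check_id_token(token, props, expected_nonce, secret, now=None):
    """Return a list of mismatches; an empty list means the token fits the configuration."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["id_token is not a three-part JWT"]
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    problems = []
    if header.get("alg") != "HS256":
        problems.append(f"alg {header.get('alg')!r}: this checker only verifies HS256 test tokens")
    else:
        expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
            problems.append("signature does not verify")
    # Exact string comparison: a trailing '/' on either side is a mismatch.
    if claims.get("iss") != props.get("openid-issuer"):
        problems.append(f"iss {claims.get('iss')!r} != openid-issuer {props.get('openid-issuer')!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if props.get("openid-client-id") not in aud:
        problems.append(f"aud {aud!r} does not contain openid-client-id {props.get('openid-client-id')!r}")
    # The nonce must be the one from the authorization request that produced this token.
    if claims.get("nonce") != expected_nonce:
        problems.append(f"nonce {claims.get('nonce')!r} != nonce sent in the request {expected_nonce!r}")
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token expired (exp <= now)")
    return problems


if __name__ == "__main__":
    props = parse_properties(GUACAMOLE_PROPERTIES)
    request = authorization_request_params(AUTHORIZATION_URI)
    now = 1518147600  # constructed timestamp close to the not-before-policy value in the post
    token = make_test_id_token({"iss": props["openid-issuer"], "aud": "guacamole",
                                "nonce": request["nonce"], "iat": now, "exp": now + 300}, TEST_SECRET)
    url = f"https://guacamole.justin-tech.com/#session_state=b1988d87-4a4d-4539-a186-1d2ef58aca04&id_token={token}&not-before-policy=1518147539"
    print("redirect_uri matches openid-redirect-uri:", request["redirect_uri"] == props["openid-redirect-uri"])
    print("problems:", check_id_token(id_token_from_redirect(url), props, request["nonce"], TEST_SECRET, now=now))
```

To use it against a real loop, paste the authorizationURI from the 403 body and the id_token from the browser's address bar; the printed mismatch list names the property that disagrees with the token.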
