I should also note that when in the redirect loop, I can see that the usual URL of https://guacamole.justin-tech.com/#/ is showing as both https://guacamole.justin-tech.com/#session. and https://guacamole.justin-tech.com/#/session.
Thanks again,
Justin

On Thu, 2018-02-08 at 23:37 -0500, Justin Gauthier wrote:
> I have been able to get the redirect from Guacamole to Keycloak to
> work, however, once I login to keycloak, and get redirected back to
> Guacamole, I get put into a redirect loop. It does not look like
> Guacamole is reading the token_id from the URL, and this is causing it
> to report invalid credentials, and refreshing.
>
> In nginx I see the following in the access log:
>
> 10.0.1.203 - - [08/Feb/2018:23:14:51 -0500] "GET /auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=a7tk6oajbm14p4aa5icuad0c60 HTTP
>
> With each refresh it is getting a new nonce token.
>
> Additionally, I can see the id_token in the Guacamole URL, as well as a
> session state and not-before-policy.
>
> In the POST to https://guacamole.justin-tech.com/api/tokens, I am
> seeing an Invalid login response, with key: invalid login.
>
> It is expecting name: id_token, type: GUAC_OPENID_TOKEN, and an
> authorizationURI: https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=e1s34a0epan04mre7qduhpnrho, type: INVALID_CREDENTIALS.
>
> The response payload is: {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENTIALS"}
>
> I also see a GET for https://guacamole.justin-tech.com/#session_state=b1988d87-4a4d-4539-a186-1d2ef58aca04&id_token=[TOKEN]&not-before-policy=1518147539
>
> I am seeing the following in the localhost_access_logs:
>
> 10.0.60.20 - - [08/Feb/2018:23:18:01 -0500] "GET /guacamole/api/patches HTTP/1.1" 200 352
> 10.0.60.20 - - [08/Feb/2018:23:18:01 -0500] "POST /guacamole/api/tokens HTTP/1.1" 403 477
>
> and here are the logs from catalina.log
>
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/jquery/2.1.3/dist/jquery.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular/1.3.16/angular.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/lodash/2.4.1/dist/lodash.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-cookies/1.3.16/angular-cookies.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-route/1.3.16/angular-route.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-touch/1.3.16/angular-touch.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/messageformat/1.0.2/messageformat.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate/2.8.0/angular-translate.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate-interpolation-messageformat/2.8.0/angular-translate-interpolation-messageformat.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate-loader-static-files/2.8.0/angular-translate-loader-static-files.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/blob-polyfill/1.0.20150320/Blob.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/filesaver/1.3.3/FileSaver.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-module-shim/0.0.4/angular-module-shim.js
>
> Other than the redirect loop, I am not seeing any errors in any of the
> log files, other than the 403, which I believe to be caused by not
> reading the id_token from the URL.
>
> Note that according to the .well-known/openid-configuration file,
> scopes supported are "openid" and "offline_access", whereas the docs
> seem to indicate that the scope should be at least "openid profile",
> with a default of "openid email profile". I have tried changing
> openid-scope to "openid" and "openid profile".
>
> These are my current guacamole.properties settings:
>
> # OpenID-connect
> openid-authorization-endpoint: https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth
> openid-jwks-endpoint: https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/certs
> openid-issuer: https://keycloak.justin-tech.com/auth/realms/Justin-Tech
> openid-client-id: guacamole
> openid-redirect-uri: https://guacamole.justin-tech.com/
>
> I have also tried openid-redirect-uri without the trailing "/".
>
> Please let me know if there is any other information needed, if I left
> it out.
>
> Thanks,
>
> Justin
>
> On Thu, 2018-02-08 at 17:57 +0000, Justin Gauthier wrote:
> > Nick,
> >
> > I have completed that step, however now I am in a redirect loop.
> >
> > Once I get home I'll take a look at the logs and provide that
> > information.
> >
> > Thanks for the help,
> >
> > Justin
> >
> > From: Nick Couchman <[email protected]>
> > Sent: Thursday, February 8, 2018 11:27:05 AM
> > To: [email protected]
> > Subject: Re: OpenID-Connect HTTP 500
> >
> > On Thu, Feb 8, 2018 at 10:00 AM, Justin Gauthier <justin@justin-tech.com> wrote:
> > > Hello everyone,
> > >
> > > I have discovered that I had the openid-redirect-uri incorrectly
> > > specified. That issue has now been resolved, and I get a login screen
> > > now.
> > >
> > > Now, when I get that login screen, I can login with credentials stored
> > > in the postgres database, but I do not get redirected to Keycloak. I
> > > see a 403 message with the following information:
> > >
> > > {"message":"Invalid login","translatableMessage":{"key":"Invalid login","variables":null},"statusCode":null,"expected":[{"name":"username","type":"USERNAME"},{"name":"password","type":"PASSWORD"}],"type":"INVALID_CREDENTIALS"}
> > >
> > > My understanding is that Guacamole should be redirecting me to Keycloak
> > > to authenticate, and then I should be redirected back to Guacamole with
> > > the authentication token, and it would not ask for the username and
> > > password?
> >
> > Justin,
> > Authentication extensions are loaded in alphabetical order, which
> > means the OpenID extension is being loaded (and evaluated) after the
> > JDBC extension. I suggest that you rename the OpenID extension to
> > something that will force it to load first - when I do this with
> > modules, I usually prefix a number onto them. For example, in the
> > GUACAMOLE_HOME/extensions folder, instead of installing it as
> > "guacamole-auth-openid-0.9.14.jar", install it as
> > "guacamole-auth-0-openid-0.9.14.jar" - the -0 before the -openid will
> > cause it to be loaded and evaluated prior to the -jdbc JAR, and perhaps
> > allow the redirect to happen properly.
> >
> > Regards,
> > Nick
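As an added diagnostic for the redirect loop discussed in this thread (example code, not from the thread or the Guacamole project): it splits the fragment Keycloak appends to the redirect URI (session_state, id_token, not-before-policy), decodes the id_token claims, and reports which of the checks a relying party makes against openid-issuer, openid-client-id, the nonce from the authorization request, and the expiry would fail. Signature verification against openid-jwks-endpoint is assumed to happen separately; the token builder and its sample claims are constructed for offline use.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlparse

# Values taken from the guacamole.properties settings in the thread.
OPENID_ISSUER = "https://keycloak.justin-tech.com/auth/realms/Justin-Tech"
OPENID_CLIENT_ID = "guacamole"

def _b64url_decode(segment):
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def fragment_params(url):
    """Parameters Keycloak places in the fragment of the redirect URI (implicit flow)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).fragment).items()}

def id_token_claims(token):
    """Claims of a compact JWT; the signature is deliberately NOT verified here."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def check_id_token(token, expected_nonce, now=None):
    """Reasons a relying party configured like the thread's would reject this token."""
    now = time.time() if now is None else now
    claims = id_token_claims(token)
    problems = []
    if claims.get("iss") != OPENID_ISSUER:
        problems.append("iss %r does not equal openid-issuer" % claims.get("iss"))
    aud = claims.get("aud")
    if OPENID_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud %r does not contain openid-client-id" % aud)
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce differs from the one sent in the authorization request")
    if claims.get("exp", 0) <= now:
        problems.append("token expired (check clock skew between the two hosts)")
    return problems

def make_test_token(claims):
    """Constructed, unsigned JWT used only as local sample input for the checks above."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "kid": "constructed"}) + "." + enc(claims) + ".placeholder-sig"

if __name__ == "__main__":  # sample run: constructed token carrying a stale nonce
    nonce = "e1s34a0epan04mre7qduhpnrho"  # nonce from the thread's authorization URL
    print(check_id_token(make_test_token({"iss": OPENID_ISSUER, "aud": OPENID_CLIENT_ID, "nonce": "old", "exp": 2000000000}), nonce))
```

An empty list from check_id_token means every claim matches the configured values, which narrows the remaining suspects to signature validation or, as Nick's reply suggests, extension load order.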
