Hey Justin,

It's possible that the response does not contain the mail attribute; the Tomcat logs should tell you if that is the case, in which case you'd need to specify the attribute in guacamole.config with the openid-username-claim-type directive.

I've never used Keycloak, but based on this documentation for mod_auth_openidc, http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/mod-auth-openidc.html, preferred_username may be what you need, as that is what they say to map using mod_auth_openidc:

OIDCRemoteUserClaim preferred_username

Your first email said you had enabled the mappings to Username, given name, full name, email, and family name, so maybe this is not the issue; however, it might be worth a try, since this is a symptom of not having the username claim type that Guacamole is expecting in the response.

JP
On 2018/02/09 13:49:16, Justin Gauthier <[email protected]> wrote:
> Hey Nick,
>
> Thanks for the response!
>
> I suspected as much, unfortunately I am unsure why it's not seeing the token.
> Like I said, I don't have anything else that uses OpenID to test the setup.
>
> Hopefully Mike is able to assist when he gets a chance.
>
> Thanks again for the help, it's greatly appreciated.
>
> ________________________________
> From: Nick Couchman <[email protected]>
> Sent: Friday, February 9, 2018 8:40:25 AM
> To: [email protected]
> Subject: Re: OpenID-Connect HTTP 500
>
> On Thu, Feb 8, 2018 at 11:37 PM, Justin Gauthier <[email protected]> wrote:
> > The response payload is: {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENTIALS"}
> >
> > I also see a GET for https://guacamole.justin-tech.com/#session_state=b1988d87-4a4d-4539-a186-1d2ef58aca04&id_token=[TOKEN]&not-before-policy=1518147539
>
> Mike can probably provide more precise information, but my guess is that there is something about the response being sent back to the Guacamole session that Guacamole is unhappy about - either it isn't seeing the id_token parameter when it expects to, or it's in a format it doesn't expect, or something like that.
> I've not used Guacamole with OIDC, so I'm not going to be of very much help, here.
>
> -Nick
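The troubleshooting step JP describes above (checking whether the id_token actually carries the claim Guacamole is configured to read through openid-username-claim-type) can be automated; the following is an added example, not code from the thread or from the Guacamole project. The sample token, the e-mail address in it, and the list of candidate claims are constructed assumptions.

```python
import base64
import json

# Claims an IdP commonly sends that openid-username-claim-type could point at
# (this candidate list is an assumption for the diagnostic, not Guacamole's).
CANDIDATE_CLAIMS = ("preferred_username", "email", "sub")

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    Inspection only: the signature is NOT verified, so never use the result
    to make an authentication decision."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def check_username_claim(id_token: str, configured_claim: str) -> dict:
    """Report whether the claim Guacamole is configured to use is present,
    which candidate claims the IdP did send, and a suggested property line
    when the configured claim is missing."""
    claims = decode_id_token_claims(id_token)
    present = [c for c in CANDIDATE_CLAIMS if c in claims]
    found = configured_claim in claims
    return {
        "configured_claim": configured_claim,
        "found": found,
        "username": claims.get(configured_claim),
        "alternatives": present,
        "suggested_property": (None if found or not present
                               else f"openid-username-claim-type: {present[0]}"),
    }

def _make_sample_token(claims: dict) -> str:
    """Build an unsigned sample token; constructed for this example only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Constructed sample: the IdP sent preferred_username and email but no
# "username" claim, the situation the thread describes.
SAMPLE_TOKEN = _make_sample_token({
    "sub": "1234-5678",
    "preferred_username": "jgauthier",
    "email": "jgauthier@example.com",
})
if __name__ == "__main__":
    print(check_username_claim(SAMPLE_TOKEN, "username"))
```

Run it against the real id_token pasted from the browser's redirect URL to see which claim name the Tomcat log complaint corresponds to.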
