Hello JP,

Thanks for the response. After looking at https://guacamole.apache.org/doc/gug/openid-auth.html, and the .well-known/openid-configuration section of keycloak, it appears that keycloak does not support a scope of "openid email profile", or even "openid profile". I have changed the 'openid-scope' section in guacamole.properties, and it is still not working.

Also in that section, regarding 'openid-username-claim-type', I can see that claims_supported include both email and preferred_username. Setting 'openid-username-claim-type' to either of those does not work.

I have also noticed that there is a GET request for
https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com&nonce=[NONCE]

I then see the POST a short while later with the following response payload:

{"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com&nonce=[NONCE]"}],"type":"INVALID_CREDENTIALS"}

It is odd that I can see the ID_TOKEN and other parameters in the URL, however I do not see that information in the dev tools. The link I see in the URL is:
https://guacamole.justin-tech.com/#session_state=659548d0-bb82-4aea-b547-1f9374e519bd&id_token=[TOKEN]&not-before-policy=1518383231

One thing I am not sure about is, the URL used to access guacamole is https://guacamole.justin-tech.com/#/ however, the token is returned to https://guacamole.justin-tech.com/#session_state ... I am not sure if this is the correct behavior.

Additionally, in my nginx proxy, I have the following configuration:

    upstream guacamole {
        server guacamole01.corp.justin-tech.com:8080;
    }

    server {
        listen 443 ssl;
        server_name guacamole.justin-tech.com;
        ssl on;
        # Remember to comment these out if you need to change their defaults
        include snippets/ssl-defaults.conf;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # access_log off;
        proxy_pass_request_headers on;
        proxy_set_header Host $host;
        location / {
            proxy_pass http://guacamole/guacamole/;
        }
        ssl_certificate /etc/letsencrypt/live/justin-tech.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/justin-tech.com/privkey.pem; # managed by Certbot
    }

Note the trailing slash on the end of the proxy_pass. Without this, I am unable to load guacamole at all. Also note that if I remove the /guacamole/ from proxy_pass, and adjust the redirect URLs accordingly, I get the same problem where the /#session_state is happening.

It is my understanding that the use of the "#" symbol in URLs can cause problems because the information after the "#" is not forwarded. This could explain why it appears that Guacamole is not seeing this information, even though I can see it in the URL. Is there any way to get nginx to pass this information along to the backend server?

Also, I tried looking at the logs, but could not see anything indicating that there was a token or anything passed back to guacamole. Which log file should I be looking in for that? I also followed this and added the file, however I did not see any increased logging in either /var/log/messages or /var/log/tomcat/catalina.2018-02-11.log:
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

Has anyone confirmed if the OpenID plugin works behind a proxy?

Thanks again.

Justin

On Sun, 2018-02-11 at 20:33 +0000, JP Harvey wrote:
> Hey Justin,
>
> It's possible that the response does not contain the mail attribute, the Tomcat logs should tell you if that is the case, in which case you'd need to specify the attribute in guacamole.config with the openid-username-claim-type directive.
>
> I've never used Keycloak but based on this documentation for mod_auth_openidc
>
> http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/mod-auth-openidc.html
>
> preferred_username may be what you need as that is what they say to map using mod_auth_openidc:
>
> OIDCRemoteUserClaim preferred_username
>
> Your first email said you had enabled the mappings to Username, given name, full name, email, and family name so maybe this is not the issue, however might be worth a try since this is a symptom of not having the username claim type that Guacamole is expecting in the response.
>
> JP
>
> On 2018/02/09 13:49:16, Justin Gauthier <[email protected]> wrote:
> > Hey Nick,
> >
> > Thanks for the response!
> >
> > I suspected as much, unfortunately I am unsure why it's not seeing the token. Like I said, I don't have anything else that uses OpenID to test the setup.
> >
> > Hopefully Mike is able to assist when he gets a chance.
> >
> > Thanks again for the help, it's greatly appreciated.
> >
> > ________________________________
> > From: Nick Couchman <[email protected]>
> > Sent: Friday, February 9, 2018 8:40:25 AM
> > To: [email protected]
> > Subject: Re: OpenID-Connect HTTP 500
> >
> > On Thu, Feb 8, 2018 at 11:37 PM, Justin Gauthier <ju...@justin-tech.com> wrote:
> > > The response payload is:
> > >
> > > {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENTIALS"}
> > >
> > > I also see a GET for
> > > https://guacamole.justin-tech.com/#session_state=b1988d87-4a4d-4539-a186-1d2ef58aca04&id_token=[TOKEN]&not-before-policy=1518147539
> >
> > Mike can probably provide more precise information, but my guess is that there is something about the response being sent back to the Guacamole Session that Guacamole is unhappy about - either it isn't seeing the id_token parameter when it expects to, or it's in a format it doesn't expect, or something like that. I've not used Guacamole with OIDC, so I'm not going to be of very much help, here.
> >
> > -Nick
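Two things in the thread above can be checked offline: whether any part of the redirect after the "#" ever reaches nginx, and which claims the returned id_token actually carries for openid-username-claim-type to pick up. The script below is an added diagnostic example, not code from Guacamole, Keycloak or anyone in the thread. The hostnames (example.test), the session_state value and the id_token are constructed; the token's signature is a dummy, and the claim decoding deliberately skips signature verification because it is only for reading claim names while debugging, not for authenticating anyone.

```python
"""Diagnostics for the redirect-fragment and username-claim questions above
(added example; hostnames, token and claims are constructed)."""
import base64
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def request_target(url: str) -> str:
    """What the browser actually puts on the wire for `url`.

    Per RFC 3986 the fragment (everything after '#') is never sent in the HTTP
    request, so nginx cannot forward it with any directive: the server side
    only ever sees path + query. Whatever consumes the fragment must run in
    the browser.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def fragment_params(url: str) -> dict:
    """Parse the implicit-flow response that Keycloak places in the fragment."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).fragment).items()}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(id_token: str) -> dict:
    """Decode the JWT payload WITHOUT checking the signature.

    Diagnostic only: it tells you which claims the IdP put in the token. The
    real validation (signature against the JWKS, issuer, audience, nonce) is
    the application's job and is not done here.
    """
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def username_for(claims: dict, claim_type: str = "email") -> Optional[str]:
    """Mirror what selecting a claim with openid-username-claim-type yields:
    the claim's value, or None when the token does not carry it (the case that
    surfaces as 'Invalid login')."""
    value = claims.get(claim_type)
    return value if isinstance(value, str) and value else None


# Constructed sample token (header.payload.signature) with a dummy signature.
# It carries preferred_username but, on purpose, no email claim.
_HEADER = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=").decode()
_PAYLOAD = base64.urlsafe_b64encode(json.dumps({
    "iss": "https://keycloak.example.test/auth/realms/Example",  # constructed
    "aud": "guacamole",
    "nonce": "constructed-nonce",
    "preferred_username": "jdoe",
}).encode()).rstrip(b"=").decode()
SAMPLE_ID_TOKEN = f"{_HEADER}.{_PAYLOAD}.constructed-signature"

# Constructed redirect in the same shape as the one in the thread.
SAMPLE_REDIRECT = (
    "https://guacamole.example.test/#session_state=11111111-2222-3333-4444-555555555555"
    f"&id_token={SAMPLE_ID_TOKEN}&not-before-policy=0"
)

if __name__ == "__main__":
    print("request-target nginx sees:", request_target(SAMPLE_REDIRECT))
    params = fragment_params(SAMPLE_REDIRECT)
    print("fragment keys:", sorted(params))
    claims = unverified_claims(params["id_token"])
    for claim in ("email", "preferred_username"):
        print(f"openid-username-claim-type={claim} ->", username_for(claims, claim))
```

Run it with a real redirect URL pasted in place of SAMPLE_REDIRECT and the first line answers the nginx question (the request-target is "/" regardless of what follows the "#"); the last two lines show which of the two candidate claim types the token can actually satisfy, which is the check to make before changing openid-username-claim-type again.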
