It can definitely work behind a proxy. As a test, what about making location /guacamole instead of / in the nginx config? You will have to change your redirect URL with OIDC also. You have the headers configured so it should work ok, but sometimes Tomcat can be fussy with reverse proxying if you’re using a different path.

With regards to the logging, we’re using Docker so it’s being logged to stdout. I’d suggest, if you’re installed on a host, running Tomcat in the foreground so you can see the log messages on the console. The log you’re looking for shows messages like these when you start up and log on:

    11-Feb-2018 20:58:34.593 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive /usr/local/tomcat/webapps/guacamole.war has finished in 6,026
    11-Feb-2018 20:58:34.594 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/manager
    11-Feb-2018 20:58:34.650 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/manager has finished in 56 ms
    11-Feb-2018 20:58:34.651 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/ROOT
    11-Feb-2018 20:58:34.677 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/ROOT has finished in 25 ms
    11-Feb-2018 20:58:34.677 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/docs
    11-Feb-2018 20:58:34.715 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/docs has finished in 38 ms
    11-Feb-2018 20:58:34.719 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/host-manager
    11-Feb-2018 20:58:34.763 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/host-manager has finished in 44 ms
    11-Feb-2018 20:58:34.763 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/examples
    11-Feb-2018 20:58:35.114 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/examples has finished in
    11-Feb-2018 20:58:35.124 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
    11-Feb-2018 20:58:35.136 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
    11-Feb-2018 20:58:35.138 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 6653 ms
    11-Feb-2018 23:36:50.290 INFO [http-nio-8080-exec-6] org.webjars.servlet.WebjarsServlet.doGet Webjars resource requested: /META-INF/resources/webjars/angular-touch/1.3.16/angular-touch.min.js
    11-Feb-2018 23:36:50.807 INFO [http-nio-8080-exec-8] org.webjars.servlet.WebjarsServlet.doGet Webjars resource requested: /META-INF/resources/webjars/angular-route/1.3.16/angular-route.min.js
    11-Feb-2018 23:36:50.863 INFO [http-nio-8080-exec-10] org.webjars.servlet.WebjarsServlet.doGet Webjars resource requested: /META-INF/resources/webjars/messageformat/1.0.2/messageformat.min.js
    11-Feb-2018 23:36:50.865 INFO [http-nio-8080-exec-9] org.webjars.servlet.WebjarsServlet.doGet Webjars resource requested: /META-INF/resources/webjars/angular-translate/2.8.0/angular-translate.min.js
    11-Feb-2018 23:36:50.866 INFO [http-nio-8080-exec-1] org.webjars.servlet.WebjarsServlet.doGet Webjars resource requested: /META-INF/resources/webjars/angular-translate-interpolation-messageformat/2.8.0/angular-translate-interpolation-messageformat.min.js
    11-Feb-2018 23:36:50.918 INFO [http-nio-8080-exec-2] org.webjars.servlet.WebjarsServlet.doGet Webjars resource requested: /META-INF/resources/webjars/angular-translate-loader-static-files/2.8.0/angular-translate-loader-static-files.min.js
    11-Feb-2018 23:36:50.967 INFO [http-nio-8080-exec-3] org.webjars.servlet.WebjarsServlet.doGet Webjars resource requested: /META-INF/resources/webjars/blob-polyfill/1.0.20150320/Blob.js
    11-Feb-2018 23:36:50.980 INFO [http-nio-8080-exec-5] org.webjars.servlet.WebjarsServlet.doGet Webjars resource requested: /META-INF/resources/webjars/angular-module-shim/0.0.4/angular-module-shim.js
    11-Feb-2018 23:36:50.984 INFO [http-nio-8080-exec-4] org.webjars.servlet.WebjarsServlet.doGet Webjars resource requested: /META-INF/resources/webjars/filesaver/1.3.3/FileSaver.min.js
    11-Feb-2018 23:36:50.987 INFO [http-nio-8080-exec-7] org.webjars.servlet.WebjarsServlet.doGet Webjars resource requested: /META-INF/resources/webjars/jquery/2.1.3/dist/jquery.min.js
    11-Feb-2018 23:36:51.010 INFO [http-nio-8080-exec-8] org.webjars.servlet.WebjarsServlet.doGet Webjars resource requested: /META-INF/resources/webjars/lodash/2.4.1/dist/lodash.min.js
    11-Feb-2018 23:36:51.057 INFO [http-nio-8080-exec-1] org.webjars.servlet.WebjarsServlet.doGet Webjars resource requested: /META-INF/resources/webjars/angular/1.3.16/angular.min.js
    11-Feb-2018 23:36:51.088 INFO [http-nio-8080-exec-9] org.webjars.servlet.WebjarsServlet.doGet Webjars resource requested: /META-INF/resources/webjars/angular-cookies/1.3.16/angular-cookies.min.js
    11-Feb-2018 23:36:54.000 [http-nio-8080-exec-5] INFO o.a.g.r.auth.AuthenticationService - User "xx...@xxxxxxx.com" successfully authenticated from [xxxxx].

JP

From: Justin Gauthier [mailto:jus...@justin-tech.com]
Sent: Sunday, February 11, 2018 14:04
To: user@guacamole.apache.org
Subject: Re: Re: OpenID-Connect HTTP 500

Hello JP,

Thanks for the response.

After looking at https://guacamole.apache.org/doc/gug/openid-auth.html, and the .well-known/openid-configuration section of keycloak, it appears that keycloak does not support a scope of "openid email profile", or even "openid profile". I have changed the 'openid-scope' section in guacamole.properties, and it is still not working. Also in that section, regarding 'openid-username-claim-type', I can see that claims_supported include both email and preferred_username. Setting 'openid-username-claim-type' to either of those does not work.

I have also noticed that there is a GET request for https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com&nonce=[NONCE]

I then see the POST a short while later with the following response payload:

    {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com&nonce=[NONCE]"}],"type":"INVALID_CREDENTIALS"}

It is odd that I can see the ID_TOKEN and other parameters in the URL, however I do not see that information in the dev tools. The link I see in the URL is:

    https://guacamole.justin-tech.com/#session_state=659548d0-bb82-4aea-b547-1f9374e519bd&id_token=[TOKEN]&not-before-policy=1518383231

One thing I am not sure about is that the URL used to access guacamole is https://guacamole.justin-tech.com/#/ however, the token is returned to https://guacamole.justin-tech.com/#session_state ... I am not sure if this is the correct behavior.

Additionally, in my nginx proxy, I have the following configuration:

    upstream guacamole {
        server guacamole01.corp.justin-tech.com:8080;
    }

    server {
        listen 443 ssl;
        server_name guacamole.justin-tech.com;
        ssl on;

        # Remember to comment these out if you need to change their defaults
        include snippets/ssl-defaults.conf;

        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # access_log off;
        proxy_pass_request_headers on;
        proxy_set_header Host $host;

        location / {
            proxy_pass http://guacamole/guacamole/;
        }

        ssl_certificate /etc/letsencrypt/live/justin-tech.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/justin-tech.com/privkey.pem; # managed by Certbot
    }

Note the trailing slash on the end of the proxy_pass. Without this, I am unable to load guacamole at all. Also note that if I remove the /guacamole/ from proxy_pass, and adjust the redirect URLs accordingly, I get the same problem where the /#session_state is happening.

It is my understanding that the use of the "#" symbol in URLs can cause problems because the information after the "#" is not forwarded. This could explain why it appears that Guacamole is not seeing this information, even though I can see it in the URL. Is there any way to get nginx to pass this information along to the backend server?

Also, I tried looking at the logs, but could not see anything indicating that there was a token or anything passed back to guacamole. Which log file should I be looking in for that? I also followed this (https://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging) and added the file, however I did not see any increased logging in either /var/log/messages or /var/log/tomcat/catalina.2018-02-11.log.

Has anyone confirmed if the OpenID plugin works behind a proxy?

Thanks again.

Justin

On Sun, 2018-02-11 at 20:33 +0000, JP Harvey wrote:

Hey Justin,

It’s possible that the response does not contain the mail attribute; the Tomcat logs should tell you if that is the case, in which case you’d need to specify the attribute in guacamole.config with the openid-username-claim-type directive.

I’ve never used Keycloak, but based on this documentation for mod_auth_openidc http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/mod-auth-openidc.html preferred_username may be what you need, as that is what they say to map using mod_auth_openidc:

    OIDCRemoteUserClaim preferred_username

Your first email said you had enabled the mappings to Username, given name, full name, email, and family name, so maybe this is not the issue; however it might be worth a try since this is a symptom of not having the username claim type that Guacamole is expecting in the response.

JP

On 2018/02/09 13:49:16, Justin Gauthier <j...@justin-tech.com> wrote:
> Hey Nick,
>
> Thanks for the response!
>
> I suspected as much, unfortunately I am unsure why it’s not seeing the token. Like I said, I don’t have anything else that uses OpenID to test the setup.
>
> Hopefully Mike is able to assist when he gets a chance.
>
> Thanks again for the help, it’s greatly appreciated.
>
> ________________________________
> From: Nick Couchman <ni...@gmail.com>
> Sent: Friday, February 9, 2018 8:40:25 AM
> To: user@guacamole.apache.org
> Subject: Re: OpenID-Connect HTTP 500
>
> On Thu, Feb 8, 2018 at 11:37 PM, Justin Gauthier <ju...@justin-tech.com> wrote:
> > The response payload is:
> >
> > {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F&nonce=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENTIALS"}
> >
> > I also see a GET for https://guacamole.justin-tech.com/#session_state=b1988d87-4a4d-4539-a186-1d2ef58aca04&id_token=[TOKEN]&not-before-policy=1518147539
>
> Mike can probably provide more precise information, but my guess is that there is something about the response being sent back to the Guacamole Session that Guacamole is unhappy about - either it isn't seeing the id_token parameter when it expects to, or it's in a format it doesn't expect, or something like that. I've not used Guacamole with OIDC, so I'm not going to be of very much help, here.
>
> -Nick
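The two points the thread turns on, the id_token arriving only in the URL fragment (which the browser never sends to nginx or Tomcat) and the username claim named by openid-username-claim-type having to be present in the token, as an added diagnostic example. This is not Guacamole's or Keycloak's code; the hostnames, nonce, claims and sample token are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token: str) -> dict:
    # Payload only. The signature must still be verified against the issuer's
    # JWKS before any claim is trusted; this is for diagnosing the response.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def fragment_params(callback_url: str) -> dict:
    # The implicit flow returns id_token in the URL fragment. Browsers never send
    # the fragment to the server, so nginx and Tomcat cannot forward it; only the
    # JavaScript client can read it and hand it to the backend in a POST.
    return {k: v[0] for k, v in parse_qs(urlsplit(callback_url).fragment).items()}

def check_callback(auth_uri: str, callback_url: str, username_claim: str) -> dict:
    # Binds the token to the nonce of the authorization request and checks that
    # the claim named by openid-username-claim-type is actually present.
    expected_nonce = parse_qs(urlsplit(auth_uri).query)["nonce"][0]
    params = fragment_params(callback_url)
    if "id_token" not in params:
        return {"ok": False, "reason": "no id_token in fragment"}
    claims = decode_jwt_claims(params["id_token"])
    if claims.get("nonce") != expected_nonce:
        return {"ok": False, "reason": "nonce mismatch"}
    if username_claim not in claims:
        return {"ok": False, "reason": f"claim {username_claim!r} absent"}
    return {"ok": True, "username": claims[username_claim]}

def make_sample_token(claims: dict) -> str:
    # Constructed token with a placeholder signature, for exercising the checks above.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{enc(claims)}.placeholder-signature"

# Constructed values mirroring the shape of the thread's request and callback URLs.
AUTH_URI = ("https://idp.example/auth?scope=openid&response_type=id_token"
            "&client_id=guacamole&redirect_uri=https%3A%2F%2Fguac.example&nonce=n0nce123")
SAMPLE_TOKEN = make_sample_token({"aud": "guacamole", "nonce": "n0nce123", "preferred_username": "jdoe"})
CALLBACK_URL = f"https://guac.example/#session_state=abc&id_token={SAMPLE_TOKEN}&not-before-policy=0"
```

Running check_callback with "email" against a token that only carries preferred_username reproduces the "claim absent" case the thread is chasing, which is what the Tomcat log would need to show.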