Hey Justin,

Is it still doing the redirect loop to the IDP? I enabled debug logging in our 
container and our logs are the same up until this point: 

18:59:37.502 [http-bio-8080-exec-9] DEBUG o.a.i.t.jdbc.JdbcTransaction - 
Opening JDBC Connection
18:59:37.733 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - 
Created connection 1647012044.
18:59:37.733 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - 
Testing connection 1647012044 ...
18:59:37.772 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - 
Connection 1647012044 is GOOD!
18:59:37.774 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - 
==>  Preparing: SELECT guacamole_user.user_id, guacamole_user.username, 
password_hash, password_salt, password_date, disabled, expired, 
access_window_start, access_window_end, valid_from, valid_until, timezone, 
full_name, email_address, organization, organizational_role, MAX(start_date) AS 
last_active FROM guacamole_user LEFT JOIN guacamole_user_history ON 
guacamole_user_history.user_id = guacamole_user.user_id WHERE 
guacamole_user.username = ? GROUP BY guacamole_user.user_id 
18:59:37.802 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - 
==> Parameters: null
18:59:37.842 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - 
<==      Total: 0
18:59:37.847 [http-bio-8080-exec-9] DEBUG o.a.i.t.jdbc.JdbcTransaction - 
Resetting autocommit to true on JDBC Connection 
[org.postgresql.jdbc.PgConnection@622b68cc]
18:59:37.859 [http-bio-8080-exec-9] DEBUG o.a.i.t.jdbc.JdbcTransaction - 
Closing JDBC Connection [org.postgresql.jdbc.PgConnection@622b68cc]
18:59:37.860 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - 
Testing connection 1647012044 ...
18:59:37.870 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - 
Connection 1647012044 is GOOD!
18:59:37.871 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - 
Returned connection 1647012044 to pool.
18:59:37.871 [http-bio-8080-exec-9] DEBUG o.a.g.a.f.FileAuthenticationProvider 
- User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will 
not be read.
18:59:37.872 [http-bio-8080-exec-9] DEBUG o.a.g.r.auth.AuthenticationService - 
Anonymous authentication attempt from [10.0.1.203, 10.0.60.20] failed.

At that point, we get this in the logs:

16:52:02.922 [http-nio-8080-exec-5] DEBUG org.jose4j.jwk.HttpsJwks - 
Refreshing/loading JWKS from 
https://<our_idp_redacted.url>/common/discovery/keys

Followed by more IDP stuff, whereas yours just repeats the select from the 
database without logging anything about getting the keys from the IDP.

To isolate variables maybe get rid of Duo auth completely (don't load the jar 
file) in case it's causing an issue and test again (we get stuck in a Duo loop 
when we try it with OpenID anyway, so not sure it's going to work for you), 
and verify that your config/extension files are indeed in /etc/guacamole, which 
is where it has set GUACAMOLE_HOME. If it is doing the redirect to the IDP, then 
I'd guess it's still not getting back what it needs in terms of attributes, 
although there is nothing in the logs, so maybe the OpenID Connect extension 
does not have any debug logging.

JP

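A small log-comparison script, added here as an example by the editor and not part of JP's or Justin's messages, that mechanises the check JP describes: it parses single-line Guacamole debug records, pulls out the JDBC user lookup, the anonymous-authentication failure and any JWKS fetch, and reports whether the OpenID extension acted after the anonymous attempt failed. The sample records and the IDP hostname idp.example.invalid are constructed, and the script assumes each record is on one line rather than wrapped as in the email.

```python
import re

# One logback record per line, the shape seen in the thread:
#   time [thread] LEVEL logger - message
LINE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+) \[(?P<thread>[^\]]+)\] "
                  r"(?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$")

# Constructed samples modelled on the two posters' output (not real captures).
# SAMPLE_OPENID: the OpenID extension fetches the JWKS after the anonymous attempt fails.
SAMPLE_OPENID = """\
18:59:37.802 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Parameters: null
18:59:37.871 [http-bio-8080-exec-9] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
18:59:37.872 [http-bio-8080-exec-9] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [10.0.1.203, 10.0.60.20] failed.
18:59:38.102 [http-bio-8080-exec-9] DEBUG org.jose4j.jwk.HttpsJwks - Refreshing/loading JWKS from https://idp.example.invalid/common/discovery/keys
"""
# SAMPLE_LOOP: only the JDBC lookup (with a null username) repeats; nothing from the IDP.
SAMPLE_LOOP = """\
18:59:37.802 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Parameters: null
18:59:37.872 [http-bio-8080-exec-9] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [10.0.1.203, 10.0.60.20] failed.
18:59:39.115 [http-bio-8080-exec-3] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Parameters: null
18:59:39.190 [http-bio-8080-exec-3] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [10.0.1.203, 10.0.60.20] failed.
"""

def parse(text):
    """Parse single-line records; lines that do not match the pattern are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def auth_events(records):
    """Reduce records to the authentication events the two posters compare."""
    events = []
    for r in records:
        msg, logger = r["msg"], r["logger"]
        if logger.endswith("UserMapper.selectOne") and msg.startswith("==> Parameters:"):
            events.append(("jdbc_lookup", msg.split(":", 1)[1].strip()))  # "null": no username supplied
        elif "Anonymous authentication attempt" in msg and msg.endswith("failed."):
            events.append(("anonymous_failed", r["thread"]))
        elif logger.endswith("HttpsJwks") and "JWKS" in msg:
            events.append(("jwks_fetch", msg.rsplit(" ", 1)[-1]))  # the JWKS URL
    return events

def diagnose(events):
    """'openid-active' if a JWKS fetch follows the last failed anonymous attempt,
    'openid-silent' if only the JDBC/file providers ever ran (extension not loaded
    or not logging), 'no-anonymous-failure' if the pattern is absent."""
    failed = [i for i, (kind, _) in enumerate(events) if kind == "anonymous_failed"]
    if not failed:
        return "no-anonymous-failure"
    if any(kind == "jwks_fetch" for kind, _ in events[failed[-1] + 1:]):
        return "openid-active"
    return "openid-silent"

if __name__ == "__main__":
    for name, text in (("openid", SAMPLE_OPENID), ("loop", SAMPLE_LOOP)):
        print(name, diagnose(auth_events(parse(text))))
```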
-----Original Message-----
From: just_insane [mailto:jus...@justin-tech.com] 
Sent: Monday, February 12, 2018 06:58
To: user@guacamole.apache.org
Subject: OpenID-Connect HTTP 500

Hey JP,

So I changed the proxy_pass from http://guacamole/guacamole/ to 
http://guacamole/ and re-ran the tests after updating the redirect URL in 
guacamole.properties and keycloak.

Here are the logs from tomcat (on pastebin): https://pastebin.com/cqAsvK5s

Based on the logs, it appears to be trying to authenticate against JDBC
(Postgres) anonymously. I am not sure why this is happening, since I changed 
the name of the auth extension so that it loads first. Note that I do have 
users in postgres; would this make a difference?

Regards,

Justin



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/