Hey Justin,

Is it still doing the redirect loop to the IDP? I enabled debug logging in our container and our logs are the same up until this point:

18:59:37.502 [http-bio-8080-exec-9] DEBUG o.a.i.t.jdbc.JdbcTransaction - Opening JDBC Connection
18:59:37.733 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - Created connection 1647012044.
18:59:37.733 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1647012044 ...
18:59:37.772 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1647012044 is GOOD!
18:59:37.774 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Preparing: SELECT guacamole_user.user_id, guacamole_user.username, password_hash, password_salt, password_date, disabled, expired, access_window_start, access_window_end, valid_from, valid_until, timezone, full_name, email_address, organization, organizational_role, MAX(start_date) AS last_active FROM guacamole_user LEFT JOIN guacamole_user_history ON guacamole_user_history.user_id = guacamole_user.user_id WHERE guacamole_user.username = ? GROUP BY guacamole_user.user_id
18:59:37.802 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Parameters: null
18:59:37.842 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - <== Total: 0
18:59:37.847 [http-bio-8080-exec-9] DEBUG o.a.i.t.jdbc.JdbcTransaction - Resetting autocommit to true on JDBC Connection [org.postgresql.jdbc.PgConnection@622b68cc]
18:59:37.859 [http-bio-8080-exec-9] DEBUG o.a.i.t.jdbc.JdbcTransaction - Closing JDBC Connection [org.postgresql.jdbc.PgConnection@622b68cc]
18:59:37.860 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1647012044 ...
18:59:37.870 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1647012044 is GOOD!
18:59:37.871 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - Returned connection 1647012044 to pool.
18:59:37.871 [http-bio-8080-exec-9] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
18:59:37.872 [http-bio-8080-exec-9] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [10.0.1.203, 10.0.60.20] failed.

At that point, we get this in the logs:

16:52:02.922 [http-nio-8080-exec-5] DEBUG org.jose4j.jwk.HttpsJwks - Refreshing/loading JWKS from https://<our_idp_redacted.url>/common/discovery/keys

followed by more IDP stuff, whereas yours just repeats the select from the database without logging anything about getting the keys from the IDP.

To isolate variables, maybe get rid of Duo auth completely (don't load the jar file) in case it's causing an issue and test again (we get stuck in a Duo loop when we try it with OpenID anyway, so not sure it's going to work for you), and verify that your config/extension files are indeed in /etc/guacamole, which is where it has set GUACAMOLE_HOME. If it is doing the redirect to the IDP, then I'd guess it's still not getting back what it needs in terms of attributes, although there is nothing in the logs, so maybe the OpenID Connect extension does not have any debug logging.

JP

-----Original Message-----
From: just_insane [mailto:[email protected]]
Sent: Monday, February 12, 2018 06:58
To: [email protected]
Subject: OpenID-Connect HTTP 500

Hey JP,

So I changed the proxy_pass from http://guacamole/guacamole/ to http://guacamole/ and re-ran the tests after updating the redirect URL in guacamole.properties and Keycloak. Here are the logs from Tomcat (on Pastebin): https://pastebin.com/cqAsvK5s

Based on the logs, it appears to be trying to authenticate against JDBC (Postgres) anonymously. I am not sure why this is happening, since I changed the name of the auth extension so that it loads first. Note that I do have users in Postgres; would this make a difference?

Regards,
Justin

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
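The comparison JP is making by eye above (does the anonymous JDBC lookup get followed by a JWKS fetch from the IdP, or does the SELECT just repeat?) can be scripted. The following is an added example, not code from the thread or from the Guacamole project: it parses the logback-style DEBUG lines quoted in the thread, groups them per Tomcat request thread, and labels each thread. The sample log is constructed here to look like the quoted lines (the IdP host idp.example.invalid and the timings are made up), the verdict names are mine, and the load-order helper assumes the alphabetical-by-filename extension loading that Justin's renaming trick relies on.

```python
import re
from collections import defaultdict

# Matches the lines quoted in the thread: "HH:MM:SS.mmm [thread] LEVEL logger - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<thread>[^\]]+)\] (?P<level>\w+) "
    r"(?P<logger>\S+) - (?P<msg>.*)$"
)

# Constructed sample, modelled on the thread's lines (not a real capture).
# Thread exec-9 reaches the IdP; thread exec-5 loops on the anonymous JDBC lookup.
SAMPLE_LOG = """\
18:59:37.802 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Parameters: null
18:59:37.842 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - <== Total: 0
18:59:37.871 [http-bio-8080-exec-9] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
18:59:37.872 [http-bio-8080-exec-9] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [10.0.1.203, 10.0.60.20] failed.
18:59:38.100 [http-bio-8080-exec-9] DEBUG org.jose4j.jwk.HttpsJwks - Refreshing/loading JWKS from https://idp.example.invalid/common/discovery/keys
19:00:01.002 [http-nio-8080-exec-5] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Parameters: null
19:00:01.040 [http-nio-8080-exec-5] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [10.0.1.203] failed.
19:00:02.002 [http-nio-8080-exec-5] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Parameters: null
19:00:02.040 [http-nio-8080-exec-5] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [10.0.1.203] failed.
"""

# Verdict labels are this example's own, not Guacamole terminology.
VERDICTS = {
    "idp-handoff": "OpenID extension fetched the IdP JWKS after the anonymous attempt failed; "
                   "look at the token/attributes the IdP sends back",
    "jdbc-loop": "anonymous JDBC lookups repeat with no JWKS fetch; the OpenID extension is "
                 "not being consulted (check GUACAMOLE_HOME/extensions and the load order)",
    "quiet": "no authentication activity on this thread",
}


def parse_lines(text):
    """Yield one dict per parseable log line; lines that do not match are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def triage(text):
    """Count the tell-tale events per request thread and attach a verdict."""
    per_thread = defaultdict(
        lambda: {"anon_failures": 0, "jwks_loads": 0, "null_user_lookups": 0}
    )
    for rec in parse_lines(text):
        s = per_thread[rec["thread"]]
        # The MyBatis mapper logs the bound parameter; null means no username was supplied.
        if rec["logger"].endswith("UserMapper.selectOne") and rec["msg"] == "==> Parameters: null":
            s["null_user_lookups"] += 1
        elif rec["msg"].startswith("Anonymous authentication attempt from"):
            s["anon_failures"] += 1
        elif rec["msg"].startswith("Refreshing/loading JWKS from"):
            s["jwks_loads"] += 1
    for s in per_thread.values():
        if s["jwks_loads"]:
            s["verdict"] = "idp-handoff"
        elif s["anon_failures"]:
            s["verdict"] = "jdbc-loop"
        else:
            s["verdict"] = "quiet"
        s["explanation"] = VERDICTS[s["verdict"]]
    return dict(per_thread)


def extension_load_order(jar_names):
    """Order in which the extension jars will be tried, assuming Guacamole loads
    GUACAMOLE_HOME/extensions alphabetically by file name (assumption, see lead-in)."""
    return sorted(jar_names)


if __name__ == "__main__":
    for thread, summary in triage(SAMPLE_LOG).items():
        print(thread, summary["verdict"], "-", summary["explanation"])
    print(extension_load_order([
        "guacamole-auth-jdbc-postgresql-0.9.14.jar",
        "guacamole-auth-openid-0.9.14.jar",
        "guacamole-auth-duo-0.9.14.jar",
    ]))
```

Run it against a real Tomcat log with `triage(open("catalina.out").read())`; a thread that ends in `jdbc-loop` is the symptom JP describes, while `idp-handoff` means the OpenID extension was reached and the problem lies in what comes back from the IdP. The load-order helper shows why a jar named `guacamole-auth-openid-...` sorts after `guacamole-auth-jdbc-...` and so is not the first extension consulted unless it is renamed.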
