On Mon, Mar 5, 2018 at 8:33 AM, kevinmsrs <kevin.c...@msrs.us> wrote:

> When trying to connect with the OpenID module, the log outputs that the
> "email" claim is missing from the token. Shouldn't it look at the id_token
> for the email? The token response does not hold the email claim from what I
> have been reading.
>
>
It does look at the id_token. The OpenID auth is attempting to pull the
email claim from the received JWT, as this is the default claim used to
determine identity.

> Here is the error from the Tomcat log:
> [http-nio-8080-exec-409] WARN  o.a.g.a.o.t.TokenValidationService - Username
> claim "email" missing from token. Perhaps the OpenID scope and/or username
> claim type are misconfigured?
>
> At this point, it becomes a redirect loop as Guacamole requests access again
> and then fails to read the claim.
>

If your IDP does not provide the email, you will need to choose another
claim which will be present in the JWT and can serve as the identity of the
user. You may need to modify the scope submitted to the IDP to ensure such
a claim is present in the received token. Configuring this involves the
"openid-username-claim-type" and "openid-scope" properties respectively:

http://guacamole.apache.org/doc/gug/openid-auth.html#guac-openid-config

- Mike
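As an added illustration of the diagnosis above (example code, not Mike's or the Guacamole project's own), the script below decodes the claims an IdP actually put in an id_token, reproduces the "username claim missing" check against a guacamole.properties file, and, for a standard OpenID Connect claim, names the scope that has to be in openid-scope for the IdP to release it (the claim-to-scope mapping is from OIDC Core 1.0, section 5.4). The id_token and both properties files are constructed for the example; the IdP hostname, client ID and property values are placeholders, and the token is decoded without signature verification because this is a diagnostic view of the IdP's output, not an authentication path.

```python
import base64
import json

# Standard claims released by each OpenID Connect scope (OIDC Core 1.0, section 5.4).
# Used to tell the admin which scope must be requested for a given username claim.
SCOPE_FOR_CLAIM = {
    "sub": "openid",
    "email": "email",
    "email_verified": "email",
    "preferred_username": "profile",
    "name": "profile",
    "nickname": "profile",
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned ("alg":"none") id_token so the example runs
    offline. A real IdP signs its tokens; never accept alg=none when authenticating."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(id_token: str) -> dict:
    """Return the claims of an id_token WITHOUT verifying the signature.
    Diagnostic only: it shows what the IdP returned. Guacamole validates the
    token before reading claims, and so must anything that logs users in."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def parse_properties(text: str) -> dict:
    """Minimal parser for the key=value (or key: value) lines of guacamole.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_username_claim(props: dict, claims: dict) -> dict:
    """Reproduce the check behind the warning in the thread: is the configured
    username claim present in the id_token? If not, report which scope would
    have to be added to openid-scope for a standard claim of that name."""
    claim_type = props.get("openid-username-claim-type", "email")  # "email" is the default named in the thread
    requested = set(props.get("openid-scope", "").split())
    value = claims.get(claim_type)
    result = {"claim_type": claim_type, "username": value, "needed_scope": None}
    if value is None:
        needed = SCOPE_FOR_CLAIM.get(claim_type)
        if needed and needed not in requested:
            result["needed_scope"] = needed
    return result


# Constructed id_token from an IdP that does not release an email address at all.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example",  # placeholder issuer
    "sub": "u-1234",
    "preferred_username": "kevin",
    "aud": "guacamole",
    "exp": 1520260000,
}
SAMPLE_ID_TOKEN = build_sample_token(SAMPLE_CLAIMS)

# Constructed configuration with the default claim ("email") and only the
# "openid" scope: this is the combination that produces the warning.
BROKEN_PROPERTIES = """
openid-authorization-endpoint=https://idp.example/authorize
openid-jwks-endpoint=https://idp.example/jwks
openid-issuer=https://idp.example
openid-client-id=guacamole
openid-redirect-uri=https://guac.example/guacamole/
openid-scope=openid
"""

# Same configuration with a claim this IdP does issue and the scope that carries it.
FIXED_PROPERTIES = """
openid-authorization-endpoint=https://idp.example/authorize
openid-jwks-endpoint=https://idp.example/jwks
openid-issuer=https://idp.example
openid-client-id=guacamole
openid-redirect-uri=https://guac.example/guacamole/
openid-username-claim-type=preferred_username
openid-scope=openid profile
"""

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_ID_TOKEN)
    for label, text in (("default", BROKEN_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(label, check_username_claim(parse_properties(text), claims))
```

To use it against a real deployment, paste the id_token your IdP returns (visible in the browser's network tab or the IdP's token debugging view) in place of SAMPLE_ID_TOKEN and point parse_properties at your guacamole.properties; a "needed_scope" in the result means the claim is standard but was not requested, while a None username with no needed_scope means the IdP simply does not issue that claim and a different openid-username-claim-type is required.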
