On Wed, Nov 21, 2018 at 1:41 AM B3r3n <b3...@argosnet.com> wrote:
>
> Burping the whole session, I found some info. It seems Guacamole considers
> invalid credentials:
> {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://auth/oxauth/restv1/authorize?scope=openid+email+profile&response_type=id_token&client_id=%40%213CBA.9C61.872A.9B54%210001%218204.1C64%210008%215F53.D604.4734.13E8&redirect_uri=https%3A%2F%2Fguacamole.security.equant.com%2Fguacamole%2F&nonce=buo73qjm36bac5uobsvjra2tjo"}],"type":"INVALID_CREDENTIALS"}
> entering infinite loop with OIDC server (Gluu).
>
> I wonder where Guacamole gets the user attribute to make the link between
> OIDC username & Guacamole username.

See the "openid-username-claim-type" property:

http://guacamole.apache.org/doc/gug/openid-auth.html#guac-openid-config

> Also wondering about the password.

No password will be available to Guacamole if using OpenID. If a valid token
is received from the IDP, the user will be authenticated.

> To reduce risk from differences, the user (test) has password "test" in both
> OIDC & MySQL local database.

You don't need to set a password if using OpenID. The MySQL authentication
will trust the authentication result of the OpenID extension.

> Also my guacamole.properties has MySQL details (to manage user profile) but
> no mysql auth jdbc.
>
> I noticed I could have both OIDC+MySQL jar files, OIDC loading first with a
> rename if needed. Did not test that yet.

If you don't have the MySQL auth .jar in place, those properties will be
ignored.

- Mike
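As an added illustration (not part of the thread above, and not taken from the Guacamole project), here is a constructed guacamole.properties showing how the two extensions fit together when OpenID handles authentication and the MySQL extension only supplies user profiles and connections. All hostnames, the client id and the database credentials are placeholders; the property names are the ones documented in the Guacamole manual linked above. Whether "email" is the default claim type is an assumption here, so the property is set explicitly rather than relied on.

```properties
# --- OpenID Connect: the only thing that authenticates the user ---
# Endpoint and client values are placeholders; take the real ones from the
# IdP (Gluu in this thread) and its client registration.
openid-authorization-endpoint: https://idp.example.com/oxauth/restv1/authorize
openid-jwks-endpoint:          https://idp.example.com/oxauth/restv1/jwks
openid-issuer:                 https://idp.example.com
openid-client-id:              PLACEHOLDER-CLIENT-ID
openid-redirect-uri:           https://guacamole.example.com/guacamole/
openid-scope:                  openid email profile

# The claim in the id_token whose value becomes the Guacamole username.
# This is the link between the IdP identity and the MySQL user row: the
# value of this claim must match the username stored in MySQL exactly,
# or the MySQL extension has no profile to attach and the login fails.
# (Assumed default is "email"; set it explicitly so there is no guessing.)
openid-username-claim-type:    email

# --- MySQL: user profiles and connection data only, no password check ---
# No password is stored for OpenID users; the MySQL extension trusts the
# authentication result produced by the OpenID extension. These values are
# placeholders.
mysql-hostname:                db.example.com
mysql-port:                    3306
mysql-database:                guacamole_db
mysql-username:                guacamole_user
mysql-password:                PLACEHOLDER-DB-PASSWORD
```

For the "invalid login loop" symptom in the thread, the thing to compare is the value of the configured claim inside the id_token the IdP actually returns against the username column in MySQL: if the IdP puts the address in a differently named claim, or the MySQL user was created under a short name while the claim carries the full e-mail address, the token is valid but no local user matches. The mysql-* properties only take effect once the MySQL auth .jar is present in the extensions directory.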