On Fri, Nov 30, 2018, 10:39 B3r3n <[email protected]> wrote:

> Hello Mike,
>
> At 18:37 30/11/2018, Mike Jumper wrote:
> >On Wed, Nov 21, 2018 at 1:41 AM B3r3n <[email protected]> wrote:
> > >
> > > Burping the whole session, I found some infos. It seems Guacamole considers
> > > invalid credentials:
> > > {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://auth/oxauth/restv1/authorize?scope=openid+email+profile&response_type=id_token&client_id=%40%213CBA.9C61.872A.9B54%210001%218204.1C64%210008%215F53.D604.4734.13E8&redirect_uri=https%3A%2F%2Fguacamole.security.equant.com%2Fguacamole%2F&nonce=buo73qjm36bac5uobsvjra2tjo"}],"type":"INVALID_CREDENTIALS"}
> > > entering infinite loop with OIDC server (Gluu).
> > >
> > > I wonder where Guacamole gets the user attribute to make the link between
> > > OIDC username & Guacamole username.
> >
> >See the "openid-username-claim-type" property:
>
> I used that as well, claiming the parameter (visible in Apache
> headers + environment) called MYPREFIX_referred_username).
> Same issue.

Same issue or not, you absolutely need to specify this if the claim within the JWT to be used for the username is not the default value documented at the link above.

The claim type is "MYPREFIX_referred_username"? Can you perhaps share your guacamole.properties and your Apache config for comparison's sake?

Please also check your Tomcat logs. There may well be errors logged by Guacamole that explain why the token is failing to validate.

- Mike
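
Added example, not part of the original thread and not Guacamole's own code: a small Python helper that decodes the payload of an id_token and reports whether the claim named in "openid-username-claim-type" is actually present, alongside the usual issuer, audience and expiry checks. The issuer, client id and sample claims are constructed placeholders, and the signature is deliberately not verified, so this only diagnoses claim problems.

```python
import base64
import json
import time


def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_id_token(token, username_claim, issuer, client_id, now=None):
    """List claim problems in an id_token. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWT (expected 3 dot-separated segments)"]
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    now = time.time() if now is None else now
    problems = []
    if not claims.get(username_claim):
        problems.append("username claim %r missing or empty; token has %s"
                        % (username_claim, sorted(claims)))
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience does not contain client id: %r" % (aud,))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or 'exp' missing")
    return problems


def make_sample_token(claims):
    """Build a constructed, unsigned sample token for the demonstration."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])


# Constructed sample claims; issuer, client id and values are placeholders.
SAMPLE = make_sample_token({"iss": "https://idp.example", "aud": "guac-client",
                            "exp": 2000000000, "email": "user@example.org"})

if __name__ == "__main__":
    for claim in ("MYPREFIX_referred_username", "email"):
        print(claim, "->", inspect_id_token(SAMPLE, claim, "https://idp.example",
                                            "guac-client", now=1543600000))
```

A token whose claim list lacks the configured name points at the identity provider's claim release rather than at Guacamole; Apache headers and environment variables are not part of the JWT.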
