Hello Mike,
Ok let me give you the whole picture
I recreated the whole Guacamole platform to ensure no bad things, until compile of both 0.9.14 server & client.
Server is ubuntu with Apache2 + Tomcat7 from repository.
Apache 2 is a normal Rproxy with SSL + :
ProxyPass "/guacamole/" "http://localhost:8080/guacamole/" flushpackets=on
ProxyPassReverse "/guacamole/" "http://localhost:8080/guacamole/"
ProxyPass "/websocket-tunnel" "ws://localhost:8080/guacamole/websocket-tunnel"
ProxyPassReverse "/guacamole/websocket-tunnel" "ws://localhost:8080/guacamole/websocket-tunnel"
Tomcat7 server.xml is :
<Connector port="8080" address="127.0.0.1" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="false" scheme="http" secure="false" clientAuth="false" />
Guacamole.properties :
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: mypassword
openid-authorization-endpoint: https://tacauth.mydomain.tld/oxauth/restv1/authorize
openid-jwks-endpoint: https://tacauth.mydomain.tld/oxauth/restv1/jwks
openid-issuer: https://tacauth.mydomain.tld
openid-client-id: @!EC70.5976.0EF8.1E8D!0001!C6E7.8D34!0008!A650.4304.641D.350F
openid-redirect-uri: https://tacos.mydomain.tld/guacamole/
openid-username-claim-type: preferred_username
openid-scope: openid profile email
auth-provider: org.apache.guacamole.auth.openid.OpenIDAuthenticationProvider
api-session-timeout: 360
logback.xml :
<configuration>
    <!-- Appender for debugging -->
    <appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
        <encoder>
            <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
        </encoder>
    </appender>
    <!-- Log at DEBUG level -->
    <root level="trace">
        <appender-ref ref="GUAC-DEBUG"/>
    </root>
</configuration>
Guacd launched with -L debug
Guacamole unique extension : guacamole-auth-openid-0.9.14.jar
Guacamole lib : mysql-connector-java-8.0.13.jar
MySQL is taken from Ubuntu, DB created via cat 001* then 002* to mysql -p guacamole_db, privileges granted.
OpenID :
- Server is Gluu 3.1.4
- OpenID client for Guacamole :
  - Redirect Login URIs: https://tacos.mydomain.tld/guacamole/
  - Grant Types: implicit
  - Persist Client Authorizations: false
  - Pre-Authorization: true
  - Application Type: Web
  - Subject Type: public
  - Access Token as JWT: True
  - Include Claims In Id Token: true (required to have the claims in the JWT)
  - Scopes: openid email profile
  - Response Types: code id_token code token
From that, let's party: service guacd restart; service apache2 restart; service tomcat7 restart
And then tail -f catalina.out + syslog (guacd).
OpenID was loaded successfully (simple check), but apparently FileAuthenticationProvider is enforced after it :
13:12:25.994 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - Loading extension: "guacamole-auth-openid-0.9.14.jar"
13:12:26.041 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - [0] Binding AuthenticationProvider "org.apache.guacamole.auth.openid.OpenIDAuthenticationProvider".
13:12:26.054 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/usr/share/tomcat7/.guacamole".
13:12:26.362 [localhost-startStop-1] DEBUG o.a.g.e.LanguageResourceService - Merged strings with existing language: "en"
13:12:26.388 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "OpenID Authentication Extension" loaded.
13:12:26.389 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - [1] Binding AuthenticationProvider "org.apache.guacamole.auth.file.FileAuthenticationProvider".
13:12:26.392 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/usr/share/tomcat7/.guacamole".
13:12:26.547 [localhost-startStop-1] INFO o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
13:12:26.579 [localhost-startStop-1] DEBUG o.a.guacamole.tunnel.TunnelModule - WebSocket module loaded: org.apache.guacamole.tunnel.websocket.WebSocketTunnelModule
I am puzzled with the fact Guacamole claims the user-mapping.xml file, as well as the fact it bound the fileauth provider. To me that is useless since openid is here.
Login with Firefox to URL (not /guacamole/), PHP page is fine (simple check to display variables), to call /guacamole/:
URL/guacamole/ redirects to Gluu login page OK
Logging in as guacadmin/guacadmin OK
Then endless looping between:
URL/guacamole/#scope=openid+profile+email&id_token=JWT_token&session_id=9ae89b5e-d29d-4751-a022-a3f1a96526c8&state&session_state=24871b53-da56-4e4a-a85b-a754d5603472
and
URL/guacamole/#/scope=openid+profile+email&id_token=JWT_token&session_id=9ae89b5e-d29d-4751-a022-a3f1a96526c8&state&session_state=24871b53-da56-4e4a-a85b-a754d5603472
JWT_token decoded:
{
    "iss": "https://tacauth.mydomain.tld",
    "aud": "@!EC70.5976.0EF8.1E8D!0001!C6E7.8D34!0008!A650.4304.641D.350F",
    "exp": 1543841611,
    "iat": 1543838011,
    "nonce": "957dcev6c1ua0eaobgu1mgiue9",
    "auth_time": 1543838002,
    "oxOpenIDConnectVersion": "openidconnect-1.0",
    "name": "Guacamole Admin",
    "family_name": "Guacamole ",
    "given_name": "Guacamole Admin",
    "preferred_username": "guacadmin",
    "updated_at": "20181123114741.343Z",
    "email": "my_email",
    "sub": "@!EC70.5976.0EF8.1E8D!0001!C6E7.8D34!0000!9C76.BDDC.7C6A.8D00"
}
As you can see, preferred_username is the login from Guacamole; since no email is yet defined, it can't be used as join.
Guacamole related logs :
12:57:57.521 [http-nio-127.0.0.1-8080-exec-7] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/usr/share/tomcat7/.guacamole/user-mapping.xml" does not exist and will not be read.
12:57:57.522 [http-nio-127.0.0.1-8080-exec-7] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [192.168.10.10, 127.0.0.1] failed.
12:57:58.127 [http-nio-127.0.0.1-8080-exec-8] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/usr/share/tomcat7/.guacamole/user-mapping.xml" does not exist and will not be read.
12:57:58.127 [http-nio-127.0.0.1-8080-exec-8] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [192.168.10.10, 127.0.0.1] failed.
To me this looks like a classical Angular issue where the OpenID server can't send the JWT back to the application because it is located after a #. So Guacamole does not know and loops.
On OIDC side:
==> ./opt/gluu/jetty/oxauth/logs/oxauth.log <==
2018-12-03 13:40:52,812 INFO [qtp804611486-33584] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:533) - Attempting to redirect user: SessionUser: SessionState {dn='oxAuthSessionId=d6ca2359-0beb-445f-8f1d-06ca70e9effb,ou=session,o=@!EC70.5976.0EF8.1E8D!0001!C6E7.8D34,o=gluu', id='d6ca2359-0beb-445f-8f1d-06ca70e9effb', lastUsedAt=Mon Dec 03 13:40:52 UTC 2018, userDn='inum=@!EC70.5976.0EF8.1E8D!0001!C6E7.8D34!0000!9C76.BDDC.7C6A.8D00,ou=people,o=@!EC70.5976.0EF8.1E8D!0001!C6E7.8D34,o=gluu', authenticationTime=Mon Dec 03 13:40:52 UTC 2018, state=authenticated, sessionState='1bca9e3b-6a45-474d-a6ae-de0784ea6a43', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@372ec45d, involvedClients=null, sessionAttributes={auth_step=1, acr=auth_ldap_server, remote_ip=192.168.10.10, auth_external_attributes=null, auth_user=guacadmin, scope=openid profile email, response_type=id_token, redirect_uri=https://tacos.mydomain.tld/guacamole/, nonce=3jpidk0of4p452d96c1f10aj0m, client_id=@!EC70.5976.0EF8.1E8D!0001!C6E7.8D34!0008!A650.4304.641D.350F}, persisted=true}
2018-12-03 13:40:52,814 INFO [qtp804611486-33584] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:541) - Attempting to redirect user: User: org.xdi.oxauth.model.common.User@48356eb0
2018-12-03 13:40:52,815 INFO [qtp804611486-33584] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:365) - Authentication success for User: 'guacadmin'
Apparently everything is fine. When I test on Apache, I see both headers & Environment with preferred_username present. But apparently Guacamole misses it.
Thanks for your help !
Brgrds
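As an added illustration (not code from this mail or from the Guacamole project), the Python below reproduces the checks an OpenID Connect relying party makes on the id_token that the implicit flow returns in the URL fragment, the `#...&id_token=...` shape of the looping URLs above: it pulls the token out of the fragment, verifies the signature, compares iss, aud, exp and nonce against the values from guacamole.properties, and only then reads the openid-username-claim-type claim. A token failing any of these checks is the kind of thing a relying party rejects and answers with a fresh authorization redirect. EXPECTED_ISSUER, EXPECTED_AUDIENCE and USERNAME_CLAIM are copied from the properties file; the HMAC key and the `make_demo_id_token` helper are constructed stand-ins for the RS256 key Gluu publishes at openid-jwks-endpoint, so the signature step is HS256 here rather than RS256.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Values copied from the guacamole.properties shown in the mail.
EXPECTED_ISSUER = "https://tacauth.mydomain.tld"
EXPECTED_AUDIENCE = "@!EC70.5976.0EF8.1E8D!0001!C6E7.8D34!0008!A650.4304.641D.350F"
USERNAME_CLAIM = "preferred_username"  # openid-username-claim-type

# Constructed HS256 key: stand-in for the RS256 key served at openid-jwks-endpoint.
DEMO_KEY = b"constructed-demo-key-not-from-the-page"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT from a claims dict (constructed test data only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def extract_id_token(redirect_url: str) -> Optional[str]:
    """The implicit flow puts id_token after '#'. Browsers never send the fragment
    to the server, so only client-side code can read it and hand it to the backend."""
    fragment = urlsplit(redirect_url).fragment.lstrip("/")  # tolerate the '#/scope=' variant
    return parse_qs(fragment).get("id_token", [None])[0]


def validate_id_token(token: str, expected_nonce: str, now: Optional[int] = None,
                      key: bytes = DEMO_KEY) -> Tuple[Optional[str], List[str]]:
    """Return (username, problems). An empty problems list means the token is acceptable."""
    problems: List[str] = []
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, ["token is not a three-part JWT"]
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never trust the alg the token itself announces.
    if header.get("alg") != "HS256":
        return None, [f"unexpected alg {header.get('alg')!r}"]
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return None, ["signature does not verify"]
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("iss does not match openid-issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain openid-client-id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (token not issued for this login attempt)")
    username = claims.get(USERNAME_CLAIM)
    if not username:
        problems.append(f"claim {USERNAME_CLAIM!r} missing: no username to map")
    return username, problems


if __name__ == "__main__":
    # Constructed token with the same claim shape as the decoded JWT in the mail.
    demo = make_demo_id_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                               "exp": 2000000000, "nonce": "demo-nonce",
                               USERNAME_CLAIM: "guacadmin"})
    url = f"https://tacos.mydomain.tld/guacamole/#scope=openid+profile+email&id_token={demo}&state&session_state=x"
    print(validate_id_token(extract_id_token(url), "demo-nonce"))
```

Running the module prints `('guacadmin', [])` for the constructed token; swapping the aud, letting exp pass, or renaming the username claim produces a non-empty problems list instead of a username, which is the place to look when a login loops back to the authorization endpoint.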
At 06:45 01/12/2018, Mike Jumper wrote:
On Fri, Nov 30, 2018, 10:39 B3r3n <[email protected]> wrote:
Hello Mike,
At 18:37 30/11/2018, Mike Jumper wrote:
> On Wed, Nov 21, 2018 at 1:41 AM B3r3n <[email protected]> wrote:
> >
> > Burping the whole session, I found some infos. It seems Guacamole considers
> > invalid credentials:
> > {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://auth/oxauth/restv1/authorize?scope=openid+email+profile&response_type=id_token&client_id=%40%213CBA.9C61.872A.9B54%210001%218204.1C64%210008%215F53.D604.4734.13E8&redirect_uri=https%3A%2F%2Fguacamole.security.equant.com%2Fguacamole%2F&nonce=buo73qjm36bac5uobsvjra2tjo"}],"type":"INVALID_CREDENTIALS"}
> > entering infinite loop with OIDC server (Gluu).
> >
> > I wonder where Guacamole gets the user attribute to make the link between
> > OIDC username & Guacamole username.
>
> See the "openid-username-claim-type" property:
I used that as well, claiming the parameter (visible in Apache headers + environment) called MYPREFIX_referred_username. Same issue.
Same issue or not, you absolutely need to specify this if the claim within the JWT to be used for the username is not the default value documented at the link above.
The claim type is "MYPREFIX_referred_username"?
Can you perhaps share your guacamole.properties and your Apache config for comparison's sake?
Please also check your Tomcat logs. There may well be errors logged by Guacamole that explain why the token is failing to validate.
- Mike