On Mon, Dec 3, 2018 at 12:12 PM B3r3n <b3...@argosnet.com> wrote:
> ...
>
> openid-authorization-endpoint: https://tacauth.mydomain.tld/oxauth/restv1/authorize
> openid-jwks-endpoint: https://tacauth.mydomain.tld/oxauth/restv1/jwks
> openid-issuer: https://tacauth.mydomain.tld
> openid-client-id: @!EC70.5976.0EF8.1E8D!0001!C6E7.8D34!0008!A650.4304.641D.350F
> openid-redirect-uri: https://tacos.mydomain.tld/guacamole/
> openid-username-claim-type: preferred_username
> openid-scope: openid profile email

Note that "openid email profile" is the default. This will likely have no effect.

> auth-provider: org.apache.guacamole.auth.openid.OpenIDAuthenticationProvider

The "auth-provider" property has been deprecated since 0.9.7 and was removed in 0.9.10-incubating. Older releases would have logged a warning regarding its use, while releases from 0.9.10-incubating onward will simply ignore it. Continuing to specify this is bad practice and has no effect.

...

> Guacamole unique extension : guacamole-auth-openid-0.9.14.jar

When you say "unique" here, do you mean that this is the only .jar file within GUACAMOLE_HOME/extensions/?

> Guacamole lib : mysql-connector-java-8.0.13.jar
> MySQL is taken from Ubuntu, DB created via cat > 001* then 002* to mysql -p guacamole_db, privileges granted.

If only the OpenID extension is installed, then all this will have no effect. MySQL will not be used unless the MySQL extension is installed.

...

> but apparently FileAuthenticationProvider is enforced after it :

It is not enforced; it is only loaded. It will only have an effect if "user-mapping.xml" is present.

...

> I am puzzled with the fact Guacamole claims the user-mapping.xml file, as well as the fact it bound the fileauth provider. To me that is useless since openid is here…

The "user-mapping.xml" authentication mechanism is built into Guacamole. It is always loaded but is loaded last. If any extensions are present at all, they will take priority, with "user-mapping.xml" finally getting a crack at authentication after all other extensions have had a chance. If you do not have a "user-mapping.xml" file at all, then this will have no effect.

> Login with Firefox to URL (not /guacamole/), PHP page is fine (simple check to display variables), to call /guacamole/:
> URL/guacamole/ redirects to Gluu login page OK
> Logging in as guacadmin/guacadmin OK
> Then endless looping between:
>
> URL/guacamole/#scope=openid+profile+email&id_token=JWT_token&session_id=9ae89b5e-d29d-4751-a022-a3f1a96526c8&state&session_state=24871b53-da56-4e4a-a85b-a754d5603472
>
> and
>
> URL/guacamole/#/scope=openid+profile+email&id_token=JWT_token&session_id=9ae89b5e-d29d-4751-a022-a3f1a96526c8&state&session_state=24871b53-da56-4e4a-a85b-a754d5603472

I think this is failing because of the presence of other parameters after the "#/". The OpenID Connect extension for Guacamole works around issues with AngularJS and OpenID by handling the mangled parameters as if they were the name of a page, rewriting ".../#/id_token=FOO" to ".../#/?id_token=FOO". This workaround will not have any effect with a path like ".../#/scope=FOO":

https://github.com/apache/guacamole-client/blob/fc457c080d813044e30e1f4e8fe855d6a5900259/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js#L35-L54

We may need a better workaround if OpenID Connect implementations can be expected to throw other parameters in there besides the expected "id_token".

- Mike
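Added example (JavaScript, written for this page; it is not the Guacamole OpenID extension's own code) illustrating the failure mode Mike describes: a hash-fragment rewrite that only recognises a fragment beginning with "id_token=" leaves a fragment beginning with "scope=" untouched, so the token is never read and the login redirect repeats, whereas a rewrite keyed on any leading "key=value" segment handles both shapes. The function names and the regular expression are my own, and the sample fragment is constructed to match the shape of the looping URL quoted above with placeholder token and session values.

```javascript
// Added example, not code from the Guacamole OpenID extension. It models the
// AngularJS hash-router workaround discussed in the thread: the router treats
// "#/..." as a route path, so an OpenID Connect response delivered in the URL
// fragment must be moved behind "#/?" before its parameters can be read.

// Narrow rewrite: recognises only a fragment that begins with "id_token=",
// which is the shape the workaround in the thread expects.
function rewriteIdTokenOnly(hash) {
  return hash.startsWith('#/id_token=') ? '#/?' + hash.slice(2) : hash;
}

// Broader rewrite (hypothetical): any fragment whose first path segment looks
// like "key=value" is treated as a query string, whatever the first key is.
// A genuine route such as "#/settings" has no "=" and is left alone.
const LEADING_PARAM_RE = /^#\/([A-Za-z_][A-Za-z0-9_]*=[^/]*)$/;
function rewriteAnyLeadingParam(hash) {
  const m = LEADING_PARAM_RE.exec(hash);
  return m ? '#/?' + m[1] : hash;
}

// Read the parameters out of a normalised fragment ("#/?a=b&c=d").
// Returns {} when the fragment carries no query part, i.e. when the router
// would still see it as a path. URLSearchParams decodes "+" as a space and
// a bare "state" key as an empty value.
function parseFragmentParams(hash) {
  const q = hash.indexOf('?');
  if (q < 0) return {};
  return Object.fromEntries(new URLSearchParams(hash.slice(q + 1)));
}

// Constructed sample in the shape of the looping URL quoted in the thread;
// the real id_token and session identifiers are replaced by placeholders.
const SAMPLE_FRAGMENT =
  '#/scope=openid+profile+email&id_token=JWT_token' +
  '&session_id=SESSION_ID_PLACEHOLDER&state&session_state=SESSION_STATE_PLACEHOLDER';

// When run directly: the narrow rewrite yields no parameters (the token is
// lost and the login redirect repeats); the broad rewrite exposes them.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('narrow :', parseFragmentParams(rewriteIdTokenOnly(SAMPLE_FRAGMENT)));
  console.log('broad  :', parseFragmentParams(rewriteAnyLeadingParam(SAMPLE_FRAGMENT)));
}
```

Whatever rewrite is used, the id_token recovered here is only the transport step: the relying party still has to verify the JWT's signature against the configured JWKS endpoint and check its issuer, audience and expiry before treating the user as authenticated.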