> On Mon, Dec 3, 2018 at 12:12 PM B3r3n <[email protected]> wrote:
>
>> ...
>>
>> openid-authorization-endpoint: https://tacauth.mydomain.tld/oxauth/restv1/authorize
>> openid-jwks-endpoint: https://tacauth.mydomain.tld/oxauth/restv1/jwks
>> openid-issuer: https://tacauth.mydomain.tld
>> openid-client-id: @!EC70.5976.0EF8.1E8D!0001!C6E7.8D34!0008!A650.4304.641D.350F
>> openid-redirect-uri: https://tacos.mydomain.tld/guacamole/
>> openid-username-claim-type: preferred_username
>> openid-scope: openid profile email
>>
>
> Note that "openid email profile" is the default. This will likely have no effect.

Agree, but when you can't find the issue, you doubt the documentation, and so enforce values ;-)

>> auth-provider: org.apache.guacamole.auth.openid.OpenIDAuthenticationProvider
>>
>
> The "auth-provider" property has been deprecated since 0.9.7 and was removed in 0.9.10-incubating. Older releases would have logged a warning regarding its use, while releases from 0.9.10-incubating onward will simply ignore it. Continuing to specify this is bad practice and has no effect.

Noted, thanks.

> ...
>> Guacamole unique extension: guacamole-auth-openid-0.9.14.jar
>>
>
> When you say "unique" here, do you mean that this is the only .jar file within GUACAMOLE_HOME/extensions/?

Yes, but I discovered I need to have MySQL as well, but in 2nd position. This is to be able to manage connections, users etc. However, when it is not there I should not loop endlessly but have access to the user's simple profile.

>> Guacamole lib: mysql-connector-java-8.0.13.jar
>> MySQL is taken from Ubuntu, DB created via cat 001* then 002* to mysql -p guacamole_db, privileges granted.
>>
>
> If only the OpenID extension is installed, then all this will have no effect. MySQL will not be used unless the MySQL extension is installed.
>
> ...
>> but apparently FileAuthenticationProvider is enforced after it:
>>
>
> It is not enforced; it is only loaded. It will only have an effect if "user-mapping.xml" is present.
>
> ...
>> I am puzzled with the fact Guacamole claims the user-mapping.xml file, as well as the fact it bound the fileauth provider. To me that is useless since openid is here…
>>
>
> The "user-mapping.xml" authentication mechanism is built into Guacamole. It is always loaded but is loaded last. If any extensions are present at all, they will take priority, with "user-mapping.xml" finally getting a crack at authentication after all other extensions have had a chance. If you do not have a "user-mapping.xml" file at all, then this will have no effect.

OK, IMHO this remains puzzling. When you don't use something, why complain that you can't get it?
If there is no use of FileAuthenticationProvider & user-mapping because other modules will do the job, complaining puzzles... Just my opinion...

>> Login with Firefox to URL (not /guacamole/), PHP page is found (simple check to display variables), then call /guacamole/:
>> URL/guacamole/ redirects to Gluu login page OK
>> Logging in as guacadmin/guacadmin OK
>> Then endless looping between:
>>
>> URL/guacamole/#scope=openid+profile+email&id_token=JWT_token&session_id=9ae89b5e-d29d-4751-a022-a3f1a96526c8&state&session_state=24871b53-da56-4e4a-a85b-a754d5603472
>>
>> and
>>
>> URL/guacamole/#/scope=openid+profile+email&id_token=JWT_token&session_id=9ae89b5e-d29d-4751-a022-a3f1a96526c8&state&session_state=24871b53-da56-4e4a-a85b-a754d5603472
>>
>
> I think this is failing because of the presence of other parameters after the "#/". The OpenID Connect extension for Guacamole works around issues with AngularJS and OpenID by handling the mangled parameters as if they were the name of a page, rewriting ".../#/id_token=FOO" to ".../#/?id_token=FOO". This workaround will not have any effect with a path like ".../#/scope=FOO":

Just a sec. My browser is the one calling that URL, right? If I'm not mistaken, it is said that everything after # in a URL is to be ignored. Maybe Guacamole can recognize it, but Apache as reverse proxy or Tomcat7 should then comply with this rule and thus ignore (not relay) these values. Accordingly, Guacamole detects an anonymous auth attempt, which is logged. Am I right?

> https://github.com/apache/guacamole-client/blob/fc457c080d813044e30e1f4e8fe855d6a5900259/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js#L35-L54
>
> We may need a better workaround if OpenID Connect implementations can be expected to throw other parameters in there besides the expected "id_token".

I saw AngularJS is now able to deal with implicit OIDC auth. Or maybe use a web mode with authorization_code?

Thanks for your help!

> - Mike
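The looping URLs above illustrate the exact failure mode Mike describes: the identity provider returns the implicit-flow response in the URL fragment, AngularJS prepends "#/", and a workaround that only recognises a fragment starting with "id_token=" misses a response whose first parameter is "scope=". The fragment is handled purely in the browser; it is never sent to Apache or Tomcat, so only client-side code can see or fix it. The JavaScript below is an added example, not Guacamole's code (the function names parseImplicitFragment, normalizeFragment, extractIdToken and decodeJwtClaims are this example's own, and the sample fragment and JWT are constructed to match the shapes quoted in the thread). It parses any of the mangled forms, rewrites them into the "#/?..." shape the workaround expects regardless of parameter order, and decodes the id_token claims for inspection only, since signature verification against the JWKS endpoint belongs on the server.

```javascript
// Added example (not Guacamole's own code): parse OpenID Connect implicit-flow
// parameters out of a URL fragment no matter how AngularJS has mangled it.
// Handles "#id_token=...", "#/id_token=...", "#/?id_token=..." and the
// "#/scope=...&id_token=..." shape from the thread, where id_token is not first.
// Function names are this example's own (hypothetical, not a Guacamole API).

function parseImplicitFragment(hash) {
  let body = hash.startsWith('#') ? hash.slice(1) : hash;
  if (body.startsWith('/')) body = body.slice(1); // AngularJS route prefix
  if (body.startsWith('?')) body = body.slice(1); // already-normalised form
  const params = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq); // "&state&" -> state=""
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    // "+" is form-encoded space, as in scope=openid+profile+email.
    params[decodeURIComponent(rawKey)] = decodeURIComponent(rawVal.replace(/\+/g, ' '));
  }
  return params;
}

// Rewrite any mangled form into "#/?k=v&..." so a hash router sees a query
// string rather than a route name. Parameter order is preserved.
function normalizeFragment(hash) {
  const params = parseImplicitFragment(hash);
  const query = Object.keys(params)
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
    .join('&');
  return '#/?' + query;
}

// Return the id_token wherever it sits in the fragment, or null if absent.
function extractIdToken(hash) {
  const params = parseImplicitFragment(hash);
  return Object.prototype.hasOwnProperty.call(params, 'id_token') && params.id_token !== ''
    ? params.id_token
    : null;
}

// Base64url helpers that do not depend on Node's newer 'base64url' encoding.
function base64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(b64, 'base64').toString('utf8');
}
function base64urlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the claims of a compact JWT for inspection only. This does NOT verify
// the signature; the server (Guacamole, using openid-jwks-endpoint) must do
// that before trusting any claim. Returns null unless the token has 3 segments
// and a JSON payload.
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(base64urlDecode(parts[1]));
  } catch (e) {
    return null;
  }
}

// Constructed sample fragment shaped like the looping URL in the thread
// ("JWT_token" is a placeholder, as in the post).
const SAMPLE_FRAGMENT =
  '#/scope=openid+profile+email&id_token=JWT_token' +
  '&session_id=9ae89b5e-d29d-4751-a022-a3f1a96526c8&state' +
  '&session_state=24871b53-da56-4e4a-a85b-a754d5603472';

// Constructed, unsigned sample id_token (signature segment is a placeholder).
const SAMPLE_ID_TOKEN = [
  base64urlEncode('{"alg":"RS256","typ":"JWT"}'),
  base64urlEncode('{"iss":"https://tacauth.mydomain.tld","aud":"example-client",' +
                  '"preferred_username":"guacadmin","exp":1543860000}'),
  'placeholder-signature',
].join('.');

console.log(parseImplicitFragment(SAMPLE_FRAGMENT));
console.log(normalizeFragment(SAMPLE_FRAGMENT));
console.log(extractIdToken(SAMPLE_FRAGMENT));
console.log(decodeJwtClaims(SAMPLE_ID_TOKEN));
```

The rewrite produces "#/?scope=openid%20profile%20email&id_token=JWT_token&..." for the thread's fragment and leaves an already-correct "#/?id_token=FOO" untouched, so it can run unconditionally before the router sees the URL. The decoded claims are only useful for debugging which claim to select with openid-username-claim-type; nothing in the browser should act on them until the server has verified the signature, issuer and audience.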
