On Thu, Dec 13, 2018, 22:36 B3r3n <b3...@argosnet.com wrote: > > On Thu, Dec 13, 2018 at 11:14 AM B3r3n <b3...@argosnet.com> wrote: > >> > >> Hello Mike, > >> > >> Well noted, I will test that ASAP. > >> > > > > Thanks, B3r3n. > > > >> However, since I moved using header auth, I would like to try achieving > it. > >> My only issue is with the logout feature of Guacamole. > >> > >> Apparently it sends a DELETE /guacamole/api/tokens/token_id. I > >> intended to change it to another GET /url logging out but whatever I > >> do, right after browser sends a POST /guacamole/api/tokens and regets a > >> token. > >> > > > > With the header authentication, you will be immediately > > re-authenticated so long as the header that authenticates you is > > present in the HTTP request. > > > >> Is there an URL I could use to logout from guacamole but where the > >> browser will accept a returning GET, redirect, whatever so it can > >> really be logged out from OpenID ? > > > > Single logout for OpenID Connect is not currently implemented in > Guacamole: > > > > https://issues.apache.org/jira/browse/GUACAMOLE-519 > > > > The path forward to implement that for OpenID is fairly clear - it > > would just need to be done. I don't know what would need to be done > > for the generic header authentication, where there's no standard > > defining how logout should be signaled to the IDP. > I agree, but my intention was to use a Apache Rewriterule or > ProxyHTMLurlmap, > or RewriteHTML to change the DELETE token URL to my logout OIDC URL. > That's why I would just like to know what do you expect once you sent this > DELETE token. If I can replace it by my logout URL, would remove the header > variable and bingo, clean logout from Guacamole :-) >
No, as simple as it may sound, this wouldn't be a good approach. There is no DELETE token URL (DELETE is the method of the HTTP request sent to the token endpoint of Guacamole's REST service, not a component of a URL), and there is good reason for Guacamole's REST service to be the way it is with respect to logout. For proper security, clean up of resources, etc., single logout needs to be implemented in addition to the Guacamole parts of the logout process, not instead of those parts. Nick had a good proposal earlier: providing a mechanism within the header auth for redirecting the user to a configurable URL after Guacamole logout has completed. - Mike
