On Thu, Dec 13, 2018 at 10:38 PM B3r3n <[email protected]> wrote:

> Hello Nick,
>
> >> The path forward to implement that for OpenID is fairly clear - it
> >> would just need to be done. I don't know what would need to be done
> >> for the generic header authentication, where there's no standard
> >> defining how logout should be signaled to the IDP.
> >
> > For the header module, we could add a header-logout-url parameter that
> > could be configured to take the user to a URL that would log them out of
> > whatever session generated the header? This kind of kicks the problem of
> > how the header logout is accomplished out of the Guacamole realm and over
> > to whatever login system is generating the header.
>
> That would just be perfect. This matches my request from 2 weeks ago.
> DELETE token being replaced by https://oidc/logout URL ...
Not replaced - in addition to.

> ... will remove the header and thus no more access on Guacamole, even if
> user keeps seeing menus etc.

No, unless the auth token from Guacamole is revoked, the user will still be
able to use Guacamole. The DELETE request is necessary.

> Maybe also another point: upon auth-header module + not the required
> variable,
> block user to the Guacamole login page, not permitting login, just with a
> simple message as "Authentication required" ?

There actually is no login "page" per se - what you see when you're prompted
for credentials by Guacamole is the webapp handling an error returned by the
server which describes the credentials needed to log in. The content of the
error itself dictates the content of that prompt.

In the case of things like the MySQL or PostgreSQL authentication, the error
describes a username/password pair. For OpenID Connect, the error describes
an "id_token" query parameter and the URL that the user should be redirected
to to obtain that parameter.

You're right in abstract: there should be a similar and optional redirect to
an IDP to ultimately provide the header if it's missing. That may be more
complex than the logout redirect if the IDP needs some sort of parameter in
the URL to dictate a return path back to the webapp.

- Mike
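The two-step logout Mike describes, as an added example that is not part of this thread and not code from the Guacamole project. It runs a tiny in-memory stand-in for a header-authenticated server on localhost and shows why dropping the upstream header alone is not a logout: once a token has been issued it authorises requests by itself, and only the DELETE on the token ends the session. The endpoint paths (POST /api/tokens, DELETE /api/tokens/<token>), the `token` query parameter, the REMOTE_USER header name and the placeholder logout URL are assumptions made for illustration, not a description of the real REST API.

```python
"""Added example, not code from this thread or from Guacamole itself.
Endpoint paths, header name and logout URL below are assumptions."""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

AUTH_HEADER = "REMOTE_USER"                               # assumed header name
HEADER_LOGOUT_URL = "https://idp.example.invalid/logout"  # assumed, never fetched

TOKENS = {}                 # token -> username (the server's session table)
TOKENS_LOCK = threading.Lock()


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass                # keep the demo quiet

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        # Header auth: only the upstream header decides who you are.
        if self.path != "/api/tokens":
            return self._send(404, {"message": "not found"})
        user = self.headers.get(AUTH_HEADER)
        if not user:
            # The error the webapp would render as a prompt: it names the
            # missing credential rather than serving a login "page".
            return self._send(403, {"message": "Authentication required",
                                    "expected": [{"name": AUTH_HEADER}]})
        token = secrets.token_hex(16)
        with TOKENS_LOCK:
            TOKENS[token] = user
        self._send(200, {"authToken": token, "username": user})

    def do_GET(self):
        # Later requests are authorised by the token alone; the header is no
        # longer consulted, which is why removing it does not log anyone out.
        _, _, query = self.path.partition("?")
        token = parse_qs(query).get("token", [None])[0]
        with TOKENS_LOCK:
            user = TOKENS.get(token)
        if user is None:
            return self._send(403, {"message": "Permission denied"})
        self._send(200, {"username": user})

    def do_DELETE(self):
        # Revoking the token is what actually ends the session.
        prefix = "/api/tokens/"
        if not self.path.startswith(prefix):
            return self._send(404, {"message": "not found"})
        with TOKENS_LOCK:
            removed = TOKENS.pop(self.path[len(prefix):], None)
        self._send(200 if removed else 404, {})


def start_server():
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def call(method, url, headers=None):
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def login(base, headers):
    status, body = call("POST", base + "/api/tokens", headers)
    return body.get("authToken") if status == 200 else None


def token_usable(base, token):
    status, _ = call("GET", base + "/api/session/data?token=" + token)
    return status == 200


def logout(base, token):
    """Both steps: revoke the token, then send the browser on to the header
    system's own logout URL (returned here rather than fetched)."""
    status, _ = call("DELETE", base + "/api/tokens/" + token)
    return status == 200, HEADER_LOGOUT_URL


def demo():
    server, base = start_server()
    try:
        no_header = login(base, {})                 # no header: prompt, no token
        token = login(base, {AUTH_HEADER: "alice"})
        before = token_usable(base, token)          # header gone, still logged in
        revoked, redirect = logout(base, token)
        after = token_usable(base, token)           # only now is access gone
        return {"token_without_header": no_header, "usable_before_delete": before,
                "revoked": revoked, "usable_after_delete": after,
                "redirect": redirect}
    finally:
        server.shutdown()


if __name__ == "__main__":
    print(demo())
```

In a browser the second half of `logout` would be a `window.location` assignment to the configured header-logout-url; the order matters, since a redirect that leaves the token in the server's table leaves the session usable for as long as the token lives.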
