On Fri, Apr 5, 2019 at 10:05 AM Craig Bloodworth < [email protected]> wrote:
> Maybe I'm not fully understanding how the OpenID extension should work,
> but I believe instead of logging in with the standard Guacamole client
> login screen the user should be forwarded to the OpenID Connect IdP (in
> this case Google) to authenticate and then be sent back to the Guacamole
> client. In the case of my implementation this redirect isn't happening.
>
> The extension is loaded:
>
> 09:00:44.048 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
> 09:00:45.357 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
> 09:00:45.361 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
> 09:00:45.533 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "OpenID Authentication Extension" loaded.
>

Anything else show, here, when you hit the login screen?

> And the guacamole.properties file is configured:
>
> openid-authorization-endpoint: https://accounts.google.com/o/oauth2/v2/auth
> openid-jwks-endpoint: https://www.googleapis.com/oauth2/v3/certs
> openid-issuer: https://accounts.google.com
> openid-client-id: xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
> openid-redirect-uri: https://servers.xxxxxxxxxxxxxxxx.co.uk
> openid-username-claim-type: email
> openid-scope: openid email profile
> openid-allowed-clock-skew: 60
> openid-max-token-validity: 300
> openid-max-nonce-validity: 10
>
> But only the standard login screen is shown. What am I missing?
>
> I've checked the browser console and there are no obvious errors other
> than the 403 error from /api/tokens which is triggered because I'm not
> logged in.
>

Everything looks good to me, but I've never configured OpenID
authentication before, so I'm not entirely sure. Maybe others on the list
will have more hints.

-Nick
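An added example, not part of the thread and not Guacamole's own code: an offline check of the `openid-*` properties quoted above that also builds the authorization request a browser would be expected to follow to the IdP. The sample values are constructed, and the request shape (implicit flow, `response_type=id_token`), the `openid` scope fallback and the https-only rule are assumptions of this example.

```python
from urllib.parse import urlencode, urlparse

# Constructed sample modelled on the quoted configuration; client ID and
# redirect URI are placeholders, not values from the thread.
SAMPLE = """\
openid-authorization-endpoint: https://accounts.google.com/o/oauth2/v2/auth
openid-jwks-endpoint: https://www.googleapis.com/oauth2/v3/certs
openid-issuer: https://accounts.google.com
openid-client-id: example-client-id.apps.googleusercontent.com
openid-redirect-uri: https://guacamole.example.org
openid-scope: openid email profile
"""

URL_KEYS = ("openid-authorization-endpoint", "openid-jwks-endpoint",
            "openid-redirect-uri")
REQUIRED = URL_KEYS + ("openid-issuer", "openid-client-id")

def parse_properties(text):
    """Parse 'key: value' or 'key=value' lines; skip blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever separator (':' or '=') appears first.
        cuts = [i for i in (line.find(":"), line.find("=")) if i != -1]
        cut = min(cuts) if cuts else len(line)
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def check_openid(props):
    """Return a list of problems; an empty list means the basics are present."""
    problems = [f"missing or empty: {k}" for k in REQUIRED if not props.get(k)]
    for k in URL_KEYS:
        url = urlparse(props.get(k, ""))
        if props.get(k) and (url.scheme != "https" or not url.netloc):
            problems.append(f"not an absolute https URL: {k}")
    return problems

def authorization_url(props, nonce):
    """Build the authorization request (assumed implicit flow, id_token only)."""
    query = urlencode({
        "scope": props.get("openid-scope", "openid"),
        "response_type": "id_token",
        "client_id": props["openid-client-id"],
        "redirect_uri": props["openid-redirect-uri"],
        "nonce": nonce,
    })
    return props["openid-authorization-endpoint"] + "?" + query
```

A property whose value has been wrapped onto the following line parses as empty and is reported as missing, which is worth ruling out when a file has been pasted from e-mail.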
