The redirect happens immediately after hitting the login URL. IIRC the OpenID extension needs to load alphabetically first for this to work (depending on the other extensions). This is handled in the docker image automatically but otherwise you'll need to rename it to prepend something like 1_ or a_ so that it does load first. I haven't used Google's OpenID connection but the first page I googled said it supported "server flow"; Guacamole only supports "implicit flow." Google probably supports it somehow. Regardless you should see the redirect in the browser. Make sure you tell Chrome, Firefox, etc. developer tools to "Preserve log" so you don't lose them in the redirect shuffle.
When you cherry-pick the server output log it's hard to tell if something else loaded first or later or even what version is being used. You'll eventually need to make sure the user exists via some other mechanism in Guacamole (jdbc, maybe AD, not sure), based on the username that Google is returning. That's a problem for after the redirect is happening.

-----Original Message-----
From: Nick Couchman <[email protected]>
Sent: Saturday, April 06, 2019 2:14 PM
To: [email protected]
Subject: Re: OpenID Auth Not Redirecting

On Fri, Apr 5, 2019 at 10:05 AM Craig Bloodworth <[email protected]> wrote:

Maybe I'm not fully understanding how the OpenID extension should work, but I believe instead of logging in with the standard Guacamole client login screen the user should be forwarded to the OpenID Connect IdP (in this case Google) to authenticate and then be sent back to the Guacamole client. In the case of my implementation this redirect isn't happening.

The extension is loaded:

09:00:44.048 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
09:00:45.357 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
09:00:45.361 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
09:00:45.533 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "OpenID Authentication Extension" loaded.

Anything else show, here, when you hit the login screen?

And the guacamole.properties file is configured:

openid-authorization-endpoint: https://accounts.google.com/o/oauth2/v2/auth
openid-jwks-endpoint: https://www.googleapis.com/oauth2/v3/certs
openid-issuer: https://accounts.google.com
openid-client-id: xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
openid-redirect-uri: https://servers.xxxxxxxxxxxxxxxx.co.uk
openid-username-claim-type: email
openid-scope: openid email profile
openid-allowed-clock-skew: 60
openid-max-token-validity: 300
openid-max-nonce-validity: 10

But only the standard login screen is shown. What am I missing? I've checked the browser console and there are no obvious errors other than the 403 error from /api/tokens which is triggered because I'm not logged in.

Everything looks good to me, but I've never configured OpenID authentication before, so I'm not entirely sure. Maybe others on the list will have more hints.

-Nick
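
An added example, not part of the thread or of the Guacamole project: a check of extension load order from the ExtensionModule startup lines quoted above, plus the rename suggested in the reply. The function names and the jar file names are hypothetical, and the rename helper assumes load order is the plain lexicographic sort of the jar file names, as the reply describes.

```python
import re

# Matches the startup line format shown in the thread, e.g.
#   ... INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
LOADED = re.compile(r'ExtensionModule\s+-\s+Extension "([^"]+)" loaded\.')

# The four log lines quoted in the thread.
SAMPLE_LOG = '''\
09:00:44.048 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
09:00:45.357 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
09:00:45.361 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
09:00:45.533 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "OpenID Authentication Extension" loaded.
'''

# Constructed file names for illustration only (not taken from the thread).
SAMPLE_JARS = ["guacamole-auth-openid.jar", "guacamole-auth-jdbc-mysql.jar"]

def load_order(log_text):
    """Extension names in the order the startup log reports them."""
    return LOADED.findall(log_text)

def loaded_before(log_text, wanted="OpenID"):
    """Extensions logged before the first one whose name contains `wanted`.
    Returns None when no matching extension was loaded at all."""
    order = load_order(log_text)
    for i, name in enumerate(order):
        if wanted.lower() in name.lower():
            return order[:i]
    return None

def rename_plan(jar_names, wanted="openid", prefix="1_"):
    """Return (old, new) if the matching jar must be renamed to sort first,
    or None if it is missing or already first. Assumes lexicographic order."""
    ordered = sorted(jar_names)
    target = next((j for j in ordered if wanted in j.lower()), None)
    if target is None or ordered[0] == target:
        return None
    new_name = prefix + target
    others = [j for j in ordered if j != target]
    if min(others + [new_name]) != new_name:
        raise ValueError(f"prefix {prefix!r} does not sort before {min(others)!r}")
    return (target, new_name)

if __name__ == "__main__":
    print("load order:", load_order(SAMPLE_LOG))
    print("loaded before OpenID:", loaded_before(SAMPLE_LOG))
    print("rename:", rename_plan(SAMPLE_JARS))
```

Run against the full server log rather than an excerpt, so that every extension load line is included.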
