On Sat, Apr 6, 2019 at 11:14 AM Nick Couchman <[email protected]> wrote:
> On Fri, Apr 5, 2019 at 10:05 AM Craig Bloodworth <[email protected]> wrote:
>
>> Maybe I'm not fully understanding how the OpenID extension should work,
>> but I believe instead of logging in with the standard Guacamole client
>> login screen the user should be forwarded to the OpenID Connect IdP (in
>> this case Google) to authenticate and then be sent back to the Guacamole
>> client. In the case of my implementation this redirect isn't happening.
>>
>> The extension is loaded:
>>
>> 09:00:44.048 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
>> 09:00:45.357 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
>> 09:00:45.361 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
>> 09:00:45.533 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "OpenID Authentication Extension" loaded.
>>
>
> Anything else show, here, when you hit the login screen?
>
>> And the guacamole.properties file is configured:
>>
>> openid-authorization-endpoint: https://accounts.google.com/o/oauth2/v2/auth
>> openid-jwks-endpoint: https://www.googleapis.com/oauth2/v3/certs
>> openid-issuer: https://accounts.google.com
>> openid-client-id: xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
>> openid-redirect-uri: https://servers.xxxxxxxxxxxxxxxx.co.uk
>> openid-username-claim-type: email
>> openid-scope: openid email profile
>> openid-allowed-clock-skew: 60
>> openid-max-token-validity: 300
>> openid-max-nonce-validity: 10
>>
>> But only the standard login screen is shown. What am I missing?
>>
>> I've checked the browser console and there are no obvious errors other
>> than the 403 error from /api/tokens which is triggered because I'm not
>> logged in.
>
> Everything looks good to me, but I've never configured OpenID
> authentication before, so I'm not entirely sure. Maybe others on the list
> will have more hints.

The OpenID extension .jar will need to be renamed such that it is loaded
before the MySQL extension .jar:

000-guacamole-auth-openid.jar
001-guacamole-auth-jdbc-mysql.jar

As the MySQL extension is loading first, its request for username+password
credentials is given priority over the OpenID extension's request for a
token.

Related thought: it might be good to modify the OpenID extension to
optionally add an arbitrary "Sign in with _____" button, rather than the
current all-or-nothing approach.

- Mike
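The renaming step above, as an added example that is not part of the thread or of the Guacamole project. It assumes what Mike's reply implies: the jars in GUACAMOLE_HOME/extensions are loaded in filename sort order, so whichever authentication extension sorts first gets to ask for credentials first. The demo directory and the zero-byte placeholder jar files are constructed here; the jar names are the ones from the reply, and the function names are the author's own.

```shell
#!/bin/sh
# Added example, not code from the Guacamole project. Assumption (per Mike's
# reply): extension jars load in filename sort order, so the OpenID jar must
# sort before the JDBC (MySQL) jar or the MySQL username/password prompt wins.

# List the .jar files in a directory in assumed load order (byte-wise sort).
extension_load_order() {
    find "$1" -maxdepth 1 -name '*.jar' -exec basename {} \; | LC_ALL=C sort
}

# Succeed only if the first "openid" jar sorts before the first "jdbc" jar.
openid_loads_first() {
    order=$(extension_load_order "$1")
    openid_line=$(printf '%s\n' "$order" | grep -n 'openid' | head -n 1 | cut -d: -f1)
    jdbc_line=$(printf '%s\n' "$order" | grep -n 'jdbc' | head -n 1 | cut -d: -f1)
    [ -n "$openid_line" ] && [ -n "$jdbc_line" ] && [ "$openid_line" -lt "$jdbc_line" ]
}

# Apply the numeric prefixes from the reply: 000- for OpenID, 001- for JDBC.
fix_extension_order() {
    dir=$1
    for jar in "$dir"/*openid*.jar; do
        [ -e "$jar" ] || continue
        mv "$jar" "$dir/000-$(basename "$jar")"
    done
    for jar in "$dir"/*jdbc*.jar; do
        [ -e "$jar" ] || continue
        mv "$jar" "$dir/001-$(basename "$jar")"
    done
}

# Constructed stand-in for GUACAMOLE_HOME/extensions: a temp directory holding
# zero-byte placeholder files, not real extension jars.
make_demo_dir() {
    d=$(mktemp -d)
    : > "$d/guacamole-auth-jdbc-mysql.jar"
    : > "$d/guacamole-auth-openid.jar"
    printf '%s\n' "$d"
}

demo=$(make_demo_dir)
echo "Load order before renaming:"
extension_load_order "$demo"
openid_loads_first "$demo" || echo "-> JDBC loads first; its username/password request takes priority"
fix_extension_order "$demo"
echo "Load order after renaming:"
extension_load_order "$demo"
openid_loads_first "$demo" && echo "-> OpenID loads first; the browser should now be redirected to the IdP"
rm -rf "$demo"
```

Run it against the real extensions directory by calling `extension_load_order /etc/guacamole/extensions` and `openid_loads_first /etc/guacamole/extensions` instead of the demo directory; restart Tomcat after renaming, since the jars are only scanned at startup (the "Extension ... loaded" log lines quoted above come from that scan).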
