Awesome! Perfect solution. Thanks :-) Can I suggest the docs are updated to reflect this requirement? It wasn't clear at all IMHO.
Craig

On 2019/04/06 18:48:08, Mike Jumper <[email protected]> wrote:
> On Sat, Apr 6, 2019 at 11:14 AM Nick Couchman <[email protected]> wrote:
>
> > On Fri, Apr 5, 2019 at 10:05 AM Craig Bloodworth <[email protected]> wrote:
> >
> >> Maybe I'm not fully understanding how the OpenID extension should work,
> >> but I believe instead of logging in with the standard Guacamole client
> >> login screen the user should be forwarded to the OpenID Connect IdP (in
> >> this case Google) to authenticate and then be sent back to the Guacamole
> >> client. In the case of my implementation this redirect isn't happening.
> >>
> >> The extension is loaded:
> >>
> >> 09:00:44.048 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
> >> 09:00:45.357 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
> >> 09:00:45.361 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
> >> 09:00:45.533 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "OpenID Authentication Extension" loaded.
> >>
> >
> > Anything else show, here, when you hit the login screen?
> >
> >> And the guacamole.properties file is configured:
> >>
> >> openid-authorization-endpoint: https://accounts.google.com/o/oauth2/v2/auth
> >> openid-jwks-endpoint: https://www.googleapis.com/oauth2/v3/certs
> >> openid-issuer: https://accounts.google.com
> >> openid-client-id: xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
> >> openid-redirect-uri: https://servers.xxxxxxxxxxxxxxxx.co.uk
> >> openid-username-claim-type: email
> >> openid-scope: openid email profile
> >> openid-allowed-clock-skew: 60
> >> openid-max-token-validity: 300
> >> openid-max-nonce-validity: 10
> >>
> >> But only the standard login screen is shown. What am I missing?
> >>
> >> I've checked the browser console and there are no obvious errors other
> >> than the 403 error from /api/tokens which is triggered because I'm not
> >> logged in.
> >>
> >
> > Everything looks good to me, but I've never configured OpenID
> > authentication before, so I'm not entirely sure. Maybe others on the list
> > will have more hints.
> >
>
> The OpenID extension .jar will need to be renamed such that it is loaded
> before the MySQL extension .jar:
>
> 000-guacamole-auth-openid.jar
> 001-guacamole-auth-jdbc-mysql.jar
>
> As the MySQL extension is loading first, its request for username+password
> credentials is given priority over the OpenID extension's request for a
> token.
>
> Related thought: it might be good to modify the OpenID extension to
> optionally add an arbitrary "Sign in with _____" button, rather than the
> current all-or-nothing approach.
>
> - Mike
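An added check for the load-order point in Mike's reply, not code from this thread or from the Guacamole project: it lists the jars in an extensions directory in sorted filename order (assumed here, following the reply, to be the order the extensions load) and reports whether an OpenID jar sorts before the JDBC/MySQL jar. Directory paths and the version strings in the test filenames are constructed placeholders.

```shell
#!/bin/sh
# Added example. Assumption: Guacamole loads extension jars in sorted
# filename order, which is why the 000-/001- rename in the thread works.

# Print the jar filenames of a directory in sorted (load) order, one per line.
extension_order() {
    for path in "$1"/*.jar; do
        [ -e "$path" ] || continue   # no jars at all: print nothing
        basename "$path"
    done
}

# Return 0 when an openid jar sorts before the first jdbc jar, 1 otherwise
# (also 1 when either jar is missing, since the ordering question is moot).
openid_loads_first() {
    openid_pos=""
    jdbc_pos=""
    n=0
    for jar in $(extension_order "$1"); do
        n=$((n + 1))
        case "$jar" in
            *guacamole-auth-openid*)
                if [ -z "$openid_pos" ]; then openid_pos=$n; fi ;;
            *guacamole-auth-jdbc*)
                if [ -z "$jdbc_pos" ]; then jdbc_pos=$n; fi ;;
        esac
    done
    [ -n "$openid_pos" ] && [ -n "$jdbc_pos" ] && [ "$openid_pos" -lt "$jdbc_pos" ]
}

# Print (not run) the mv commands that apply the 000-/001- prefixes from the
# reply, stripping any existing three-digit prefix first.
suggest_renames() {
    for jar in $(extension_order "$1"); do
        stripped="${jar#[0-9][0-9][0-9]-}"
        case "$jar" in
            *guacamole-auth-openid*) echo "mv '$jar' '000-$stripped'" ;;
            *guacamole-auth-jdbc*)   echo "mv '$jar' '001-$stripped'" ;;
        esac
    done
}
```

Usage: `openid_loads_first /etc/guacamole/extensions || suggest_renames /etc/guacamole/extensions` prints the renames only when the order is wrong.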
