So, I have finally gotten guacamole working in Kubernetes (sorry for the delay), but with a copied OIDC config and using the same keycloak client (with a redirect URL added), and I am also getting stuck on a ?id_token= URL.
This is using guacamole/guacamole:1.0.0 and the matching OIDC plugin. The only difference between my working config and non-working config is moving from 0.9.14 to 1.0.0. I am going to run with 0.9.14 on Docker and see how that goes.

________________________________
From: Ryan Underwood <[email protected]>
Sent: Tuesday, April 16, 2019 11:02:54 AM
To: [email protected]
Subject: RE: OpenID / KeyCloak

A few thoughts:

- Are you sure that the asterisk(s) in your URL is what you intended? I know that keycloak will let you specify the valid redirect URLs with wildcards so wasn't sure if that was a failed configuration. The Guacamole angular app rewrites URLs and it's possible this is affecting the hook for that.
- IIRC keycloak uses preferred_username for what you are likely calling the username claim. If you're testing with "guacadmin" and using email you'll need to add one because it doesn't exist by default in the database.
- Pasting some logs from keycloak, any reverse proxy, and the guacamole client would help debugging.
- Openid/guacamole works fine for logging in to guacamole but it's like the Hotel California if you want to sign out.

-----Original Message-----
From: Justin Gauthier <[email protected]>
Sent: Tuesday, April 16, 2019 8:02 AM
To: [email protected]; [email protected]
Subject: Re: OpenID / KeyCloak

I have Guacamole 1.0 working with an older version of Keycloak, below are my settings:

Keycloak settings:

and the guacamole settings:

openid-authorization-endpoint: https://auth.[REDACTED]/auth/realms/[REDACTED]/protocol/openid-connect/auth
openid-jwks-endpoint: https://auth.[REDACTED]/auth/realms/[REDACTED]/protocol/openid-connect/certs
openid-issuer: https://auth.[REDACTED]/auth/realms/[REDACTED]
openid-client-id: guacamole
openid-redirect-uri: https://guacamole.[REDACTED]/guacamole/
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500

The other tabs in keycloak are standard, just have to add the mapper(s) for the email and username, like below. Hopefully that helps.

Regards,
Justin

________________________________
From: kmartin <[email protected]>
Sent: Tuesday, April 16, 2019 7:55 AM
To: [email protected]
Subject: OpenID / KeyCloak

Hello All,

I set up Guacamole 1.0 + Keycloak 5.0. Everything goes right until the login. I'm logged in (on keycloak), I return back to guacamole and then I have loops between 2 URLs:

https://services.xxx.fr:8081/guacamole*/#/*session_state=93ec82e2-2c19-4978-9347-5df101da3189&id_token=xxxx
and
https://services.xxx.fr:8081/guacamole*/#*session_state=93ec82e2-2c19-4978-9347-5df101da3189&id_token=xxxx

Has someone already had the problem? Here is my config:

openid-authorization-endpoint: https://sso.xxx.fr:8443/auth/realms/xxx/protocol/openid-connect/auth
openid-jwks-endpoint: https://sso.xxx.fr:8443/auth/realms/xxx/protocol/openid-connect/certs
openid-issuer: https://sso.xxx.fr:8443/auth/realms/xxx
openid-client-id: gua
openid-redirect-uri: http://services.xxx.fr:8081/guacamole
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500

Thanks for your help!
-- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
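The thread above boils down to a handful of checks an operator can run by hand when Guacamole bounces between the `#/session_state=...&id_token=...` URLs: does the token's `iss` equal `openid-issuer`, is `openid-client-id` in `aud`, does the token actually carry the claim named by `openid-username-claim-type` (Keycloak issues `preferred_username` by default, as Ryan notes), is the token inside `openid-allowed-clock-skew`, and is the redirect URI on the same scheme as the provider. The script below is an added diagnostic written for this page, not code from the Guacamole project or from anyone in the thread. All hostnames, the properties block, the claims and the "current time" are constructed placeholders, and the `make_unsigned_jwt` helper exists only so the example runs offline; it does not verify the token signature, which a real validator must do against the keys served at `openid-jwks-endpoint`.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Constructed guacamole.properties OpenID section with the same keys as the
# thread; hostnames and values are placeholders, not a real deployment.
GUAC_PROPERTIES = """\
openid-authorization-endpoint: https://sso.example.test:8443/auth/realms/demo/protocol/openid-connect/auth
openid-jwks-endpoint: https://sso.example.test:8443/auth/realms/demo/protocol/openid-connect/certs
openid-issuer: https://sso.example.test:8443/auth/realms/demo
openid-client-id: gua
openid-redirect-uri: http://services.example.test:8081/guacamole
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500
"""


def parse_properties(text):
    """Parse 'key: value' lines (first colon splits key from value)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims):
    """Constructed, UNSIGNED token (alg=none) so the example runs offline.
    Real Keycloak id_tokens are signed; never accept alg=none in production."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def decode_claims(token):
    """Return the payload of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(b64url_decode(parts[1]))


def token_from_fragment(url):
    """Pull id_token out of the URL fragment the implicit flow redirects to."""
    fragment = urlsplit(url).fragment.lstrip("/")
    return parse_qs(fragment).get("id_token", [None])[0]


def check_oidc_config(props, claims, now):
    """Compare token claims against the openid-* settings; return findings."""
    findings = []
    issuer = props.get("openid-issuer")
    if claims.get("iss") != issuer:
        findings.append(f"issuer mismatch: token iss={claims.get('iss')!r}, configured {issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    client_id = props.get("openid-client-id")
    if client_id not in aud:
        findings.append(f"audience mismatch: token aud={aud}, configured client id {client_id!r}")
    claim = props.get("openid-username-claim-type")
    if claim not in claims:
        present = [c for c in ("preferred_username", "email", "sub") if c in claims]
        findings.append(f"username claim {claim!r} absent from token; present candidates: {present}")
    skew = int(props.get("openid-allowed-clock-skew", "0"))
    if "exp" in claims and claims["exp"] + skew < now:
        findings.append("token expired beyond allowed clock skew")
    if "iat" in claims and claims["iat"] - skew > now:
        findings.append("token issued in the future beyond allowed clock skew")
    auth_scheme = urlsplit(props.get("openid-authorization-endpoint", "")).scheme
    redirect_scheme = urlsplit(props.get("openid-redirect-uri", "")).scheme
    if auth_scheme == "https" and redirect_scheme != "https":
        findings.append("redirect-uri is not https while the provider is; id_token would land on a plaintext origin")
    return findings


NOW = 1_555_420_000  # fixed "current time" (constructed) so results are deterministic
SAMPLE_CLAIMS = {  # constructed claims shaped like a Keycloak id_token
    "iss": "https://sso.example.test:8443/auth/realms/demo",
    "aud": "gua",
    "sub": "c0ffee00-0000-4000-8000-000000000000",
    "preferred_username": "alice",
    "email": "alice@example.test",
    "iat": NOW - 60,
    "exp": NOW + 240,
}
SAMPLE_TOKEN = make_unsigned_jwt(SAMPLE_CLAIMS)
SAMPLE_URL = ("https://services.example.test:8081/guacamole/#/session_state=constructed-0000"
              "&id_token=" + SAMPLE_TOKEN)


def run_demo():
    props = parse_properties(GUAC_PROPERTIES)
    claims = decode_claims(token_from_fragment(SAMPLE_URL))
    return check_oidc_config(props, claims, NOW)


if __name__ == "__main__":
    for finding in run_demo():
        print("-", finding)
```

Run against the constructed input it reports two findings: the configured username claim `username` is not in the token (Keycloak sent `preferred_username`), and the redirect URI is plain http while the authorization endpoint is https. To use it on a real loop, paste the full `#/...id_token=` URL from the browser bar in place of `SAMPLE_URL` and your own properties in place of `GUAC_PROPERTIES`; treat a pasted id_token as a credential and do not leave it in shell history or tickets.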
