On Wed, Aug 28, 2019 at 6:47 AM Ryan Underwood <[email protected]>
wrote:

> TL;DR;
>
> What is the recommended way to add a connection for an active user (with a
> tunnel open) and take the user directly into it, without causing their
> existing session to break?
>
>
>
> I’ve got an environment with Mike’s auth-json on the latest guacamole from
> source. It works as I expected with a minor caveat: when I create a new
> connection for an active user, the new auth token invalidates the old auth
> token and the user’s existing active session gets cut off. I’ve tried
> sending the signed json with a new connection added but since it’s an auth
> mechanism it does just that with the side effect of killing the existing
> guac auth token. It looks like an event sync between the Java
> authentication provider and the Angular web client. What is the recommended
> way to add a connection for an active user (with a tunnel open) and take
> the user directly into it, without causing their existing session to break?
> In this environment I’m not running any other Guacamole
> extensions, and my preference is to keep it that way. Here’s a high-level overview
> of the scenario:
>
> Step 1:
>
> Click link -> triggers auth json -> forward user to Guac with auth token
> on url -> user enters session and all is well
>
> Step 2:
>
> User, via another tab, does the same thing as above:
>
> Click link -> triggers auth json -> original session gets logged out ->
> forward user to guac with auth token on url -> user enters 2nd session
>

The reason the first session is disconnected when the second session starts
is that the client side of the webapp sees the existing token in local
storage and automatically sends a REST API request to the server to
invalidate it prior to using the new token. You can alter this behavior by
using the "anonymous" username within your JSON, which is just the empty
string (""). The client side of the webapp behaves differently when the
user is anonymous and does not store the token within local storage, thus
there's nothing for the other tab to invalidate when the new token is used.

- Mike
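
An added example, not part of the thread and not the guacamole-auth-json project's own code: building the JSON for the anonymous user (`"username": ""`) described above, then signing and encrypting it with `openssl`. It assumes the payload format documented for guacamole-auth-json (HMAC-SHA256 signature prepended to the JSON, AES-128-CBC with an all-zero IV, base64 output); the key, connection name, host and expiry are constructed sample values.

```shell
#!/bin/sh
# Added example; every value below is constructed for illustration.
set -eu

# Constructed 128-bit key as hex. Replace with the key configured for the extension.
SECRET_KEY="4c0b569e4c96df157eee1b65dd0e4d41"
ZERO_IV="00000000000000000000000000000000"

# JSON for the anonymous user: the username is the empty string.
# "expires" is a constructed timestamp in milliseconds since the epoch.
anonymous_json() {
    cat <<'EOF'
{
    "username": "",
    "expires": 1893456000000,
    "connections": {
        "Sample Desktop": {
            "protocol": "rdp",
            "parameters": { "hostname": "host.example.internal", "port": "3389" }
        }
    }
}
EOF
}

# Prepend the binary HMAC-SHA256 signature to the JSON, encrypt, base64-encode.
sign_and_encrypt() {
    {
        openssl dgst -sha256 -mac HMAC -macopt "hexkey:$SECRET_KEY" -binary "$1"
        cat "$1"
    } | openssl enc -aes-128-cbc -K "$SECRET_KEY" -iv "$ZERO_IV" -nosalt -a -A
}

# Inverse, for checking a payload before sending it: decrypt, then drop the
# 32-byte signature so that only the JSON is printed.
decrypt_payload() {
    printf '%s\n' "$1" |
        openssl enc -d -aes-128-cbc -K "$SECRET_KEY" -iv "$ZERO_IV" -nosalt -a -A |
        tail -c +33
}

json_file=$(mktemp)
anonymous_json > "$json_file"
sign_and_encrypt "$json_file"
echo
rm -f "$json_file"
```

The printed base64 string is the signed JSON that the linking application hands to Guacamole in step 1 of the scenario.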
