You can debug the flow easily directly in your browser using dev tools. If you're using Chrome you'll need to check "preserve log" under the network tab or it will disappear before you can see what happened; Firefox has this defaulted.

Also make sure your scope preferred_username is actually available. I forget what Keycloak calls a username. I think I added an email to get it working originally using default settings.

-Ryan

-----Original Message-----
From: Stephan Leruth <[email protected]>
Sent: Thursday, September 12, 2019 3:58 AM
To: [email protected]
Subject: Re: Guacamole 1.0.0 - Keycloak OpenID Information

Hello,

Unfortunately it still does not work.

To summarize my installation, I use 2 servers:
- Keycloak 4.3.0 on CentOS 7
- Guacamole 1.0.0 on CentOS 7

By checking the URL, I can confirm that the patch described here (https://github.com/apache/guacamole-client/commit/0344ef30e45954d1252d44b9826c7eedad8b02f3) is correctly applied.

Looking at your nginx configuration, I understand that you access Guacamole via the URL https://guacamole.com.br/. Is it correct? For my part, I access it via the URL https://dom.domain.local/guacamole. I do not think that's the source of the problem?

I cannot find a log that allows me to trace the error.

The script I used for the installation of Guacamole is this one: https://github.com/Zer0CoolX/guacamole-install-rhel

Thank you very much for your help.

On 11/09/2019 at 23:41, Rafael Ramos wrote:
> Hi Stephan,
>
> My nginx configuration is:
> location / {
>     proxy_pass http://localhost:8080/guacamole/;
>     proxy_buffering off;
>     proxy_http_version 1.1;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header Upgrade $http_upgrade;
>     proxy_set_header Connection $http_connection;
>     proxy_cookie_path /guacamole/ /;
> }
>
> And my guacamole.properties:
> openid-authorization-endpoint: https://keycloak/auth/realms/master/protocol/openid-connect/auth
> openid-jwks-endpoint: https://keycloak/auth/realms/master/protocol/openid-connect/certs
> openid-issuer: https://keycloak/auth/realms/master
> openid-client-id: guacamole
> openid-redirect-uri: https://guacamole.com.br/
> openid-scope: openid email profile
> openid-username-claim-type: preferred_username
>
> On Wed, 11 Sep 2019 at 18:36, Stephan Leruth <[email protected]> wrote:
>
> > Hello,
> >
> > I applied the same settings as you but the problem is not solved.
> >
> > Could you tell me your NGINX configuration?
> >
> > Thank you
> >
> > On 11/09/2019 at 23:26, Rafael Ramos wrote:
> >
> > > Hello,
> > >
> > > I am using Keycloak on Guacamole and I have no problems.
> > >
> > > The only difference is that I have the following settings:
> > > Standard Flow Enabled: Off
> > > Direct Access Grants Enabled: Off
> > >
> > > And in extensions I have only:
> > > guacamole-auth-0-openid-1.0.0.jar
> > > guacamole-auth-jdbc-mysql-1.0.0.jar
> > >
> > > On Wed, 11 Sep 2019 at 13:56, Stephan Leruth <[email protected]> wrote:
> > >
> > > > Hello,
> > > >
> > > > I use Guacamole in version 1.0.0 and it works perfectly.
> > > > I configured the connection via LDAP (Active Directory) and this allows me
> > > > to give access rights to certain users. However, I receive many complaints
> > > > because the users want to implement a single sign-on (SSO).
> > > >
> > > > By reading the Apache Guacamole documentation, I read that authentication
> > > > by OpenID is supported. I decided to set up a Keycloak server.
> > > > Once it was correctly configured (SSO functional but no client
> > > > configured), I tried to configure Guacamole. After several days of testing,
> > > > I always have the same error: an infinite loop during authentication!
> > > >
> > > > I have read different topics on the Internet that indicate that this is an
> > > > identified problem and should be corrected in the following
> > > > versions (1.2.0). Correct?
> > > > I also read this guide (https://blog.exceptionerror.io/2019/06/10/home-lab-2019/)
> > > > which indicates that the patch can be done manually. After completing these
> > > > commands, it does not work better.
> > > >
> > > > I allow myself to add my Keycloak and Guacamole configuration so that
> > > > a big mistake on my part can be identified?
> > > >
> > > > #OpenID Authentication
> > > > openid-authorization-endpoint: https://sso01.dom.domain.local/auth/realms/master/protocol/openid-connect/auth
> > > > openid-jwks-endpoint: https://sso01.dom.domain.local/auth/realms/master/protocol/openid-connect/certs
> > > > openid-issuer: https://sso01.dom.domain.local/auth/realms/master
> > > > openid-client-id: guacamole
> > > > openid-redirect-uri: https://guacamole.dom.domain.local/guacamole
> > > > openid-username-claim-type: username
> > > > openid-scope: openid email profile
> > > > openid-allowed-clock-skew: 500
> > > >
> > > > Thank you!
> > > >
> > > > Shaguu

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
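
The check suggested at the top of the thread (that the claim named by openid-username-claim-type is actually present in the token), as an added example that is not part of any message in the thread: it decodes an id_token payload and compares it with guacamole.properties. The token, its claims and all function names are constructed for illustration; the fallbacks of 30 seconds clock skew and the `email` claim are Guacamole's documented defaults.

```python
import base64, json, time

# guacamole.properties values as quoted in the first message of the thread.
PROPERTIES = """\
openid-issuer: https://sso01.dom.domain.local/auth/realms/master
openid-client-id: guacamole
openid-username-claim-type: username
openid-allowed-clock-skew: 500
"""

def parse_properties(text):
    """Parse 'key: value' lines; lines starting with '#' are comments."""
    pairs = (l.partition(":") for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def sample_token(claims):
    """Build an unsigned, constructed id_token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

def jwt_claims(token):
    """Decode the payload only; the signature is NOT verified (debug aid)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_token(props, claims, now=None):
    """Return labels for every mismatch between the claims and the properties."""
    now = time.time() if now is None else now
    skew = int(props.get("openid-allowed-clock-skew", 30))
    name_claim = props.get("openid-username-claim-type", "email")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    checks = [
        (claims.get("iss") != props.get("openid-issuer"), "iss"),
        (props.get("openid-client-id") not in auds, "aud"),
        (not claims.get(name_claim), "username-claim:" + name_claim),
        (claims.get("exp", 0) + skew < now, "exp"),
    ]
    return [label for failed, label in checks if failed]

# Constructed claims for a hypothetical user, not captured from a real Keycloak.
CLAIMS = {"iss": "https://sso01.dom.domain.local/auth/realms/master",
          "aud": "guacamole", "exp": 1568275200,
          "preferred_username": "jdoe", "email": "jdoe@example.org"}
TOKEN = sample_token(CLAIMS)

if __name__ == "__main__":
    print(check_token(parse_properties(PROPERTIES), jwt_claims(TOKEN), now=1568275000))
```

To use it on a real login, pass the id_token seen in the browser's preserved network log to `jwt_claims()` in place of the constructed `TOKEN`.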
