I missed it on my initial read-through, but it looks like in your URL in the video Guacamole is only requesting 'openid email profile'. What you have should be sufficient for what you have configured... Seeing as I am running Keycloak with this right now, I think we are missing a piece to this puzzle.

I am curious why the backend is responding with a 403 code when you hit the /token endpoint in Guacamole. Can you turn your logging up to DEBUG and see if any additional logs show up?

On Mon, Jan 4, 2021 at 9:18 AM Tim Worcester <[email protected]> wrote:

> Whoops, sorry!
>
> I use LDAP for the User Federation in Keycloak. Under 'User Federation'
> -> 'Ldap' -> 'LDAP Mappers' -> 'groups' is where my mapper is.
>
> On Mon, Jan 4, 2021 at 9:08 AM Владислав Львов <[email protected]> wrote:
>
>> Hello!
>> Thank you for your answer!
>> I run docker Keycloak on default settings.
>> Looks like there is no built-in scope "groups",
>> but I can try to add it!
>> Can you show how it looks on your side (scope, mappers and other
>> settings)?
>> Thank you in advance!
>>
>> 04.01.2021, 16:10, "Tim Worcester" <[email protected]>:
>>
>> I have seen this issue for Keycloak specifically, can you list your
>> client scopes? It should look something like this:
>> [image: image.png]
>>
>> I would make sure that email, groups and profile are in your default
>> client scope. That resolved the issue for me.
>>
>> On Mon, Jan 4, 2021 at 5:23 AM Владислав Львов <[email protected]>
>> wrote:
>>
>> Hello!
>> Thank you for your answer!
>>
>> Is there any workaround?
>> Looks like Gluu always uses the state parameter and there is no way to turn
>> it off :(
>> The only thing that I could find is here:
>> https://gluu.org/docs/gluu-server/4.2/api-guide/openid-connect-api/
>> state - false :(
>>
>> 03.01.2021, 23:32, "Nick Couchman" <[email protected]>:
>>
>> On Sun, Jan 3, 2021 at 2:38 PM Владислав Львов <[email protected]>
>> wrote:
>>
>> Hello!
>> I need help with OpenID.
>> My project:
>>
>> I need to provide users with access to remote desktops (RDP) via browser.
>> But I want to use a standalone server like Gluu (the one that we are
>> currently using) or even better Keycloak, so we won't have to use
>> Guacamole for authorization. I tested both of them, the result looks quite
>> the same.
>> ...
>> Now setup is over. I open the browser and try to go to https://guac.homelab
>> I enter login and password and get into the loop as it's shown in the
>> videos:
>> https://youtu.be/OjwhCB9pjQw
>> https://youtu.be/1dbNnVKp6PA
>>
>> It's possible you're running into this issue:
>>
>> https://issues.apache.org/jira/browse/GUACAMOLE-560
>>
>> Certain OpenID providers require the "state" parameter, even though the
>> specification for that flow doesn't explicitly call it out.
>>
>> Guacamole logs are attached below or available here:
>> https://dropmefiles.com/d2D95
>>
>> Can you tell me what I am doing wrong?
>> My colleagues suggest that the problem could be in the character #, which
>> is used by Guacamole. Could it be the reason for the issue?
>>
>> No, I don't think the "#" in the URL is causing an issue - I believe it's
>> likely the lack of the state parameter.
>>
>> -Nick
>>
>> --
>> ________________
>> Львов Влад
>> [email protected]
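As an added diagnostic (not code from the thread's participants or from the Guacamole project), the check below parses an authorization request URL and an ID token to report which of the scopes discussed here are requested, whether the state parameter the thread identifies as missing is present, and which claims the token carries. The Keycloak-style URL, the token and the set of required scopes are constructed assumptions for this illustration.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse

# Assumption: the deployment relies on these scopes; "groups" is the one the
# Keycloak mapper must supply, the other three are what Guacamole requested.
REQUIRED_SCOPES = {"openid", "email", "profile", "groups"}


def audit_authorize_url(url):
    """Report what the authorization request asks for and what it omits."""
    params = parse_qs(urlparse(url).query)
    scopes = set(params.get("scope", [""])[0].split())
    return {
        "requested_scopes": sorted(scopes),
        "missing_scopes": sorted(REQUIRED_SCOPES - scopes),
        "has_state": "state" in params,  # some providers refuse requests without it
        "has_nonce": "nonce" in params,
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def id_token_claims(token):
    """Unverified decode of the JWT payload; for inspecting claims only."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def missing_claims(token, expected=("email", "groups")):
    """Expected claims (assumed set) that the provider did not include."""
    claims = id_token_claims(token)
    return [c for c in expected if c not in claims]


# Constructed sample: the scope list seen in the thread, with no state parameter.
SAMPLE_AUTH_URL = (
    "https://keycloak.example/realms/demo/protocol/openid-connect/auth"
    "?client_id=guacamole&response_type=id_token&nonce=n-0S6_WzA2Mj"
    "&redirect_uri=https%3A%2F%2Fguac.homelab%2F&scope=openid+email+profile"
)

# Constructed sample token without a groups claim; the signature is a placeholder.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"sub": "1234", "email": "[email protected]"}).encode()),
    _b64url_encode(b"placeholder-signature"),
])
```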
