On Fri, Apr 2, 2021 at 8:16 AM quegu <[email protected]> wrote:
> Hello
>
> I am experiencing a looping problem with the OpenID Connect extension
> with Keycloak. I have searched the forums and see this problem but without
> any solution. I am running Guacamole 1.3.0 with extension 1.3.0.
>
> My experience is exactly the same as this user's:
>
> https://issues.apache.org/jira/browse/GUACAMOLE-1251
>
> The only thing I see in the logs is:
>
> DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Invalid login.
> DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from x.x.x.x failed.
>
> The looping is between these two URIs:
>
> https://keycloakexample.com/auth/realms/demo/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=http://example.com:8080/guacamole/%23/
>
> http://example.com:8080/guacamole/#/&id_token=kjhkhjkj...

Can you provide your full Guacamole logs? Is the system clock of your Guacamole server correct? What values are you providing for the various OpenID configuration properties in guacamole.properties?

If Keycloak is sending you back to Guacamole with an ID token, and Guacamole is sending you back to Keycloak to get a new token, this means that Guacamole is unable to verify the token provided by Keycloak. If the token appears to be invalid, Guacamole redirects you back to the IdP with the expectation that the token is just stale and you will be sent back with a valid token.

> I see in JIRA:
>
> https://issues.apache.org/jira/browse/GUACAMOLE-560
>
> So is it possible for it to work with Keycloak currently? Or is it broken
> for now?

It's not broken and should work. The JIRA issue you point to deals with adding support for the optional "state" request parameter that Okta's OpenID implementation requires. If Keycloak is sending you back to Guacamole with an ID token, then it has accepted the authentication request and verified your identity. If it required the "state" parameter, it would have rejected the request for authentication and would not have sent you back with a token.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>
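The reply above explains the loop as Guacamole failing to verify the ID token it receives and bouncing the browser back to the IdP. Before digging into full logs, the quickest way to see why a token is being rejected is to decode the `id_token` from the redirect fragment and check its claims against what Guacamole expects (issuer, audience/client ID, and expiry relative to the server's own clock). The helper below is an added example, not code from this thread or from the Guacamole project. It deliberately does not verify the signature (Guacamole does that against the IdP's JWKS endpoint); it only reports claim-level problems, which is where clock skew and misconfigured issuer/client ID show up. The issuer value `https://keycloakexample.com/auth/realms/demo` is an assumption derived from the authorization endpoint quoted in the question, and the token, timestamps and placeholder signature are constructed for the example.

```python
import base64
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt_unverified(token: str):
    """Split a compact JWT into (header, claims) WITHOUT checking the signature.

    Diagnostic use only: the real verifier (Guacamole) checks the signature
    against the IdP's JWKS. Here we just want to read what the IdP put in.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_id_token_claims(token, expected_issuer, expected_client_id,
                          now=None, allowed_skew=0):
    """Return a list of reasons this ID token would fail standard OIDC checks.

    An empty list means the claims are acceptable for the given issuer,
    client ID and clock. Each entry is a candidate cause of the
    IdP <-> Guacamole redirect loop discussed in the thread.
    """
    now = int(time.time()) if now is None else int(now)
    problems = []
    header, claims = decode_jwt_unverified(token)

    # An unsigned token can never pass signature verification.
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg=none: unsigned token, will never verify")

    iss = claims.get("iss")
    if iss != expected_issuer:
        problems.append(f"issuer mismatch: token iss={iss!r}, expected {expected_issuer!r}")

    # 'aud' may be a string or a list; the relying party's client_id must be in it.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_client_id not in aud_list:
        problems.append(f"audience mismatch: aud={aud!r} does not contain {expected_client_id!r}")

    exp = claims.get("exp")
    if exp is None:
        problems.append("missing exp claim")
    elif now > exp + allowed_skew:
        problems.append(f"expired: exp={exp}, now={now} (allowed skew {allowed_skew}s)")

    # iat/nbf in the future usually means the relying party's clock is behind the IdP's.
    for name in ("iat", "nbf"):
        val = claims.get(name)
        if val is not None and val > now + allowed_skew:
            problems.append(f"{name}={val} is in the future relative to now={now}; check the server clock")

    if "nonce" not in claims:
        problems.append("missing nonce claim (implicit-flow ID tokens must carry the request nonce)")

    return problems


def make_test_token(claims, alg="RS256"):
    """Build a structurally valid but UNSIGNED token for offline testing.

    The signature segment is a placeholder (constructed); real Keycloak
    tokens are RS256-signed and would be checked against the realm's JWKS.
    """
    header = {"alg": alg, "typ": "JWT", "kid": "test-key"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


# Assumed issuer, derived from the authorization endpoint quoted in the question.
ISSUER = "https://keycloakexample.com/auth/realms/demo"
CLIENT_ID = "guacamole"
NOW = 1617350000  # constructed "current time" so the checks are deterministic

GOOD_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
               "exp": NOW + 300, "iat": NOW, "nonce": "n-1"}

if __name__ == "__main__":
    for label, claims in (("good", GOOD_CLAIMS),
                          ("expired", dict(GOOD_CLAIMS, exp=NOW - 3600)),
                          ("wrong-aud", dict(GOOD_CLAIMS, aud="other-client"))):
        print(label, check_id_token_claims(make_test_token(claims), ISSUER, CLIENT_ID, now=NOW))
```

To use it on a real loop, paste the `id_token` value from the `http://example.com:8080/guacamole/#/&id_token=...` fragment into `check_id_token_claims` with the issuer and client ID you configured in guacamole.properties and the current time of the Guacamole host (not your workstation). An `iat` in the future or an `exp` already past while Keycloak just issued the token points at the clock-skew question raised in the reply; an issuer or audience mismatch points at the property values.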
