Thanks for pointing to the Guacamole logs. It looks like I have to figure out why Microsoft is sending me a whole webpage:
20:06:52.033 [http-nio-8080-exec-1] DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Invalid login.
20:06:53.075 [http-nio-8080-exec-8] DEBUG org.jose4j.jwk.HttpsJwks - Refreshing/loading JWKS from https://login.microsoftonline.com/<account uuid>/oauth2/token
20:06:53.075 [http-nio-8080-exec-8] DEBUG org.jose4j.http.Get - HTTP GET of https://login.microsoftonline.com/<account uuid>/oauth2/token
20:06:53.194 [http-nio-8080-exec-8] DEBUG org.jose4j.http.Get - read 160097 characters
20:06:53.195 [http-nio-8080-exec-8] DEBUG org.jose4j.http.Get - HTTP GET of https://login.microsoftonline.com/<account uuid>/oauth2/token returned SimpleResponse{statusCode=200, statusMessage='OK', headers={null=[HTTP/1.1 200 OK], date=[Wed, 17 Aug 2022 20:06:53 GMT], content-length=[160109], expires=[-1], x-ms-ests-server=[2.1.13481.9 - NCUS ProdSlices], link=[https://aadcdn.msftauth.net; rel=dns-prefetch, https://aadcdn.msauth.net; rel=dns-prefetch, https://aadcdn.msauth.net; rel=preconnect; crossorigin], p3p=[CP="redacted"], pragma=[no-cache], strict-transport-security=[max-age=31536000; includeSubDomains], set-cookie=[stsservicecookie=redacted; path=/; secure; samesite=none; httponly, x-ms-gateway-slice=redacted; path=/; secure; samesite=none; httponly, esctx=redacted; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None, fpc=redacted; expires=Fri, 16-Sep-2022 20:06:53 GMT; path=/; secure; HttpOnly; SameSite=None], x-content-type-options=[nosniff], x-xss-protection=[0], x-dns-prefetch-control=[on], content-type=[text/html; charset=utf-8], cache-control=[no-store, no-cache], x-ms-request-id=[redacted uuid]}, body=' <!-- Copyright (C) Microsoft Corporation. All rights reserved. --> <!DOCTYPE html> …

Is it me or should the body be a JSON string?
I redacted some pieces of information, but let me know if there are other parts of the logs I should put back in to help.

The error that I get after this is:

org.jose4j.lang.JoseException: Parsing error: org.jose4j.json.internal.json_simple.parser.ParseException: Unexpected character (<) at position 4.) while obtaining or using keys from JWKS endpoint at https

Does this look like an issue with the auth provider?

Thanks,
Hiram Amador

From: Michael Jumper <[email protected]>
Sent: Wednesday, August 17, 2022 7:51 PM
To: [email protected]
Subject: [EXTERNAL] Re: OpenID configuration with Azure AD stuck in loop

On Wed, Aug 17, 2022, 08:25 Hiram Amador <[email protected]> wrote:

> Hi,
>
> I set up guacamole under docker and I think I have Open ID set up so that guacamole can forward the authentication to Azure AD. I think there is something wrong with the reply to URL I am using. It feels like authentication is going through a loop. The OpenID documentation doesn't mention whether I'm supposed to send the auth to the guacamole home page or whether I should be setting very specific parameters to confirm authentication has succeeded.

What do you mean? If Guacamole is configured to use OpenID for auth, it's Guacamole that will confirm auth succeeded. When a user visits Guacamole, they'll be redirected to the IdP to authenticate, the IdP will redirect them back to Guacamole, and Guacamole will validate what it received from the IdP and allow the user in.

> The Audit logs in Azure AD tell me that authentication is succeeding. In fact, it looks like auth happens 9 times before Azure AD stops all the auths.
>
> Let me know if there is more information I should provide.

What do you see in the Guacamole logs when the loop occurs? There should be errors, warnings, etc. that describe why authentication is failing.

- Mike
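The failure in the log above, worked through offline as an added example (this is my code, not code from the thread, from Guacamole or from jose4j): the URL jose4j was told to load the JWKS from ends in /oauth2/token, the GET to it came back as text/html, and a JSON parser reading an HTML page stops at the first "<", which is exactly the "Unexpected character (<)" in the ParseException. The script below classifies constructed responses the same way (HTML page, real key set, JSON that is not a key set) and shows reading jwks_uri out of an OpenID discovery document instead of guessing the path. The tenant id, key material and discovery contents are placeholders I made up; the discovery path layout follows the Azure AD v2.0 format but must be confirmed against the tenant's own .well-known/openid-configuration, and the thread does not name the Guacamole property that holds the JWKS URL, so that is left out.

```python
import json

# Constructed sample responses (not captured from the thread's real tenant).
# 1. What the log above shows: a GET to the /oauth2/token URL answered with
#    an HTML sign-in page. Only the opening comment and doctype are reproduced.
HTML_LOGIN_PAGE = (
    " <!-- Copyright (C) Microsoft Corporation. All rights reserved. -->"
    " <!DOCTYPE html><html><head><title>Sign in</title></head><body></body></html>"
)

# 2. What a JWKS endpoint should return: a JSON object with a "keys" array.
#    The key material is a placeholder, not a real Azure AD signing key.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "example-kid-1",
         "n": "placeholder-modulus", "e": "AQAB"}
    ]
})

# 3. A minimal OpenID discovery document. The tenant id is a placeholder and
#    the paths are assumptions about the v2.0 layout; verify them against your
#    tenant's own .well-known/openid-configuration before relying on them.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
})


def classify_jwks_body(body: str, content_type: str = "") -> dict:
    """Say whether an HTTP response body is a usable JWKS document.

    "kind" is one of "jwks", "json-not-jwks", "html" or "not-json". For a parse
    failure the dict also carries the offending character and its offset, the
    same two facts jose4j puts into its ParseException message.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        bad = body[exc.pos] if exc.pos < len(body) else "<EOF>"
        kind = "html" if body.lstrip().startswith("<") else "not-json"
        return {"kind": kind, "ok": False, "position": exc.pos, "char": bad,
                "content_type": content_type}
    if not isinstance(doc, dict) or not isinstance(doc.get("keys"), list):
        # Valid JSON but not a key set, e.g. an OAuth error object.
        return {"kind": "json-not-jwks", "ok": False, "content_type": content_type}
    return {"kind": "jwks", "ok": True,
            "kids": [k.get("kid") for k in doc["keys"]],
            "content_type": content_type}


def jwks_uri_from_discovery(discovery_body: str) -> str:
    """Read jwks_uri from an OpenID discovery document instead of guessing it."""
    return json.loads(discovery_body)["jwks_uri"]


def endpoint_mismatch(configured_jwks_url: str, discovery_body: str) -> dict:
    """Compare the JWKS URL a relying party was configured with against the IdP's own."""
    doc = json.loads(discovery_body)
    expected = doc["jwks_uri"].rstrip("/")
    conf = configured_jwks_url.rstrip("/")
    result = {"configured": conf, "expected": expected, "matches": conf == expected}
    # Flag the specific mistake in the thread: pointing JWKS at a token endpoint.
    if conf == doc.get("token_endpoint", "").rstrip("/") or conf.endswith("/oauth2/token"):
        result["note"] = "configured URL is the OAuth token endpoint, not a key set"
    return result


if __name__ == "__main__":
    wrong_url = f"https://login.microsoftonline.com/{TENANT}/oauth2/token"
    print(classify_jwks_body(HTML_LOGIN_PAGE, "text/html; charset=utf-8"))
    print(classify_jwks_body(SAMPLE_JWKS, "application/json"))
    print(classify_jwks_body('{"error": "invalid_request"}', "application/json"))
    print(endpoint_mismatch(wrong_url, SAMPLE_DISCOVERY))
    print("use instead:", jwks_uri_from_discovery(SAMPLE_DISCOVERY))
```

Running it against the HTML sample reports kind "html" with the "<" at offset 1 (the log's offset 4 just reflects more leading whitespace in the real body), while the constructed key set is accepted and its kid listed. The useful check when a JWKS fetch fails is therefore not the JSON parser's message but the content-type of the response and whether the configured URL equals the jwks_uri the IdP publishes.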
