Hello,

Thanks for the help 😊

The problem actually was the Cloudflare proxy 🤔 I have now disabled it and authentication works fine with Keycloak 20.0.3.

-Timo

From: Michael Jumper <[email protected]>
Sent: Monday, 16 January 2023 21.50
To: [email protected]
Subject: Re: [*EXT*] auth-openid (1.4.0) not working with latest Keycloak server

The "Non 200 status code (403 Forbidden) returned from https://id.xxxxxxx.com/realms/master/protocol/openid-connect/certs" portion of the error suggests to me that there is something wrong with the JWKS endpoint URL. It doesn't appear that the OpenID support is doing anything wrong, but rather that the IdP is returning a "403 Forbidden" response when Guacamole reaches out to the IdP's JWKS endpoint.

- Mike

On Mon, Jan 16, 2023 at 10:29 AM Ionel GARDAIS <[email protected]> wrote:

Well, Keycloak 20.0.3 is working fine with auth-openid 1.4.0 for me.

--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

________________________________
From: "Ionel GARDAIS" <[email protected]>
To: "user" <[email protected]>
Sent: Monday, 16 January 2023 19:15:03
Subject: Re: [*EXT*] auth-openid (1.4.0) not working with latest Keycloak server

Hi Timo,

Can you give Keycloak 20.0.2 a try? auth-openid 1.4.0 is working fine for me with this release. This would indicate whether it's a 20.0.3 issue or an issue with the auth-openid plugin.

--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

________________________________
From: "Timo Nisula" <[email protected]>
To: "user" <[email protected]>
Sent: Monday, 16 January 2023 18:01:57
Subject: [*EXT*] auth-openid (1.4.0) not working with latest Keycloak server

Hi,

I tried to change auth-openid to use a new Keycloak server but it doesn't work. The old Keycloak server is version 17.0.0 and it works, but when I try to use the new Keycloak server (latest 20.0.3 version) I get an authentication loop.

The Guacamole server log shows the following:

16:28:13.882 [http-nio-8080-exec-10] INFO o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "LaAKcXQe35CMuemrPU3S3IrkTYh6DqKpF3fmx6kJJdE"} due to an unexpected exception (java.io.IOException: Non 200 status code (403 Forbidden) returned from https://id.xxxxxxx.com/realms/master/protocol/openid-connect/certs) while obtaining or using keys from JWKS endpoint at https://id.xxxxxx.com/realms/master/protocol/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "LaAKcXQe35CMuemrPU3S3IrkTYh6DqKpF3fmx6kJJdE"}->eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJMYUFLY1hRZTM1Q011ZW1yUFUzUzNJcmtUWWg2RHFLcEYzZm14NmtKSmRFIn0.[...].FWmnWHfjxNuLH9aSv4W2oOHiqKYEmczIFA-qw8RioWoSHUZa1mMfMXAaA3VbbeyyXXHzjk-PiItO6V01_F4Y2zbpJCoOl5vN8Si0a80P8mtOPDCel5PoDpqEQU_loF89v4n-V8aoWtEnW6HygW_TePs9qLmMqhtzdt9v4Onytq2An6B6etfvnkGi37cD69z-6nnsPsRs7W9j-tinUKxRq8GZJh15LNmaCHgkZYB9OpDXARY2tbJnc9f3k8StHm6G33HJRv0bPAZGz5p-WbF1Z7Ep2Ts1DGVVVXvsrCT9ho8JTAsBN_7TRps3F5p3HntwA1psfktIHWQ8kGHWgkul5g]

What could be the problem?

-Timo
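The failure in this thread (a proxy in front of the IdP answering 403 on the JWKS endpoint) can be told apart from a genuinely missing signing key with the check below. It is an added example, not part of the original thread and not Guacamole or jose4j code; `diagnose`, `http_get`, `jws_header` and the injectable `fetch` parameter are hypothetical names, and it should be run from the same host as Guacamole so the request takes the same network path.

```python
import base64
import json
import urllib.error
import urllib.request


def jws_header(token):
    """Decode the (unverified) JOSE header: the first dot-separated segment."""
    seg = token.split(".")[0]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def http_get(url):
    """Return (status, body) instead of raising on 4xx/5xx responses."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def diagnose(token, jwks_url, fetch=http_get):
    """Classify why a verifier could not resolve the token's signing key."""
    kid = jws_header(token).get("kid")
    status, body = fetch(jwks_url)
    if status != 200:
        # The case in this thread: the key set never reached the verifier.
        return f"JWKS fetch failed: HTTP {status} (check proxy/WAF in front of IdP)"
    try:
        keys = json.loads(body).get("keys", [])
    except (ValueError, AttributeError):
        # e.g. an HTML challenge page served with status 200
        return "JWKS endpoint returned 200 but not a JSON key set"
    kids = [k.get("kid") for k in keys if k.get("use", "sig") == "sig"]
    if kid not in kids:
        return f"kid {kid!r} not in JWKS (published: {kids})"
    return f"ok: kid {kid!r} is published"


if __name__ == "__main__":
    import sys
    # usage: python check_jwks.py <id_token> <jwks_url>
    print(diagnose(sys.argv[1], sys.argv[2]))
```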
