I'm trying to get my existing Guacamole installation working with OpenID.
I've got everything working correctly, but Guacamole is not requesting the
`groups` scope.

Here are the relevant environment variables from my docker-compose.yml:

```
    environment:
      - GUACD_HOSTNAME=${COMPOSE_PROJECT_NAME}-guacd-1
      - POSTGRESQL_HOSTNAME=${COMPOSE_PROJECT_NAME}-postgres-1
      - POSTGRESQL_DATABASE=postgres
      - POSTGRESQL_USER=postgres
      - POSTGRESQL_PASSWORD=postgres
      - POSTGRESQL_AUTO_CREATE_ACCOUNTS=true

      - OPENID_AUTHORIZATION_ENDPOINT=https://auth.${HOMELAB_BASE_DOMAIN}/api/oidc/authorization?state=1234abcedfdhf
      - OPENID_JWKS_ENDPOINT=https://auth.${HOMELAB_BASE_DOMAIN}/jwks.json
      - OPENID_ISSUER=https://auth.${HOMELAB_BASE_DOMAIN}
      - OPENID_CLIENT_ID=guacamole
      - OPENID_REDIRECT_URI=https://remote-desktop-gateway.${HOMELAB_BASE_DOMAIN}
      - OPENID_USERNAME_CLAIM_TYPE=preferred_username
      - OPENID_GROUPS_CLAIM_TYPE=groups
      - OPENID_SCOPE=openid profile groups email
```

You can see the last line is setting `OPENID_SCOPE`, however, the generated
`guacamole.properties` does not contain `openid-scope`:

```
guacamole@78282607ee6c:/opt/guacamole$ cat /home/guacamole/.guacamole/guacamole.properties
# guacamole.properties - generated Thu Feb  8 07:05:31 AM UTC 2024
guacd-hostname: remote-desktop-gateway-guacd-1
guacd-port: 4822
postgresql-username: postgres
postgresql-password: postgres
postgresql-database: postgres
postgresql-hostname: remote-desktop-gateway-postgres-1
postgresql-port: 5432
postgresql-auto-create-accounts: true
openid-authorization-endpoint: https://auth.example.com/api/oidc/authorization?state=1234abcedfdhf
openid-jwks-endpoint: https://auth.example.com/jwks.json
openid-issuer: https://auth.example.com
openid-client-id: guacamole
openid-redirect-uri: https://remote-desktop-gateway.example.com
openid-username-claim-type: preferred_username
openid-groups-claim-type: groups
```

If I do manually edit the URL of the page I'm logging in with to add
`email` to the `scope` query parameter, groups are properly detected when
logging in. Without this, OpenID is a little hamstrung.

- Mike Wyatt
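A quick way to see which compose settings never reached the generated file, as an added example that is not part of the original post or of the Guacamole project: it assumes the naming convention visible above (an `OPENID_FOO_BAR` variable becomes an `openid-foo-bar` property) and uses a constructed copy of the post's values with the domain variable expanded.

```python
# Constructed sample input, taken from the post with the domain variable expanded.
COMPOSE_ENV = """
GUACD_HOSTNAME=remote-desktop-gateway-guacd-1
POSTGRESQL_AUTO_CREATE_ACCOUNTS=true
OPENID_ISSUER=https://auth.example.com
OPENID_GROUPS_CLAIM_TYPE=groups
OPENID_SCOPE=openid profile groups email
"""
GENERATED_PROPERTIES = """
# guacamole.properties - generated Thu Feb  8 07:05:31 AM UTC 2024
guacd-hostname: remote-desktop-gateway-guacd-1
guacd-port: 4822
postgresql-auto-create-accounts: true
openid-issuer: https://auth.example.com
openid-groups-claim-type: groups
"""
PREFIXES = ("GUACD_", "POSTGRESQL_", "OPENID_")

def env_to_property(name):
    # Assumed naming convention, visible in the post: GUACD_HOSTNAME -> guacd-hostname
    return name.lower().replace("_", "-")

def parse_env(text):
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith(PREFIXES):
            env[key] = value
    return env

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition(":")
            if sep:
                props[key.strip()] = value.strip()
    return props

def find_dropped_settings(env_text, properties_text):
    """Map each env var to its property name and report the ones the generated
    file is missing or carries with a different value."""
    env, props = parse_env(env_text), parse_properties(properties_text)
    return {env_to_property(k): v for k, v in env.items()
            if props.get(env_to_property(k)) != v}

if __name__ == "__main__":
    for prop, value in find_dropped_settings(COMPOSE_ENV, GENERATED_PROPERTIES).items():
        print(f"not written to guacamole.properties: {prop} (expected {value!r})")
```

Run against the real container by piping `env` and the generated file into the two parsers; any `openid-*` entry it reports must be added to `guacamole.properties` by hand or via another supported mechanism.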
