Good afternoon Guac guys, I've got a Guacamole 1.5.5 Docker instance that has been killing me with TOTP + OIDC.

I've got OIDC set up with Google OAuth, a PostgreSQL database with the JDBC plugin so it can do TOTP, and the TOTP plugin. Essentially, I get stuck in an auth loop. When the preferred plugin is set to OIDC, I'll hit my server, it'll redirect to Google sign-in, I sign in successfully and the console logs:

"o.a.g.r.auth.AuthenticationService - User "[email protected]" successfully authenticated from [my.pub.lic.ip, 172.18.0.1]."

It then takes me to the "Multi-factor authentication has been enabled on your account. To complete the enrollment process, scan the barcode below with the two-factor authentication app" page. All TOTP values in guacamole.properties are stock, non-modified (provider Apache Guacamole, 6 digits, SHA1 algorithm, 30-second timeout). I scan the QR, it generates the code in my auth app (tried Authy and Google), I enter the code and the console logs:

"o.a.g.a.o.t.TokenValidationService - Rejected OpenID token with invalid/old nonce."

Guac then redirects me back to the OIDC Google sign-in, where it auto-completes because it remembers my Google account, and it logs:

"o.a.g.r.auth.AuthenticationService - User "[email protected]" successfully authenticated from [my.pub.lic.ip, 172.18.0.1]."

and takes me back to the TOTP setup page once again. This goes on into infinity.

If I take the preference off of OIDC and let it sign in with a database user, it works perfectly on the first try; the guacadmin account, for example, took the TOTP and ran with it, and still works, but none of my OIDC users can set this up or get past the TOTP screen. The trouble is that I *need* OIDC and 2FA post-OIDC; I can't use DB auth for my setup. I've set up my OIDC users in the "Users" section of Guacamole, so this shouldn't be a user-not-found issue, unless there's something weird with cross-checking the DB for OIDC users.

What this seems to do is successfully auth with OIDC, receive that callback and move forward, but once TOTP is auth'd, it then tries to re-auth with OIDC before moving forward, instead of it being the last step post-auth as a second auth layer; essentially it double-checks the first auth, by which point the nonce has already been used and is likely expired by the time it runs again. This is just conjecture though, as I don't *really* know why it's doing this.

I've got Guacamole and Postgres hosted in Docker on top of a Debian 11 layer with no firewall at this time for testing, all behind an NGINX reverse proxy with WebSocket support and all required headers from the Guac docs, using a Google-hosted domain (no Cloudflare, no proxy).

Please let me know if this is the right place to post a support matter; this is integral to a project we are working on and it's been several head-banging days of rebuilding and trying to figure out why TOTP won't work with OIDC OAuth. Also let me know if more information will be necessary to come to a resolution; I'll pull whatever logs are necessary and post whatever configs. Thank you very much, and I hope to hear back soon.

-JS
