On June 24, 2025 5:35:51 AM PDT, newslet...@tobiasmeier.dev.INVALID wrote: >Hi > >I did an upgrade, and yes I fully replaced and rebuild the guacamole server >and also ensured the client is rebuilt. > >Awesome, yes the problem with the loop in multi connect is solved by hard >refresh, thanks! > >Though I can't say that about the SSO problem, any ideas there? > >- Tobias > >Sent with [Proton Mail](https://pr.tn/ref/BTTM5JG4EZEG) secure email. > >On Tuesday, June 24th, 2025 at 12:35, Vincent Sherwood ><vince...@itsolutions.ie.INVALID> wrote: > >> Just checking. Did you do a completely clean install? >> >> I upgraded a server yesterday and started to get RDP reconnect loops that I >> had never experienced before. After some troubleshooting I realised I hadn't >> restarted guacd - so did a full clear out and restart. >> >> Rename the guacamole.war file to guacamole.war.1.6 in the tomcat webapps >> directory and wait for tomcat to undeploy it (the guacamole folder will >> disappear) >> stop guacd >> stop tomcat >> restart guacd >> restart tomcat >> rename the war file back to guacamole.war so tomcat re-deploys it again >> Hard reload the guacamole site in the browser (Ctrl-F5) >> >> --------------------------------------------------------------- >> >> From: newslet...@tobiasmeier.dev.INVALID <newslet...@tobiasmeier.dev.INVALID> >> Sent: Tuesday 24 June 2025 10:09 >> To: user@guacamole.apache.org <user@guacamole.apache.org> >> Subject: Re: Guacamole Crash 1.6.0 multi-connect and SSO >> >> Hi >> Here I add the debug log from SSO process from guacamole side: >> >> https://pastebin.com/LMVf9Ejx >> >> From authentik side there are no errors: >> >> - Tobias >> >> Sent with [Proton Mail](https://pr.tn/ref/BTTM5JG4EZEG) secure email. >> >> On Tuesday, June 24th, 2025 at 10:28, newslet...@tobiasmeier.dev.INVALID >> <newslet...@tobiasmeier.dev.INVALID> wrote: >> >>> Hi >>> >>> Since upgrading to 1.6.0 multi-connection SSH seems to be broken, as soon >>> as I add a second SSH connection, this appears (attatchment) >>> >>> Here the debug log: >>> https://pastebin.com/iGcXZRmE >>> >>> After then it just loops left/right conenction infinitely, my internet is >>> definitely enough stable. >>> >>> Second Problem: >>> OIDC Connection, previously OpenID worked fine, I updated the extension to >>> 1.6.0 and didn't touch my variables, they are currently like this, now it >>> does not work anymore. >>> >>> ``` >>> openid-authorization-endpoint: >>> https://auth.mydomain.dev/application/o/authorize/ >>> openid-client-id: XXXXX >>> openid-issuer: https://auth.mydomain.dev/application/o/guacamole/ >>> openid-jwks-endpoint: >>> https://auth.mydomain.dev/application/o/guacamole/jwks/ >>> openid-redirect-uri: https://guac.mydomain.dev/guacamole >>> openid-scope: openid email profile >>> openid-username-claim-type: preferred_username extension-priority: *, openid >>> ``` >>> >>> I get a 502 on authentik side, normally I'd say this is an authentik issue, >>> but since SSO worked before upgrade and I didn't touch authentik side nor >>> guacamole side of sso otherwise than updating, I think this is rather on >>> guacamole? >>> >>> (Second Attatchment) >>> >>> - Tobias >>> >>> Sent with [Proton Mail](https://pr.tn/ref/BTTM5JG4EZEG) secure email. >> >> IT Solutions Email Disclaimer - This e-mail and any files transmitted with >> it contain information which may be confidential and which may also be >> privileged and is intended solely for the use of the individual or entity to >> whom it is addressed. Unless you are the intended recipient you may not copy >> or use it, or disclose it to anyone else. Any opinions expressed are that of >> the individual and not necessarily that of IT Solutions Ltd. If you have >> received this e-mail in error please notify the sender by return. For >> further information on IT Solutions visit https://www.itsolutions.ie >> >> IT Solutions Email Disclaimer - The information contained in this email >> message, including any files transmitted with it, is confidential and may be >> legally privileged. >> >> This e-mail is intended only for the personal attention of the stated >> addressee(s). Any access to this email, including any files transmitted with >> it, by any other person is unauthorised. If you are not an addressee, you >> must not disclose, copy, circulate or in any other way use or rely on the >> accuracy or completeness of the information contained in this email or any >> files transmitted with it. >> >> If you have received this email in error, please inform the sender >> immediately and delete it and all copies from your system. You may not >> forward this email without the permission of the authorised sender. >> >> The views expressed in this email are those of the author, and do not >> necessarily represent the views of IT Solutions or its affiliates. Internet >> communications are not secure and IT Solutions cannot therefore accept legal >> responsibility for the contents of this message nor for any damage caused by >> viruses. This email has been scanned at the originating end. For further >> information on IT Solutions visit https://www.itsolutions.ie It's possible that there is something different about what Guacamole is doing that contributes to the error you're receiving from Authentik, but given that it's Authentik throwing the error, I think you'll need to look at Authentik's logs to determine why it's failing.
If there are no errors from Authentik at all despite the 502, that's suspicious. I'm not too surprised that there are no failures noted on the Guacamole side, since the failure is occurring within Authentik before the user is redirected back. The only steps taken by Guacamole for the in-progress authentication attempt (redirect the user to the IdP) succeeded. - Mike
