Hi

Can anyone else confirm this behaviour: when having OIDC SSO set up and TOTP, the user is prompted for TOTP after completing SSO. That SSO user though does not actually have TOTP set up at guacamole, because it's an OIDC user, so authentication fails.

While I could deactivate TOTP, and OIDC would work, I don't wanna leave guacamole-protected accounts without TOTP.

- Tobias

Sent with [Proton Mail](https://pr.tn/ref/BTTM5JG4EZEG) secure email.

On Tuesday, June 24th, 2025 at 23:03, newslet...@tobiasmeier.dev.INVALID <newslet...@tobiasmeier.dev.INVALID> wrote:

> Hi Michael,
>
> Thanks for joining in, I just took another long session on this and finally found a fix, seems like the guacamole headers grew possibly at some point, after adding the following options to my authentik reverse-proxy config:
>
> ```
> proxy_buffer_size 16k;
> proxy_buffers 8 16k;
> ```
>
> Now I noticed another problem, on 1.5.5 Nick told me in this report:
> https://www.mail-archive.com/user@guacamole.apache.org/msg13233.html
> that when using SSO there won't be an additional 2FA prompt, though it still appears, now since we have guacamole 1.6.0, am I missing any config, looking at the docs, I can't seem to directly find anything.
>
> - Tobias
>
> Sent with [Proton Mail](https://pr.tn/ref/BTTM5JG4EZEG) secure email.
>
> On Tuesday, June 24th, 2025 at 20:07, Michael Jumper <mjum...@apache.org> wrote:
>
>> On June 24, 2025 5:35:51 AM PDT, newslet...@tobiasmeier.dev.INVALID wrote:
>>
>>> Hi
>>>
>>> I did an upgrade, and yes I fully replaced and rebuilt the guacamole server and also ensured the client is rebuilt.
>>>
>>> Awesome, yes the problem with the loop in multi connect is solved by hard refresh, thanks!
>>>
>>> Though I can't say that about the SSO problem, any ideas there?
>>>
>>> - Tobias
>>>
>>> Sent with [Proton Mail](https://pr.tn/ref/BTTM5JG4EZEG) secure email.
>>>
>>> On Tuesday, June 24th, 2025 at 12:35, Vincent Sherwood <vince...@itsolutions.ie.INVALID> wrote:
>>>
>>>> Just checking. Did you do a completely clean install?
>>>>
>>>> I upgraded a server yesterday and started to get RDP reconnect loops that I had never experienced before. After some troubleshooting I realised I hadn't restarted guacd - so did a full clear out and restart.
>>>>
>>>> Rename the guacamole.war file to guacamole.war.1.6 in the tomcat webapps directory and wait for tomcat to undeploy it (the guacamole folder will disappear)
>>>> stop guacd
>>>> stop tomcat
>>>> restart guacd
>>>> restart tomcat
>>>> rename the war file back to guacamole.war so tomcat re-deploys it again
>>>> Hard reload the guacamole site in the browser (Ctrl-F5)
>>>>
>>>> ---------------------------------------------------------------
>>>>
>>>> From: newslet...@tobiasmeier.dev.INVALID <newslet...@tobiasmeier.dev.INVALID>
>>>> Sent: Tuesday 24 June 2025 10:09
>>>> To: user@guacamole.apache.org <user@guacamole.apache.org>
>>>> Subject: Re: Guacamole Crash 1.6.0 multi-connect and SSO
>>>>
>>>> Hi
>>>> Here I add the debug log from the SSO process from the guacamole side:
>>>>
>>>> https://pastebin.com/LMVf9Ejx
>>>>
>>>> From the authentik side there are no errors:
>>>>
>>>> - Tobias
>>>>
>>>> Sent with [Proton Mail](https://pr.tn/ref/BTTM5JG4EZEG) secure email.
>>>>
>>>> On Tuesday, June 24th, 2025 at 10:28, newslet...@tobiasmeier.dev.INVALID <newslet...@tobiasmeier.dev.INVALID> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> Since upgrading to 1.6.0 multi-connection SSH seems to be broken, as soon as I add a second SSH connection, this appears (attachment)
>>>>>
>>>>> Here the debug log:
>>>>> https://pastebin.com/iGcXZRmE
>>>>>
>>>>> After that it just loops left/right connection infinitely, my internet is definitely stable enough.
>>>>>
>>>>> Second Problem:
>>>>> OIDC Connection, previously OpenID worked fine, I updated the extension to 1.6.0 and didn't touch my variables, they are currently like this, now it does not work anymore.
>>>>>
>>>>> ```
>>>>> openid-authorization-endpoint: https://auth.mydomain.dev/application/o/authorize/
>>>>> openid-client-id: XXXXX
>>>>> openid-issuer: https://auth.mydomain.dev/application/o/guacamole/
>>>>> openid-jwks-endpoint: https://auth.mydomain.dev/application/o/guacamole/jwks/
>>>>> openid-redirect-uri: https://guac.mydomain.dev/guacamole
>>>>> openid-scope: openid email profile
>>>>> openid-username-claim-type: preferred_username
>>>>> extension-priority: *, openid
>>>>> ```
>>>>>
>>>>> I get a 502 on the authentik side, normally I'd say this is an authentik issue, but since SSO worked before the upgrade and I didn't touch the authentik side nor the guacamole side of SSO other than updating, I think this is rather on guacamole?
>>>>>
>>>>> (Second Attachment)
>>>>>
>>>>> - Tobias
>>>>>
>>>>> Sent with [Proton Mail](https://pr.tn/ref/BTTM5JG4EZEG) secure email.
>>>>
>>>> IT Solutions Email Disclaimer - This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of IT Solutions Ltd. If you have received this e-mail in error please notify the sender by return. For further information on IT Solutions visit https://www.itsolutions.ie
>>
>> It's possible that there is something different about what Guacamole is doing that contributes to the error you're receiving from Authentik, but given that it's Authentik throwing the error, I think you'll need to look at Authentik's logs to determine why it's failing.
>>
>> If there are no errors from Authentik at all despite the 502, that's suspicious.
>>
>> I'm not too surprised that there are no failures noted on the Guacamole side, since the failure is occurring within Authentik before the user is redirected back. The only steps taken by Guacamole for the in-progress authentication attempt (redirect the user to the IdP) succeeded.
>>
>> - Mike
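The fix Tobias found in the quoted thread (raising nginx's `proxy_buffer_size` to 16k in front of authentik) matches the mechanism behind a 502 with no application-side error: nginx must hold the entire upstream status line and header block in `proxy_buffer_size` while reading the reply, and when an IdP's post-login redirect carries a large session cookie that block can exceed the default of one memory page (4k on most builds), which nginx logs as `upstream sent too big header while reading response header from upstream`. The script below is an added example, not code from the thread, from Guacamole or from authentik; it measures a raw HTTP response head against a given buffer size and reports which headers dominate. The sample response, the `sso_session` cookie name and the `guac.example.invalid` host are constructed for the illustration.

```python
# Added example: estimate whether an upstream HTTP response head fits inside
# nginx's proxy_buffer_size. Constructed sample data; no real tokens involved.
from typing import List, Tuple

NGINX_DEFAULT_PROXY_BUFFER_SIZE = 4 * 1024   # one memory page: 4k on most builds, 8k on some
THREAD_PROXY_BUFFER_SIZE = 16 * 1024         # "proxy_buffer_size 16k;" as used in the thread


def header_block(raw: bytes) -> bytes:
    """Return the status line plus all headers, including the blank line that ends them.

    nginx keeps this whole block in proxy_buffer_size while reading the upstream
    reply; the body is streamed separately through proxy_buffers.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers marker")
    return head + sep


def header_sizes(raw: bytes) -> List[Tuple[str, int]]:
    """Per-header byte counts (name, value and CRLF), largest first."""
    lines = header_block(raw).split(b"\r\n")
    sizes = []
    for line in lines[1:]:              # lines[0] is the status line
        if not line:                    # trailing empty pieces from the blank line
            continue
        name, _, _value = line.partition(b":")
        sizes.append((name.strip().decode("ascii", "replace"), len(line) + 2))
    return sorted(sizes, key=lambda item: item[1], reverse=True)


def fits_in_buffer(raw: bytes, buffer_size: int) -> bool:
    """True if nginx could read this response head with the given proxy_buffer_size."""
    return len(header_block(raw)) <= buffer_size


def build_sample_response(token_length: int) -> bytes:
    """Construct a post-login redirect like an IdP behind a reverse proxy might send.

    The oversized Set-Cookie stands in for a session token; token_length is the knob.
    (Hypothetical cookie name and host; constructed for this example.)
    """
    token = b"A" * token_length        # constructed opaque value, not a real secret
    return (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: https://guac.example.invalid/guacamole/\r\n"
        b"Set-Cookie: sso_session=" + token + b"; Path=/; Secure; HttpOnly\r\n"
        b"Content-Length: 0\r\n"
        b"\r\n"
    )


if __name__ == "__main__":
    response = build_sample_response(6000)
    print(f"header block: {len(header_block(response))} bytes")
    print(f"fits default 4k buffer: {fits_in_buffer(response, NGINX_DEFAULT_PROXY_BUFFER_SIZE)}")
    print(f"fits 16k buffer:        {fits_in_buffer(response, THREAD_PROXY_BUFFER_SIZE)}")
    for name, size in header_sizes(response)[:3]:
        print(f"  {name}: {size} bytes")
```

To apply this to a live setup, capture the upstream reply head (for example from the IdP's own access log or a packet capture on the proxy-to-upstream hop) and feed the raw bytes to `fits_in_buffer` with the `proxy_buffer_size` actually configured; a result of `False` against the configured size, together with the nginx error line quoted above, is the signature to look for before changing buffer sizes, and `header_sizes` shows whether a cookie or a redirect URL is the part that grew.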