Hi,

I'm trying to set up Guacamole in Docker with OIDC authentication provided
by Authelia.
I've hit a problem: Guacamole is apparently not generating the state
parameter in the URL, to which Authelia responds with an error message:

    Authorization Request failed with error: The state is missing or does not
    have enough characters and is therefore considered too weak. Request
    parameter 'state' must be at least be 8 characters long to ensure
    sufficient entropy.

I am not sure if this is due to misconfiguration, but indeed, when
intercepted in the browser, the redirect URL generated by Guacamole looks like
this:
https://auth.mydomain.org/api/oidc/authorization?scope=openid+profile+groups+email&response_type=id_token&client_id=REDACTED&redirect_uri=https%3A%2F%2Fguac.mydomain.org%2F&nonce=dui8asvdnv3mghumfkk3fmpe8i



Which should be correct apart from the missing state parameter.
Is this expected behavior or is my configuration wrong? As far as I
understand, the OIDC implicit flow should contain the state parameter. This is
happening on both 1.5.5 and 1.6.0.

My docker config is below:


  guacamole:
    image: guacamole/guacamole:latest
    environment:
      - GUACD_HOSTNAME=guacd
      - MYSQL_HOSTNAME=mariadb
      - MYSQL_PORT=3306
      - MYSQL_DATABASE=${MYSQL_DATABASE}
      - MYSQL_USERNAME=${MYSQL_USER}
      - MYSQL_PASSWORD=REDACTED
      #- MYSQL_AUTO_CREATE_ACCOUNTS=true
      - REMOTE_IP_VALVE_ENABLED=true
      - OPENID_ENABLED=true
      - OPENID_CLIENT_ID=REDACTED
      - OPENID_SCOPE=openid profile groups email
      - OPENID_ISSUER=https://auth.${DOMAINNAME_2}
      - OPENID_JWKS_ENDPOINT=https://auth.${DOMAINNAME_2}/jwks.json
      - OPENID_AUTHORIZATION_ENDPOINT=https://auth.${DOMAINNAME_2}/api/oidc/authorization
      - OPENID_REDIRECT_URI=https://guac.${DOMAINNAME_2}/
      - OPENID_USERNAME_CLAIM_TYPE=preferred_username
      - OPENID_GROUPS_CLAIM_TYPE=groups
      - EXTENSION_PRIORITY=openid
      - WEBAPP_CONTEXT=ROOT
      - LOG_LEVEL=trace
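
A way to run the same check offline against a captured redirect URL, as an added example that is not part of the original message and not code from Guacamole or Authelia. The function name is hypothetical, and the 8-character minimum is taken from the error message quoted above.

```python
from urllib.parse import urlsplit, parse_qs

MIN_STATE_LEN = 8  # minimum quoted in the Authelia error message in this post

# Redirect URL copied from the message above (client_id is redacted there).
CAPTURED = (
    "https://auth.mydomain.org/api/oidc/authorization"
    "?scope=openid+profile+groups+email&response_type=id_token"
    "&client_id=REDACTED&redirect_uri=https%3A%2F%2Fguac.mydomain.org%2F"
    "&nonce=dui8asvdnv3mghumfkk3fmpe8i"
)

def check_authz_request(url, min_state_len=MIN_STATE_LEN):
    """Return a list of problems found in an OIDC authorization request URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    problems = []

    # A parameter sent twice is ambiguous and should be treated as an error.
    for name, values in params.items():
        if len(values) > 1:
            problems.append(f"{name}: sent more than once")

    def first(name):
        return params.get(name, [""])[0]

    for required in ("response_type", "client_id", "redirect_uri", "scope"):
        if not first(required):
            problems.append(f"{required}: missing")
    if first("scope") and "openid" not in first("scope").split():
        problems.append("scope: does not contain 'openid'")

    # OIDC Core requires a nonce whenever the ID token is returned
    # directly from the authorization endpoint (implicit and hybrid flows).
    if "id_token" in first("response_type").split() and not first("nonce"):
        problems.append("nonce: missing")

    state = first("state")
    if not state:
        problems.append("state: missing")
    elif len(state) < min_state_len:
        problems.append(
            f"state: {len(state)} characters, below minimum of {min_state_len}")
    return problems

if __name__ == "__main__":
    for problem in check_authz_request(CAPTURED):
        print(problem)
```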
