Posted to user@guacamole.apache.org by "Zubizarreta Pikabea, Aitzol" <ai...@tecnalia.com> on 2023/04/22 16:28:14 UTC

Issue with Guacamole 1.5.0, OpenID and Totp

Good afternoon,

We have a Guacamole setup with the OpenID and TOTP extensions enabled. We are having issues with this setup as users authenticated via our OpenID Connect IdP (Duende 6) get the TOTP configuration prompt, but after successful authentication Guacamole rejects them with the error message 'Invalid session'.

The terminal logs this message: "[http-nio-8080-exec-6] INFO  o.a.g.a.o.t.TokenValidationService - Rejected OpenID token with invalid/old nonce."

The JWT token includes a nonce claim that is perfectly valid, but for some reason our setup is not working. If we disable the TOTP extension it works perfectly. The user can log in and access the published servers with no issues.

Can anybody help us with this issue?

Kind regards,

Re: Issue with Guacamole 1.5.0, OpenID and Totp

Posted by Michael Jumper <mj...@apache.org>.
Both TOTP and OpenID have anti-replay defenses built in that prevent the
same auth data from being submitted twice. This works great when either is
used independently, but when combined they conflict with each other. The
same occurs when TOTP is combined with SAML, as well as some other
combinations that involve the same kind of resubmission flow:

https://issues.apache.org/jira/browse/GUACAMOLE-1762

https://issues.apache.org/jira/browse/GUACAMOLE-1691

There is work underway to allow TOTP and the various SSO extensions to not
conflict.

- Mike
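To make the conflict described above concrete, here is an added simulation (constructed for this page, not Guacamole code; the class and function names, the test secret and the fixed clock are all hypothetical). It models the two single-use checks named in the reply: an OpenID Connect nonce store that accepts each nonce once, and a TOTP verifier that refuses to accept the same code twice. A naive login handler re-validates the ID token on every submission, so when the TOTP prompt makes the client resubmit the same token, the second submission trips the nonce check, which is the failure the thread reports. A second handler shows one general way such a flow can be staged so the two defenses do not collide; that design is illustrative only and is not the fix the Guacamole project is working on.

```python
"""Two anti-replay defenses colliding in a two-step login (constructed example)."""
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed test values so the run is reproducible; not from any real deployment.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"
NOW = 1_700_000_000


class NonceStore:
    """Single-use nonces, as an OpenID Connect relying party keeps them to block replay."""

    def __init__(self):
        self._pending = set()

    def issue(self):
        nonce = secrets.token_urlsafe(16)
        self._pending.add(nonce)
        return nonce

    def consume(self, nonce):
        """True the first time a nonce is presented, False for an unknown or reused one."""
        if nonce in self._pending:
            self._pending.discard(nonce)
            return True
        return False


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


class TotpVerifier:
    """Accepts a code valid for the current step, but never the same code twice."""

    def __init__(self, secret_b32):
        self.secret = secret_b32
        self._used = set()

    def verify(self, code, unix_time):
        if code != totp(self.secret, unix_time) or code in self._used:
            return False
        self._used.add(code)
        return True


def login_naive(request, nonces, verifier, totp_enabled):
    """Re-validates the ID token on every submission. The resubmission that carries
    the TOTP code therefore fails: its nonce was consumed by the first submission."""
    if not nonces.consume(request["id_token_nonce"]):
        return "Rejected OpenID token with invalid/old nonce"  # mirrors the log line in the thread
    if totp_enabled and "totp_code" not in request:
        return "TOTP_REQUIRED"
    if totp_enabled and not verifier.verify(request["totp_code"], request["now"]):
        return "Invalid TOTP code"
    return "LOGGED_IN"


def login_staged(request, nonces, verifier, totp_enabled, pending):
    """Validate the ID token once, park the result server-side under an opaque
    continuation id, and let the TOTP step complete that pending login instead of
    presenting the token again. Illustrative design only, not Guacamole's fix."""
    if "continuation" in request:
        user = pending.pop(request["continuation"], None)
        if user is None:
            return "Unknown or expired pending login"
    else:
        if not nonces.consume(request["id_token_nonce"]):
            return "Rejected OpenID token with invalid/old nonce"
        user = request["user"]
        if totp_enabled and "totp_code" not in request:
            cont = secrets.token_urlsafe(16)
            pending[cont] = user
            return ("TOTP_REQUIRED", cont)
    if totp_enabled and not verifier.verify(request["totp_code"], request["now"]):
        return "Invalid TOTP code"
    return "LOGGED_IN"


def run_scenario(totp_enabled, staged):
    """Drive one browser-style login and return the sequence of server responses."""
    nonces, verifier, pending = NonceStore(), TotpVerifier(SECRET_B32), {}
    nonce = nonces.issue()  # the RP put this nonce in its authorization request
    # The IdP returned an ID token carrying the nonce; the client posts it to the RP.
    first = {"user": "alice", "id_token_nonce": nonce, "now": NOW}
    r = (login_staged(first, nonces, verifier, totp_enabled, pending) if staged
         else login_naive(first, nonces, verifier, totp_enabled))
    responses = [r if isinstance(r, str) else r[0]]
    if responses[-1] != "TOTP_REQUIRED":
        return responses
    # TOTP prompt: the client fills in the code and submits again.
    second = dict(first, totp_code=totp(SECRET_B32, NOW))
    if staged:
        second["continuation"] = r[1]  # completes the pending login, no second nonce check
        responses.append(login_staged(second, nonces, verifier, totp_enabled, pending))
    else:
        responses.append(login_naive(second, nonces, verifier, totp_enabled))  # same token again
    return responses


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        print(flags, run_scenario(*flags))
```

Running it prints the three outcomes the thread describes: with TOTP disabled the naive handler logs the user in on the first submission; with TOTP enabled it answers TOTP_REQUIRED and then rejects the resubmitted token for its already-consumed nonce; the staged handler completes the TOTP step without touching the nonce store a second time.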
