OpenID Connect openid-redirect-uri value

[sw6653 <sw...@groupw.com>]

Hello,

I'm trying to authenticate using Microsoft 365 and the Apache Guacamole
OpenID Connect extension. I am having trouble knowing what value to enter
for openid-redirect-uri. Modules for other applications have provided part
of this uri, for example a Django module instructed me to enter
/microsoft/auth-callback. So for testing I entered
https://localhost:8000/microsoft/auth-callback/ as the reply URL in the
Azure AD App registration setup.

Also the Azure AD App registration lets you enter multiple URIs. I usually
have 2, one for testing that contains localhost and one for the production
server address. Do I have to change this value in guacamole.properties when
I switch from testing to production? Or can it be a relative address?

Thanks,
-Stu



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org

Re: OpenID Connect openid-redirect-uri value

[Nick Couchman <vn...@apache.org>]

On Mon, Aug 17, 2020 at 2:13 PM sw6653 <sw...@groupw.com> wrote:

> Thanks Nick,
>
> I'm using a docker environment. I have a container running an nginx proxy
> to
> handle the SSL connections and containers for guacamole, guacd and mysql.
> The nginx server will proxy pass location / to
> http://guacamole:8080/guacamole. With this setup I reach the guacamole
> login
> page during testing by entering https://localhost/ in the browser. Can you
> please confirm that I should enter https://localhost/ for
> openid-redirect-uri?
>
>
You might be able to use that value, but I can see two potential issues:
1) This will only work on your local computer - any attempt to access it
remotely would fail.
2) I'm not sure that Office365 would actually let you use https://localhost
as a valid redirect URL - it seems like this might have some security
implications and might be something they'd disallow.

You can give it a try, but you're probably better off using the actual
hostname of your computer and not localhost.

-Nick

Re: OpenID Connect openid-redirect-uri value

[sw6653 <sw...@groupw.com>]

Thanks Nick,

I'm using a docker environment. I have a container running an nginx proxy to
handle the SSL connections and containers for guacamole, guacd and mysql.
The nginx server will proxy pass location / to
http://guacamole:8080/guacamole. With this setup I reach the guacamole login
page during testing by entering https://localhost/ in the browser. Can you
please confirm that I should enter https://localhost/ for
openid-redirect-uri?

Thanks,
-Stu



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org

Re: OpenID Connect openid-redirect-uri value

[Nick Couchman <vn...@apache.org>]

On Mon, Aug 17, 2020 at 10:52 AM sw6653 <sw...@groupw.com> wrote:

> Hello,
>
> I'm trying to authenticate using Microsoft 365 and the Apache Guacamole
> OpenID Connect extension. I am having trouble knowing what value to enter
> for openid-redirect-uri. Modules for other applications have provided part
> of this uri, for example a Django module instructed me to enter
> /microsoft/auth-callback. So for testing I entered
> https://localhost:8000/microsoft/auth-callback/ as the reply URL in the
> Azure AD App registration setup.
>
>
From the manual

The URI that should be submitted to the OpenID service such that they can
redirect the authenticated user back to Guacamole after the authentication
process is complete. This must be the full URL that a user would enter into
their browser to access Guacamole.

(http://guacamole.apache.org/doc/gug/openid-auth.html)

So, this should be the URL of your Guacamole install.

-Nick