Posted to user@guacamole.apache.org by Макаров Андрей <un...@yandex.ru> on 2020/02/04 12:48:12 UTC

TOTP + OpenID do not work

I configured the following auth scheme: OpenID + DB auth (postgres). It worked fine; after that I enabled TOTP, and now I cannot log in to Guacamole. Nothing happens after entering the TOTP code, except that the TOTP code entry page appears again and again.
Does it not work by design? Or maybe I made some misconfiguration?

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: TOTP + OpenID do not work

Posted by Mike Jumper <mj...@apache.org>.
On Tue, Feb 4, 2020 at 4:48 AM Макаров Андрей <un...@yandex.ru> wrote:
>
> I configured the following auth scheme: OpenID + DB auth (postgres). It worked fine; after that I enabled TOTP, and now I cannot log in to Guacamole. Nothing happens after entering the TOTP code, except that the TOTP code entry page appears again and again.
> Does it not work by design? Or maybe I made some misconfiguration?
>

My guess would be that the OpenID support as currently designed is not
compatible with TOTP. The TOTP extension works by vetoing the auth
result of the other extensions, requesting additional credentials.
Once those credentials (the TOTP code) are supplied, the full set of
credentials is resubmitted and revalidated ... but at that point, the
OpenID token, nonce, etc. would no longer be valid.

The OpenID support likely needs to be modified to allow for MFA configurations.

- Mike
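
A toy model of the veto-and-resubmit flow described in the reply above, added here as an illustration and not taken from the thread or from Guacamole's code; the class names, result strings and fixed TOTP code are assumptions. It shows a replayable credential surviving the second validation pass while a single-use token does not.

```python
import secrets

class PasswordProvider:
    """Replayable credential: validates the same way on every submission."""
    def __init__(self, users):
        self.users = users
    def validate(self, creds):
        user = creds.get("username")
        ok = user in self.users and secrets.compare_digest(
            self.users[user], creds.get("password", ""))
        return user if ok else None

class SingleUseTokenProvider:
    """Stand-in for an SSO token bound to a nonce that may be used once."""
    def __init__(self):
        self._unused = {}
    def issue(self, user):
        nonce = secrets.token_hex(8)
        self._unused[nonce] = user
        return nonce
    def validate(self, creds):
        # pop() consumes the nonce, so resubmitting the same token fails
        return self._unused.pop(creds.get("token"), None)

def authenticate(provider, totp_code, creds):
    user = provider.validate(creds)
    if user is None:
        return "PRIMARY_REJECTED"
    if "totp" not in creds:
        # second factor vetoes the primary result and asks for more credentials
        return "TOTP_REQUIRED"
    match = secrets.compare_digest(creds["totp"], totp_code)
    return "OK" if match else "TOTP_REQUIRED"

def login(provider, first_creds, totp_code="123456"):  # constructed TOTP code
    """Submit credentials, then resubmit the full set with the code added."""
    first = authenticate(provider, totp_code, first_creds)
    second = authenticate(provider, totp_code, {**first_creds, "totp": totp_code})
    return first, second

def demo():
    pw = PasswordProvider({"alice": "constructed-password"})  # constructed user
    sso = SingleUseTokenProvider()
    return (login(pw, {"username": "alice", "password": "constructed-password"}),
            login(sso, {"token": sso.issue("alice")}))

if __name__ == "__main__":
    print(demo())
```
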



Re: TOTP + OpenID do not work

Posted by uncletimmy3 <un...@yandex.ru>.
Using Burp, I added the username and password to the TOTP HTTP request, after
which Guacamole authorized me. It looks like a bug.


