Posted to user@guacamole.apache.org by Yang Yang <yy...@icloud.com> on 2019/05/29 13:01:44 UTC

Looping with Guacamole+Keycloak

Hello,


I am playing with Guacamole 1.0.0 and Keycloak 6.0.1. Following the configuration Justin posted in this thread http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/OpenID-KeyCloak-td5345.html, I ran into the same problem; can someone help?

When accessing Guacamole, I will be redirected to Keycloak login page, and then will be in a loop after typing in valid username/password.  Attached are two images presenting two HTTP requests captured from a typical loop.



Thanks,
Yang

Re: Looping with Guacamole+Keycloak

Posted by Justin Gauthier <ju...@justin-tech.com>.
That’s awesome, you should add a PR for this to the Guacamole GitHub so it can be reviewed and hopefully merged into the next release.

Regards,

Justin

________________________________
From: Yang Yang <yy...@icloud.com>
Sent: Thursday, May 30, 2019 2:09:30 AM
To: user@guacamole.apache.org
Cc: mjumper@apache.org; Justin Gauthier; Kevin Martin
Subject: Re: Looping with Guacamole+Keycloak

Hello,

I solved this issue by making a small change to two files for the openid extension and rebuilding it:
~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js
~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/target/classes/config/openidConfig.js

/**
 * Config block which augments the existing routing, providing special handling
 * for the "id_token=" fragments provided by OpenID Connect.
 */
angular.module('index').config(['$routeProvider',
        function indexRouteConfig($routeProvider) {

    // Transform "/#/id_token=..." to "/#/?id_token=…"
--    $routeProvider.when('/id_token=:response', {
++  $routeProvider.when(‘/&id_token=:response', {

        template   : '',
        controller : ['$location', function reroute($location) {
            var params = $location.path().substring(1);
            $location.url('/');
            $location.search(params);
        }]

    });

}]);


On May 29, 2019, at 21:01, Yang Yang <yy...@icloud.com> wrote:

Hello,


I am playing with Guacamole 1.0.0 and Keycloak 6.0.1. Following the configuration Justin posted in this thread http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/OpenID-KeyCloak-td5345.html, I ran into the same problem; can someone help?

When accessing Guacamole, I will be redirected to Keycloak login page, and then will be in a loop after typing in valid username/password.  Attached are two images presenting two HTTP requests captured from a typical loop.

<image-1.png><image-2.png>

Thanks,
Yang


Re: Looping with Guacamole+Keycloak

Posted by Mike Jumper <mj...@apache.org>.
On Thu, May 30, 2019 at 7:35 PM Yang Yang <yy...@icloud.com> wrote:

> Hi Mike,
>
> I just tested the recent change you proposed with
> guacOpenIDTransformToken(), and can confirm that it works well in my case,
> with “Exclude Session State From Authentication Response” in Keycloak
> setting ON or OFF.
>
> Do you think it is a good idea to report this issue to Keycloak team?
>

If you can confirm that the URL that Keycloak initially redirects to is
incorrect, using "&" instead of "?", and that this isn't just due to some
shuffling of the URL that happens on the Guacamole side after redirecting,
then yes. If things now work regardless of the setting, I'm not sure that's
the case.

> I am not sure whether it is really the case. And, if the Keycloak team adds
> the “?” as I thought, do we still need guacOpenIDTransformToken()?
>

Not sure. I would think that "relocateParameters.js" would handle things,
but that has been there since 0.9.13-incubating:

https://github.com/apache/guacamole-client/blob/1.0.0/guacamole/src/main/webapp/relocateParameters.js

> The logout issue is still there.
>

Single logout is entirely different and not yet implemented.

https://issues.apache.org/jira/browse/GUACAMOLE-519

- Mike
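Mike's reply above points at GUACAMOLE-519 for single logout. As an added example that is not Guacamole's code, and not the Keycloak team's, this is what an OpenID Connect RP-initiated logout looks like for a relying party, plus a small model of why skipping that step produces the "logged straight back in" behaviour Yang reports. The discovery document, hostnames and user names are constructed; the parameter names (`id_token_hint`, `post_logout_redirect_uri`, `state`) are the ones from the OIDC RP-Initiated Logout specification. Note that Keycloak releases of the 6.x era accepted a non-standard `redirect_uri` parameter on their logout endpoint instead of `post_logout_redirect_uri`, so check the release you actually run.

```javascript
// Added example, not Guacamole code: what RP-initiated logout looks like for an
// OpenID Connect relying party, and a small model of why skipping it loops the
// user straight back in. Endpoints, hostnames and users are constructed.

// Constructed discovery document, the shape returned by
// GET <issuer>/.well-known/openid-configuration.
const SAMPLE_DISCOVERY = {
  issuer: 'https://idp.example.com/auth/realms/guac',
  authorization_endpoint: 'https://idp.example.com/auth/realms/guac/protocol/openid-connect/auth',
  end_session_endpoint: 'https://idp.example.com/auth/realms/guac/protocol/openid-connect/logout',
};

// Build the OIDC RP-Initiated Logout URL: id_token_hint tells the provider which
// session to end, post_logout_redirect_uri is where to send the browser after,
// and state is echoed back so the RP can match the return to its own request.
// Throws when the provider does not advertise end_session_endpoint at all.
function buildEndSessionUrl(discovery, { idToken, postLogoutRedirectUri, state }) {
  if (typeof discovery.end_session_endpoint !== 'string') {
    throw new Error('provider advertises no end_session_endpoint; cannot end its session');
  }
  const url = new URL(discovery.end_session_endpoint);
  if (idToken) url.searchParams.set('id_token_hint', idToken);
  if (postLogoutRedirectUri) url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (state) url.searchParams.set('state', state);
  return url.toString();
}

// Model of the loop reported in the thread. The RP drops its own session and
// lands on its login page, which redirects to the provider; if the provider's
// session is still valid it answers with a new id_token without prompting, so
// the RP logs the user straight back in. Returns true if the user stayed out.
function simulateLogout(rp, idp, { endIdpSession }) {
  rp.session = null;
  if (endIdpSession) idp.session = null;                    // the RP-initiated logout step
  if (idp.session) rp.session = { user: idp.session.user }; // silent re-login from IdP session
  return rp.session === null;
}

// Usage (constructed state).
const demoRp = { session: { user: 'alice' } };
const demoIdp = { session: { user: 'alice' } };
console.log('stays logged out without ending the IdP session?',
  simulateLogout(demoRp, demoIdp, { endIdpSession: false }));
console.log(buildEndSessionUrl(SAMPLE_DISCOVERY, {
  idToken: 'a.b.c', postLogoutRedirectUri: 'https://guac.example.com/', state: 'n0nce',
}));
```

The model is deliberately tiny: the only thing that changes the outcome is whether the provider session is ended, which is exactly the piece Guacamole 1.0.0 does not do.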

Re: Looping with Guacamole+Keycloak

Posted by Yang Yang <yy...@icloud.com.INVALID>.
Hi Mike,

I just tested the recent change you proposed with guacOpenIDTransformToken(), and can confirm that it works well in my case, with “Exclude Session State From Authentication Response” in Keycloak setting ON or OFF.

Do you think it is a good idea to report this issue to the Keycloak team? I am not sure whether it is really the case. And, if the Keycloak team adds the “?” as I thought, do we still need guacOpenIDTransformToken()? 


The logout issue is still there.

Thanks,
Yang

> On May 31, 2019, at 09:53, Yang Yang <yy...@icloud.com> wrote:
> 
> Hi Mike and Nick,
> 
> Both of you are right. I just got a workaround for my initial case, not really a fix to the issue. And I met the looping issue again when turning off “Exclude Session State From Authentication Response” in the Keycloak settings, which results in “../#/&session_state=….&id_token=…” instead of “../#/&id_token=…”
> 
> From my understanding, this is actually a bug on the Keycloak side: it misses the “?” before parameters such as “id_token=…” or others such as “session_state=…”. The solution currently available (Transform "/#/id_token=..." to "/#/?id_token=…”) or the one I made only helps, in some very specific cases, the parameter “id_token=...” to be handled properly. 
> 
> By the way, another issue I found with Keycloak, or I believe with any other OpenID integration, is that users cannot log out from Guacamole. When a user logs out, they are directed to the login page and then redirected to Keycloak; however, as the login session on the Keycloak side is still there, the user is logged in again.
> 
> 
> Sorry that I have very limited programming knowledge, have never used Java or JavaScript before, and could not help more…
> 
> Thanks,
> Yang
> 
>> On May 31, 2019, at 07:58, Mike Jumper <mjumper@apache.org> wrote:
>> 
>> On Thu, May 30, 2019 at 4:34 PM Nick Couchman <vnick@apache.org> wrote:
>> On Thu, May 30, 2019 at 02:09 Yang Yang <yy8402@icloud.com.invalid> wrote:
>> Hello,
>> 
>> I solved this issue by making a small change to two files for the openid extension and rebuilding it:
>> ~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js
>> ~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/target/classes/config/openidConfig.js
>> 
>> /**
>>  * Config block which augments the existing routing, providing special handling
>>  * for the "id_token=" fragments provided by OpenID Connect.
>>  */
>> angular.module('index').config(['$routeProvider',
>>         function indexRouteConfig($routeProvider) {
>> 
>>     // Transform "/#/id_token=..." to "/#/?id_token=…"
>> --    $routeProvider.when('/id_token=:response', {
>> ++  $routeProvider.when(‘/&id_token=:response', {
>> 
>> 
>> While this change fixes things for your use case, I suspect that it may break things for other instances of OpenID providers.  At the very least such a change would need to be thoroughly tested with multiple OpenID providers.
>> 
>> The above change to the regex would indeed break things for any IDP that places the id_token at the beginning of the string.
>> 
>> The fact that the id_token parameter will not always occur at the beginning of the parameter list was identified in an older thread:
>> 
>> https://lists.apache.org/thread.html/cc0a9300086c55e25d59d73d025d6e0be07b42cc8903f4de1c1b48a5@%3Cuser.guacamole.apache.org%3E
>> 
>> That thread resulted in the following proposed change, with the intent to open a JIRA issue and PR if it could be confirmed to solve the issue:
>> 
>> https://github.com/apache/guacamole-client/compare/master...mike-jumper:openid-token
>> 
>> That confirmation never came. If the above could be confirmed, I would suggest moving forward with the changes I proposed in that older thread. They are intended to handle the id_token parameter regardless of where it's located, not just at the beginning (current implementation) or anywhere BUT the beginning (the patch in this latest thread), however I'm not 100% sure the regex in my changes is correct, either.
>> 
>> - Mike
> 


Re: Looping with Guacamole+Keycloak

Posted by Yang Yang <yy...@icloud.com.INVALID>.
Hi Mike and Nick,

Both of you are right. I just got a workaround for my initial case, not really a fix to the issue. And I met the looping issue again when turning off “Exclude Session State From Authentication Response” in the Keycloak settings, which results in “../#/&session_state=….&id_token=…” instead of “../#/&id_token=…”

From my understanding, this is actually a bug on the Keycloak side: it misses the “?” before parameters such as “id_token=…” or others such as “session_state=…”. The solution currently available (Transform "/#/id_token=..." to "/#/?id_token=…”) or the one I made only helps, in some very specific cases, the parameter “id_token=...” to be handled properly. 

By the way, another issue I found with Keycloak, or I believe with any other OpenID integration, is that users cannot log out from Guacamole. When a user logs out, they are directed to the login page and then redirected to Keycloak; however, as the login session on the Keycloak side is still there, the user is logged in again.


Sorry that I have very limited programming knowledge, have never used Java or JavaScript before, and could not help more…

Thanks,
Yang

> On May 31, 2019, at 07:58, Mike Jumper <mj...@apache.org> wrote:
> 
> On Thu, May 30, 2019 at 4:34 PM Nick Couchman <vnick@apache.org> wrote:
> On Thu, May 30, 2019 at 02:09 Yang Yang <yy...@icloud.com.invalid> wrote:
> Hello,
> 
> I solved this issue by making a small change to two files for the openid extension and rebuilding it:
> ~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js
> ~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/target/classes/config/openidConfig.js
> 
> /**
>  * Config block which augments the existing routing, providing special handling
>  * for the "id_token=" fragments provided by OpenID Connect.
>  */
> angular.module('index').config(['$routeProvider',
>         function indexRouteConfig($routeProvider) {
> 
>     // Transform "/#/id_token=..." to "/#/?id_token=…"
> --    $routeProvider.when('/id_token=:response', {
> ++  $routeProvider.when(‘/&id_token=:response', {
> 
> 
> While this change fixes things for your use case, I suspect that it may break things for other instances of OpenID providers.  At the very least such a change would need to be thoroughly tested with multiple OpenID providers.
> 
> The above change to the regex would indeed break things for any IDP that places the id_token at the beginning of the string.
> 
> The fact that the id_token parameter will not always occur at the beginning of the parameter list was identified in an older thread:
> 
> https://lists.apache.org/thread.html/cc0a9300086c55e25d59d73d025d6e0be07b42cc8903f4de1c1b48a5@%3Cuser.guacamole.apache.org%3E
> 
> That thread resulted in the following proposed change, with the intent to open a JIRA issue and PR if it could be confirmed to solve the issue:
> 
> https://github.com/apache/guacamole-client/compare/master...mike-jumper:openid-token
> 
> That confirmation never came. If the above could be confirmed, I would suggest moving forward with the changes I proposed in that older thread. They are intended to handle the id_token parameter regardless of where it's located, not just at the beginning (current implementation) or anywhere BUT the beginning (the patch in this latest thread), however I'm not 100% sure the regex in my changes is correct, either.
> 
> - Mike


Re: Looping with Guacamole+Keycloak

Posted by Mike Jumper <mj...@apache.org>.
On Thu, May 30, 2019 at 4:34 PM Nick Couchman <vn...@apache.org> wrote:

> On Thu, May 30, 2019 at 02:09 Yang Yang <yy...@icloud.com.invalid> wrote:
>
>> Hello,
>>
>> I solved this issue by making a small change to two files for the openid
>> extension and rebuilding it:
>>
>> ~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js
>>
>> ~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/target/classes/config/openidConfig.js
>>
>> /**
>>  * Config block which augments the existing routing, providing special
>> handling
>>  * for the "id_token=" fragments provided by OpenID Connect.
>>  */
>> angular.module('index').config(['$routeProvider',
>>         function indexRouteConfig($routeProvider) {
>>
>>     // Transform "/#/id_token=..." to "/#/?id_token=…"
>> --    $routeProvider.when('/id_token=:response', {
>> ++  $routeProvider.when(‘/&id_token=:response', {
>>
>
>
> While this change fixes things for your use case, I suspect that it may
> break things for other instances of OpenID providers.  At the very least
> such a change would need to be thoroughly tested with multiple OpenID
> providers.
>

The above change to the regex would indeed break things for any IDP that
places the id_token at the beginning of the string.

The fact that the id_token parameter will not always occur at the beginning
of the parameter list was identified in an older thread:

https://lists.apache.org/thread.html/cc0a9300086c55e25d59d73d025d6e0be07b42cc8903f4de1c1b48a5@%3Cuser.guacamole.apache.org%3E

That thread resulted in the following proposed change, with the intent to
open a JIRA issue and PR if it could be confirmed to solve the issue:

https://github.com/apache/guacamole-client/compare/master...mike-jumper:openid-token

That confirmation never came. If the above could be confirmed, I would
suggest moving forward with the changes I proposed in that older thread.
They are intended to handle the id_token parameter regardless of where it's
located, not just at the beginning (current implementation) or anywhere BUT
the beginning (the patch in this latest thread), however I'm not 100% sure
the regex in my changes is correct, either.

- Mike
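The position problem Mike describes above (id_token first, or preceded by `&session_state=...`, or prefixed with `&`) can be handled by parsing the whole fragment instead of matching a fixed prefix. The following is an added example, not Guacamole's `openidConfig.js`, `relocateParameters.js` or the openid-token branch; every sample fragment and the token value are constructed, and `rewriteFragmentForIdToken` is a hypothetical name for the rewrite step the thread's route handler performs.

```javascript
// Added example, not code from Guacamole or the openid-token branch: read the
// OpenID Connect implicit-flow response out of a URL fragment without assuming
// where "id_token" sits. Sample fragments and the token are constructed.

// Constructed sample token: three base64url segments, not a real signed JWT.
const SAMPLE_TOKEN = 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ5YW5nIn0.c2ln';

// Decode one component; a malformed escape (e.g. "%E0") yields null so the
// caller can drop the pair instead of letting URIError escape.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return null; }
}

// Parse "#/id_token=...", "#/&id_token=...", "#/&session_state=...&id_token=..."
// and "#/?id_token=..." into a null-prototype object (so a key such as
// "__proto__" cannot poison it). Empty pairs from a leading or doubled "&" are
// skipped; the first value wins if a key repeats.
function parseFragmentParams(hash) {
  let s = hash.startsWith('#') ? hash.slice(1) : hash;
  if (s.startsWith('/')) s = s.slice(1);   // AngularJS hashbang-style route prefix
  if (s.startsWith('?')) s = s.slice(1);   // already query-shaped
  const params = Object.create(null);
  for (const pair of s.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = safeDecode(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : safeDecode(pair.slice(eq + 1));
    if (key === null || value === null) continue;
    if (!(key in params)) params[key] = value;
  }
  return params;
}

// Hypothetical equivalent of the thread's route handler, keyed on the presence
// of id_token rather than on its position: rewrite the fragment to "#/?k=v&..."
// so a reader of $location.search() finds every parameter. Returns null when the
// fragment carries no id_token (nothing to relocate).
function rewriteFragmentForIdToken(hash) {
  const params = parseFragmentParams(hash);
  if (!('id_token' in params)) return null;
  const query = Object.keys(params)
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
    .join('&');
  return '#/?' + query;
}

// Shape check only: three non-empty base64url segments, which also rejects an
// unsigned "alg: none" token whose signature segment is empty. This does not
// validate signature, issuer, audience or expiry; the server side still has to
// verify the token against the provider's published keys.
function looksLikeJwt(token) {
  return /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/.test(token);
}

// Usage with the fragment shapes mentioned in the thread (constructed input).
for (const hash of [
  '#/id_token=' + SAMPLE_TOKEN,
  '#/&id_token=' + SAMPLE_TOKEN,
  '#/&session_state=abc123&id_token=' + SAMPLE_TOKEN,
  '#/?id_token=' + SAMPLE_TOKEN + '&session_state=abc123',
]) {
  console.log(hash.slice(0, 32) + '... ->', rewriteFragmentForIdToken(hash));
}
```

Whatever ends up consuming the relocated `id_token` must still treat it as untrusted input: the fragment is attacker-controllable, so the decisive check is the server-side signature and claim validation, not the client-side routing.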

Re: Looping with Guacamole+Keycloak

Posted by Nick Couchman <vn...@apache.org>.
On Thu, May 30, 2019 at 02:09 Yang Yang <yy...@icloud.com.invalid> wrote:

> Hello,
>
> I solved this issue by making a small change to two files for the openid
> extension and rebuilding it:
>
> ~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js
>
> ~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/target/classes/config/openidConfig.js
>
> /**
>  * Config block which augments the existing routing, providing special
> handling
>  * for the "id_token=" fragments provided by OpenID Connect.
>  */
> angular.module('index').config(['$routeProvider',
>         function indexRouteConfig($routeProvider) {
>
>     // Transform "/#/id_token=..." to "/#/?id_token=…"
> --    $routeProvider.when('/id_token=:response', {
> ++  $routeProvider.when(‘/&id_token=:response', {
>


While this change fixes things for your use case, I suspect that it may
break things for other instances of OpenID providers.  At the very least
such a change would need to be thoroughly tested with multiple OpenID
providers.

Can you provide an example of the initial response route before it gets
transformed by this code?

-Nick

Re: Looping with Guacamole+Keycloak

Posted by Yang Yang <yy...@icloud.com.INVALID>.
Hello,

I solved this issue by making a small change to two files for the openid extension and rebuilding it:
~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js
~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/target/classes/config/openidConfig.js

/**
 * Config block which augments the existing routing, providing special handling
 * for the "id_token=" fragments provided by OpenID Connect.
 */
angular.module('index').config(['$routeProvider',
        function indexRouteConfig($routeProvider) {

    // Transform "/#/id_token=..." to "/#/?id_token=…"
--    $routeProvider.when('/id_token=:response', {
++  $routeProvider.when(‘/&id_token=:response', {

        template   : '',
        controller : ['$location', function reroute($location) {
            var params = $location.path().substring(1);
            $location.url('/');
            $location.search(params);
        }]

    });

}]);
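Review bot: the `++` line's pattern `‘/&id_token=:response'` opens with a typographic left single quote (U+2018) and closes with an ASCII apostrophe, so the file as pasted will not parse; it needs matching ASCII quotes. The larger problem is that anchoring the route on `/&id_token=` only matches when an ampersand-prefixed id_token is the very first thing in the fragment: a provider that emits `/#/id_token=...` (what the removed `'/id_token=:response'` route handled) or `/#/&session_state=...&id_token=...` no longer matches, and the redirect loop comes back. A route that accepts the whole fragment and then locates `id_token` wherever it appears in the `&`-separated list, instead of a fixed prefix, would cover all three shapes. Two smaller points: editing `target/classes/config/openidConfig.js` is redundant, since a rebuild regenerates it from `src/main/resources`, so only the source copy needs the change; and because the fragment is attacker-controllable, the rewrite should stay a pure relocation with no trust placed in the token until the server side has validated it.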


> On May 29, 2019, at 21:01, Yang Yang <yy...@icloud.com> wrote:
> 
> Hello,
> 
> 
> I am playing with Guacamole 1.0.0 and Keycloak 6.0.1. Following the configuration Justin posted in this thread http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/OpenID-KeyCloak-td5345.html, I ran into the same problem; can someone help?
> 
> When accessing Guacamole, I will be redirected to Keycloak login page, and then will be in a loop after typing in valid username/password.  Attached are two images presenting two HTTP requests captured from a typical loop.
> 
> <image-1.png><image-2.png>
> 
> Thanks,
> Yang