Posted to user@guacamole.apache.org by Mauricio Silveira <ma...@livreti.com.br> on 2022/03/09 18:33:50 UTC

Pre-Fill Username using data sent by nginx

Hi.


I was wondering if there is any way possible to pass a username to 
pre-fill the username field at login page.


My usage idea is: I'm using nginx with client certificates as 
pre-authentication, and I'd like to use the UserPrincipalName from the 
client certificate to present the user with guacamole's login page with its 
name already filled and move focus to the password field, so that the 
user with a certificate will only need to type the password to enter a 
session.


Optionally, I'd like to make it possible to "lock" the username field 
(Mandatory from username passed from nginx ).


I tried using 
"https://guacserver.example/#/Whatever245qrgq3yeqreg?username=johndoe&password=wrong" 
style using a wrong password to see if the username gets filled, but it 
doesn't.

As for the nginx part, if anyone is interested, here's my reference: 
https://clouddocs.f5.com/training/community/nginx/html/class3/module1/module17.html. 
It uses njs module.


Then, I modified njs' subject_alternative.js to return only the UPN from 
the client certificate.


I was thinking something like 
"https://guacserver.example/#/Whatever245qrgq3yeqreg?PREFILL_USERNAME=name_from_njs_san&PREFILL_LOCK=yes" 
to get the desired behavior ( I still have to play around with nginx 
rewrite url to make sure the end user won't be able to modify the 
PREFILL_USERNAME and PREFILL_LOCK arguments ).


I don't know java and angular, but I have some experience with 
C/perl/php/python/js and general scripting ( I usually write code when I 
really need to, I'm not a programmer/developer ).


I'm willing to accept the challenge to create an extension for this 
feature, but I have no idea where to start. I wonder if I should look at 
something like guacamole-auth-quickconnect or guacamole-auth-header as 
reference. Any hints?


Thanks!

- Mauricio Silveira




Re: Pre-Fill Username using data sent by nginx

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Mar 9, 2022 at 1:34 PM Mauricio Silveira <ma...@livreti.com.br>
wrote:

> Hi.
>
>
> I was wondering if there is any way possible to pass a username to
> pre-fill the username field at login page.
>
>
> My usage idea is: I'm using nginx with client certificates as
> pre-authentication, and I'd like to use the UserPrincipalName from the
> client certificate to present the user with guacamole's login page with its
> name already filled and move focus to the password field, so that the
> user with a certificate will only need to type the password to enter a
> session.
>
>
> Optionally, I'd like to make it possible to "lock" the username field
> (Mandatory from username passed from nginx ).
>
>
I would think the better way to go would be to have Guacamole accept the
certificate-based (x509) authentication, either by implementing an
extension that supports it, or by using a SSO-type system that facilitates
it. So, a few options come to mind:
* If Nginx is currently doing the certificate-based authentication, you
could use the Header authentication extension in Guacamole to accept
successful authentication, including the Username, from Nginx. You have to
be a bit careful with this, because you want to make sure that there's no
way for users to bypass the authentication mechanism by spoofing a header
or something like that, but it can be done in a relatively secure fashion.
* You could also use a SSO system to do the certificate-based
authentication, and then one of the Guacamole SSO modules to accept that
authentication. For example, I believe CAS supports x509 authentication, so
you could have CAS do the authentication, and then it can pass through the
relevant information about the user to Guacamole via the CAS authentication
extension.

-Nick
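
An added example, not part of either message in this thread: one way to wire up the first option (nginx validates the client certificate, Guacamole's header authentication extension trusts the username) so that the header cannot be supplied by the client. The file paths, upstream address and the njs export name `san.upn` are assumptions for illustration; `REMOTE_USER` is the header extension's default header name.

```nginx
# Assumed: the poster's modified njs script exposes a function returning the UPN.
js_import san from /etc/nginx/njs/subject_alternative.js;
js_set    $client_upn san.upn;          # hypothetical export name

# Only a certificate that nginx verified yields a username; anything else is empty.
map $ssl_client_verify $guac_user {
    default  "";
    SUCCESS  $client_upn;
}

server {
    listen 443 ssl;
    server_name guacserver.example;

    ssl_certificate         /etc/nginx/tls/server.crt;      # placeholder paths
    ssl_certificate_key     /etc/nginx/tls/server.key;
    ssl_client_certificate  /etc/nginx/tls/client-ca.pem;   # CA that issues user certs
    ssl_verify_client       on;   # "optional" would let certificate-less clients through
    ssl_verify_depth        2;

    location /guacamole/ {
        # No verified identity, no request forwarded to Guacamole.
        if ($guac_user = "") { return 403; }

        proxy_pass         http://127.0.0.1:8080;   # assumed Tomcat address
        proxy_http_version 1.1;
        proxy_buffering    off;
        proxy_set_header   Host       $host;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $http_connection;

        # Set unconditionally by the proxy, so a REMOTE_USER value sent by the
        # client never reaches Guacamole; the value comes only from the certificate.
        proxy_set_header   REMOTE_USER $guac_user;
    }
}
```

The header is only trustworthy if nginx is the sole path to Guacamole, so the servlet container should accept connections from the proxy alone (for example by listening on the loopback address, as assumed above).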