Posted to user@guacamole.apache.org by kmartin <km...@6hat.fr> on 2019/04/16 11:55:26 UTC

OpenID / KeyCloak

Hello All,

I set up Guacamole 1.0 + Keycloak 5.0. Everything goes right until the
login.

I log in (on Keycloak), I return back to Guacamole and then I have loops
between 2 URLs:

https://services.xxx.fr:8081/guacamole*/#/*session_state=93ec82e2-2c19-4978-9347-5df101da3189&id_token=xxxx

and

https://services.xxx.fr:8081/guacamole*/#*session_state=93ec82e2-2c19-4978-9347-5df101da3189&id_token=xxxx

Has someone already had the problem?

Here is my config:

openid-authorization-endpoint: https://sso.xxx.fr:8443/auth/realms/xxx/protocol/openid-connect/auth
openid-jwks-endpoint: https://sso.xxx.fr:8443/auth/realms/xxx/protocol/openid-connect/certs
openid-issuer: https://sso.xxx.fr:8443/auth/realms/xxx
openid-client-id: gua
openid-redirect-uri: http://services.xxx.fr:8081/guacamole
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500

Thanks for your help!





--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
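The configuration posted above gives enough to check the token that Guacamole keeps sending the browser back with. What follows is an added diagnostic script written for this page; it is not code from the Guacamole project or from anyone in the thread. It pulls id_token out of the looping URL fragment, decodes it without verifying the signature (a read-only check, never a substitute for Guacamole's own JWKS validation) and compares iss, aud, exp and the configured username claim against the values from the posted guacamole.properties. It also compares the configured openid-redirect-uri with the URL the browser actually lands on, since the posted config names http:// while the looping URLs are https://. The token, claim values and timestamps are constructed for the example; the claim set models the observation elsewhere in this thread that Keycloak issues preferred_username rather than a claim literally named username unless a mapper is added.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlsplit

# Constructed values mirroring the guacamole.properties posted above. The
# token built below is fabricated for this example, not issued by Keycloak.
CONFIG = {
    "openid-issuer": "https://sso.xxx.fr:8443/auth/realms/xxx",
    "openid-client-id": "gua",
    "openid-redirect-uri": "http://services.xxx.fr:8081/guacamole",
    "openid-username-claim-type": "username",
    "openid-allowed-clock-skew": 500,  # seconds
}
NOW = 1555415700  # fixed "current time" (2019-04-16) so results are reproducible


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims):
    """JWT-shaped fixture; the third segment is a placeholder, not a signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return ".".join([
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url(b"placeholder-signature"),
    ])


# Typical shape of a Keycloak id_token for a user with no extra mappers:
# preferred_username is present, a claim literally named "username" is not.
SAMPLE_CLAIMS = {
    "iss": "https://sso.xxx.fr:8443/auth/realms/xxx",
    "aud": "gua",
    "sub": "constructed-subject-id",
    "exp": NOW + 300,
    "iat": NOW,
    "nonce": "constructed-nonce",
    "preferred_username": "kmartin",
    "email": "kmartin@example.invalid",
}
SAMPLE_URL = ("https://services.xxx.fr:8081/guacamole/#/session_state="
              "93ec82e2-2c19-4978-9347-5df101da3189&id_token="
              + make_unsigned_token(SAMPLE_CLAIMS))


def id_token_from_fragment(url):
    """Extract id_token from the fragment; both forms seen in the loop
    ('#/session_state=...' and '#session_state=...') are accepted."""
    fragment = urlsplit(url).fragment.lstrip("/")
    return parse_qs(fragment).get("id_token", [None])[0]


def inspect_id_token(token, config, now=None):
    """Decode WITHOUT signature verification and compare the claims with what
    the configured Guacamole requires. Returns a list of findings (empty means
    these claims give no reason for a rejection). Read-only diagnostic only."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-segment JWT"]
    claims = json.loads(_b64url_decode(parts[1]))
    findings = []
    if claims.get("iss") != config["openid-issuer"]:
        findings.append("iss %r does not match openid-issuer %r"
                        % (claims.get("iss"), config["openid-issuer"]))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if config["openid-client-id"] not in aud:
        findings.append("aud %r does not contain openid-client-id %r"
                        % (aud, config["openid-client-id"]))
    skew = config["openid-allowed-clock-skew"]
    if claims.get("exp", 0) + skew < now:
        findings.append("token expired (exp=%s, skew=%ss)" % (claims.get("exp"), skew))
    name_claim = config["openid-username-claim-type"]
    if name_claim not in claims:
        present = [c for c in ("preferred_username", "email", "sub") if c in claims]
        findings.append("username claim %r missing; token carries %s"
                        % (name_claim, present))
    return findings


def redirect_uri_mismatch(configured, observed):
    """URL components on which the configured redirect URI and the URL the
    browser landed on differ. Keycloak matches registered redirect URIs
    literally (scheme, host:port, path incl. trailing slash) unless a wildcard
    is registered, so each difference reported here needs an explanation."""
    a, b = urlsplit(configured), urlsplit(observed)
    return [part for part in ("scheme", "netloc", "path")
            if getattr(a, part) != getattr(b, part)]
```

Run it against the real id_token copied from the address bar. The token is a credential, so do that on a trusted machine and do not paste it into a mailing list. If the only finding is the missing username claim, either set openid-username-claim-type to preferred_username or add a Keycloak mapper that emits a claim named username, which is the mapper Justin's message refers to.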

Re: OpenID / KeyCloak

Posted by kmartin <km...@6hat.fr>.
That's nice of you.
Thanks Justin.





Re: OpenID / KeyCloak

Posted by Justin Gauthier <ju...@justin-tech.com>.
I believe mine are both in VMs, but I have a test implementation with both containerized that I can try to get working.

Give me a few hours to try that out and I’ll get back to you.


________________________________
From: kmartin <km...@6hat.fr>
Sent: Tuesday, April 16, 2019 8:45 AM
To: user@guacamole.apache.org
Subject: Re: OpenID / KeyCloak


Re: OpenID / KeyCloak

Posted by kmartin <km...@6hat.fr>.
Thanks a lot Justin.

Unfortunately I have a similar Keycloak config.

My Guacamole and Keycloak are containers. You too?








Re: OpenID / KeyCloak

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Apr 19, 2019 at 11:23 AM kmartin <km...@6hat.fr> wrote:

> I tried with a new fresh-from-source install on a dedicated server (no
> container)
>
> and still have loops...
>

I'm in the process of setting up Keycloak to give it a shot and see what
kind of results I can produce.


>
> Do you add users in a user-mapping file too?
>
>
The user-mapping file (File Authentication Extension) doesn't layer the
same way with other authentication modules, so this probably won't work.
You'll need to use some other module, most likely JDBC, to provide this
functionality.

-Nick

Re: OpenID / KeyCloak

Posted by kmartin <km...@6hat.fr>.
I tried with a new fresh-from-source install on a dedicated server (no
container)

and still have loops...


Do you add users in a user-mapping file too?




Re: OpenID / KeyCloak

Posted by kmartin <km...@6hat.fr>.
I tried with:

Guacamole 0.9.14 and Keycloak 5.0 & 4.8.3 (on container)

I still have loops :(((

There's for sure a mistake in my configuration.





Re: OpenID / KeyCloak

Posted by kmartin <km...@6hat.fr>.
Hi,

Thanks for testing.

On my side, there are no interesting logs, no error on either container... :/

The asterisk(s) in my URL are because I put bold text to show you where
the problem was.

I'm going to test a 0.9.x version.




Re: OpenID / KeyCloak

Posted by Justin Gauthier <ju...@justin-tech.com>.
So, I have finally gotten Guacamole working in Kubernetes (sorry for the delay), but with a copied OIDC config and using the same Keycloak client (with a redirect URL added), I am also getting stuck at an ?id_token= URL.


This is using guacamole/guacamole:1.0.0 and the matching OIDC plugin.


The only difference between my working config and non-working config is moving from 0.9.14 to 1.0.0.


I am going to run with 0.9.14 on Docker and see how that goes.

________________________________
From: Ryan Underwood <ry...@greymarketlabs.com>
Sent: Tuesday, April 16, 2019 11:02:54 AM
To: user@guacamole.apache.org
Subject: RE: OpenID / KeyCloak


-----Original Message-----
From: Justin Gauthier <ju...@justin-tech.com>
Sent: Tuesday, April 16, 2019 8:02 AM
To: user@guacamole.apache.org; user@guacamole.apache.org
Subject: Re: OpenID / KeyCloak

________________________________

From: kmartin <km...@6hat.fr>
Sent: Tuesday, April 16, 2019 7:55 AM
To: user@guacamole.apache.org
Subject: OpenID / KeyCloak


RE: OpenID / KeyCloak

Posted by Ryan Underwood <ry...@greymarketlabs.com>.
A few thoughts:
- Are you sure that the asterisk(s) in your URL are what you intended? I know that Keycloak will let you specify the valid redirect URLs with wildcards so I wasn't sure if that was a failed configuration. The Guacamole Angular app rewrites URLs and it's possible this is affecting the hook for that.
- IIRC Keycloak uses preferred_username for what you are likely calling the username claim. If you're testing with "guacadmin" and using email you'll need to add one because it doesn't exist by default in the database.
- Pasting some logs from Keycloak, any reverse proxy, and the Guacamole client would help debugging.
- OpenID/Guacamole works fine for logging in to Guacamole but it's like the Hotel California if you want to sign out.


-----Original Message-----
From: Justin Gauthier <ju...@justin-tech.com> 
Sent: Tuesday, April 16, 2019 8:02 AM
To: user@guacamole.apache.org; user@guacamole.apache.org
Subject: Re: OpenID / KeyCloak

________________________________

From: kmartin <km...@6hat.fr>
Sent: Tuesday, April 16, 2019 7:55 AM
To: user@guacamole.apache.org
Subject: OpenID / KeyCloak 
 


Re: OpenID / KeyCloak

Posted by Justin Gauthier <ju...@justin-tech.com>.
I have Guacamole 1.0 working with an older version of Keycloak, below are my settings:

Keycloak settings:

[Image]

and the guacamole settings:


openid-authorization-endpoint: https://auth.[REDACTED]/auth/realms/[REDACTED]/protocol/openid-connect/auth
openid-jwks-endpoint: https://auth.[REDACTED]/auth/realms/[REDACTED]/protocol/openid-connect/certs
openid-issuer: https://auth.[REDACTED]/auth/realms/[REDACTED]
openid-client-id: guacamole
openid-redirect-uri: https://guacamole.[REDACTED]/guacamole/
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500

The other tabs in keycloak are standard, just have to add the mapper(s) for the email and username, like below.

[Image]

Hopefully that helps.

Regards,

Justin


________________________________
From: kmartin <km...@6hat.fr>
Sent: Tuesday, April 16, 2019 7:55 AM
To: user@guacamole.apache.org
Subject: OpenID / KeyCloak
