Posted to user@guacamole.apache.org by Venkata Reddy <k....@gmail.com> on 2023/03/14 17:29:50 UTC

Guacamole direction is failing after integrating with keycloak

> Hi Team,
>
> We are integrating guacamole 1.4.0 with keycloak by using the below OPENID
> attributes.
>
>   OPENID_AUTHORIZATION_ENDPOINT: "https://authenticate.id-proxy.rp.de.1u1.local:8443/realms/master/protocol/openid-connect/auth"
>   OPENID_JWKS_ENDPOINT: "https://authenticate.id-proxy.rp.de.1u1.local:8443/realms/master/protocol/openid-connect/certs"
>   OPENID_ISSUER: "https://authenticate.id-proxy.rp.de.1u1.local:8443/realms/master"
>   OPENID_CLIENT_ID: "guacamole-client"
>   OPENID_REDIRECT_URI: "http://guacamole:8080"
>
> We observed that the application URL is redirected to keycloak for
> authentication and then redirection to the application URL is failing with
> the below error message. But we didn't add keycloak certificates to
> guacamole container. Will it give any issue? If yes, please share the
> procedure to update the certificates.
>
> 13:13:57.927 [http-nio-8080-exec-2] INFO
> o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: JWT
> processing failed. Additional details: [[17] Unable to process JOSE object
> (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable
> verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" :
> "b_miyK9tDisD--lStj4nX5AmaoX3EHsrvGysA9TVD8c"} due to an unexpected
> exception (java.net.SocketTimeoutException: connect timed out) while
> obtaining or using keys from JWKS endpoint at
> https://authenticate.id-proxy.rp.de.1u1.local:8443/realms/master/protocol/openid-connect/certs
>   ):
> <https://l0001spapka0005.rp.de.dmn.local/auth/realms/Symworld/protocol/openid-connect/certs):>
> JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" :
> "b_miyK9tDisD--lStj4nX5AmaoX3EHsrvGysA9TVD8c"}]
>
>
> Regards,
> Venkata
>

Re: Guacamole direction is failing after integrating with keycloak

Posted by Michael Jumper <mj...@apache.org>.
On Tue, Mar 14, 2023 at 10:30 AM Venkata Reddy <
k.venkatanarayanareddy@gmail.com> wrote:

>> Hi Team,
>>
>> We are integrating guacamole 1.4.0 with keycloak by using the below
>> OPENID attributes.
>>
>>   OPENID_AUTHORIZATION_ENDPOINT: "https://authenticate.id-proxy.rp.de.1u1.local:8443/realms/master/protocol/openid-connect/auth"
>>   OPENID_JWKS_ENDPOINT: "https://authenticate.id-proxy.rp.de.1u1.local:8443/realms/master/protocol/openid-connect/certs"
>>   OPENID_ISSUER: "https://authenticate.id-proxy.rp.de.1u1.local:8443/realms/master"
>>   OPENID_CLIENT_ID: "guacamole-client"
>>   OPENID_REDIRECT_URI: "http://guacamole:8080"
>>
>> We observed that the application URL is redirected to keycloak for
>> authentication and then redirection to the application URL is failing with
>> the below error message. But we didn't add keycloak certificates to
>> guacamole container. Will it give any issue? If yes, please share the
>> procedure to update the certificates.
>>
>> 13:13:57.927 [http-nio-8080-exec-2] INFO
>> o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: JWT
>> processing failed. Additional details: [[17] Unable to process JOSE object
>> (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable
>> verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" :
>> "b_miyK9tDisD--lStj4nX5AmaoX3EHsrvGysA9TVD8c"} due to an unexpected
>> exception (java.net.SocketTimeoutException: connect timed out) while
>> obtaining or using keys from JWKS endpoint at
>> https://authenticate.id-proxy.rp.de.1u1.local:8443/realms/master/protocol/openid-connect/certs
>>   ):
>> <https://l0001spapka0005.rp.de.dmn.local/auth/realms/Symworld/protocol/openid-connect/certs):>
>>  ...
>>
>
Authentication is failing because Guacamole is not able to reach your
OpenID server over the network. It's trying to reach the JWKS endpoint
specified.

- Mike
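
The following is an added example, not part of the thread and not Guacamole code: it classifies the transport exception named inside a rejected-token log entry, which separates the unreachable-JWKS-endpoint case diagnosed above from a certificate-trust failure. Only the SocketTimeoutException entry appears in the thread; the other exception rows, the host idp.example.test and the kid value are assumptions.

```python
import re

# (exception class named in the log entry, category, what to check). The first
# row is the case in this thread; the other rows are assumed variants.
CAUSES = [
    ("java.net.SocketTimeoutException", "network",
     "JWKS host:port not reachable from the Guacamole host (routing, firewall, proxy)"),
    ("java.net.ConnectException", "network",
     "connection refused: check the port and that the IdP is listening"),
    ("java.net.UnknownHostException", "dns",
     "IdP hostname does not resolve from inside the Guacamole container"),
    ("javax.net.ssl.SSLHandshakeException", "tls-trust",
     "IdP certificate not trusted by the JVM: check the Java truststore"),
]

def triage(entry):
    """Classify one 'Rejected invalid OpenID token' log entry."""
    flat = " ".join(entry.split())  # undo line wrapping added by mail or terminals
    kid = re.search(r'"kid"\s*:\s*"([^"]+)"', flat)
    url = re.search(r"JWKS endpoint at (https?://[^\s)\]]+)", flat)
    category, advice = "other", "no transport exception named; read the full cause"
    for exc, cat, text in CAUSES:
        if exc in flat:
            category, advice = cat, text
            break
    return {"kid": kid.group(1) if kid else None,
            "jwks_url": url.group(1) if url else None,
            "category": category, "advice": advice}

# Constructed sample entries modelled on the message quoted in the thread;
# the host idp.example.test and the kid value are placeholders.
TEMPLATE = ('INFO o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: '
            'JWT processing failed. Additional details: [[17] Unable to process JOSE '
            'object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a '
            'suitable verification key for JWS w/ header {{"alg":"RS256","kid" : '
            '"sample-kid"}} due to an unexpected exception ({exc}) while obtaining or '
            'using keys from JWKS endpoint at '
            'https://idp.example.test:8443/realms/master/protocol/openid-connect/certs ):]')
SAMPLES = [TEMPLATE.format(exc=e) for e in (
    "java.net.SocketTimeoutException: connect timed out",
    "javax.net.ssl.SSLHandshakeException: PKIX path building failed",
)]

if __name__ == "__main__":
    for s in SAMPLES:
        r = triage(s)
        print(r["category"], r["jwks_url"], "->", r["advice"])
```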