You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@guacamole.apache.org by "Michael Jumper (JIRA)" <ji...@apache.org> on 2018/05/03 22:15:00 UTC
[jira] [Updated] (GUACAMOLE-560) Include "state" parameter in
OpenID Connect authorization request
[ https://issues.apache.org/jira/browse/GUACAMOLE-560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Jumper updated GUACAMOLE-560:
-------------------------------------
Summary: Include "state" parameter in OpenID Connect authorization request (was: Support OIDC from Okta)
> Include "state" parameter in OpenID Connect authorization request
> -----------------------------------------------------------------
>
> Key: GUACAMOLE-560
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-560
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole-auth-openid
> Affects Versions: 0.9.14
> Reporter: Dave Smith
> Priority: Major
>
> {quote}i've tried to get this setup. Unfortunately it seems Okta insist (even with Single Page App (SPA)) to have state field in the POST even if (when using SPA) it's not actually used. The guacamole client just goes in a redirect loop with error in URL visible of "invalid state".
>
> With SPA the state parameter can even be some random letters, but must be there. Using OIDCDebugger.com gleans this:{quote}
> {quote}
> error=invalid_request
> error_description=The authentication request has an invalid 'state' parameter.
>
> yet by adding a bunch of x's to the state parameter..
>
> i get a much more positive response:
> state=xxxxxxxxxxxxx
> id_token=eyJraWQiOiI0NlpNbjlZZG5HQ1AxMGhDUWs5VWtvc2ljUmltTURJRDBBbVh1dWhHUUhrIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUxMDAxNnVwUzhFaENuMjJwNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9hdG9zbXBjYXdzLm9rdGEuY29tIiwiYXVkIjoiMG9hMTIzZG8weXNibFN4dUoycDciLCJpYXQiOjE1MjQ3NTQwOTUsImV4cCI6MTUyNDc1NzY5NSwianRpIjoiSUQuRmZGYzFpZlA2VG
>
> I'd kindly ask that state could be added as an optional parameter to the guac properties file.{quote}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)