Posted to user@guacamole.apache.org by hantuo <ha...@nature.ee.ncku.edu.tw> on 2023/03/06 17:25:39 UTC
Permission assigned via encrypted JSON is not stored in the database
Hi All,

I’m working on setting up Guacamole single sign-on. In my organization,
user permission is maintained by a specific team. Therefore, I have to
implement middleware to acquire permission information from the team.
After that, I can assign Guacamole connections to corresponding users.

I enabled OpenId, encrypted JSON, and database authentication. I thought
that permission can be assigned via encrypted JSON, and users can log in
via OpenId afterward. However, it seems that encrypted JSON is a
one-time password. The connections assigned by encrypted JSON were not
stored in the database.

I have a few questions:

Is the procedure I thought feasible? Did I miss any configuration
settings? Or do I have to modify the database manually?

Currently, I have to put the encrypted JSON result into the local
storage of the browser manually. However, the middleware is a backend
service. It is impossible to modify local storage via the middleware. Is
there an alternative way to assign the token to local storage?

My Guacamole version is 1.4.0, and OS is Ubuntu 20.04 with MySQL 8.0.32.

Any advice would be appreciated. Thank you.

Sincerely,
Han-Tuo Lin
Re: Permission assigned via encrypted JSON is not stored in the database
Posted by Michael Jumper <mj...@apache.org>.
On Mon, Mar 6, 2023 at 9:26 AM hantuo <ha...@nature.ee.ncku.edu.tw> wrote:
> Hi All,
>
> I’m working on setting up Guacamole single sign-on. In my organization,
> user permission is maintained by a specific team. Therefore, I have to
> implement middleware to acquire permission information from the team.
> After that, I can assign Guacamole connections to corresponding users.
>
> I enabled OpenId, encrypted JSON, and database authentication. I thought
> that permission can be assigned via encrypted JSON, and users can log in
> via OpenId afterward. However, it seems that encrypted JSON is a
> one-time password. The connections assigned by encrypted JSON were not
> stored in the database.
>

When you authenticate a user with the encrypted JSON extension, you are
providing transient data that they will be able to access within their
session. The extension determines the user's identity from that JSON, and
the connections you declare within that JSON are independent of any
connections you declare within the database. They exist only in memory.

Have you considered using group memberships dictated by OpenID to determine
connection access?

- Mike
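
The transient payload described in the reply above, as an added example that is not part of the original thread or Guacamole's own code: a middleware-side routine that signs and encrypts the JSON, showing that the identity, the expiry and the connection definitions all travel inside the blob itself. It assumes the layout documented for the encrypted JSON extension (HMAC-SHA256 signature prepended to the JSON, AES-128-CBC with an all-zero IV, base64 output); `Seal`, `Conn`, `Payload`, the key, the user name and the host are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Conn and Payload follow the documented JSON layout (assumed, see lead-in).
type Conn struct {
	Protocol   string            `json:"protocol"`
	Parameters map[string]string `json:"parameters"`
}
type Payload struct {
	Username    string          `json:"username"`
	Expires     int64           `json:"expires"` // ms since epoch; rejected after this
	Connections map[string]Conn `json:"connections"`
}

// Seal returns base64(AES-128-CBC(HMAC-SHA256(json) || json)) with a zero IV.
func Seal(hexKey string, p Payload) (string, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil || len(key) != 16 {
		return "", fmt.Errorf("json-secret-key must be 32 hex digits")
	}
	body, _ := json.Marshal(p) // cannot fail for these field types
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	msg := append(mac.Sum(nil), body...)          // signature first, then the JSON
	pad := aes.BlockSize - len(msg)%aes.BlockSize // PKCS#7 padding
	msg = append(msg, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key) // key length checked above
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(msg, msg)
	return base64.StdEncoding.EncodeToString(msg), nil
}

func main() {
	// Constructed sample: placeholder key, user and host; five-minute lifetime.
	p := Payload{"alice", time.Now().Add(5 * time.Minute).UnixMilli(),
		map[string]Conn{"lab-ssh": {"ssh", map[string]string{"hostname": "192.0.2.10"}}}}
	token, _ := Seal("000102030405060708090a0b0c0d0e0f", p)
	fmt.Println(token)
}
```

Anyone holding the secret key can mint a session for any user name with any connections, so the key belongs only on the middleware and the Guacamole server, and a short `expires` limits how long a captured blob can be replayed.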