Posted to user@guacamole.apache.org by hantuo <ha...@nature.ee.ncku.edu.tw> on 2023/03/06 17:25:39 UTC

Permission assigned via encrypted JSON is not stored in the database

Hi All,

I’m working on setting up Guacamole single sign-on. In my organization, 
user permission is maintained by a specific team. Therefore, I have to 
implement middleware to acquire permission information from the team. 
After that, I can assign Guacamole connections to corresponding users.

I enabled OpenId, encrypted JSON, and database authentication. I thought 
that permission can be assigned via encrypted JSON, and users can log in 
via OpenId afterward. However, it seems that encrypted JSON is a 
one-time password. The connections assigned by encrypted JSON were not 
stored in the database.

I have a few questions:

Is the procedure I thought of feasible? Did I miss any configuration 
settings? Or do I have to modify the database manually?

Currently, I have to put the encrypted JSON result into the local 
storage of the browser manually. However, the middleware is a backend 
service. It is impossible to modify local storage via the middleware. Is 
there an alternative way to assign the token to local storage?

My Guacamole version is 1.4.0, and OS is Ubuntu 20.04 with MySQL 8.0.32. 
Any advice would be appreciated. Thank you.

Sincerely,
Han-Tuo Lin



Re: Permission assigned via encrypted JSON is not stored in the database

Posted by Michael Jumper <mj...@apache.org>.
On Mon, Mar 6, 2023 at 9:26 AM hantuo <ha...@nature.ee.ncku.edu.tw> wrote:

> Hi All,
>
> I’m working on setting up Guacamole single sign-on. In my organization,
> user permission is maintained by a specific team. Therefore, I have to
> implement middleware to acquire permission information from the team.
> After that, I can assign Guacamole connections to corresponding users.
>
> I enabled OpenId, encrypted JSON, and database authentication. I thought
> that permission can be assigned via encrypted JSON, and users can log in
> via OpenId afterward. However, it seems that encrypted JSON is a
> one-time password. The connections assigned by encrypted JSON were not
> stored in the database.
>

When you authenticate a user with the encrypted JSON extension, you are
providing transient data that they will be able to access within their
session. The extension determines the user's identity from that JSON, and
the connections you declare within that JSON are independent of any
connections you declare within the database. They exist only in memory.

Have you considered using group memberships dictated by OpenID to determine
connection access?

- Mike
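
The following is an added example, not part of either message and not Guacamole's own code: a sketch of how a backend middleware could build the payload that the encrypted JSON extension consumes, following the format in the Guacamole manual (HMAC-SHA256 signature prepended to the JSON, AES-128-CBC with an all-zero IV, base64). The identity, expiry and connections all travel inside this one blob, which is why nothing from it reaches the database; the key, username, connection name and host are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

type Connection struct {
	Protocol   string            `json:"protocol"`
	Parameters map[string]string `json:"parameters"`
}

type Payload struct {
	Username    string                `json:"username"`
	Expires     int64                 `json:"expires"` // milliseconds since the Unix epoch
	Connections map[string]Connection `json:"connections"`
}

// Seal signs then encrypts: base64(AES-128-CBC(zero IV, HMAC-SHA256(json) || json)).
func Seal(key []byte, p Payload) (string, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(plain)
	msg := append(mac.Sum(nil), plain...)
	pad := aes.BlockSize - len(msg)%aes.BlockSize // PKCS#7 padding
	msg = append(msg, bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(msg, msg)
	return base64.StdEncoding.EncodeToString(msg), nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed key; json-secret-key holds the same 16 bytes in hex
	p := Payload{"hantuo", time.Now().Add(time.Minute).UnixMilli(), map[string]Connection{
		"lab-ssh": {"ssh", map[string]string{"hostname": "10.0.0.5", "port": "22"}}}}
	fmt.Println(Seal(key, p)) // token, then error; the token is sent as the "data" parameter to .../api/tokens
}
```

Because the IV is fixed and the payload carries its own expiry, keep `expires` short and treat the secret key as equivalent to the ability to log in as any user with any connection.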