Posted to user@guacamole.apache.org by Craig Bloodworth <cr...@theinformationlab.co.uk> on 2019/04/05 14:05:32 UTC

OpenID Auth Not Redirecting

Maybe I'm not fully understanding how the OpenID extension should work, but
I believe instead of logging in with the standard Guacamole client login
screen the user should be forwarded to the OpenID Connect IdP (in this case
Google) to authenticate and then be sent back to the Guacamole client. In
the case of my implementation this redirect isn't happening.

The extension is loaded:

09:00:44.048 [localhost-startStop-1] INFO
o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
09:00:45.357 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule -
Extension "MySQL Authentication" loaded.
09:00:45.361 [localhost-startStop-1] INFO
o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
09:00:45.533 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule -
Extension "OpenID Authentication Extension" loaded.

And the guacamole.properties file is configured:

openid-authorization-endpoint: https://accounts.google.com/o/oauth2/v2/auth
openid-jwks-endpoint: https://www.googleapis.com/oauth2/v3/certs
openid-issuer: https://accounts.google.com
openid-client-id:
xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
openid-redirect-uri: https://servers.xxxxxxxxxxxxxxxx.co.uk
openid-username-claim-type: email
openid-scope: openid email profile
openid-allowed-clock-skew: 60
openid-max-token-validity: 300
openid-max-nonce-validity: 10

But only the standard login screen is shown. What am I missing?

I've checked the browser console and there are no obvious errors other than
the 403 error from /api/tokens which is triggered because I'm not logged in.

Re: OpenID Auth Not Redirecting

Posted by cr...@theinformationlab.co.uk.
Awesome! Perfect solution. Thanks :-)

Can I suggest the docs are updated to reflect this requirement? It wasn't clear at all IMHO.

Craig

On 2019/04/06 18:48:08, Mike Jumper <mj...@apache.org> wrote: 
> On Sat, Apr 6, 2019 at 11:14 AM Nick Couchman <vn...@apache.org> wrote:
> 
> > On Fri, Apr 5, 2019 at 10:05 AM Craig Bloodworth <
> > craig.bloodworth@theinformationlab.co.uk> wrote:
> >
> >> Maybe I'm not fully understanding how the OpenID extension should work,
> >> but I believe instead of logging in with the standard Guacamole client
> >> login screen the user should be forwarded to the OpenID Connect IdP (in
> >> this case Google) to authenticate and then be sent back to the Guacamole
> >> client. In the case of my implementation this redirect isn't happening.
> >>
> >> The extension is loaded:
> >>
> >> 09:00:44.048 [localhost-startStop-1] INFO
> >> o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
> >> 09:00:45.357 [localhost-startStop-1] INFO
> >> o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
> >> 09:00:45.361 [localhost-startStop-1] INFO
> >> o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
> >> 09:00:45.533 [localhost-startStop-1] INFO
> >> o.a.g.extension.ExtensionModule - Extension "OpenID Authentication
> >> Extension" loaded.
> >>
> >>
> > Anything else show, here, when you hit the login screen?
> >
> >
> >> And the guacamole.properties file is configured:
> >>
> >> openid-authorization-endpoint:
> >> https://accounts.google.com/o/oauth2/v2/auth
> >> openid-jwks-endpoint: https://www.googleapis.com/oauth2/v3/certs
> >> openid-issuer: https://accounts.google.com
> >> openid-client-id:
> >> xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
> >> openid-redirect-uri: https://servers.xxxxxxxxxxxxxxxx.co.uk
> >> openid-username-claim-type: email
> >> openid-scope: openid email profile
> >> openid-allowed-clock-skew: 60
> >> openid-max-token-validity: 300
> >> openid-max-nonce-validity: 10
> >>
> >> But only the standard login screen is shown. What am I missing?
> >>
> >> I've checked the browser console and there are no obvious errors other
> >> than the 403 error from /api/tokens which is triggered because I'm not
> >> logged in.
> >>
> >
> > Everything looks good to me, but I've never configured OpenID
> > authentication before, so I'm not entirely sure.  Maybe others on the list
> > will have more hints.
> >
> 
> The OpenID extension .jar will need to be renamed such that it is loaded
> before the MySQL extension .jar:
> 
> 000-guacamole-auth-openid.jar
> 001-guacamole-auth-jdbc-mysql.jar
> 
> As the MySQL extension is loading first, its request for username+password
> credentials is given priority over the OpenID extension's request for a
> token.
> 
> Related thought: it might be good to modify the OpenID extension to
> optionally add an arbitrary "Sign in with _____" button, rather than the
> current all-or-nothing approach.
> 
> - Mike
> 

Re: OpenID Auth Not Redirecting

Posted by Mike Jumper <mj...@apache.org>.
On Sat, Apr 6, 2019 at 11:14 AM Nick Couchman <vn...@apache.org> wrote:

> On Fri, Apr 5, 2019 at 10:05 AM Craig Bloodworth <
> craig.bloodworth@theinformationlab.co.uk> wrote:
>
>> Maybe I'm not fully understanding how the OpenID extension should work,
>> but I believe instead of logging in with the standard Guacamole client
>> login screen the user should be forwarded to the OpenID Connect IdP (in
>> this case Google) to authenticate and then be sent back to the Guacamole
>> client. In the case of my implementation this redirect isn't happening.
>>
>> The extension is loaded:
>>
>> 09:00:44.048 [localhost-startStop-1] INFO
>> o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
>> 09:00:45.357 [localhost-startStop-1] INFO
>> o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
>> 09:00:45.361 [localhost-startStop-1] INFO
>> o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
>> 09:00:45.533 [localhost-startStop-1] INFO
>> o.a.g.extension.ExtensionModule - Extension "OpenID Authentication
>> Extension" loaded.
>>
>>
> Anything else show, here, when you hit the login screen?
>
>
>> And the guacamole.properties file is configured:
>>
>> openid-authorization-endpoint:
>> https://accounts.google.com/o/oauth2/v2/auth
>> openid-jwks-endpoint: https://www.googleapis.com/oauth2/v3/certs
>> openid-issuer: https://accounts.google.com
>> openid-client-id:
>> xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
>> openid-redirect-uri: https://servers.xxxxxxxxxxxxxxxx.co.uk
>> openid-username-claim-type: email
>> openid-scope: openid email profile
>> openid-allowed-clock-skew: 60
>> openid-max-token-validity: 300
>> openid-max-nonce-validity: 10
>>
>> But only the standard login screen is shown. What am I missing?
>>
>> I've checked the browser console and there are no obvious errors other
>> than the 403 error from /api/tokens which is triggered because I'm not
>> logged in.
>>
>
> Everything looks good to me, but I've never configured OpenID
> authentication before, so I'm not entirely sure.  Maybe others on the list
> will have more hints.
>

The OpenID extension .jar will need to be renamed such that it is loaded
before the MySQL extension .jar:

000-guacamole-auth-openid.jar
001-guacamole-auth-jdbc-mysql.jar

As the MySQL extension is loading first, its request for username+password
credentials is given priority over the OpenID extension's request for a
token.

Related thought: it might be good to modify the OpenID extension to
optionally add an arbitrary "Sign in with _____" button, rather than the
current all-or-nothing approach.

- Mike
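
An added example, not code from this thread or from the Apache Guacamole project: a small POSIX shell helper that reproduces the load-order problem Mike describes and applies his rename fix. It assumes, as his reply states, that the jars in GUACAMOLE_HOME/extensions are loaded in sorted filename order and that the first auth extension loaded decides whether the login screen asks for a password or redirects to the IdP. The jar names come from the thread; the scratch directory and the empty stand-in jar files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apache Guacamole.
# Assumption (from Mike Jumper's reply): Guacamole loads the jars in
# GUACAMOLE_HOME/extensions in sorted filename order, and the first auth
# extension to load decides which credential request (password form vs.
# OpenID token/redirect) the login screen presents.

# Print the jar filenames in the order they will be loaded (C-locale sort).
list_extension_order() {
    ext_dir="$1"
    for jar in "$ext_dir"/*.jar; do
        [ -e "$jar" ] && basename "$jar"
    done | LC_ALL=C sort
}

# Succeed (exit 0) only if the OpenID jar is the first extension loaded.
openid_loads_first() {
    first=$(list_extension_order "$1" | head -n 1)
    case "$first" in
        *guacamole-auth-openid*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the rename from the thread: prefix the OpenID jar with 000- and the
# remaining jars with 001-, 002-, ... in their existing order. Any existing
# numeric prefix such as "000-" or "1_" is stripped first, so the function is
# safe to run more than once.
fix_extension_order() {
    ext_dir="$1"
    ordered=$(list_extension_order "$ext_dir" | grep 'guacamole-auth-openid'
              list_extension_order "$ext_dir" | grep -v 'guacamole-auth-openid')
    n=0
    for name in $ordered; do
        base=$(printf '%s\n' "$name" | sed 's/^[0-9][0-9]*[-_]//')
        target=$(printf '%03d-%s' "$n" "$base")
        [ "$name" = "$target" ] || mv "$ext_dir/$name" "$ext_dir/$target"
        n=$((n + 1))
    done
}

# Constructed demo: a scratch directory holding the two jars named in the
# thread (empty files stand in for the real extension jars).
demo_dir=$(mktemp -d)
touch "$demo_dir/guacamole-auth-jdbc-mysql.jar" "$demo_dir/guacamole-auth-openid.jar"

echo "Load order before fix:"
list_extension_order "$demo_dir"
openid_loads_first "$demo_dir" || \
    echo "-> MySQL loads first: the password form wins, no OpenID redirect"

fix_extension_order "$demo_dir"

echo "Load order after fix:"
list_extension_order "$demo_dir"
openid_loads_first "$demo_dir" && \
    echo "-> OpenID loads first: the login screen redirects to the IdP"

rm -rf "$demo_dir"
```

Point `list_extension_order` and `openid_loads_first` at the real `/etc/guacamole/extensions` directory to check a running install before touching anything; `fix_extension_order` only renames files, so Tomcat still needs a restart for the new order to take effect.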

RE: OpenID Auth Not Redirecting

Posted by Ryan Underwood <ry...@greymarketlabs.com>.
The redirect happens immediately after hitting the login url. IIRC the OpenID extension needs to load alphabetically first for this to work (depending on the other extensions). This is handled in the docker image automatically but otherwise you'll need to rename it to prepend something like 1_ or a_ so that it does load first. I haven't used Google's OpenID connection but the first page I googled said it supported "server flow;" Guacamole only supports "implicit flow." Google probably supports it somehow. Regardless you should see the redirect in the browser. Make sure you tell Chrome, Firefox, etc. developer tools to "Preserve log" so you don't lose them in the redirect shuffle. 

When you cherry-pick the server output log it's hard to tell if something else loaded first or later or even what version is being used.

You'll eventually need to make sure the user exists via some other mechanism in Guacamole (jdbc, maybe AD, not sure), based on the username that google is returning. That's a problem for after the redirect is happening. 



-----Original Message-----
From: Nick Couchman <vn...@apache.org> 
Sent: Saturday, April 06, 2019 2:14 PM
To: user@guacamole.apache.org
Subject: Re: OpenID Auth Not Redirecting



On Fri, Apr 5, 2019 at 10:05 AM Craig Bloodworth <craig.bloodworth@theinformationlab.co.uk> wrote:


	Maybe I'm not fully understanding how the OpenID extension should work, but I believe instead of logging in with the standard Guacamole client login screen the user should be forwarded to the OpenID Connect IdP (in this case Google) to authenticate and then be sent back to the Guacamole client. In the case of my implementation this redirect isn't happening.

	The extension is loaded:

		09:00:44.048 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
		09:00:45.357 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
		09:00:45.361 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
		09:00:45.533 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "OpenID Authentication Extension" loaded.


Anything else show, here, when you hit the login screen?
 

	And the guacamole.properties file is configured:

		openid-authorization-endpoint: https://accounts.google.com/o/oauth2/v2/auth
		openid-jwks-endpoint: https://www.googleapis.com/oauth2/v3/certs
		openid-issuer: https://accounts.google.com
		openid-client-id: xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
		openid-redirect-uri: https://servers.xxxxxxxxxxxxxxxx.co.uk
		openid-username-claim-type: email
		openid-scope: openid email profile
		openid-allowed-clock-skew: 60
		openid-max-token-validity: 300
		openid-max-nonce-validity: 10

	But only the standard login screen is shown. What am I missing?

	I've checked the browser console and there are no obvious errors other than the 403 error from /api/tokens which is triggered because I'm not logged in.


Everything looks good to me, but I've never configured OpenID authentication before, so I'm not entirely sure.  Maybe others on the list will have more hints.

-Nick



Re: OpenID Auth Not Redirecting

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Apr 5, 2019 at 10:05 AM Craig Bloodworth <
craig.bloodworth@theinformationlab.co.uk> wrote:

> Maybe I'm not fully understanding how the OpenID extension should work,
> but I believe instead of logging in with the standard Guacamole client
> login screen the user should be forwarded to the OpenID Connect IdP (in
> this case Google) to authenticate and then be sent back to the Guacamole
> client. In the case of my implementation this redirect isn't happening.
>
> The extension is loaded:
>
> 09:00:44.048 [localhost-startStop-1] INFO
> o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
> 09:00:45.357 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule
> - Extension "MySQL Authentication" loaded.
> 09:00:45.361 [localhost-startStop-1] INFO
> o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
> 09:00:45.533 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule
> - Extension "OpenID Authentication Extension" loaded.
>
>
Anything else show, here, when you hit the login screen?


> And the guacamole.properties file is configured:
>
> openid-authorization-endpoint:
> https://accounts.google.com/o/oauth2/v2/auth
> openid-jwks-endpoint: https://www.googleapis.com/oauth2/v3/certs
> openid-issuer: https://accounts.google.com
> openid-client-id:
> xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
> openid-redirect-uri: https://servers.xxxxxxxxxxxxxxxx.co.uk
> openid-username-claim-type: email
> openid-scope: openid email profile
> openid-allowed-clock-skew: 60
> openid-max-token-validity: 300
> openid-max-nonce-validity: 10
>
> But only the standard login screen is shown. What am I missing?
>
> I've checked the browser console and there are no obvious errors other
> than the 403 error from /api/tokens which is triggered because I'm not
> logged in.
>

Everything looks good to me, but I've never configured OpenID
authentication before, so I'm not entirely sure.  Maybe others on the list
will have more hints.

-Nick
