Posted to commits@guacamole.apache.org by "Michael Jumper (JIRA)" <ji...@apache.org> on 2018/09/03 14:04:00 UTC

[jira] [Commented] (GUACAMOLE-618) Azure OpenID with parameter token RDP in NLA does not work.

    [ https://issues.apache.org/jira/browse/GUACAMOLE-618?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16602201#comment-16602201 ] 

Michael Jumper commented on GUACAMOLE-618:
------------------------------------------

{quote}
I suspect the password token was passed incorrectly when using OpenID, I can see that the guacd tried to RDP using the correct username. 
{quote}

The password originally used to authenticate via OpenID is not available to Guacamole for use as a token. This is not a bug, but rather a fact of OpenID. An OpenID identity provider will provide only the user's identity, not their credentials.

It would be rather scary if a downstream user of an OpenID service (say a webapp which integrates with Google) could retrieve your plaintext password purely through you signing in.

{quote}
A similar issue has been raised in the mailing list a few months ago, has anyone made any progress on this? Any advice is much appreciated. 

https://lists.apache.org/thread.html/%3CCAFjj6005HcQXeHHByPJnAPx+2iOnvdgE+eUwHpZ3U8sPN21P6Q@mail.gmail.com%3E
{quote}

The mailing list thread above dealt with finding the correct parameters to authenticate with an RDP server that was joined to Azure AD. This also was not a bug, but a question / request for assistance. In the case above, OpenID was not involved.

> Azure OpenID with parameter token RDP in NLA does not work. 
> ------------------------------------------------------------
>
>                 Key: GUACAMOLE-618
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-618
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-openid
>    Affects Versions: 0.9.14
>         Environment: centos 7.4
>            Reporter: Neo Lee
>            Priority: Major
>              Labels: security, usability
>
> Hello everyone,
> We came across an issue where Azure AD (OpenID) parameter token does not work with RDP in NLA mode. 
> I suspect the password token was passed incorrectly when using OpenID, I can see that the guacd tried to RDP using the correct username. 
> A similar issue has been raised in the mailing list a few months ago, has anyone made any progress on this? Any advice is much appreciated. 
> [https://lists.apache.org/thread.html/%3CCAFjj6005HcQXeHHByPJnAPx+2iOnvdgE+eUwHpZ3U8sPN21P6Q@mail.gmail.com%3E]
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
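
The point made in the comment above, as an added example that is not part of the original message or of Guacamole's code: an OpenID ID token carries identity claims only, so a connection that references a password token has nothing to fill it with. The token, the claim values, the connection parameters and the choice of "email" as the username claim are all constructed for illustration.

```python
import base64
import json
import re

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(id_token: str) -> dict:
    """Return the claims of a JWT without verifying it (inspection only)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

# Constructed ID token: header.payload.signature (the signature is a dummy).
CLAIMS = {"iss": "https://idp.example", "sub": "a1b2c3", "aud": "guacamole",
          "email": "alice@example.com", "nonce": "n-0S6",
          "iat": 1535983440, "exp": 1535987040}
ID_TOKEN = ".".join([b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
                     b64url(json.dumps(CLAIMS).encode()),
                     b64url(b"constructed-not-a-real-signature")])

# Constructed RDP connection parameters that use parameter tokens.
RDP_PARAMS = {"hostname": "rdp.example", "security": "nla",
              "username": "${GUAC_USERNAME}", "password": "${GUAC_PASSWORD}"}

TOKEN_RE = re.compile(r"\$\{([A-Z_]+)\}")

def available_tokens(claims: dict, username_claim: str = "email") -> dict:
    """Token values derivable from the ID token (assumed claim: email)."""
    tokens = {}
    if username_claim in claims:
        tokens["GUAC_USERNAME"] = claims[username_claim]
    return tokens  # no GUAC_PASSWORD: the IdP never sends the credential

def unresolved(params: dict, tokens: dict) -> dict:
    """Map each parameter to the tokens it references that have no value."""
    missing = {}
    for name, value in params.items():
        gaps = [t for t in TOKEN_RE.findall(value) if t not in tokens]
        if gaps:
            missing[name] = gaps
    return missing

def audit(id_token: str, params: dict) -> dict:
    return unresolved(params, available_tokens(decode_claims(id_token)))

if __name__ == "__main__":
    print(sorted(decode_claims(ID_TOKEN)))   # claim names only, no credential
    print(audit(ID_TOKEN, RDP_PARAMS))
```

A real relying party must verify the ID token's signature, issuer, audience and nonce before trusting any claim; the decoder here skips that because it only inspects a constructed token.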