Posted to commits@guacamole.apache.org by "Michael Jumper (JIRA)" <ji...@apache.org> on 2018/09/03 14:04:00 UTC
[jira] [Commented] (GUACAMOLE-618) Azure OpenID with parameter token RDP in NLA does not work.
[ https://issues.apache.org/jira/browse/GUACAMOLE-618?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16602201#comment-16602201 ]
Michael Jumper commented on GUACAMOLE-618:
------------------------------------------
{quote}
I suspect the password token was passed incorrectly when using OpenID, I can see that the guacd tried to RDP using the correct username.
{quote}
The password originally used to authenticate via OpenID is not available to Guacamole for use as a token. This is not a bug, but rather a fact of OpenID. An OpenID identity provider will provide only the user's identity, not their credentials.
It would be rather scary if a downstream user of an OpenID service (say a webapp which integrates with Google) could retrieve your plaintext password purely through you signing in.
{quote}
A similar issue has been raised in the mailing list a few months ago, has anyone made any progress on this? Any advice is much appreciated.
https://lists.apache.org/thread.html/%3CCAFjj6005HcQXeHHByPJnAPx+2iOnvdgE+eUwHpZ3U8sPN21P6Q@mail.gmail.com%3E
{quote}
The mailing list thread above dealt with finding the correct parameters to authenticate with an RDP server that was joined to Azure AD. This also was not a bug, but a question / request for assistance. In the case above, OpenID was not involved.
> Azure OpenID with parameter token RDP in NLA does not work.
> ------------------------------------------------------------
>
> Key: GUACAMOLE-618
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-618
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-openid
> Affects Versions: 0.9.14
> Environment: centos 7.4
> Reporter: Neo Lee
> Priority: Major
> Labels: security, usability
>
> Hello everyone,
> We came across an issue where Azure AD (OpenID) parameter token does not work with RDP in NLA mode.
> I suspect the password token was passed incorrectly when using OpenID, I can see that the guacd tried to RDP using the correct username.
> A similar issue has been raised in the mailing list a few months ago, has anyone made any progress on this? Any advice is much appreciated.
> [https://lists.apache.org/thread.html/%3CCAFjj6005HcQXeHHByPJnAPx+2iOnvdgE+eUwHpZ3U8sPN21P6Q@mail.gmail.com%3E]
>
>