Posted to issues@guacamole.apache.org by "Nick Couchman (Jira)" <ji...@apache.org> on 2022/01/03 00:46:00 UTC

[jira] [Updated] (GUACAMOLE-1094) Allow override of response_type parameter value

     [ https://issues.apache.org/jira/browse/GUACAMOLE-1094?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman updated GUACAMOLE-1094:
-------------------------------------
    Affects Version/s:     (was: 1.1.0)

> Allow override of response_type parameter value
> -----------------------------------------------
>
>                 Key: GUACAMOLE-1094
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1094
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-openid
>            Reporter: Ryan Lapchynski
>            Priority: Trivial
>              Labels: AWS, patch, ready-to-commit
>
> The OpenID Connect auth extension supports only the ["implicit" flow|https://openid.net/specs/openid-connect-implicit-1_0.html#RequestParameters], and currently [hard-codes|https://github.com/apache/guacamole-client/blob/4fec4638fc8652b684eea069e9ee9fe423615bfa/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/form/TokenField.java#L80] the value of the "response_type" parameter as "id_token". According to the [OIDC spec|https://openid.net/specs/openid-connect-core-1_0.html#IDToken], the authentication server should return the user with an ID token, but some auth server implementations require other values of this parameter and will not work otherwise; when given their required value they still return the necessary information (the user's ID token in the id_token parameter).
> My particular use case involves authenticating against AWS Cognito. If the Cognito IdP receives a request with "response_type=id_token", then rather than returning a sign-in page and authenticating the user, it returns a page showing just an "invalid request" error message. If instead "response_type=token" is used, authentication works as expected. The [Cognito documentation|https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html] states that "response_type must be {{code}} or {{token}}".
> I've only tested and confirmed that this is an issue with AWS Cognito, but according to the documentation for the OIDC identity providers on a couple other major cloud providers:
> GCP's Identity Platform [seems to require|https://developers.google.com/identity/protocols/oauth2/openid-connect#response-type] response_type to be "token id_token" or "id_token token"
> Azure's Microsoft Identity Platform [requires|https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow] response_type to be "id_token" or "id_token token"
>  
> I'm submitting a PR that adds an optional guacamole.properties string parameter for the OpenID auth extension that allows overriding the default value of response_type. The default value is "id_token", so the behavior remains unchanged if the override parameter is left unspecified.
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
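The sketch below is an added example, not code from the issue, the PR, or guacamole-auth-openid itself. It shows the two halves of the change the issue describes: building the implicit-flow authorization request with an overridable response_type (defaulting to "id_token"), and checking on the way back that the fragment the provider redirects to still carries an id_token regardless of which response_type was sent. The property name "openid-response-type", the allow-list of response_type values, and the endpoint, client_id, redirect URI and callback URL are all assumptions constructed for the example. Signature, issuer, audience and nonce validation of the returned ID token is unchanged by such an override and is deliberately left out here.

```python
"""Added example: OIDC implicit-flow authorization request with an
overridable response_type, plus the callback check that an id_token came
back. Not the Guacamole extension's own code."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Behaviour when the (hypothetical) "openid-response-type" property is unset.
DEFAULT_RESPONSE_TYPE = "id_token"

# Assumed allow-list: each of these is a response_type for which the issue or the
# provider docs it cites report that an ID token comes back in the fragment.
# "code" is intentionally absent: it would need the authorization-code flow,
# which an implicit-flow client cannot complete, so it must not be accepted.
ALLOWED_RESPONSE_TYPES = {
    "id_token",          # OIDC implicit default; Azure
    "id_token token",    # Azure / Google
    "token id_token",    # Google
    "token",             # AWS Cognito, per the issue reporter's observation
}


def resolve_response_type(configured):
    """Return the response_type to send: the validated override, else the default."""
    if configured is None or configured.strip() == "":
        return DEFAULT_RESPONSE_TYPE
    value = " ".join(configured.split())  # collapse stray whitespace from the properties file
    if value not in ALLOWED_RESPONSE_TYPES:
        raise ValueError("unsupported openid-response-type: %r" % configured)
    return value


def build_authorization_url(authorization_endpoint, client_id, redirect_uri,
                            scope, state, nonce, response_type=None):
    """Build the redirect-to-provider URL. Parameter order matters only for the test."""
    params = {
        "response_type": resolve_response_type(response_type),
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return authorization_endpoint + "?" + urlencode(params)


def extract_id_token(callback_url, expected_state):
    """Parse the fragment of the provider's redirect back and return the id_token.

    Whatever response_type was requested, the implicit-flow client only works if
    id_token is present, so that is checked explicitly instead of assumed.
    """
    params = parse_qs(urlsplit(callback_url).fragment, keep_blank_values=True)
    if "error" in params:
        raise ValueError("provider returned error: %s" % params["error"][0])
    state = params.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch in callback")
    id_token = params.get("id_token", [""])[0]
    if not id_token:
        raise ValueError("callback carried no id_token (response_type not usable "
                         "with an implicit-flow client?)")
    return id_token


if __name__ == "__main__":
    # Constructed demo values; no real provider is contacted.
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorization_url(
        "https://idp.example/oauth2/authorize", "client-1",
        "https://guac.example/", "openid email profile",
        state, nonce, response_type="token")
    print(url)
    # Constructed callback as Cognito-style "token" response that still includes id_token.
    callback = ("https://guac.example/#access_token=abc&id_token=eyJ.x.y"
                "&state=%s&token_type=Bearer" % state)
    print(extract_id_token(callback, state))
```

Rejecting "code" at configuration time, rather than discovering at callback time that no id_token arrived, is the check a practitioner would want next to this override: it keeps the property from silently turning an implicit-flow deployment into one that never logs anyone in.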