Posted to user@guacamole.apache.org by quegu <qu...@gmx.net> on 2021/04/02 15:16:01 UTC

openid connect loop problem

Hello

I am experiencing a looping problem with the OpenID Connect extension
with Keycloak. I have searched the forums and see this problem but without
any solution. I am running guacamole 1.3.0 with extension 1.3.0.

My experience is exactly the same as this user's:

https://issues.apache.org/jira/browse/GUACAMOLE-1251

The only thing I see in the logs is:

DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Invalid
login.
DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt
from x.x.x.x failed.

The looping is between these two URIs:


https://keycloakexample.com/auth/realms/demo/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=http://example.com:8080/guacamole/%23/

http://example.com:8080/guacamole/#/&id_token=kjhkhjkj...

I see in JIRA:

https://issues.apache.org/jira/browse/GUACAMOLE-560

So is it possible for it to work with Keycloak currently? Or is it broken for
now?

Thank you

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: openid connect loop problem

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Apr 21, 2021 at 4:55 AM quegu <qu...@gmx.net> wrote:

> i have fixed this problem. For those who might be experiencing the same
> issue, here is the solution in my case.
>
> the logs were a bit confusing:
>
> rejected due to invalid claims. Additional details: [Issuer (iss) claim
> value (https://auth.example.com/auth/realms/demo) doesn't match expected
> value of https://auth.example.com/auth/realms/demo
>
> on closer inspection of guacamole.properties, i had whitespace/special char
> after the openid-issuer config entry (copy/paste error i think)
>
>
>
Thank you for sharing your solution with the community - glad you were able
to figure it out!

-Nick

Re: openid connect loop problem

Posted by quegu <qu...@gmx.net>.
i have fixed this problem. For those who might be experiencing the same
issue, here is the solution in my case.

the logs were a bit confusing:

rejected due to invalid claims. Additional details: [Issuer (iss) claim
value (https://auth.example.com/auth/realms/demo) doesn't match expected
value of https://auth.example.com/auth/realms/demo

on closer inspection of guacamole.properties, i had whitespace/special char
after the openid-issuer config entry (copy/paste error i think)



Re: openid connect loop problem

Posted by quegu <qu...@gmx.net>.
Thank you for taking the time to reply.

Yes, it seems that the token is correctly returned from the IdP.

I have checked clocks and run ntpdate to be sure on both sides. The OpenID
related config in guacamole is:

# OpenIDC properties
openid-authorization-endpoint: https://authexample.com/auth/realms/demo/protocol/openid-connect/auth
openid-client-id: guacamole
openid-redirect-uri: http://guacamole.example.com:8080/guacamole/#/
openid-jwks-endpoint: https://authexample.com/auth/realms/demo/protocol/openid-connect/certs
openid-issuer: https://authexample.com/auth/realms/demo                                         
openid-username-claim-type: username
openid-scope: openid email profile
openid-allowed-clock-skew: 500


I have tried previous suggestions regarding openid-redirect-id (include #,
remove it, include trailing /, remove it etc.). I can't see what else there
is incorrect.

The tomcat/guacamole log is here: https://pastebin.com/margaVjs (this is from
startup to the redirect problem).

Thank you


Re: openid connect loop problem

Posted by Mike Jumper <mi...@glyptodon.com>.
On Fri, Apr 2, 2021 at 8:16 AM quegu <qu...@gmx.net> wrote:

> Hello
>
> I am experiencing a looping problem with the Openid connection extension
> with Keycloak. I have searched the forums and see this problem but without
> any solution. I am running guacamole 1.3.0 with extension 1.3.0 .
>
> my experience is exactly the same as this user:
>
> https://issues.apache.org/jira/browse/GUACAMOLE-1251
>
> the only thing i see in logs is:
>
> DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Invalid
> login.
> DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt
> from x.x.x.x failed.
>
> the looping is between these two URIs:
>
>
>
> https://keycloakexample.com/auth/realms/demo/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=http://example.com:8080/guacamole/%23/
>
> http://example.com:8080/guacamole/#/&id_token=kjhkhjkj...
>
>
Can you provide your full Guacamole logs? Is the system clock of your
Guacamole server correct? What values are you providing for the various
OpenID configuration properties in guacamole.properties?

If Keycloak is sending you back to Guacamole with an ID token, and
Guacamole is sending you back to Keycloak to get a new token, this means
that Guacamole is unable to verify the token provided by Keycloak. If the
token appears to be invalid, Guacamole redirects you back to the IdP with
the expectation that the token is just stale and you will be sent back with
a valid token.

> I see in JIRA:
>
> https://issues.apache.org/jira/browse/GUACAMOLE-560
>
> So is it possible for it to work with Keycloak currently? Or is it broken
> for now?
>

It's not broken and should work. The JIRA issue you point to deals with
adding support for the optional "state" request parameter that Okta's
OpenID implementation requires. If Keycloak is sending you back to
Guacamole with an ID token, then it has accepted the authentication request
and verified your identity. If it required the "state" parameter, it would
have rejected the request for authentication and would not have sent you
back with a token.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>.
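A small diagnostic for the failure mode in this thread, added here as an example; it is not code from the Guacamole project or from any of the posters. It reads the openid-* keys of a guacamole.properties file with the same rules java.util.Properties applies (whitespace before the value is dropped, whitespace after it is kept), decodes the claims of an ID token without verifying its signature, and reports every mismatch between the token's iss, aud and exp claims and the configured openid-issuer, openid-client-id and openid-allowed-clock-skew. Each of those mismatches is a reason for Guacamole to reject the token and redirect back to the IdP, which is the loop Mike Jumper describes above; the trailing-space case is the one quegu eventually found. The properties text and the alg=none token below are constructed sample inputs, the hostnames reuse the example ones from the thread, and the 30-second fallback for a missing openid-allowed-clock-skew key is an assumption of this script, not a statement about Guacamole's defaults.

```python
"""Spot why Guacamole might reject an OpenID Connect ID token.

Constructed diagnostic, not Guacamole code. The token payload is decoded
WITHOUT signature verification: this is for reading claims during
troubleshooting only and must never be used to accept a login.
"""
import base64
import json
import re
import time


def parse_properties(text):
    """Parse a Java-style .properties file into a dict.

    Rules that matter here: a key ends at the first whitespace, ':' or '=';
    whitespace and at most one separator before the value are skipped;
    everything after that, INCLUDING trailing whitespace, is the value.
    '#'/'!' comments, blank lines and backslash continuations are handled.
    """
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].lstrip()
        i += 1
        if not line or line[0] in "#!":
            continue
        while line.endswith("\\") and i < len(lines):  # continuation line
            line = line[:-1] + lines[i].lstrip()
            i += 1
        m = re.match(r"([^\s:=]+)\s*[:=]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def decode_jwt_payload(token):
    """Return the claims of a compact JWS as a dict. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token(props, token, now=None):
    """List the reasons this token would not match the configured openid-* values.

    An empty list means issuer, audience and validity window all line up.
    repr() is used in the messages so a stray space, tab or NBSP is visible.
    """
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    problems = []

    issuer = props.get("openid-issuer", "")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != openid-issuer {issuer!r}")
    if issuer != issuer.strip():
        problems.append(f"openid-issuer has surrounding whitespace: {issuer!r}")

    client_id = props.get("openid-client-id", "")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append(f"aud {aud!r} does not contain openid-client-id {client_id!r}")

    skew = int(props.get("openid-allowed-clock-skew", "30"))  # 30 s: assumed fallback
    exp = claims.get("exp")
    if exp is not None and now > exp + skew:
        problems.append(f"token expired: exp={exp}, now={int(now)}, skew={skew}s")
    nbf = claims.get("nbf", claims.get("iat"))
    if nbf is not None and now + skew < nbf:
        problems.append(f"token not yet valid: nbf/iat={nbf}, now={int(now)}, skew={skew}s")
    return problems


def make_unsigned_token(claims):
    """Build an alg=none JWT for the demo only; real IdPs sign their tokens."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


# Constructed sample config: same keys as in the thread, with three stray
# spaces after the issuer, i.e. the copy/paste error that caused the loop.
BAD_PROPERTIES = (
    "# OpenIDC properties\n"
    "openid-authorization-endpoint: https://auth.example.com/auth/realms/demo/protocol/openid-connect/auth\n"
    "openid-client-id: guacamole\n"
    "openid-issuer: https://auth.example.com/auth/realms/demo   \n"
    "openid-allowed-clock-skew: 500\n"
)
GOOD_PROPERTIES = BAD_PROPERTIES.replace("/demo   \n", "/demo\n")

# Constructed sample claims, shaped like a Keycloak ID token for this realm.
SAMPLE_CLAIMS = {
    "iss": "https://auth.example.com/auth/realms/demo",
    "aud": "guacamole",
    "iat": 1_700_000_000,
    "exp": 1_700_000_600,
    "preferred_username": "alice",
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    for name, text in (("bad", BAD_PROPERTIES), ("fixed", GOOD_PROPERTIES)):
        found = check_id_token(parse_properties(text), SAMPLE_TOKEN, now=1_700_000_100)
        print(name, found or "OK")
```

Against the real deployment, read guacamole.properties from disk and paste the id_token fragment out of the looping redirect URL in place of SAMPLE_TOKEN; the repr() output makes an invisible trailing character obvious where the log line in the thread, which prints both issuer strings identically, does not.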