Posted to user@guacamole.apache.org by Ferron Nijland - Switch IT Solutions <f....@switch.nl> on 2018/02/05 08:41:20 UTC

OpenID

Hello Everyone,
I'm very pleased to see that the OpenID mechanism is implemented.
I've copied the extension to the extension folder (Catalina logs show it's loaded).
In my guacamole.properties I've the following lines for OpenID:
openid-authorization-endpoint: https://login.microsoftonline.com/75f7be0b-9c85-4006-bdcd-311ad74301a06/oauth2/authorize
openid-jwks-endpoint: https://login.microsoftonline.com/common/discovery/keys
openid-issuer: https://sts.windows.net/75f7be0b-9c85-4006-bdcd-311ad74301a06/
openid-client-id: db0b3b3d-2570-4301-9adb3-bfbf59234568
openid-redirect-uri: http://10.70.212.41:8080/guacamole
I'm missing the openid-client-secret attribute to authenticate. Is it not yet documented or implemented?
When a user wants to authenticate using the OpenID extension should they access another URL (than the default guacamole url) or is guacamole always trying to authenticate using SSO?

- Ferron Nijland




Re: OpenID

Posted by Mike Jumper <mi...@guac-dev.org>.
On Mon, Feb 5, 2018 at 6:05 AM, Nick Couchman <vn...@apache.org> wrote:

>
>> I’m missing the openid-client-secret attribute to authenticate. Is it not
>> yet documented or implemented?
>>
> There is no openid-client-secret attribute - either implemented or
> documented. Do you know that Microsoft is actually implementing OpenID, or
> is it some other OAuth implementation?
>

The OpenID Connect extension for Guacamole implements the "implicit flow".
I believe the use of a client secret is specific to the "authorization
flow" of OpenID Connect, which is not used in this case.

- Mike

Re: OpenID

Posted by Nick Couchman <vn...@apache.org>.
> I’m missing the openid-client-secret attribute to authenticate. Is it not
> yet documented or implemented?
>
There is no openid-client-secret attribute - either implemented or
documented. Do you know that Microsoft is actually implementing OpenID, or
is it some other OAuth implementation?


> When a user wants to authenticate using the OpenID extension should they
> access another URL (than the default guacamole url) or is guacamole always
> trying to authenticate using SSO?
>
When a user wants to log in to Guacamole via any SSO module, including
OpenID, they should go to the Guacamole URL and then the SSO module will
redirect to the SSO login or verification page, which will then redirect
back to Guacamole after SSO authentication succeeds.

-Nick
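
Added example, not part of the original thread and not Guacamole's own code: a Python sketch of the implicit-flow exchange discussed above, using the properties from the first message, showing that the authentication request carries no client secret and which ID token claims tie the response back to the request. The function names, the "openid" scope value and the claim checks (taken from OpenID Connect Core) are assumptions for illustration; signature verification against the JWKS endpoint is required before these checks and is not shown.

```python
import secrets
import time
from urllib.parse import urlencode

# The guacamole.properties lines quoted in the first message of this thread.
PROPERTIES = """\
openid-authorization-endpoint: https://login.microsoftonline.com/75f7be0b-9c85-4006-bdcd-311ad74301a06/oauth2/authorize
openid-jwks-endpoint: https://login.microsoftonline.com/common/discovery/keys
openid-issuer: https://sts.windows.net/75f7be0b-9c85-4006-bdcd-311ad74301a06/
openid-client-id: db0b3b3d-2570-4301-9adb3-bfbf59234568
openid-redirect-uri: http://10.70.212.41:8080/guacamole
"""

def load_properties(text):
    """Parse 'key: value' lines, splitting on the first colon only."""
    pairs = (line.partition(":") for line in text.splitlines() if line.strip())
    return {key.strip(): value.strip() for key, _, value in pairs}

def build_auth_request(props, nonce):
    """Implicit-flow request: the ID token comes back in the redirect, no secret is sent."""
    query = urlencode({
        "response_type": "id_token",   # implicit flow, ID token only
        "scope": "openid",             # assumed minimal scope
        "client_id": props["openid-client-id"],
        "redirect_uri": props["openid-redirect-uri"],
        "nonce": nonce,                # required in the implicit flow
    })
    return props["openid-authorization-endpoint"] + "?" + query

def check_claims(claims, props, expected_nonce, now=None):
    """Claim checks to run only after the token signature has been verified."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    problems = []
    if claims.get("iss") != props["openid-issuer"]:
        problems.append("issuer mismatch")
    if props["openid-client-id"] not in audiences:
        problems.append("audience mismatch")
    if not secrets.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        problems.append("nonce mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

if __name__ == "__main__":
    props = load_properties(PROPERTIES)
    print(build_auth_request(props, secrets.token_urlsafe(16)))  # fresh nonce per login
```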