Posted to commits@guacamole.apache.org by "Michael Jumper (JIRA)" <ji...@apache.org> on 2018/05/03 22:15:00 UTC

[jira] [Commented] (GUACAMOLE-560) Support OIDC from Okta

    [ https://issues.apache.org/jira/browse/GUACAMOLE-560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16463137#comment-16463137 ] 

Michael Jumper commented on GUACAMOLE-560:
------------------------------------------

{quote}
I'd kindly ask that state could be added as an optional parameter to the guac properties file.
{quote}

If we're going to start using the {{state}} parameter, we'll have to go all the way and fully implement that parameter. It can't just contain a pre-configured value from a config file like {{guacamole.properties}}. Though optional, if it's included in the request, the response from the server has to be correctly verified as containing the same (cryptographically generated) state value, or we'll be violating the OpenID Connect spec.

From [http://openid.net/specs/openid-connect-implicit-1_0.html]:

{quote}
... Clients MUST verify that the state value is equal to the value of state parameter in the Authorization Request.
{quote}

> Support OIDC from Okta
> ----------------------
>
>                 Key: GUACAMOLE-560
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-560
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole-auth-openid
>    Affects Versions: 0.9.14
>            Reporter: Dave Smith
>            Priority: Major
>
> {quote}i've tried to get this setup. Unfortunately it seems Okta insist (even with Single Page App (SPA)) to have state field in the POST even if (when using SPA) it's not actually used. The guacamole client just goes in a redirect loop with error in URL visible of "invalid state".
>  
> With SPA the state parameter can even be some random letters, but must be there. Using OIDCDebugger.com gleans this:{quote}
> {quote} 
> error=invalid_request
> error_description=The authentication request has an invalid 'state' parameter.
>  
> yet by adding a bunch of x's to the state parameter..
>  
> i get a much more positive response:
> state=xxxxxxxxxxxxx
> id_token=eyJraWQiOiI0NlpNbjlZZG5HQ1AxMGhDUWs5VWtvc2ljUmltTURJRDBBbVh1dWhHUUhrIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUxMDAxNnVwUzhFaENuMjJwNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9hdG9zbXBjYXdzLm9rdGEuY29tIiwiYXVkIjoiMG9hMTIzZG8weXNibFN4dUoycDciLCJpYXQiOjE1MjQ3NTQwOTUsImV4cCI6MTUyNDc1NzY5NSwianRpIjoiSUQuRmZGYzFpZlA2VG
>  
> I'd kindly ask that state could be added as an optional parameter to the guac properties file.{quote}
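Added example (not code from the Guacamole project or from anyone in this thread) of what "fully implementing" the state parameter means for a client: the value is generated per request with a CSPRNG, bound to the browser session, and the callback is accepted only if it carries the same value, compared in constant time and consumed on first use. The endpoint, client id, redirect URI and token values are constructed placeholders.

```python
# Added example (not Guacamole's code): client-side handling of the OIDC "state"
# parameter. A fixed value from guacamole.properties would not satisfy the spec;
# the value must be fresh per request and verified on the response.
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

class OidcStateStore:
    """Outstanding state values, one per browser session, expiring after ttl seconds."""
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}  # session_id -> (state, issued_at)

    def issue(self, session_id):
        state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[session_id] = (state, time.time())
        return state

    def verify_and_consume(self, session_id, returned_state):
        """True only if the returned value matches the one issued to this session."""
        entry = self._pending.pop(session_id, None)  # single use: a replay fails
        if entry is None or returned_state is None:
            return False
        expected, issued_at = entry
        if time.time() - issued_at > self.ttl:
            return False
        return hmac.compare_digest(expected, returned_state)

def build_authorization_request(store, session_id, authz_endpoint, client_id, redirect_uri):
    """Implicit-flow authorization request URL carrying a fresh state and nonce."""
    params = {
        "response_type": "id_token", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid", "state": store.issue(session_id), "nonce": secrets.token_urlsafe(16),
    }
    return authz_endpoint + "?" + urlencode(params)

def param_from_url(url, name):
    """Read a parameter from the query or the fragment (the implicit flow uses the fragment)."""
    parsed = urlparse(url)
    merged = {**parse_qs(parsed.query), **parse_qs(parsed.fragment)}
    return merged.get(name, [None])[0]

def handle_callback(store, session_id, callback_url):
    """Return the id_token only when the state check passes; None otherwise."""
    if not store.verify_and_consume(session_id, param_from_url(callback_url, "state")):
        return None
    return param_from_url(callback_url, "id_token")  # still needs signature/nonce validation
```

The id_token returned here still has to be validated (signature, issuer, audience, nonce) before it is trusted; the block only covers the state check the spec quote above requires.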



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)