Posted to issues@guacamole.apache.org by "Salatiel Filho (Jira)" <ji...@apache.org> on 2021/05/14 17:29:00 UTC

[jira] [Created] (GUACAMOLE-1348) Guacamole OIDC can not login if 403 custom error page is sent by the frontend

Salatiel Filho created GUACAMOLE-1348:
-----------------------------------------

             Summary: Guacamole OIDC can not login if 403 custom error page is sent by the frontend
                 Key: GUACAMOLE-1348
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1348
             Project: Guacamole
          Issue Type: Bug
          Components: guacamole, guacamole-auth-openid
    Affects Versions: 1.3.0
            Reporter: Salatiel Filho


If one sets Guacamole (1.3.0 container) to authenticate using OIDC, but there is an external frontend that returns nice custom error pages for HTTP code 403, you will not be able to be redirected to the OIDC.

In my setup I have a k8s ingress globally configured to return customized error pages in case of 403, 404, 500, 502 HTTP error codes (the code is still sent correctly, just the page content will be different). When I try to access Guacamole, I get this in the browser:

 
{code:java}
Error : An error has occurred and this action cannot be completed. If
the problem persists, please notify your system administrator or check
your system logs.
{code}
 

Container logs show:
{code:java}
[http-nio-8080-exec-2] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt
[http-nio-8080-exec-2] DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Invalid login.
{code}
 

 

 

If I override the Guacamole ingress to not touch the 403 custom error page, I am correctly redirected to the OIDC (Keycloak in my case).

 
{code:java}
# override global custom errors removing the 403 from the list
nginx.ingress.kubernetes.io/custom-http-errors: 404,500,503

{code}
 

Apparently Guacamole *requires* that the 403 message returns the JSON:

{"message":"Invalid login.","translatableMessage":...,"translatableMessage":\{"key":"LOGIN.INFO_OID_PENDING_REDIRECT","variables":null}}],"type":"INVALID_CREDENTIALS"}

 

If this is not considered a bug, I think it could be someplace in the documentation.

 

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
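
Added example, not part of the original report and not Guacamole or ingress-nginx code: a small check for the condition the report describes, i.e. whether a frontend's custom-http-errors list covers 403 and whether a 403 body seen by the browser is still the JSON quoted above or has been replaced. The function names and both sample bodies are constructed for illustration; only the "type" value and the message key come from the report's fragment, and the field holding the elided part of that fragment is a labelled placeholder.

```python
import json

# Values copied from the JSON fragment quoted in the report.
EXPECTED_TYPE = "INVALID_CREDENTIALS"
REDIRECT_KEY = "LOGIN.INFO_OID_PENDING_REDIRECT"


def intercepted_codes(annotation_value):
    """Parse a custom-http-errors annotation value into a set of status codes."""
    return {int(tok) for tok in annotation_value.split(",") if tok.strip().isdigit()}


def _contains_key(node, wanted):
    """Recursively look for a {"key": wanted} entry anywhere in decoded JSON."""
    if isinstance(node, dict):
        if node.get("key") == wanted:
            return True
        return any(_contains_key(v, wanted) for v in node.values())
    if isinstance(node, list):
        return any(_contains_key(v, wanted) for v in node)
    return False


def classify_403(status, body):
    """Say whether a response still carries the JSON error the report quotes."""
    if status != 403:
        return "not-a-403"
    try:
        data = json.loads(body)
    except ValueError:
        return "body-replaced"  # e.g. an HTML error page from the frontend
    if not isinstance(data, dict) or data.get("type") != EXPECTED_TYPE:
        return "body-replaced"
    if _contains_key(data, REDIRECT_KEY):
        return "oidc-redirect-pending"
    return "invalid-credentials"


# Constructed sample bodies (hypothetical, not captured traffic).
SAMPLE_JSON_403 = json.dumps({
    "message": "Invalid login.",
    "placeholder_for_elided_part": [
        {"translatableMessage": {"key": REDIRECT_KEY, "variables": None}}
    ],
    "type": EXPECTED_TYPE,
})
SAMPLE_HTML_403 = "<html><body><h1>403 Forbidden</h1></body></html>"

if __name__ == "__main__":
    print(403 in intercepted_codes("403,404,500,502"))  # global setting
    print(403 in intercepted_codes("404,500,503"))      # per-ingress override
    print(classify_403(403, SAMPLE_JSON_403), classify_403(403, SAMPLE_HTML_403))
```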