Posted to issues@guacamole.apache.org by "Salatiel Filho (Jira)" <ji...@apache.org> on 2021/05/14 17:29:00 UTC
[jira] [Created] (GUACAMOLE-1348) Guacamole OIDC can not login if 403 custom error page is sent by the frontend
Salatiel Filho created GUACAMOLE-1348:
-----------------------------------------
Summary: Guacamole OIDC can not login if 403 custom error page is sent by the frontend
Key: GUACAMOLE-1348
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1348
Project: Guacamole
Issue Type: Bug
Components: guacamole, guacamole-auth-openid
Affects Versions: 1.3.0
Reporter: Salatiel Filho
If one sets Guacamole (1.3.0 container) to authenticate using OIDC, but there is an external frontend that returns nice custom error pages for HTTP code 403, you will not be able to be redirected to the OIDC.
In my setup I have k8s ingress globally configured to return customized error pages in case of 403, 404, 500, 502 HTTP error codes (the code is still sent correctly, just the page content will be different). When I try to access Guacamole, I get this in the browser:
{code:java}
Error : An error has occurred and this action cannot be completed. If
the problem persists, please notify your system administrator or check
your system logs.
{code}
Container logs show:
{code:java}
[http-nio-8080-exec-2] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt
[http-nio-8080-exec-2] DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Invalid login.
{code}
If I override the Guacamole ingress to not touch the 403 custom error page, I am correctly redirected to the OIDC (Keycloak in my case).
{code:java}
# override global custom errors removing the 403 from the list
nginx.ingress.kubernetes.io/custom-http-errors: 404,500,503
{code}
Apparently Guacamole *requires* that the 403 message returns the JSON:
{"message":"Invalid login.","translatableMessage":...,"translatableMessage":{"key":"LOGIN.INFO_OID_PENDING_REDIRECT","variables":null}}],"type":"INVALID_CREDENTIALS"}
If this is not considered a bug, I think it could be someplace in the documentation.
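Added example, not part of the original report and not Guacamole's own code: a small check an operator can run on a captured 403 response (status and body copied from the browser's network tab) to tell whether the front end replaced Guacamole's JSON error with a custom page. The function names and both sample bodies are constructed for illustration; the JSON sample carries only the fields quoted in the report, and treating "message" plus "type" as the marker of an intact body is an assumption.

```python
import json

# Constructed sample bodies (not captured traffic). The JSON one contains only
# the fields quoted in the report; a real Guacamole response carries more.
GUACAMOLE_403 = json.dumps({
    "message": "Invalid login.",
    "translatableMessage": {"key": "LOGIN.INFO_OID_PENDING_REDIRECT",
                            "variables": None},
    "type": "INVALID_CREDENTIALS",
})
CUSTOM_ERROR_PAGE = ("<html><head><title>403</title></head>"
                     "<body>Access denied</body></html>")


def _parse_object(body):
    """Return the body as a dict if it is a JSON object, else None."""
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return None
    return parsed if isinstance(parsed, dict) else None


def classify_403(status, body):
    """Return 'not-403', 'guacamole-json' or 'rewritten-by-frontend'."""
    if status != 403:
        return "not-403"
    parsed = _parse_object(body)
    # Assumption: an intact Guacamole error body is a JSON object that has
    # both "message" and "type"; anything else was replaced on the way out.
    if parsed is not None and "message" in parsed and "type" in parsed:
        return "guacamole-json"
    return "rewritten-by-frontend"


def oidc_redirect_pending(body):
    """True if the body carries the pending-redirect key quoted in the report."""
    parsed = _parse_object(body) or {}
    message = parsed.get("translatableMessage")
    return (isinstance(message, dict)
            and message.get("key") == "LOGIN.INFO_OID_PENDING_REDIRECT")


if __name__ == "__main__":
    for name, body in (("guacamole", GUACAMOLE_403), ("ingress", CUSTOM_ERROR_PAGE)):
        print(name, classify_403(403, body), oidc_redirect_pending(body))
```

A result of 'rewritten-by-frontend' on the login request points at the ingress error-page setting described in the report rather than at the OIDC configuration.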