Posted to user@guacamole.apache.org by Joachim Lindenberg <jo...@lindenberg.one> on 2018/08/12 07:19:10 UTC

starting a specific connection via URL?

Hello,

I am wondering what is the best way to start a connection (with parameters
made available from my own authentication extension, but could be any) from
another web application. I am aware of the following approaches:

*       I can pass username & password via the URL, however I don't know how
to pass the connection identifier or whether that is available to my
authentication extension. More important, I dislike the fact that username
and password are shown by the browser in the URL, visible to anyone looking
at the screen.

*       There is an extension https://github.com/grncdr/guacamole-auth-hmac
that probably does something similar, but the code is unmaintained and I
don't know whether it works with 0.9.14+.

*       I can generate a one-time-token in my web application, retrieve the
token from the URL in my authentication extension, use it to identify user
and connection, return just that one connection to Guacamole, and rely on
the convention that Guacamole starts the connection automatically if there
is just one. Not sure what life-time the token will need – e.g. will refresh
work if the token is no longer valid?

Any options I miss out? Any obstacles I haven't seen?

Thanks & Best Regards,

Joachim


Re: starting a specific connection via URL?

Posted by Mike Jumper <mj...@apache.org>.
On Sun, Aug 12, 2018, 00:20 Joachim Lindenberg <jo...@lindenberg.one>
wrote:

> Hello,
>
> I am wondering what is the best way to start a connection (with parameters
> made available from my own authentication extension, but could be any) from
> another web application. I am aware of the following approaches:
>
> ·       I can pass username & password via the URL, however I don't know
> how to pass the connection identifier or whether that is available to my
> authentication extension. More important, I dislike the fact that username
> and password are shown by the browser in the URL, visible to anyone looking
> at the screen.
>

I wouldn't recommend this approach for the reason cited.

While Guacamole does nicely pass URL parameters through to auth, that's
best used for auth mechanisms that don't use username/password.

> ·       There is an extension https://github.com/grncdr/guacamole-auth-hmac
> that probably does something similar, but the code is unmaintained and I
> don't know whether it works with 0.9.14+.
>

Perhaps https://github.com/glyptodon/guacamole-auth-json would be a better
choice?

I wrote it some time ago for my day job when we were tasked with creating
an alternative to guacamole-auth-hmac which additionally would not expose
connection parameter details in the URL.

> ·       I can generate a one-time-token in my web application, retrieve the
> token from the URL in my authentication extension, use it to identify user
> and connection, return just that one connection to Guacamole, and rely on
> the convention that Guacamole starts the connection automatically if there
> is just one. Not sure what life-time the token will need – e.g. will
> refresh work if the token is no longer valid?
>

This would be the best approach.

You could accomplish this through writing your own extension, or through
generating temporary, encrypted JSON tokens with the extension linked above.

I would recommend using the anonymous username (just an empty string) so
the UI handles all session info as temporary and anonymous.

- Mike
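
The one-time-token approach discussed in this thread, sketched as an added example (not code from the thread or from any Guacamole extension): the web application issues a short-lived, single-use token bound to one user and one connection, and the authentication side redeems it. The `OneTimeTokenStore` name, the 30-second lifetime and the in-memory dictionary are assumptions; in a real deployment the store would have to be shared by both applications.

```python
import hashlib
import secrets
import time


class OneTimeTokenStore:
    """Issue and redeem single-use launch tokens (hypothetical helper)."""

    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self._ttl = ttl_seconds      # assumed lifetime, not a value from the thread
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # sha256(token) -> (user, connection_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a dump of the store does not yield usable tokens.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user, connection_id):
        """Web application side: call just before redirecting the browser."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + self._ttl
        self._pending[self._digest(token)] = (user, connection_id, expires_at)
        return token

    def redeem(self, token):
        """Authentication side: returns (user, connection_id), or None if the
        token is unknown, already used, malformed or expired."""
        try:
            key = self._digest(token)
        except (UnicodeEncodeError, AttributeError):
            return None
        entry = self._pending.pop(key, None)  # pop makes redemption single-use
        if entry is None:
            return None
        user, connection_id, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return user, connection_id

    def purge_expired(self):
        """Drop tokens that were issued but never redeemed; returns the count."""
        now = self._clock()
        stale = [k for k, v in self._pending.items() if now >= v[2]]
        for k in stale:
            del self._pending[k]
        return len(stale)
```

Because `redeem` consumes the token, any later request that carries the same token gets `None`, so the token in the URL is worthless once it has been used.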