Posted to issues@guacamole.apache.org by "Alexander J. Lallier (JIRA)" <ji...@apache.org> on 2019/06/03 12:21:00 UTC

[jira] [Commented] (GUACAMOLE-805) OpenID authentication may redirect to IDP in a loop

    [ https://issues.apache.org/jira/browse/GUACAMOLE-805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16854530#comment-16854530 ] 

Alexander J. Lallier commented on GUACAMOLE-805:
------------------------------------------------

I'm uninformed and ignorant of the release schedules on Guacamole, but I see this fix is slated for 1.2.0. When is this planned to be released? I'm asking because I am unable to use OpenID because of this bug in current versions. This wouldn't get pushed up to a patch version at all?

> OpenID authentication may redirect to IDP in a loop
> ---------------------------------------------------
>
>                 Key: GUACAMOLE-805
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-805
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-openid
>    Affects Versions: 0.9.14, 1.0.0, 1.1.0
>            Reporter: Michael Jumper
>            Assignee: Michael Jumper
>            Priority: Minor
>             Fix For: 1.2.0
>
>
> As reported on the mailing list, there exist cases where Guacamole's OpenID support will redirect the user back to the IDP in a loop, despite the OpenID support being correctly configured and the IDP behaving correctly:
> * [Guacamole & OpenID|https://lists.apache.org/thread.html/cc0a9300086c55e25d59d73d025d6e0be07b42cc8903f4de1c1b48a5@%3Cuser.guacamole.apache.org%3E] (2018-12-06)
> * [Looping with Guacamole+Keycloak|https://lists.apache.org/thread.html/ef096a1e558b97c5f49fce0cdccaf97581e0c2344b799bdfd5984486@%3Cuser.guacamole.apache.org%3E] (2019-05-29)
> This is because the current implementation of Guacamole support for OpenID assumes that the {{id_token}} parameter provided by the IDP will be the _first_ parameter in the URL, which is not guaranteed to be the case. If the IDP includes the {{id_token}} parameter elsewhere in the parameter list, the client erroneously redirects the user back to the IDP to obtain the {{id_token}} parameter that it believes is absent. This produces a redirect loop, with both the client and the IDP redirecting the user to each other.



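The ordering assumption described in the issue, as an added example that is not code from the issue or from the Guacamole code base: a position-dependent check for {{id_token}} next to an order-independent one, run over constructed IDP responses. The function names, the example.net URLs and the token values are hypothetical, and the parameters are assumed to arrive in the URL fragment as in the OpenID Connect implicit flow.

```javascript
// Added example: hypothetical function names, constructed URLs and token values.

// Position-dependent check: finds id_token only when it is the FIRST
// fragment parameter, which is the assumption the issue describes.
function idTokenIfFirst(url) {
    const match = /^#id_token=([^&]*)/.exec(new URL(url).hash);
    return match ? decodeURIComponent(match[1]) : null;
}

// Order-independent check: parses the whole fragment as a parameter list
// and looks the parameter up by its exact name, wherever it appears.
function idTokenAnywhere(url) {
    const fragment = new URL(url).hash.replace(/^#/, '');
    const token = new URLSearchParams(fragment).get('id_token');
    return token ? token : null;
}

// What the client does with a response: authenticate when a token is
// found, otherwise send the user back to the IDP.
function nextStep(url, extract) {
    return extract(url) === null ? 'redirect-to-idp' : 'authenticate';
}

// Counts redirects when the IDP answers every request with the same
// (correct) response; reaching `limit` means the exchange never ends.
function roundTrips(responseUrl, extract, limit) {
    let hops = 0;
    while (hops < limit && nextStep(responseUrl, extract) === 'redirect-to-idp') {
        hops++;
    }
    return hops;
}

// Constructed IDP responses: same parameters, different order.
const TOKEN_FIRST = 'https://guac.example.net/guacamole/#id_token=eyJhbGciOi.constructed.sig&state=abc';
const TOKEN_LATER = 'https://guac.example.net/guacamole/#state=abc&session_state=xyz&id_token=eyJhbGciOi.constructed.sig';
const LOOKALIKE   = 'https://guac.example.net/guacamole/#state=abc&xid_token=not-a-token';

console.log(roundTrips(TOKEN_LATER, idTokenIfFirst, 5));   // loops until the limit
console.log(roundTrips(TOKEN_LATER, idTokenAnywhere, 5));  // authenticates at once
```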