[
https://issues.apache.org/jira/browse/GUACAMOLE-210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16038900#comment-16038900
]
Nick Couchman commented on GUACAMOLE-210:
-----------------------------------------
I'll throw a suggestion out there - maybe it makes sense to combine all of
these requests into a single "SSO" module (guacamole-auth-sso)? SAML and
OAuth2 have been requested, and I implemented a CAS module, and I would guess
that there is going to be enough overlap that we could probably have a single
module responsible for all SSO-type functionality that then implements a
handful of different classes for the specific protocols. It would also allow
for easy expansion later on.
Thoughts?
> OAuth2 authentication plugin
> ----------------------------
>
> Key: GUACAMOLE-210
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-210
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole-client
> Reporter: Michael Jumper
> Assignee: Michael Jumper
>
> {panel:bgColor=#FFFFEE}
> *The description of this issue was copied from
> [GUAC-1485|https://glyptodon.org/jira/browse/GUAC-1485], an issue in the JIRA
> instance used by the Guacamole project prior to its acceptance into the
> Apache Incubator.*
> Comments, attachments, related issues, and history from prior to acceptance
> *have not been copied* and can be found instead at the original issue.
> {panel}
> It would be nice if Guacamole had OAuth2 authentication plugin.
> OAuth2 is wide spread in web technologies and Guacamole deserves to have its
> implementation of the protocol.
> My company had this use case and for now we are using a custom authentication
> plugin because implementing a generic OAuth2 compatible Guacamole
> authentication plugin presents some difficulties.
> h1. RedirectURI doesn't work because of Angular anchor system
> OAuth2 requires clients (Guacamole in our case) to register a redirect URI so
> that the OAuth2 server could callback the application when the user has been
> identify (or rejected) on its side. It also passes along some informations
> like tokens or reason of failure as part of the URL. If we set the Guacamole
> index URL as the redirect URI then this data never get passed along to the
> authenticate plugin.
> Such redirect URI cannot contain any pound sign (#) because this sign in a
> URI is a delimiter after which data are not sent to the server on HTTP
> request. In the case of Guacamole, the Angular frontend uses those local URI
> data to determine which page to display.
> Angular behavior cannot be easilly turned off and would lead to heaver code
> changes and uncompatibility with older browser.
> h1. Retrieve to connection list on authentication
> Connection list is retrieved at user login. It doesn't make sense to expect
> the OAuth server to give such list as it would not be generic enough.
> Fortunatly, connection lists get merged between authentication plugins and
> this OAuth plugin could be paired with another one which goal would just be
> to provide the connection list.
> h1. Token invalidation
> Upon a successful authentication, the OAuth2 server will issued an auth token.
> First, this token needs to be invalidated by Guacamole when user explicitly
> disconnects.
> Second, there is no way for Guacamole to know if a stored auth token is still
> valid. Leaving the user to freely keep on using its Guacamole session even
> thought the token has expired.
> I am just leaving these though here so the Guacamole community could start an
> discussion on this matter.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
