Hello, I am trying to adapt Guacamole with Keycloak using guacamole-auth-openid-1.0.0.jar. My current settings in Guacamole properties are:
Guacamole Properties:

openid-authorization-endpoint: http://10.0.2.4:8080/auth/realms/Guacamole-Client/protocol/openid-connect/auth
openid-jwks-endpoint: http://10.0.2.4:8080/auth/realms/Guacamole-Client/protocol/openid-connect/certs
openid-issuer: http://10.0.2.4:8080/auth/realms/Guacamole-Client
openid-client-id: Guacamole
openid-redirect-uri: http://10.0.2.6:8080/guacamole/

I have also renamed the guacamole-auth-openid module in order for it to load first.

In Keycloak I have created a client for Guacamole according to the above settings:

Client ID: Guacamole
Access Type: public
Standard Flow Enabled: Off
Implicit Flow Enabled: On
Direct Access Grants Enabled: Off
Authorization Enabled: Off
Valid Redirect URIs: http://10.0.2.6:8080/guacamole/*
Base URL: http://10.0.2.6:8080/guacamole/

So far, when I try to access Guacamole I get the Keycloak login screen, so the OpenID module seems to work fine. When I enter the user's credentials in Keycloak and press login, I get into a redirect loop. In this loop Keycloak is trying to do a POST request to Guacamole and I keep getting an invalid login response. More specifically, the content of the response is:

,\"expected\":[{\"name\":\"id_token\",\"type\":\"GUAC_OPENID_TOKEN\",\"authorizationURI\":\"http://10.0.2.7:8080/auth/realms/nodejs-example/protocol/openid-connect/auth?scope=openid+profile&response_type=id_token&client_id=Guacamole&redirect_uri=http%3A%2F%2F10.0.2.6%3A8080%2Fguacamole%2F%23%2F&nonce=4797kjoq9jdccrgboupkpv9sau\"}]

There is also another thread in this mailing list about this loop, but no one gave a clear answer (http://mail-archives.apache.org/mod_mbox/guacamole-user/201802.mbox/%[email protected]%3E).

After reading a bit about Guacamole, I tried to send credentials with different names using Keycloak mappers and even changed the openid-username-claim-type in the Guacamole properties, but I still haven't managed to solve this problem.

Also, I don't know if the user must be in the Guacamole Postgres database before the login from OpenID.

Thank you for your time,
Konstantinos
