On Tue, Feb 11, 2025 at 8:47 AM Röösli Marco <[email protected]> wrote:
> Hello Guacamole Community,
>
> We are currently working on a web application where users log in and
> receive a JWT token that contains information about the authenticated user.
> In our application, we want to embed Guacamole either as an iframe or as a
> button that opens a new browser tab with Guacamole.
>
> What we need is a custom authentication module that can handle this
> workflow. Specifically:
>
>    1. The custom authentication module should accept our JWT token as a
>    URL parameter (URL-encoded base64) passed from the iframe or the button.
>    2. It should validate the JWT token by checking its signature to
>    confirm its validity.
>    3. There should be a configuration file that maps the username in the
>    JWT token to a Guacamole user (note: the usernames in our web application
>    and the Guacamole usernames are not the same).
>    4. If the mapping exists, the module should log the user into Guacamole
>    automatically.
>
> The goal: If a user is already logged into our web application, they
> should not need to log in again and should directly access their Guacamole
> session.
>
> Could anyone in the community help us develop such a module? If so, what
> would the cost be?
> Alternatively, are there better ways to achieve this goal?
>

There might be better ways to achieve this - specifically, perhaps use one of the existing authentication modules :-).

What you're trying to do actually sounds a lot like what the JSON authentication module is built to do:

https://guacamole.apache.org/doc/gug/json-auth.html

Basically, the module is designed to take cryptographically signed JSON input that contains a username and some amount of connection data and automatically log the specified user into the Guacamole interface with the provided connections.

Other than that, I'd suggest looking into the SSO modules and see if any of those will work for you - OpenID Connect or SAML. If you can integrate both the application you're building and Guacamole into the SSO provider, then you can seamlessly authenticate users between the two and not have to worry about a custom authentication extension.

-Nick
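
Steps 2 to 4 of the quoted request (signature check, username mapping, login decision), sketched as an added example that is not from either poster or from the Guacamole project. It assumes HS256 tokens, a `sub` claim carrying the application username, a token already URL-decoded from the query parameter, and an inline `USER_MAP` in place of the configuration file; all names are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Assumed for illustration: HS256 tokens, a "sub" username claim, and an
# inline mapping standing in for the configuration file from step 3.
USER_MAP = {"marco.web": "guac-marco"}

class TokenRejected(Exception):
    """Raised for any token that must not result in a Guacamole login."""

def b64url_decode(part):
    try:
        return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
    except ValueError as exc:
        raise TokenRejected("malformed base64url") from exc

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_token(claims, key):
    """Build a constructed HS256 token so the example runs offline."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def guacamole_user_for(token, key, now=None):
    """Return the mapped Guacamole username, or raise TokenRejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a three-part JWT")
    head, body, sig = parts
    try:
        header = json.loads(b64url_decode(head))
    except ValueError as exc:
        raise TokenRejected("malformed header") from exc
    # Pin the algorithm: never let the token choose "none" or another scheme.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise TokenRejected("bad signature")
    claims = json.loads(b64url_decode(body))  # parsed only after the MAC checks out
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (now or time.time()):
        raise TokenRejected("expired or missing exp")
    mapped = USER_MAP.get(claims.get("sub"))
    if mapped is None:
        raise TokenRejected("no Guacamole mapping for this user")
    return mapped
```

A token carried in a URL parameter is recorded in browser history and web server logs, so a short `exp` limits how long a captured value stays usable.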
