Hi,

I'm currently connecting Guacamole to another application via the JSON Auth plugin to form ad-hoc connections. While implementing this, I noticed two issues that I think should be resolved:

1. The JSON Auth plugin has the functionality to specify that a given connection or configuration may only be used once via a boolean singleUse property. This property has existed for more than 5 years but is currently not documented in https://guacamole.apache.org/doc/gug/json-auth.html#json-format. Is there a reason for that, or is this an oversight?

2. When using JSON Auth to form ad-hoc connections, the straightforward way is to open a new tab with an authentication token with only one connection. The connection is then automatically opened. This works fine for the first connection. However, if the user closes the tab without logging out and tries to use a new token, the authentication token with the new connection is not parsed, as the user is still logged in. This happens even if the old token has expired, leaving the user with an empty list of connections.

The problem has also been described in the ticket GUACAMOLE-1871 from 2023. A workaround is to send "" as the username, creating an anonymous session. However, this severely restricts the information in the Guacamole connection log.

In my opinion, the best option to fix this issue would be to automatically re-authenticate/log out all users who do not have any valid connections. If a user does not have any connections, the only thing they can do is log out anyway. Combined with the singleUse property, this change would be sufficient to support the ad-hoc connections use case with usernames, as any user that logs in via JSON Auth with only one connection that is marked as single use would automatically be logged out or re-authenticated once they reload/reopen the page.

If this solution is ok, I can prepare a PR to solve GUACAMOLE-1871 this way.

Regards,

Tobias Gaisser
