[ https://issues.apache.org/jira/browse/GUACAMOLE-1773?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17712483#comment-17712483 ]
Mike Jumper commented on GUACAMOLE-1773:
----------------------------------------

This doesn't look like something wrong with Guacamole itself, but something not quite right with the configuration. The logs report:

{code:none}
15:46:25.708 [http-nio-8080-exec-5] INFO o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","kid":"38e6d6414add281da3472362a82d6b29","typ":"JWT"} due to an unexpected exception (java.io.IOException: Non 200 status code (403 Forbidden) returned from https://authentik.ourcoolhive.com/application/o/guacamole/jwks/) while obtaining or using keys from JWKS endpoint at https://authentik.ourcoolhive.com/application/o/guacamole/jwks/): JsonWebSignature{"alg":"RS256","kid":"38e6d6414add281da3472362a82d6b29","typ":"JWT"}->...snip...]
15:46:25.709 [http-nio-8080-exec-5] DEBUG o.a.g.a.o.t.TokenValidationService - Invalid JWT received.
org.jose4j.jwt.consumer.InvalidJwtException: JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","kid":"38e6d6414add281da3472362a82d6b29","typ":"JWT"} due to an unexpected exception (java.io.IOException: Non 200 status code (403 Forbidden) returned from https://authentik.ourcoolhive.com/application/o/guacamole/jwks/) while obtaining or using keys from JWKS endpoint at https://authentik.ourcoolhive.com/application/o/guacamole/jwks/): JsonWebSignature{"alg":"RS256","kid":"38e6d6414add281da3472362a82d6b29","typ":"JWT"}->...snip...]
	at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:264)
	at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:426)
	...
{code}

From above:

{quote}
Non 200 status code (403 Forbidden) returned from https://authentik.ourcoolhive.com/application/o/guacamole/jwks/) while obtaining or using keys from JWKS endpoint at https://authentik.ourcoolhive.com/application/o/guacamole/jwks/
{quote}

It looks like your IdP is not allowing keys to be retrieved.

> OpenID Login Stopped Working With 1.5.0
> ---------------------------------------
>
>                 Key: GUACAMOLE-1773
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1773
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-openid, guacamole-docker
>    Affects Versions: 1.5.0, 1.5.1
>            Reporter: Jason Bean
>            Priority: Major
>         Attachments: catalina.out
>
>
> Since upgrading from 1.4.0 to 1.5.0 and now 1.5.1 my OpenID configuration
> with Authentik stopped working. If I downgrade to 1.4.0 it starts working
> again. I've attached the output from Tomcat. The exception it gets seems to
> be related to the jwks response but since this works fine from 1.4.0 I can
> only assume there's something wrong with the request being sent from 1.5.0.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
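
The triage step from the comment above, as an added example that is not part of the original message and not Guacamole or jose4j code: it pulls the JWS header, the JWKS URL and the HTTP status out of a `TokenValidationService` rejection line to separate "key could not be fetched" from other rejections. The function name `triage` and the verdict strings are assumptions; the sample line is abridged from the log quoted in the comment.

```python
import json
import re

# Sample input: abridged from the log quoted in the comment (already snipped there).
SAMPLE = (
    '15:46:25.708 [http-nio-8080-exec-5] INFO o.a.g.a.o.t.TokenValidationService - '
    'Rejected invalid OpenID token: JWT processing failed. Additional details: '
    '[[17] Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: '
    'Unable to find a suitable verification key for JWS w/ header '
    '{"alg":"RS256","kid":"38e6d6414add281da3472362a82d6b29","typ":"JWT"} due to an '
    'unexpected exception (java.io.IOException: Non 200 status code (403 Forbidden) '
    'returned from https://authentik.ourcoolhive.com/application/o/guacamole/jwks/) '
    'while obtaining or using keys from JWKS endpoint at '
    'https://authentik.ourcoolhive.com/application/o/guacamole/jwks/): ...snip...]'
)

HEADER_RE = re.compile(r'JWS w/ header (\{[^{}]*\})')
HTTP_RE = re.compile(r'Non 200 status code \((\d{3}) ([^)]*)\) returned from (\S+?)\)')

def triage(line):
    """Describe why token validation failed; None if the line is not a
    TokenValidationService JWT rejection."""
    if 'TokenValidationService' not in line or 'JWT processing failed' not in line:
        return None
    result = {'alg': None, 'kid': None, 'jwks_url': None, 'http_status': None,
              'verdict': 'token rejected for a reason this parser does not classify'}
    header = HEADER_RE.search(line)
    if header:
        try:
            fields = json.loads(header.group(1))
            result['alg'], result['kid'] = fields.get('alg'), fields.get('kid')
        except ValueError:
            pass  # header text was truncated or mangled in the log
    http = HTTP_RE.search(line)
    if http:
        # The key lookup failed at the HTTP layer, so no key was available
        # to verify the token's signature.
        result['http_status'] = int(http.group(1))
        result['jwks_url'] = http.group(3)
        result['verdict'] = ('verification key could not be fetched: JWKS endpoint '
                             f'answered {http.group(1)} {http.group(2)}')
    return result

if __name__ == '__main__':
    print(json.dumps(triage(SAMPLE), indent=2))
```

A non-null `http_status` points at the IdP side (endpoint access policy, proxy or WAF rules in front of it) rather than at the token contents.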