[ https://issues.apache.org/jira/browse/GUACAMOLE-1773?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17712483#comment-17712483 ]
Mike Jumper commented on GUACAMOLE-1773:
----------------------------------------
This doesn't look like something wrong with Guacamole itself, but something not
quite right with the configuration. The logs report:
{code:none}
15:46:25.708 [http-nio-8080-exec-5] INFO o.a.g.a.o.t.TokenValidationService -
Rejected invalid OpenID token: JWT processing failed. Additional details: [[17]
Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException:
Unable to find a suitable verification key for JWS w/ header
{"alg":"RS256","kid":"38e6d6414add281da3472362a82d6b29","typ":"JWT"} due to an
unexpected exception (java.io.IOException: Non 200 status code (403 Forbidden)
returned from https://authentik.ourcoolhive.com/application/o/guacamole/jwks/)
while obtaining or using keys from JWKS endpoint at
https://authentik.ourcoolhive.com/application/o/guacamole/jwks/):
JsonWebSignature{"alg":"RS256","kid":"38e6d6414add281da3472362a82d6b29","typ":"JWT"}->...snip...]
15:46:25.709 [http-nio-8080-exec-5] DEBUG o.a.g.a.o.t.TokenValidationService -
Invalid JWT received.
org.jose4j.jwt.consumer.InvalidJwtException: JWT processing failed. Additional
details: [[17] Unable to process JOSE object (cause:
org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable
verification key for JWS w/ header
{"alg":"RS256","kid":"38e6d6414add281da3472362a82d6b29","typ":"JWT"} due to an
unexpected exception (java.io.IOException: Non 200 status code (403 Forbidden)
returned from https://authentik.ourcoolhive.com/application/o/guacamole/jwks/)
while obtaining or using keys from JWKS endpoint at
https://authentik.ourcoolhive.com/application/o/guacamole/jwks/):
JsonWebSignature{"alg":"RS256","kid":"38e6d6414add281da3472362a82d6b29","typ":"JWT"}->...snip...]
at
org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:264)
at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:426)
...
{code}
From above:
{quote}
Non 200 status code (403 Forbidden) returned from
https://authentik.ourcoolhive.com/application/o/guacamole/jwks/) while
obtaining or using keys from JWKS endpoint at
https://authentik.ourcoolhive.com/application/o/guacamole/jwks/
{quote}
It looks like your IdP is not allowing keys to be retrieved.
> OpenID Login Stopped Working With 1.5.0
> ---------------------------------------
>
> Key: GUACAMOLE-1773
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1773
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-openid, guacamole-docker
> Affects Versions: 1.5.0, 1.5.1
> Reporter: Jason Bean
> Priority: Major
> Attachments: catalina.out
>
>
> Since upgrading from 1.4.0 to 1.5.0 and now 1.5.1 my OpenID configuration
> with Authentik stopped working. If I downgrade to 1.4.0 it starts working
> again. I've attached the output from Tomcat. The exception it gets seems to
> be related to the jwks response but since this works fine from 1.4.0 I can
> only assume there's something wrong with the request being sent from 1.5.0.
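The failure identified in the comment above, as an added Python example (not from the Jira thread or the Guacamole code base): it separates "the JWKS endpoint refused the request" from "the endpoint answered but does not publish the token's kid". The function names and the sample token are constructed for illustration; the header values are the ones shown in the log.

```python
import base64, json, urllib.error, urllib.request

# JOSE header copied from the log above; the token wrapped around it is constructed.
HEADER = {"alg": "RS256", "kid": "38e6d6414add281da3472362a82d6b29", "typ": "JWT"}
SAMPLE_TOKEN = base64.urlsafe_b64encode(json.dumps(HEADER).encode()).rstrip(b"=").decode() + ".e30.c2ln"

def jwt_header(token):
    """Decode the JOSE header of a compact JWS without verifying anything."""
    segment = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def fetch_jwks(url, timeout=10):
    """GET the JWKS URL and return (status, body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def diagnose(header, status, body):
    """Say whether a verifier could resolve a key for this header from this JWKS response."""
    if status != 200:
        return f"unreachable: JWKS endpoint returned HTTP {status}, no keys can be loaded"
    try:
        keys = json.loads(body)["keys"]
    except (ValueError, KeyError, TypeError):
        return "malformed: HTTP 200 but the body is not a JWK Set"
    matches = [k for k in keys if k.get("kid") == header.get("kid")]
    if not matches:
        return f"missing-kid: {header.get('kid')} is not among the {len(keys)} published keys"
    if header.get("alg", "").startswith("RS") and matches[0].get("kty") != "RSA":
        return "wrong-type: kid matches but the key is not RSA"
    return "ok: a published key matches the token's kid and alg"

if __name__ == "__main__":
    hdr = jwt_header(SAMPLE_TOKEN)
    # Constructed responses standing in for what the IdP might return.
    print(diagnose(hdr, 403, "Forbidden"))
    print(diagnose(hdr, 200, json.dumps({"keys": [{"kid": "other", "kty": "RSA"}]})))
    print(diagnose(hdr, 200, json.dumps({"keys": [{"kid": hdr["kid"], "kty": "RSA"}]})))
```

To check a live deployment, pass the result of `fetch_jwks(<jwks-url>)` to `diagnose`, run from the same host or container as Guacamole so the request takes the same network path.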