[ https://issues.apache.org/jira/browse/GUACAMOLE-1923?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mike Wyatt updated GUACAMOLE-1923:
----------------------------------
Description:
I'm trying to get my existing Guacamole installation working with OpenID. I've
got everything working correctly, but Guacamole is not requesting the `groups`
scope.
Here are the relevant environment variables from my docker-compose.yml:
```
environment:
- GUACD_HOSTNAME=${COMPOSE_PROJECT_NAME}-guacd-1
- POSTGRESQL_HOSTNAME=${COMPOSE_PROJECT_NAME}-postgres-1
- POSTGRESQL_DATABASE=postgres
- POSTGRESQL_USER=postgres
- POSTGRESQL_PASSWORD=postgres
- POSTGRESQL_AUTO_CREATE_ACCOUNTS=true
- OPENID_AUTHORIZATION_ENDPOINT=https://auth.${HOMELAB_BASE_DOMAIN}/api/oidc/authorization?state=1234abcedfdhf
- OPENID_JWKS_ENDPOINT=https://auth.${HOMELAB_BASE_DOMAIN}/jwks.json
- OPENID_ISSUER=https://auth.${HOMELAB_BASE_DOMAIN}
- OPENID_CLIENT_ID=guacamole
- OPENID_REDIRECT_URI=https://remote-desktop-gateway.${HOMELAB_BASE_DOMAIN}
- OPENID_USERNAME_CLAIM_TYPE=preferred_username
- OPENID_GROUPS_CLAIM_TYPE=groups
- OPENID_SCOPE=openid profile groups email
```
You can see the last line is setting `OPENID_SCOPE`; however, the generated
`guacamole.properties` does not contain `openid-scope`:
```
guacamole@78282607ee6c:/opt/guacamole$ cat /home/guacamole/.guacamole/guacamole.properties
# guacamole.properties - generated Thu Feb 8 07:05:31 AM UTC 2024
guacd-hostname: remote-desktop-gateway-guacd-1
guacd-port: 4822
postgresql-username: postgres
postgresql-password: postgres
postgresql-database: postgres
postgresql-hostname: remote-desktop-gateway-postgres-1
postgresql-port: 5432
postgresql-auto-create-accounts: true
openid-authorization-endpoint: https://auth.example.com/api/oidc/authorization?state=1234abcedfdhf
openid-jwks-endpoint: https://auth. example.com/jwks.json
openid-issuer: https://auth. example.com
openid-client-id: guacamole
openid-redirect-uri: https://remote-desktop-gateway. example.com
openid-username-claim-type: preferred_username
openid-groups-claim-type: groups
```
was:
I'm trying to get my existing Guacamole installation working with OpenID. I've
got everything working correctly, but Guacamole is not requesting the `groups`
scope.
Here are the relevant environment variables from my docker-compose.yml:
```
environment:
- GUACD_HOSTNAME=${COMPOSE_PROJECT_NAME}-guacd-1
- POSTGRESQL_HOSTNAME=${COMPOSE_PROJECT_NAME}-postgres-1
- POSTGRESQL_DATABASE=postgres
- POSTGRESQL_USER=postgres
- POSTGRESQL_PASSWORD=postgres
- POSTGRESQL_AUTO_CREATE_ACCOUNTS=true
- OPENID_AUTHORIZATION_ENDPOINT=https://auth.${HOMELAB_BASE_DOMAIN}/api/oidc/authorization?state=1234abcedfdhf
- OPENID_JWKS_ENDPOINT=https://auth.${HOMELAB_BASE_DOMAIN}/jwks.json
- OPENID_ISSUER=https://auth.${HOMELAB_BASE_DOMAIN}
- OPENID_CLIENT_ID=guacamole
- OPENID_REDIRECT_URI=https://remote-desktop-gateway.${HOMELAB_BASE_DOMAIN}
- OPENID_USERNAME_CLAIM_TYPE=preferred_username
- OPENID_GROUPS_CLAIM_TYPE=groups
- OPENID_SCOPE=openid profile groups email
```
You can see the last line is setting `OPENID_SCOPE`; however, the generated
`guacamole.properties` does not contain `openid-scope`:
```
guacamole@78282607ee6c:/opt/guacamole$ cat /home/guacamole/.guacamole/guacamole.properties
# guacamole.properties - generated Thu Feb 8 07:05:31 AM UTC 2024
guacd-hostname: remote-desktop-gateway-guacd-1
guacd-port: 4822
postgresql-username: postgres
postgresql-password: postgres
postgresql-database: postgres
postgresql-hostname: remote-desktop-gateway-postgres-1
postgresql-port: 5432
postgresql-auto-create-accounts: true
openid-authorization-endpoint: https://auth.example.com/api/oidc/authorization?state=1234abcedfdhf
openid-jwks-endpoint: https://auth. example.com/jwks.json
openid-issuer: https://auth. example.com
openid-client-id: guacamole
openid-redirect-uri: https://remote-desktop-gateway. example.com
openid-username-claim-type: preferred_username
openid-groups-claim-type: groups
```
> `OPENID_SCOPE` environment variable in Docker not working
> ---------------------------------------------------------
>
> Key: GUACAMOLE-1923
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1923
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-openid
> Affects Versions: 1.5.4
> Environment: Docker
> Reporter: Mike Wyatt
> Priority: Minor
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
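
A check for the symptom reported above, as an added example that is not part of the original message or the Guacamole project: it lists `OPENID_*` variables that have no matching key in the generated `guacamole.properties`. The name mapping (lowercase, `_` to `-`) is an assumption inferred from the pairs visible in the report, and the sample data is constructed from the report's values.

```shell
#!/bin/sh
# Added example: list OPENID_* variables that have no matching key in a
# generated guacamole.properties. The NAME -> name mapping (lowercase,
# "_" to "-") is an assumption inferred from the pairs shown in the report.

# missing_openid_props ENV_FILE PROPS_FILE
# ENV_FILE holds NAME=value lines (for example, saved output of `env`).
missing_openid_props() {
    env_file=$1
    props_file=$2
    grep '^OPENID_[A-Z0-9_]*=' "$env_file" | cut -d= -f1 | sort -u |
    while IFS= read -r name; do
        key=$(printf '%s' "$name" | tr 'A-Z_' 'a-z-')
        # A property line is "key: value" (":" or "=" as separator).
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*[:=]" "$props_file"; then
            printf '%s\n' "$key"
        fi
    done
}

# Constructed sample data, based on the values in the report.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/env" <<'EOF'
GUACD_HOSTNAME=remote-desktop-gateway-guacd-1
OPENID_ISSUER=https://auth.example.com
OPENID_CLIENT_ID=guacamole
OPENID_USERNAME_CLAIM_TYPE=preferred_username
OPENID_GROUPS_CLAIM_TYPE=groups
OPENID_SCOPE=openid profile groups email
EOF
    cat > "$tmp/props" <<'EOF'
guacd-hostname: remote-desktop-gateway-guacd-1
openid-issuer: https://auth.example.com
openid-client-id: guacamole
openid-username-claim-type: preferred_username
openid-groups-claim-type: groups
EOF
    missing_openid_props "$tmp/env" "$tmp/props"
    rm -rf "$tmp"
}

demo
```

Inside the container, save the output of `env` to a file and pass it together with `/home/guacamole/.guacamole/guacamole.properties`; any key printed was set in the environment but never reached the properties file.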