Re: SSH issue with Ubuntu 18.04 - updated detail

2018-08-12 Thread ivanmarcus
Apologies for the brevity of my previous info - my email system is 
somewhat remote from the server instance and copy+paste wasn't working 
for some reason... I've now reversed my location; here's some more detail:


Firstly check the required packages for SSH are installed:

dpkg -l | grep -i pango
ii  libpango-1.0-0:amd64 1.40.14-1 amd64 Layout and rendering of internationalized text


dpkg -l | grep -i openssl
ii  libcurl4:amd64 7.58.0-2ubuntu3.2 amd64 easy-to-use client-side URL transfer library (OpenSSL flavour)
ii  libxmlsec1-openssl:amd64 1.2.25-1build1 amd64 Openssl engine for the XML security library
ii  openssl 1.1.0g-2ubuntu4.1 amd64 Secure Sockets Layer toolkit - cryptographic utility
ii  python3-openssl 17.5.0-1ubuntu1 all Python 3 wrapper around the OpenSSL library
ii  python3-service-identity 16.0.0-2 all Service identity verification for pyOpenSSL (Python 3 module)


dpkg -l | grep -i libssh
ii  libssh2-1:amd64 1.8.0-1 amd64 SSH2 client-side library



Then run ./configure:


root@ubuntu1804:/home/xxx/guacamole-server-0.9.14# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/x86_64-linux-gnu-ld
checking if the linker (/usr/bin/x86_64-linux-gnu-ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/x86_64-linux-gnu-ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /bin/dd
checking how to truncate binary pipes... /bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/x86_64-linux-gnu-ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking for shl_load... no
checking for shl_load in -ldld... no
checking for dlopen... no
checking for dlopen in -ldl... yes
checking whether a program can dlopen itself... yes
checking whether a statically linked 

Newbie having trouble getting RDP working

2018-08-12 Thread Rhys Ferris
Hello all,

Forgive me for any noob questions or omissions, I subscribe to a “learn it as I 
go” model.
I’m having trouble getting RDP to work on my Guacamole setup. I’m using it for 
KVM virtual machines on a bridged adapter. 
RDP works into the VM from my workstation that is not the same box as guacamole 
is running on.

Host: Ubuntu Server 18.04.1 LTS
Guest: Virtual Windows Server 2016 (VM I’m trying to RDP into)
Guacamole Version: 0.9.14
Libfreerdp-dev version: 1.1.0~git20140921.1.440916e+dfsg1-15ubuntu1

When I try to open through guacamole I get the following in the web browser:
“The remote desktop server is currently unreachable. If the problem persists, 
please notify your system administrator, or check your system logs.”

Syslog shows this:
Aug 12 20:53:49 odin guacd[4234]: Creating new client for protocol "rdp"
Aug 12 20:53:49 odin guacd[4234]: Connection ID is "
Aug 12 20:53:49 odin guacd[14988]: No security mode specified. Defaulting to RDP.
Aug 12 20:53:49 odin guacd[14988]: Resize method: none
Aug 12 20:53:49 odin guacd[14988]: User "@" joined connection "$" (1 users now present)
Aug 12 20:53:49 odin guacd[14988]: Loading keymap "base"
Aug 12 20:53:49 odin guacd[14988]: Loading keymap "en-us-qwerty"
Aug 12 20:53:49 odin guacd[14988]: Failed to load guacdr plugin. Drive redirection and printing will not work. Sound MAY not work.
Aug 12 20:53:49 odin guacd[14988]: Failed to load guacsnd alongside guacdr plugin. Sound will not work. Drive redirection and printing MAY not work.
Aug 12 20:53:52 odin guacd[14988]: Error connecting to RDP server
Aug 12 20:53:52 odin guacd[14988]: User "@" disconnected (0 users remain)
Aug 12 20:53:52 odin guacd[14988]: Last user of connection "$" disconnected
Aug 12 20:53:52 odin guacd[4234]: Connection "$" removed.

I do not show any failed attempts to connect in the event viewer. I’m looking 
in Applications and Services Logs > Microsoft > Windows > 
TerminalServices-LocalSessionsManager > Operational

My user.mapping for rdp is this:

rdp
172.16.99.162
3389
true


Use of the Google Machine found someone else with these exact errors some years 
ago and they fixed by removing the requirement for NLA on the server. Tried 
this, didn’t help.

VNC and SSH work fine.

Prerequisite check showed good for RDP before building
This is the first thing I’ve built like this. Used official documentation from 
the website.

Not sure where to go next for troubleshooting. Rebuild? I hope not. Any advice 
appreciated.

Thanks for any help.




Re: SAML 2.0 support for Apache Guacamole through CAS

2018-08-12 Thread Daniel Storey
Hi Nick,

Thanks for following this up for me! If you’d like a temporary key for F5 APM, 
please let me know and I’ll get you a 45 day temp key.

Mine is daniel.sto...@rededucation.com.  
Please email me if you’d like a temp key.

Cheers,

Daniel Storey


From: Nick Couchman 
Reply-To: "user@guacamole.apache.org" 
Date: Monday, 13 August 2018 at 4:32 am
To: "user@guacamole.apache.org" 
Subject: Re: SAML 2.0 support for Apache Guacamole through CAS

On Sat, Aug 11, 2018 at 10:20 AM Daniel Storey <daniel.sto...@rededucation.com> wrote:
Hi Nick,

Thanks for the speedy reply.

Sorry, not so speedy the second time around :-/.


I’m trying to have an F5 BIG-IP APM authenticate through to Guacamole through 
CAS, so I thought SAML was the best solution.  To my knowledge, F5 doesn’t 
support CAS natively (and I’ve done some searching, so I’m pretty confident 
this is true).

Yeah, CAS isn't really all that universally supported, unfortunately, so I 
wouldn't be surprised if F5 doesn't support it.


CAS has come in to the solution as middleware of sorts – converting the 
authentication from SAML into something Guacamole can understand (native CAS 
authentication through the CAS protocol.). My company isn’t using CAS at the 
moment – we’d be deploying it for this project only, which uses usernames and 
passwords to authenticate that are stored in the internal F5 database.  Hence 
the guy in my team recommending SAML2.0 between F5 and CAS and then Native CAS 
authentication for Guacamole, if that’s possible.


So, let me make sure I understand what you're trying to do.  You'd like to have 
users authenticate through the F5 appliance (to CAS, via SAML), and then be 
able to hit Guacamole and have the authentication into Guacamole happen 
"automagically" because you've already authenticated to the SSO server from the 
F5?

I don't know if this will work or not.  It's possible it will, if CAS is "smart 
enough" to pick up on the fact that you've already authenticated based on 
session or cookie information in the browser.  But, because it's using a 
different client protocol (SAML vs. CAS), it may not work.  I actually don't 
really know how that works out with CAS - every time I've used it I've been 
focused on either one protocol or another and not been trying it across 
protocols.  I would think the CAS server would be smart enough to figure this 
out, but I'm not sure.

I'm also not familiar with the F5 Big-IP APM, so I'm not entirely sure how it's 
doing the SSO through SAML.

If I have a chance to spin stuff up to try it out, I will, I just don't know 
how quickly I'd be able to make that happen.  I don't have a F5 APM, but it 
looks like it might be something that I can download and try out.

-Nick


Re: Guacamole web application crashes when trying to use DB auth

2018-08-12 Thread doyouhas
Sorry, not sure why my properties and log excerpt didn't show up in my
post... let's try that again

*guacamole.properties:*
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822

# MySQL properties
mysql-hostname: 192.168.56.101
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: partytime
mysql-user-required: true

*catalina[date].log*
12-Aug-2018 14:34:14.001 SEVERE [http-nio-8080-exec-4] com.sun.jersey.spi.container.ContainerResponse.logException Mapped exception to response: 500 (Internal Server Error)
 org.apache.guacamole.rest.APIException
    at org.apache.guacamole.rest.RESTExceptionWrapper.invoke(RESTExceptionWrapper.java:202)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
    at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
    at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
    at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
    at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
    at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
    at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
    at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
    at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
    at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
    at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
    at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
    at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
    at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263)
    at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178)
    at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62)
    at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
    at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:494)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)






Re: SSH issue with Ubuntu 18.04

2018-08-12 Thread ivanmarcus
Not sure if it helps but I just ran up a bare 18.04 VM, installed MySQL 
and tried that script. I note the install has a working ssh client already.


The script gave me an error saying that libssh2-1-dev is not available 
etc, and it fails. There were other errors too but that's probably the 
most pertinent.


That suggests to me there's something in the script that's looking for a 
specific version of ssh and failing when it can't find it. I've not 
looked at the script (no expert here) but perhaps it's worth 
investigating that and modifying as needed to suit 18.04?


Cheers.


On 13/08/2018 6:39 a.m., Nate Evans wrote:

I've got these two packages for libssh installed

libssh2-1/bionic,now 1.8.0-1 amd64 [installed]
libssh2-1-dev/bionic,now 1.8.0-1 amd64 [installed]

As for the version of guacd I installed Guacamole 0.9.14 using the 
MysticRyuujin install script here is a link to it. 
https://github.com/MysticRyuujin/guac-install


I've installed this successfully before without issue, but I did a new 
OS install and restored guacamole from a backup and it's had issues 
with ssh ever since. Other protocols work fine, I can RDP into my 
windows machines without issue it's only the ssh protocol that is 
having issues.


On Fri, Aug 10, 2018 at 11:26 AM Nick Couchman wrote:

On Thu, Aug 9, 2018 at 3:07 PM Nate Evans <nate...@gmail.com> wrote:

I'm having an issue connecting to my linux server using SSH in
guacamole, RDP works fine but when I try to ssh to my machine
it attempts then times out.

catalina.out has this error

[http-nio-8080-exec-5] ERROR
o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request
failed: Connection to guacd timed out.

Syslog has this error

guacd[4235]: Creating new client for protocol "ssh"
guacd[25016]: Support for protocol "ssh" is not installed

The required ssh libraries are installed, and I'm at a loss as
to why I can't ssh into my server, Can anyone help with this
issue?


Did you install the libssh2-dev package?  Also, what version of
guacd are you installing, and how are you installing it?

-Nick





Re: Guacamole web application crashes when trying to use DB auth

2018-08-12 Thread Mike Jumper
The web application is not crashing, however any errors in your config will
result in the auth process aborting, resulting in no login screen.

Your logs aren't actually in your post, so please either reattempt sending
those or post them elsewhere and send a link to that.

I recommend checking both the Tomcat logs (which may be in journalctl) and
your audit logs if your distro has SELinux. There may be additional rules
you need to add to allow the Tomcat process running guac to connect to your
database.

- Mike


On Sun, Aug 12, 2018, 12:48 doyouhas  wrote:

> Hello again,
>
> I am now dealing with some issues trying to configure database
> authentication for guacamole. I have successfully logged into the mysql
> console from the machine in question, so I know there is no networking
> errors running amuck. I created a skeletal properties file as follows:
>
>
>
>
> Once I made these changes to the properties file and restarted tomcat, I
> was greeted with a blank page when trying to access the web interface. Here
> is the relevant section from catalina[date].log
>
>
>
>
>
> My question to you fine folks is there some property I am missing which is
> causing the app to fail? I made sure to follow the docs to a tee after
> several failed attempts, I feel like I'm at the end of my java
> troubleshooting abilities. Any help would be greatly appreciated.
>
>
>
>
> --
> Sent from:
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
>


Re: SSH issue with Ubuntu 18.04

2018-08-12 Thread Nick Couchman
On Sun, Aug 12, 2018 at 2:54 PM Nate Evans  wrote:

> When you say the config setup are you talking about the install script, or
> an output from guacamole itself? If it's the latter I'm not exactly sure
> how to get that info, I looked around for commands to get that info but was
> unable to find it.
>
>>
>>
The install script - there's a step in that script that runs the
"./configure" command before the "make" and "make install" commands, and
the output from that will be useful in figuring out if it's running into
issues trying to find the libssh2 includes or library.

-Nick


Re: SSH issue with Ubuntu 18.04

2018-08-12 Thread Nate Evans
I've got these two packages for libssh installed

libssh2-1/bionic,now 1.8.0-1 amd64 [installed]
libssh2-1-dev/bionic,now 1.8.0-1 amd64 [installed]

As for the version of guacd I installed Guacamole 0.9.14 using the
MysticRyuujin install script here is a link to it.
https://github.com/MysticRyuujin/guac-install

I've installed this successfully before without issue, but I did a new OS
install and restored guacamole from a backup and it's had issues with ssh
ever since. Other protocols work fine, I can RDP into my windows machines
without issue it's only the ssh protocol that is having issues.

On Fri, Aug 10, 2018 at 11:26 AM Nick Couchman  wrote:

>
>
> On Thu, Aug 9, 2018 at 3:07 PM Nate Evans  wrote:
>
>> I'm having an issue connecting to my linux server using SSH in guacamole,
>> RDP works fine but when I try to ssh to my machine it attempts then times
>> out.
>>
>> catalina.out has this error
>>
>> [http-nio-8080-exec-5] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP
>> tunnel request failed: Connection to guacd timed out.
>>
>> Syslog has this error
>>
>> guacd[4235]: Creating new client for protocol "ssh"
>> guacd[25016]: Support for protocol "ssh" is not installed
>>
>> The required ssh libraries are installed, and I'm at a loss as to why I
>> can't ssh into my server, Can anyone help with this issue?
>>
>>
> Did you install the libssh2-dev package?  Also, what version of guacd are
> you installing, and how are you installing it?
>
> -Nick
>


Re: SAML 2.0 support for Apache Guacamole through CAS

2018-08-12 Thread Nick Couchman
On Sat, Aug 11, 2018 at 10:20 AM Daniel Storey <
daniel.sto...@rededucation.com> wrote:

> Hi Nick,
>
>
> Thanks for the speedy reply.
>

Sorry, not so speedy the second time around :-/.


>
>
> I’m trying to have an F5 BIG-IP APM authenticate through to Guacamole
> through CAS, so I thought SAML was the best solution.  To my knowledge, F5
> doesn’t support CAS natively (and I’ve done some searching, so I’m pretty
> confident this is true).
>

Yeah, CAS isn't really all that universally supported, unfortunately, so I
wouldn't be surprised if F5 doesn't support it.


>
>
> CAS has come in to the solution as middleware of sorts – converting the
> authentication from SAML into something Guacamole can understand (native
> CAS authentication through the CAS protocol.). My company isn’t using CAS
> at the moment – we’d be deploying it for this project only, which uses
> usernames and passwords to authenticate that are stored in the internal F5
> database.  Hence the guy in my team recommending SAML2.0 between F5 and CAS
> and then Native CAS authentication for Guacamole, if that’s possible.
>
>
>
So, let me make sure I understand what you're trying to do.  You'd like to
have users authenticate through the F5 appliance (to CAS, via SAML), and
then be able to hit Guacamole and have the authentication into Guacamole
happen "automagically" because you've already authenticated to the SSO
server from the F5?

I don't know if this will work or not.  It's possible it will, if CAS is
"smart enough" to pick up on the fact that you've already authenticated
based on session or cookie information in the browser.  But, because it's
using a different client protocol (SAML vs. CAS), it may not work.  I
actually don't really know how that works out with CAS - every time I've
used it I've been focused on either one protocol or another and not been
trying it across protocols.  I would think the CAS server would be smart
enough to figure this out, but I'm not sure.

I'm also not familiar with the F5 Big-IP APM, so I'm not entirely sure how
it's doing the SSO through SAML.

If I have a chance to spin stuff up to try it out, I will, I just don't
know how quickly I'd be able to make that happen.  I don't have a F5 APM,
but it looks like it might be something that I can download and try out.

-Nick


Re: starting a specific connection via URL?

2018-08-12 Thread Mike Jumper
On Sun, Aug 12, 2018, 00:20 Joachim Lindenberg wrote:

> Hello,
>
> I am wondering what is the best way to start a connection (with parameters
> made available from my own authentication extension, but could be any) from
> another web application. I am aware of the following approaches:
>
> ·   I can pass username & password via the URL, however I don't know
> how to pass the connection identifier or whether that is available to my
> authentication extension). More important, I dislike the fact that username
> and password are shown by the browser in the url, visible to anyone looking
> at the screen.
>

I wouldn't recommend this approach for the reason cited.

While Guacamole does nicely pass URL parameters through to auth, that's
best used for auth mechanisms that don't use username/password.

> ·   There is an extension https://github.com/grncdr/guacamole-auth-hmac
> that probably does something similar, but the code is unmaintained and I
> don't know whether it works with 0.9.14+.
>

Perhaps https://github.com/glyptodon/guacamole-auth-json would be a better
choice?

I wrote it some time ago for my day job when we were tasked with creating
an alternative to guacamole-auth-hmac which additionally would not expose
connection parameter details in the URL.

> ·   I can generate a one-time-token in my web application, retrieve the
> token from the URL in my authentication extension, use it to identify user
> and connection, return just that one connection to Guacamole, and rely on
> the convention that Guacamole starts the connection automatically if there
> is just one. Not sure what life-time the token will need – e.g. will
> refresh work if the token is no longer valid?
>

This would be the best approach.

You could accomplish this through writing your own extension, or through
generating temporary, encrypted JSON tokens with the extension linked above.

I would recommend using the anonymous username (just an empty string) so
the UI handles all session info as temporary and anonymous.

- Mike
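
The one-time-token approach discussed in the message above, as an added example that is not part of the original thread and is not Guacamole or guacamole-auth-json code: a single-use, short-lived token store that the launching web application writes to and the authentication side redeems. `OneTimeTokenStore`, `Grant`, `launch_url`, the `token` URL parameter and the host name are all hypothetical names chosen for illustration.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, NamedTuple, Optional, Tuple
from urllib.parse import urlencode


class Grant(NamedTuple):
    username: str       # user the launching web application authenticated
    connection_id: str  # the single connection the auth side should expose


class OneTimeTokenStore:
    """Store shared by the launching app (issue) and the auth side (redeem)."""

    def __init__(self, ttl_seconds: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        # Keyed by SHA-256 of the token, so a dump of the store holds no usable tokens.
        self._pending: Dict[str, Tuple[float, Grant]] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8", "replace")).hexdigest()

    def issue(self, username: str, connection_id: str) -> str:
        self._purge_expired()
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + self._ttl
        self._pending[self._key(token)] = (expires_at, Grant(username, connection_id))
        return token

    def redeem(self, token: str) -> Optional[Grant]:
        # pop() makes redemption single-use: a replayed or refreshed URL finds nothing.
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None
        expires_at, grant = entry
        return grant if self._clock() < expires_at else None

    def _purge_expired(self) -> None:
        now = self._clock()
        for key in [k for k, (exp, _) in self._pending.items() if now >= exp]:
            del self._pending[key]


def launch_url(base_url: str, token: str) -> str:
    # Only the opaque token goes in the URL: no username, password or connection details.
    return base_url + "?" + urlencode({"token": token})


def demo() -> dict:
    now = [0.0]  # constructed fake clock so expiry can be shown without sleeping
    store = OneTimeTokenStore(ttl_seconds=30, clock=lambda: now[0])
    first = store.issue("alice", "win2016-rdp")  # constructed sample values
    url = launch_url("https://guac.example.test/guacamole/", first)
    results = {
        "url_leaks_identity": "alice" in url or "win2016-rdp" in url,
        "first_use": store.redeem(first),
        "page_refresh": store.redeem(first),
    }
    stale = store.issue("alice", "win2016-rdp")
    now[0] += 31  # move past the 30 second lifetime
    results["after_ttl"] = store.redeem(stale)
    results["guessed"] = store.redeem("not-a-real-token")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this design a page reload that replays the token URL gets nothing back, so whatever session the first redemption creates has to carry the user from then on.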