[ https://issues.apache.org/jira/browse/GUACAMOLE-210?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Jumper resolved GUACAMOLE-210.
--------------------------------------
    Resolution: Done

Documented!

> Add support for SSO via OpenID Connect
> --------------------------------------
>
>                 Key: GUACAMOLE-210
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-210
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole-client
>            Reporter: Michael Jumper
>            Assignee: Michael Jumper
>             Fix For: 0.9.14
>
>
> {panel:bgColor=#FFFFEE}
> *The description of this issue was copied from [GUAC-1485|https://glyptodon.org/jira/browse/GUAC-1485], an issue in the JIRA instance used by the Guacamole project prior to its acceptance into the Apache Incubator.*
> Comments, attachments, related issues, and history from prior to acceptance *have not been copied* and can be found instead at the original issue.
> {panel}
>
> It would be nice if Guacamole had an OAuth2 authentication plugin. OAuth2 is widespread in web technologies and Guacamole deserves to have its own implementation of the protocol.
>
> My company had this use case, and for now we are using a custom authentication plugin because implementing a generic OAuth2-compatible Guacamole authentication plugin presents some difficulties.
>
> h1. RedirectURI doesn't work because of Angular anchor system
>
> OAuth2 requires clients (Guacamole in our case) to register a redirect URI so that the OAuth2 server can call back the application when the user has been identified (or rejected) on its side. It also passes along some information, like tokens or the reason for failure, as part of the URL. If we set the Guacamole index URL as the redirect URI, then this data never gets passed along to the authentication plugin.
>
> Such a redirect URI cannot contain a pound sign (#), because in a URI this sign is a delimiter after which data is not sent to the server in the HTTP request. In the case of Guacamole, the Angular frontend uses that local URI data to determine which page to display.
>
> Angular's behavior cannot easily be turned off; doing so would require heavier code changes and cause incompatibility with older browsers.
>
> h1. Retrieving the connection list on authentication
>
> The connection list is retrieved at user login. It doesn't make sense to expect the OAuth server to provide such a list, as it would not be generic enough.
>
> Fortunately, connection lists get merged between authentication plugins, and this OAuth plugin could be paired with another one whose only goal would be to provide the connection list.
>
> h1. Token invalidation
>
> Upon successful authentication, the OAuth2 server will issue an auth token.
>
> First, this token needs to be invalidated by Guacamole when the user explicitly disconnects.
>
> Second, there is no way for Guacamole to know if a stored auth token is still valid, leaving the user free to keep using their Guacamole session even though the token has expired.
>
> I am just leaving these thoughts here so the Guacamole community can start a discussion on this matter.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
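The redirect-URI problem and the token-expiry question raised in the issue description, as an added Python example that is not part of the issue or of Guacamole's code. The callback URLs (placeholder host `guac.example`) and the unsigned sample token are constructed for illustration.

```python
import base64
import json
import time
from urllib.parse import urlsplit, parse_qs


def params_seen_by_server(callback_url):
    """Callback parameters that actually reach the server.

    Browsers never transmit the part of a URL after '#', so parameters the
    provider appends behind an Angular fragment route ('#/?code=...') stay
    in the browser; only query-string parameters arrive at the plugin.
    """
    return {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}


def params_kept_in_browser(callback_url):
    """Callback parameters stranded in the fragment (client side only)."""
    fragment_query = urlsplit(callback_url).fragment.partition("?")[2]
    return {k: v[0] for k, v in parse_qs(fragment_query).items()}


def make_sample_token(exp):
    """Constructed, UNSIGNED JWT-shaped token, for demonstration only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'exp': exp})}."


def token_is_expired(token, now=None):
    """Check a stored token's 'exp' claim against the current time.

    This covers only expiry: the signature must be verified before the
    claims are trusted, and 'exp' says nothing about early revocation.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["exp"] <= (time.time() if now is None else now)


if __name__ == "__main__":
    # Constructed callback URLs (placeholder host) with code/state appended.
    fragment_cb = "https://guac.example/guacamole/#/?code=abc123&state=xyz"
    query_cb = "https://guac.example/guacamole/?code=abc123&state=xyz#/"
    print(params_seen_by_server(fragment_cb), params_kept_in_browser(fragment_cb))
    print(params_seen_by_server(query_cb))
    print(token_is_expired(make_sample_token(1700000000), now=1700000001))
```

With the fragment-style callback the server-side dictionary is empty while the browser holds `code` and `state`; moving them into the query string is what lets the plugin see them.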