On Tue, Nov 30, 2021 at 11:35 AM Barak, Tal <tal.ba...@honeywell.com.invalid> wrote:
> Thank you for the fast answer!
>
> Regarding the other part of my question - if and when tokens expire,
> do you know the answer by any chance?
>

Sorry about that, Tal. To answer your questions specifically and a bit more completely:

1. Is this the only way when calling REST APIs? Isn't it possible to add it to the body of the message (instead of adding it to the URL)?

Today it's the only way, but that will be fixed in the next version (it is already fixed in the Git repo, actually).

2. Isn't it a security risk? Anyone who sniffs the communication will be able to get the token this way, no?

Only from a "shoulder surfing" perspective - that is, if someone is viewing your screen, or you're sharing your screen with someone, they could potentially capture and use that token. It's one of the primary reasons we're moving it out of there. However, as long as your communication is properly secured (HTTPS), then there's no additional risk of it being intercepted. If the token itself is intercepted along the wire, then the entire session (images, keystrokes, mouse movements, and file transfers) could also be intercepted, which means your connection is fundamentally insecure. But this is true of any TCP-based communication - encryption is a must.

3. What is the life span of a token? Does it expire at some point?

Yes, they are limited to 60 minutes by default. This can be controlled via the api-session-timeout setting in guacamole.properties: http://guacamole.apache.org/doc/gug/configuring-guacamole.html#initial-setup

4. Does the product support one-use-only tokens?

This is a bit of a complicated question, because having a single-use token, in the sense that you're asking it, wouldn't really make sense. The Guacamole Client web application makes a lot of different calls to the API for various things - authentication, retrieving connection information, managing connections and users, etc., so to have a token that was literally only good for a single API call would be pretty useless - you'd get to log in, maybe see your home screen, and then you'd be kicked out. However, what I think you're looking for is more of a token that expires as soon as the connection is established, and thus the user is logged out as soon as they finish that connection. I don't know of a way to do this in the "stock" Guacamole Client, but I'm sure an extension could be implemented that would accomplish this.

-Nick
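A token carried in the URL query string, as discussed in the thread, also ends up wherever request URLs are recorded (reverse-proxy access logs, browser history, screen recordings). The following is an added example, not code from the thread or from the Guacamole project: it scans constructed access-log lines for requests that expose a token in the query string and returns a redacted copy safe to keep. The query-parameter name `token` is an assumption.

```python
"""Find and redact session tokens that leaked into proxy access logs
through the URL query string.  Added example; the parameter name
'token' is assumed rather than taken from the thread."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "token"   # assumed name of the query parameter carrying the token
REDACTED = "REDACTED"

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Nov/2021:11:35:02 +0000] "GET /guacamole/api/session/data/mysql/connections?token=AbCdEf0123456789 HTTP/1.1" 200 512
10.0.0.5 - - [30/Nov/2021:11:35:03 +0000] "GET /guacamole/images/logo.png HTTP/1.1" 200 2048
10.0.0.7 - - [30/Nov/2021:11:36:10 +0000] "POST /guacamole/api/tokens HTTP/1.1" 200 98
"""

# Matches the quoted request part of a combined-format log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_token(url: str) -> tuple[str, bool]:
    """Return (url with the token value masked, whether a token was present)."""
    parts = urlsplit(url)
    found = False
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == TOKEN_PARAM and value:
            found = True
            cleaned.append((key, REDACTED))
        else:
            cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), found


def scan_log(text: str) -> list[tuple[int, str]]:
    """Return (line number, redacted line) for every line that exposes a token."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        redacted_url, found = redact_token(m.group("url"))
        if found:
            hits.append((lineno, line.replace(m.group("url"), redacted_url)))
    return hits


if __name__ == "__main__":
    for lineno, line in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {line}")
```

The same redaction can be applied at log-write time so that the token never reaches disk; the scan form is useful for checking existing logs after the fact.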