adb014 opened a new pull request, #1198: URL: https://github.com/apache/guacamole-client/pull/1198
The existing OpenID extension only supports OpenID implicit flow. Knowing that this method is deprecated in OAuth2 due to its poor security, Guacamole really needs to add code flow authorization to its OpenID extension. This pull request adds code flow, but also allows for PKCE challenges to be passed to the authorization endpoint and PKCE verifiers and client secrets to be passed to the token endpoint. The options for this are:

```
openid-flow-type: implicit | code
openid-authorization-endpoint: https://identity-provider/auth
openid-token-endpoint: https://identity-provider/token
openid-jwks-endpoint: https://identity-provider/jwks
openid-issuer: identity-provider
openid-client-id: my-client-id
openid-client-secret: my-client-secret | null
openid-pkce-required: true | false
openid-redirect-uri: https://example.net/guacamole
```

This allows the existing implicit flow code to be used by default without changes to existing configurations.

One problem I had is that the getLoginURI method didn't seem to allow me to save the PKCE verifier, and in any case I didn't want the code returned by the identity provider to appear in the browser navigation bar. So I created a local REST redirect API to talk to the identity provider and receive the response. If you know how to use the AuthenticationSessionManager within getLoginURI and hide the returned code in the navigation bar, this might be done differently.

There is a draft JAR built against guacamole 1.6.0 on my fork of guacamole-client.
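The code-flow-with-PKCE exchange the pull request describes, as an added illustration that is not code from the PR or from guacamole-client: the verifier is generated and held server-side, only its S256 challenge goes to the authorization endpoint through the browser, and the verifier plus client secret travel in the back-channel token request. The CONFIG values are constructed from the option names listed above, and `provider_accepts` is an assumed stand-in for the identity provider's check.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed sample settings that mirror the option names listed in the pull
# request; they are not a real deployment's values.
CONFIG = {
    "openid-flow-type": "code",
    "openid-authorization-endpoint": "https://identity-provider/auth",
    "openid-token-endpoint": "https://identity-provider/token",
    "openid-client-id": "my-client-id",
    "openid-client-secret": "my-client-secret",
    "openid-pkce-required": True,
    "openid-redirect-uri": "https://example.net/guacamole",
}

def code_challenge(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) with no '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    """43-character high-entropy verifier; it stays server-side until the token request."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")

def build_authorization_url(config: dict, state: str, verifier: str) -> str:
    """Front-channel redirect: only the challenge (never the verifier or secret) is exposed."""
    params = {"response_type": "code", "client_id": config["openid-client-id"],
              "redirect_uri": config["openid-redirect-uri"], "scope": "openid",
              "state": state}
    if config["openid-pkce-required"]:
        params["code_challenge"] = code_challenge(verifier)
        params["code_challenge_method"] = "S256"
    return config["openid-authorization-endpoint"] + "?" + urlencode(params)

def build_token_request(config: dict, code: str, verifier: str) -> dict:
    """Back-channel POST body: the verifier and client secret travel here, not via the browser."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": config["openid-redirect-uri"], "client_id": config["openid-client-id"]}
    if config["openid-client-secret"]:
        body["client_secret"] = config["openid-client-secret"]
    if config["openid-pkce-required"]:
        body["code_verifier"] = verifier
    return body

def provider_accepts(challenge_from_auth: str, token_request: dict) -> bool:
    """Assumed provider-side check: the verifier presented now must hash to the stored challenge."""
    return code_challenge(token_request.get("code_verifier", "")) == challenge_from_auth
```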
