[ https://issues.apache.org/jira/browse/GUACAMOLE-1923?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Wyatt updated GUACAMOLE-1923:
----------------------------------
    Description: 
I'm trying to get my existing Guacamole installation working with OpenID. I've 
got everything working correctly, but Guacamole is not requesting the `groups` 
scope.

Here are the relevant environment variables from my docker-compose.yml:

    environment:
      - GUACD_HOSTNAME=${COMPOSE_PROJECT_NAME}-guacd-1
      - POSTGRESQL_HOSTNAME=${COMPOSE_PROJECT_NAME}-postgres-1
      - POSTGRESQL_DATABASE=postgres
      - POSTGRESQL_USER=postgres
      - POSTGRESQL_PASSWORD=postgres
      - POSTGRESQL_AUTO_CREATE_ACCOUNTS=true
      - OPENID_AUTHORIZATION_ENDPOINT=https://auth.${HOMELAB_BASE_DOMAIN}/api/oidc/authorization?state=1234abcedfdhf
      - OPENID_JWKS_ENDPOINT=https://auth.${HOMELAB_BASE_DOMAIN}/jwks.json
      - OPENID_ISSUER=https://auth.${HOMELAB_BASE_DOMAIN}
      - OPENID_CLIENT_ID=guacamole
      - OPENID_REDIRECT_URI=https://remote-desktop-gateway.${HOMELAB_BASE_DOMAIN}
      - OPENID_USERNAME_CLAIM_TYPE=preferred_username
      - OPENID_GROUPS_CLAIM_TYPE=groups
      - OPENID_SCOPE=openid profile groups email

You can see the last line is setting `OPENID_SCOPE`, however, the generated
`guacamole.properties` does not contain `openid-scope`:

guacamole@78282607ee6c:/opt/guacamole$ cat /home/guacamole/.guacamole/guacamole.properties
# guacamole.properties - generated Thu Feb 8 07:05:31 AM UTC 2024
guacd-hostname: remote-desktop-gateway-guacd-1
guacd-port: 4822
postgresql-username: postgres
postgresql-password: postgres
postgresql-database: postgres
postgresql-hostname: remote-desktop-gateway-postgres-1
postgresql-port: 5432
postgresql-auto-create-accounts: true
openid-authorization-endpoint: https://auth.example.com/api/oidc/authorization?state=1234abcedfdhf
openid-jwks-endpoint: https://auth.example.com/jwks.json
openid-issuer: https://auth.example.com
openid-client-id: guacamole
openid-redirect-uri: https://remote-desktop-gateway.example.com
openid-username-claim-type: preferred_username
openid-groups-claim-type: groups

If I do manually edit the URL of the page I'm logging in with to add
`email` to the `scope` query parameter, groups are properly detected when
logging in. Without this, OpenID is a little hamstrung.



> `OPENID_SCOPE` environment variable in Docker not working
> ---------------------------------------------------------
>
>                 Key: GUACAMOLE-1923
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1923
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-openid
>    Affects Versions: 1.5.4
>         Environment: Docker
>            Reporter: Mike Wyatt
>            Priority: Minor
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
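The mismatch the report describes (a scope set in the container environment, no `openid-scope` in the generated file, and `groups` only arriving once the `scope` query parameter is edited by hand) can be checked offline. The script below is an added example, not code from the Guacamole project or from the reporter: it parses a `guacamole.properties` file and reports which required scopes will not be requested, and it inspects the authorization URL a browser is redirected to, checking that `scope` carries `groups` and that `state` occurs exactly once (a `state` hard-coded into `openid-authorization-endpoint` alongside the one the extension adds would show up as two). The properties text and URLs are constructed samples that mirror the report; the default scope string used when `openid-scope` is absent is the one documented for that property, and is an assumption if your version documents something else.

```python
"""
Added example (not Guacamole project code): offline checks for the
openid-scope / groups problem described in GUACAMOLE-1923.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the generated file from the report, minus openid-scope.
SAMPLE_PROPERTIES = """\
# guacamole.properties - generated Thu Feb 8 07:05:31 AM UTC 2024
guacd-hostname: remote-desktop-gateway-guacd-1
guacd-port: 4822
openid-authorization-endpoint: https://auth.example.com/api/oidc/authorization?state=1234abcedfdhf
openid-jwks-endpoint: https://auth.example.com/jwks.json
openid-issuer: https://auth.example.com
openid-client-id: guacamole
openid-redirect-uri: https://remote-desktop-gateway.example.com
openid-username-claim-type: preferred_username
openid-groups-claim-type: groups
"""

# Documented default for openid-scope when the property is not set
# (assumption: verify against the manual for your Guacamole version).
DEFAULT_SCOPE = "openid email profile"

# Scopes this deployment needs: "openid" is mandatory, "groups" is what the
# report is missing.
REQUIRED_SCOPES = ("openid", "groups")


def parse_properties(text):
    """Parse 'key: value' lines (Java Properties also accepts 'key=value')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever of ':' or '=' comes first; URLs in values may
        # contain '=' later on, so the key/value boundary is the first one.
        cut = min((i for i in (line.find(":"), line.find("=")) if i >= 0),
                  default=-1)
        if cut < 0:
            props[line] = ""
        else:
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def requested_scopes(props):
    """Scopes Guacamole will request for this configuration."""
    return set(props.get("openid-scope", DEFAULT_SCOPE).split())


def missing_scopes(props, required=REQUIRED_SCOPES):
    """Required scopes that will not be requested; an empty list means OK."""
    return sorted(set(required) - requested_scopes(props))


def check_authorization_url(url, required=REQUIRED_SCOPES):
    """Inspect the redirect target the browser is sent to at login time."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    scopes = set()
    for value in query.get("scope", []):
        scopes.update(value.split())
    return {
        "missing_scopes": sorted(set(required) - scopes),
        # Should be exactly 1; 2 means a hand-written state in the endpoint
        # URL is colliding with the per-request one the extension adds.
        "state_count": len(query.get("state", [])),
    }


def main():
    props = parse_properties(SAMPLE_PROPERTIES)
    print("openid-scope present:", "openid-scope" in props)
    print("scopes not requested:", missing_scopes(props))
    # Constructed URL: the endpoint from the report (with its baked-in state)
    # followed by illustrative query parameters of the kind an OIDC client
    # appends; parameter names other than scope/state are not checked.
    url = ("https://auth.example.com/api/oidc/authorization?state=1234abcedfdhf"
           "&scope=openid+email+profile&response_type=id_token"
           "&client_id=guacamole&nonce=n0nce&state=st4te")
    print(check_authorization_url(url))


if __name__ == "__main__":
    main()
```

Point `parse_properties` at the real file inside the container (the path from the report, `/home/guacamole/.guacamole/guacamole.properties`) and paste the `Location` header of the login redirect into `check_authorization_url`; a non-empty `missing_scopes` on the properties side means the scope never reached the file, and a `state_count` of 2 means the query string in `openid-authorization-endpoint` should be dropped.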
