[ 
https://issues.apache.org/jira/browse/GUACAMOLE-2140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18021385#comment-18021385
 ] 

Tom P edited comment on GUACAMOLE-2140 at 9/19/25 7:20 PM:
-----------------------------------------------------------

[~vnick], thanks. Happy to clarify:

h2. Not globally enabled

*Not globally enabled*: the TOTP extension is not loaded at all. The guacamole 
container is started with the env var {{TOTP_ENABLED=false}}.

h2. Automated user creation

Yes, I am using the scripted, API-based creation of user accounts. I want to 
avoid making direct database modifications for security, safety, and 
maintainability.

When guacamole is running without the TOTP extension loaded, it appears that 
TOTP attributes are ignored by the API:

1. Create user {{bob-totp-disabled}} (with TOTP disabled attribute)

{code:python}
api_attributes = {"guac-totp-disabled": "true"}
client.create_user("bob-totp-disabled", "password", api_attributes)
{code}

2. Get user attributes

*Issue*: {{guac-totp-disabled}} attribute is *NOT SET*

{{client.get_user_attributes("bob-totp-disabled")}} ->

{code:json}
{
    "guac-email-address": null,
    "guac-organizational-role": null,
    "guac-full-name": null,
    "expired": null,
    "timezone": null,
    "access-window-start": null,
    "guac-organization": null,
    "access-window-end": null,
    "valid-until": null,
    "valid-from": null
}
{code}

This means that after enabling the TOTP extension by updating the docker 
compose file with {{TOTP_ENABLED=true}} and deploying, user 
{{bob-totp-disabled}} still gets the enrol prompt on first login unless I 
modify the database.
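A phase-1 gate for the deployment flow described above, added here as an example and not code from the ticket or the Guacamole project. It creates the user through the REST API with the same attribute, reads the user back, and fails the run if {{guac-totp-disabled}} did not persist, so the pipeline stops before TOTP is switched on rather than discovering the enrol prompt at first login. The endpoints ({{/api/tokens}}, {{/api/session/data/{dataSource}/users}}), the {{Guacamole-Token}} header, the base URL and the environment-variable names are assumptions, not taken from this page.

```python
"""Phase-1 gate: create the automation user, read it back, and refuse to
continue if the server silently dropped 'guac-totp-disabled'."""
import json
import os
import sys
import urllib.parse
import urllib.request

# Assumptions: a local container and admin credentials passed via env vars.
BASE = os.environ.get("GUAC_URL", "http://localhost:8080/guacamole")


def _call(method, path, token=None, body=None, form=None):
    """Minimal REST helper; token goes in the Guacamole-Token header (assumed)."""
    data, headers = None, {}
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
    elif body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if token:
        headers["Guacamole-Token"] = token
    req = urllib.request.Request(BASE + path, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def totp_disabled_persisted(user_obj):
    """True only when the server returns the attribute exactly as 'true'.
    A missing key (the case shown in the comment) counts as not persisted."""
    attrs = user_obj.get("attributes") or {}
    return attrs.get("guac-totp-disabled") == "true"


def create_and_verify(admin_user, admin_pass, username, password):
    auth = _call("POST", "/api/tokens", form={"username": admin_user, "password": admin_pass})
    token, ds = auth["authToken"], auth["dataSource"]
    payload = {"username": username, "password": password,
               "attributes": {"guac-totp-disabled": "true"}}
    _call("POST", f"/api/session/data/{ds}/users", token, body=payload)
    user_obj = _call("GET", f"/api/session/data/{ds}/users/{urllib.parse.quote(username)}", token)
    return totp_disabled_persisted(user_obj)


if __name__ == "__main__":
    ok = create_and_verify(os.environ["GUAC_ADMIN"], os.environ["GUAC_ADMIN_PASS"],
                           "bob-totp-disabled", os.environ["GUAC_BOT_PASS"])
    print("guac-totp-disabled persisted" if ok else "attribute dropped: do not enable TOTP yet")
    sys.exit(0 if ok else 1)
```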


was (Author: JIRAUSER310831):
[~vnick], thanks. Happy to clarify:

h2. Not globally enabled

*Not globally enabled*: the TOTP extension is not loaded at all. The guacamole 
container is started with the env var {{TOTP_ENABLED=false}}.

h2. Automated user creation

Yes, I am using the scripted, API-based creation of user accounts. I want to 
avoid making direct database modifications for security, safety, and 
maintainability.

When guacamole is running without the TOTP extension loaded, it appears that 
TOTP attributes are ignored by the API:

1. Create user {{bob-totp-disabled}} (with TOTP disabled attribute)

{code:python}
api_attributes = {"guac-totp-disabled": "true"}
client.create_user("bob-totp-disabled", "password", api_attributes)
{code}

2. Get user attributes

*Issue*: {{guac-totp-disabled}} attribute is *NOT SET*

{{client.get_user_attributes("bob-totp-disabled")}} ->

{code:json}
{
    "guac-email-address": null,
    "guac-organizational-role": null,
    "guac-full-name": null,
    "expired": null,
    "timezone": null,
    "access-window-start": null,
    "guac-organization": null,
    "access-window-end": null,
    "valid-until": null,
    "valid-from": null
}
{code}

This means that after enabling the TOTP extension by updating the docker 
compose file with {{TOTP_ENABLED=false}} and deploying, user 
{{bob-totp-disabled}} still gets the enrol prompt on first login unless I 
modify the database.

> API support for persisting TOTP disable attributes when TOTP is globally 
> enabled
> --------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-2140
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2140
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole, guacamole-auth-jdbc, guacamole-auth-totp
>         Environment: Guacamole Version: 1.6.0
> Deployment: Docker containers with two-phase deployment
> Authentication: Database with TOTP extension
>            Reporter: Tom P
>            Priority: Minor
>
> h2. Summary
> Requesting API support for persisting TOTP disable attributes when TOTP is 
> globally enabled, avoiding database workarounds during automated deployment.
> _Edit: clarified API behaviour after further testing._
> h2. Use Case: Automated Deployment
> Our deployment scenario requires:
>  * *Global TOTP*: Enabled for all new users by default
>  * *API automation user*: TOTP disabled for programmatic access
>  * *Custom admin user*: TOTP enabled for interactive use
> This configuration enables automation workflows that cannot handle 
> interactive TOTP challenges.
> h2. Current Problem
> Automated install is done in 2 phases
>  # Automated user creation with TOTP disabled attribute
>  # Enabling TOTP
> When TOTP is *not globally enabled* ('Phase 1'), the REST API does not store 
> TOTP disable attributes:
> {code:python}
> # This call works during Phase 1 (TOTP not globally enabled)
> api_attributes = {"guac-totp-disabled": "true"}
> client.create_user(api_user, api_pass, api_attributes)
> client.update_user_attributes(api_user, {"guac-totp-disabled": "true"})
> {code}
> However, when TOTP is *globally enabled* ('Phase 2'), TOTP is still enabled 
> for all users as the attribute was not saved.
> h3. Root Cause
> The API does not save TOTP user attributes when the TOTP extension is not enabled.
> h2. Current Workaround
> Database manipulation is required to restore the disable attribute:
> {code:sql}
> -- @user_id is a placeholder: set it to the target row's guacamole_user.user_id
> SET @user_id = 0;  -- placeholder value, replace before running
> -- Restore the disable attribute
> INSERT INTO guacamole_user_attribute (user_id, attribute_name, attribute_value)
> VALUES (@user_id, 'guac-totp-disabled', 'true')
> ON DUPLICATE KEY UPDATE attribute_value='true';
> -- Clear forced enrolment for that one user only. Compare against the
> -- variable, not the column: "WHERE user_id = user_id" matches every row
> -- and would wipe every user's TOTP enrolment.
> DELETE FROM guacamole_user_attribute
> WHERE user_id = @user_id
> AND attribute_name IN ('guac-totp-key-secret', 'guac-totp-key-confirmed');
> {code}
> h2. Proposed Improvement
> Modify the API module to save {{guac-totp-disabled}} attributes for new and 
> updated users, even when global TOTP is disabled.
> h2. Benefits
>  * Eliminates need for database workarounds
>  * Simplifies automated deploys
