Details
- Bug
- Status: Resolved
- Minor
- Resolution: Fixed
- 0.9.14, 1.0.0, 1.1.0
- None
Description
As reported on the mailing list, there exist cases where Guacamole's OpenID support will redirect the user back to the IDP in a loop, despite the OpenID support being correctly configured and the IDP behaving correctly:
- Guacamole & OpenID (2018-12-06)
- Looping with Guacamole+Keycloak (2019-05-29)
This is because the current implementation of Guacamole's OpenID support assumes that the id_token parameter provided by the IDP will be the first parameter in the URL, which is not guaranteed to be the case. If the IDP includes the id_token parameter elsewhere in the parameter list, the client erroneously redirects the user back to the IDP to obtain the id_token parameter that it believes is absent. This produces a redirect loop, with both the client and the IDP redirecting the user to each other.
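The position-dependent check described above, next to an order-independent one, as an added JavaScript example (not Guacamole's own code). The function names and sample fragments are constructed for illustration, and the example assumes the IDP returns its parameters in the URL fragment.

```javascript
// Added illustration; all names and sample values here are hypothetical.

// Position-dependent check: finds id_token only when it is the first parameter.
function idTokenIfFirst(fragment) {
    const match = /^#?id_token=([^&]*)/.exec(fragment);
    return match ? match[1] : null;
}

// Order-independent check: split into name/value pairs and compare whole
// names, so parameter order and look-alike names (prev_id_token) do not matter.
function idTokenAnywhere(fragment) {
    const values = [];
    for (const pair of fragment.replace(/^#/, '').split('&')) {
        const eq = pair.indexOf('=');
        if (eq === -1) continue;                 // bare name without a value
        let name, value;
        try {
            name = decodeURIComponent(pair.slice(0, eq));
            value = decodeURIComponent(pair.slice(eq + 1));
        } catch (e) {
            continue;                            // malformed percent-escape
        }
        if (name === 'id_token') values.push(value);
    }
    // Accept exactly one non-empty id_token; a missing or duplicated
    // parameter is treated as absent rather than guessed at.
    return values.length === 1 && values[0] !== '' ? values[0] : null;
}

// Models the client/IDP exchange: the IDP answers with the same parameter
// order every time, so a client that cannot find the token keeps redirecting.
function simulateLogin(idpFragment, findToken, maxHops = 5) {
    for (let hops = 1; hops <= maxHops; hops++) {
        if (findToken(idpFragment) !== null) {
            return { authenticated: true, hops };
        }
    }
    return { authenticated: false, hops: maxHops };
}

// Constructed sample responses (placeholder token, not a real JWT).
const TOKEN_FIRST = '#id_token=HEADER.PAYLOAD.SIGNATURE&state=abc123';
const TOKEN_LATER = '#state=abc123&id_token=HEADER.PAYLOAD.SIGNATURE&token_type=bearer';

console.log(simulateLogin(TOKEN_LATER, idTokenIfFirst));   // never authenticates
console.log(simulateLogin(TOKEN_LATER, idTokenAnywhere));  // authenticates on hop 1
```

A redirect counter like `maxHops` is also a useful safeguard in a real client, since it turns a silent loop into a visible error.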