[GUACAMOLE-805] OpenID authentication may redirect to IDP in a loop - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 0.9.14, 1.0.0, 1.1.0
Fix Version/s: 1.2.0
Component/s: guacamole-auth-openid
Labels:
None

Description

As reported on the mailing list, there exist cases where Guacamole's OpenID support will redirect the user back to the IDP in a loop, despite the OpenID support being correctly configured and the IDP behaving correctly:

Guacamole & OpenID (2018-12-06)
Looping with Guacamole+Keycloak (2019-05-29)

This is because current implementation of Guacamole support for OpenID assumes that the id_token parameter provided by the IDP will be the first parameter in the URL, which is not guaranteed to be the case. If the IDP includes the id_token parameter elsewhere in the parameter list, the client erroneously redirects the user back to the IDP to obtain the id_token parameter that it believes is absent. This produces a redirect loop, with both the client and the IDP redirecting the user to each other.

Attachments

Activity

People

Assignee:: Mike Jumper

Reporter:: Mike Jumper

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 02/Jun/19 22:58

Updated:: 03/Jun/19 15:55

Resolved:: 03/Jun/19 00:19