Uploaded image for project: 'Guacamole'
  1. Guacamole
  2. GUACAMOLE-805

OpenID authentication may redirect to IDP in a loop

Agile BoardAttach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 0.9.14, 1.0.0, 1.1.0
    • 1.2.0
    • guacamole-auth-openid
    • None

    Description

      As reported on the mailing list, there exist cases where Guacamole's OpenID support will redirect the user back to the IDP in a loop, despite the OpenID support being correctly configured and the IDP behaving correctly:

      This is because current implementation of Guacamole support for OpenID assumes that the id_token parameter provided by the IDP will be the first parameter in the URL, which is not guaranteed to be the case. If the IDP includes the id_token parameter elsewhere in the parameter list, the client erroneously redirects the user back to the IDP to obtain the id_token parameter that it believes is absent. This produces a redirect loop, with both the client and the IDP redirecting the user to each other.

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            mjumper Mike Jumper
            mjumper Mike Jumper
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment