Guacamole / GUACAMOLE-805

OpenID authentication may redirect to IDP in a loop


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 0.9.14, 1.0.0, 1.1.0
    • Fix Version/s: 1.2.0
    • Component/s: guacamole-auth-openid
    • Labels:
      None

      Description

      As reported on the mailing list, there exist cases where Guacamole's OpenID support will redirect the user back to the IDP in a loop, despite the OpenID support being correctly configured and the IDP behaving correctly.

      This is because the current implementation of Guacamole's OpenID support assumes that the id_token parameter provided by the IDP will be the first parameter in the URL, which is not guaranteed to be the case. If the IDP includes the id_token parameter elsewhere in the parameter list, the client erroneously redirects the user back to the IDP to obtain the id_token parameter that it believes is absent. This produces a redirect loop, with both the client and the IDP redirecting the user to each other.
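
      The position dependence described above, as an added example that is not Guacamole's own code: a first-parameter-only check beside a position-independent parse, with a small simulation of the resulting redirect loop. It assumes the IDP returns its parameters in the URL fragment; the function names are hypothetical and the sample fragments are constructed.

```javascript
// Added illustration, not code from guacamole-auth-openid.
// Constructed sample fragments; the token value is a placeholder, not a real JWT.
const TOKEN_FIRST = '#id_token=aaa.bbb.ccc&state=xyz';
const TOKEN_LATER = '#state=xyz&session_state=123&id_token=aaa.bbb.ccc';

// Position-dependent check: recognises id_token only when it is the first
// parameter, which is the assumption the issue describes.
function extractIdTokenFirstOnly(fragment) {
    const match = /^#?id_token=([^&]*)/.exec(fragment);
    return match ? decodeURIComponent(match[1]) : null;
}

// Position-independent parse: looks the parameter up by name, wherever the
// IDP placed it. An empty value is treated the same as an absent one.
function extractIdToken(fragment) {
    const params = new URLSearchParams(fragment.replace(/^#/, ''));
    const token = params.get('id_token');
    return token ? token : null;
}

// Simulates the client/IDP round trips. The (hypothetical) IDP always sends
// the user back with the same fragment. Returns the number of redirects to
// the IDP before the client accepts a token, or -1 if the client is still
// redirecting after maxRedirects, i.e. the loop from the issue.
function redirectsUntilLogin(extractor, idpFragment, maxRedirects = 5) {
    let fragment = ''; // first visit: no token in the URL yet
    for (let redirects = 0; redirects <= maxRedirects; redirects++) {
        if (extractor(fragment) !== null) {
            return redirects; // token found; it still has to be validated
        }
        fragment = idpFragment; // client redirects, IDP sends the user back
    }
    return -1;
}

console.log(redirectsUntilLogin(extractIdTokenFirstOnly, TOKEN_FIRST));
console.log(redirectsUntilLogin(extractIdTokenFirstOnly, TOKEN_LATER));
console.log(redirectsUntilLogin(extractIdToken, TOKEN_LATER));
```

      Extracting the parameter only locates the token; signature, issuer, audience and nonce checks are a separate step that this example does not perform.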

            People

            • Assignee:
              mjumper Mike Jumper
              Reporter:
              mjumper Mike Jumper