On Thu, Feb 8, 2018 at 10:00 AM, Justin Gauthier <jus...@justin-tech.com> wrote:
> Hello everyone,
>
> I have discovered that I had the openid-redirect-uri incorrectly
> specified. That issue has now been resolved, and I get a login screen
> now.
>
> Now, when I get that login screen, I can log in with credentials stored
> in the postgres database, but I do not get redirected to Keycloak. I
> see a 403 message with the following information:
>
> {"message":"Invalid login","translatableMessage":{"key":"Invalid login","variables":null},"statusCode":null,"expected":[{"name":"username","type":"USERNAME"},{"name":"password","type":"PASSWORD"}],"type":"INVALID_CREDENTIALS"}
>
> My understanding is that Guacamole should be redirecting me to Keycloak
> to authenticate, and then I should be redirected back to Guacamole with
> the authentication token, and it would not ask for the username and
> password?
>

Justin,

Authentication extensions are loaded in alphabetical order, which means the OpenID extension is being loaded (and evaluated) after the JDBC extension. I suggest that you rename the OpenID extension to something that will force it to load first - when I do this with modules, I usually prefix a number on to them. For example, in the GUACAMOLE_HOME/extensions folder, instead of installing it as "guacamole-auth-openid-0.9.14.jar", install it as "guacamole-auth-0-openid-0.9.14.jar" - the -0 before the -openid will cause it to be loaded and evaluated prior to the -jdbc JAR, and perhaps allow the redirect to happen properly.

Regards,
Nick
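
The check below is an added example, not part of the original message or of the Guacamole project. It lists the JARs in an extensions directory in sorted order and reports whether the OpenID extension sorts before the JDBC one. It assumes that byte-order sorting of file names (`LC_ALL=C sort`) models the alphabetical load order described in the reply; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the sort order of auth extension JARs.
# Assumption: byte-order filename sorting models the alphabetical
# load order described in the reply above.

# Print the JAR file names in directory $1, one per line, sorted.
extension_order() {
    for f in "$1"/*.jar; do
        if [ -e "$f" ]; then
            basename "$f"
        fi
    done | LC_ALL=C sort
}

# Print the 1-based position of the first JAR in $1 whose name
# contains the string $2, or 0 if there is none.
position_of() {
    extension_order "$1" |
        awk -v pat="$2" 'index($0, pat) && !found { found = NR }
                         END { print found + 0 }'
}

# Succeed only if an OpenID JAR exists in $1 and sorts before any JDBC JAR.
openid_before_jdbc() {
    o=$(position_of "$1" openid)
    j=$(position_of "$1" jdbc)
    [ "$o" -gt 0 ] && { [ "$j" -eq 0 ] || [ "$o" -lt "$j" ]; }
}

# When a directory is passed as the first argument, report on it.
if [ -n "${1:-}" ]; then
    extension_order "$1"
    if openid_before_jdbc "$1"; then
        echo "OK: OpenID extension sorts before JDBC"
    else
        echo "WARN: JDBC sorts first, or no OpenID JAR was found"
    fi
fi
```

Run it with the extensions folder as its argument before and after the rename to confirm that the order changed.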