Nick, I have completed that step, however now I am in an redirect loop.
Once I get home I'll take a look at the logs and provide that information. Thanks for the help, Justin ________________________________ From: Nick Couchman <vn...@apache.org> Sent: Thursday, February 8, 2018 11:27:05 AM To: user@guacamole.apache.org Subject: Re: OpenID-Connect HTTP 500 On Thu, Feb 8, 2018 at 10:00 AM, Justin Gauthier <jus...@justin-tech.com<mailto:jus...@justin-tech.com>> wrote: Hello everyone, I have discovered that I had a the openid-redirect-uri incorrectly specified. That issue has now been resolved, and I get a login screen now. Now, when I get that login screen, I can login with credentials stored in the postgres database, but I do not get redirected to Keycloak. I see a 403 message with the following information: {"message":"Invalid login","translatableMessage":{"key":"Invalid login","variables":null},"statusCode":null,"expected":[{"name":"usernam e","type":"USERNAME"},{"name":"password","type":"PASSWORD"}],"type":"IN VALID_CREDENTIALS"} My understanding is that Guacamole should be redirecting me to Keycloak to authenticate, and then I should be redirected back to Guacamole with the authentication token, and it would not ask for the username and password? Justin, Authentication extensions are loaded in alphabetical order, which means the OpenID extension is being loaded (and evaluated) after the JDBC extension. I suggest that you rename the OpenID extension to something that will force it to load first - when I do this with modules, I usually prefix a number on to them. For example, in the GUACAMOLE_HOME/extensions folder, instead of installing it as "gaucamole-auth-openid-0.9.14.jar, install it as "guacamole-auth-0-openid-0.9.14.jar" - the -0 before the -openid will cause it to be loaded and evaluated prior to the -jdbc JAR, and perhaps allow the redirect to happen properly. Regards, Nick
