Yes, I think that's the intent of the authentication provider/extension-ing mechanism. I'm spit-balling here but I think if the username matches up, it won't matter where the information comes from; all the information related to that user will be accessible. I have tried it with openid + jdbc (and the connections from jdbc are available) and json + jdbc (similar) and they work together just fine. The openid extension out of the box precludes logging out (the logout link takes you to the main sign in screen that auto signs you back in). The json extension logs you out of an existing session if you try to open a new session alongside the current one (2 separate connections at the same time by the same user via separate tabs) because it kills the auth token of the first session when it creates the next one. I peeked around a bit but didn't see an obvious way around it without getting into the JS app itself. [I should probably tee up a separate question for that, but maybe the dev forum is the right place, but I bet there are a few on here who have ideas there.] -Ryan
-----Original Message-----
From: Mike Sollanych <msollan...@dwavesys.com>
Sent: Thursday, August 22, 2019 1:48 PM
To: user@guacamole.apache.org
Subject: Re: OpenID and NoAuth / user-mapping.xml ?

Do you know if it is possible to layer this with OpenID so that I don’t have to provide passwords or usernames and just supply connection information here that works for anyone who gets past the OpenID challenge?

> On Aug 21, 2019, at 6:55 PM, Ryan Underwood <r...@greymarketlabs.com> wrote:
>
> auth-json lives here last I saw:
> https://github.com/glyptodon/guacamole-auth-json
> It works just fine.
> -Ryan
>
> -----Original Message-----
> From: Nick Couchman <vn...@apache.org>
> Sent: Tuesday, August 20, 2019 12:27 PM
> To: user@guacamole.apache.org
> Subject: Re: OpenID and NoAuth / user-mapping.xml ?
>
> On Tue, Aug 20, 2019 at 12:20 PM Mike Sollanych <msollan...@dwavesys.com> wrote:
>
> Thanks for your response, Nick.
>
> However, I wonder does the Consul service discovery have any sort of API that could be leveraged to dynamically pull connection information?
>
> Yes, it's intended for exactly this kind of thing. https://www.consul.io/api/index.html is the tip of the iceberg. Most likely it would make sense for the user to create a Prepared Query https://www.consul.io/api/query.html and then provide the ID of that to Guacamole or whatever piece of middleware in order to have it run the query and get back the right set of services. This should provide good abstraction and save the middleware from having to implement a lot of logic.
>
> Yeah, I started poking at it a bit last night - I had never heard of Consul before, but it looks really cool, and the API looks reasonably easy to use.
>
> In your implementation, would you be trying to leverage any sort of access control as provided by Consul, or do you just want any user who logs in with OpenID to see any of the services available from Consul?
>
> Sounds like Consul can spit out formatted output - XML, maybe JSON. An extension could be written to leverage this - I'd lean toward JSON output, myself, but probably doesn't matter that much.
>
> This is often done via another complementary product, Consul Template - https://github.com/hashicorp/consul-template - which can read data from Consul and render it out using the Go Template syntax into literally any kind of format. JSON is supported with a built in serializer, so the template would be very succinct. We can source data from service registrations, which have tags that would make it easy to pass data along. Passwords for VNC etc. can be sourced from Hashicorp Vault for the security-conscious or via some other mechanism if that's overkill for the environment in question.
>
> it actually shouldn't be too bad to write scripts in one of several languages, or even some SQL procedures in your DB of choice that would ease this.
>
> I've thought about doing this and am confident it could be done - automation to pre-seed the database when I am reconstructing the entire environment from scratch is pretty straightforward with your SQL script generator, and then it's just a matter of using Consul-Template to spit out a database script that truncates a table and repopulates it. It just seems a little bit hackish / non-idiomatic and I don't want to build something here that I'm going to have to do a lot of maintenance on later.
>
> Oh, yes, I agree it is hackish, particularly since Consul provides an API.
>
> If there is in fact some JSON-based extension around that I could try for this, I would appreciate a link to it!
>
> Mike will have to provide this - he's referenced it, but I'm not entirely sure where it lives at the moment, what its working state is, or even how to use it.
>
> -Nick
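
Added example, not part of the thread and not code from Guacamole, guacamole-auth-json or Consul: a sketch of the middleware step discussed above, turning the result of a Consul prepared query into the connection list of a guacamole-auth-json payload. The `guac` and `guac-protocol=` tag convention, the sample hosts and the function names are assumptions made for illustration; the payload still has to be signed and encrypted as the extension requires before Guacamole will accept it, and no passwords are placed in it here.

```python
import json

# Constructed sample shaped like the reply of a Consul prepared-query
# execute call. Hosts, IDs and tags are invented for this example.
SAMPLE_QUERY_RESULT = json.loads("""
{
  "Service": "remote-desktop",
  "Nodes": [
    {"Node": {"Node": "lab-01", "Address": "10.0.0.11"},
     "Service": {"ID": "vnc-lab-01", "Address": "", "Port": 5901,
                 "Tags": ["guac", "guac-protocol=vnc"]}},
    {"Node": {"Node": "lab-02", "Address": "10.0.0.12"},
     "Service": {"ID": "rdp-lab-02", "Address": "10.0.1.12", "Port": 3389,
                 "Tags": ["guac", "guac-protocol=rdp"]}},
    {"Node": {"Node": "db-01", "Address": "10.0.0.20"},
     "Service": {"ID": "pg-db-01", "Address": "", "Port": 5432,
                 "Tags": ["internal"]}}
  ]
}
""")

# Protocols this middleware is willing to hand to Guacamole.
ALLOWED_PROTOCOLS = {"vnc", "rdp", "ssh"}


def connections_from_consul(result):
    """Map opt-in tagged Consul service instances to connection entries."""
    connections = {}
    for entry in result.get("Nodes", []):
        svc, node = entry["Service"], entry["Node"]
        tags = svc.get("Tags") or []
        if "guac" not in tags:
            continue  # opt-in only: untagged services are never exposed
        proto = next((t.split("=", 1)[1] for t in tags
                      if t.startswith("guac-protocol=")), None)
        if proto not in ALLOWED_PROTOCOLS:
            continue  # unknown or missing protocol tag: skip, do not guess
        # Consul leaves the service address empty when it equals the node's.
        host = svc.get("Address") or node["Address"]
        connections[svc["ID"]] = {
            "protocol": proto,
            "parameters": {"hostname": host, "port": str(svc["Port"])},
        }
    return connections


def build_payload(username, expires_ms, result):
    """Assemble the plaintext JSON body (username, expiry, connections)."""
    return {"username": username, "expires": expires_ms,
            "connections": connections_from_consul(result)}
```

Keeping `expires_ms` short and the exposure opt-in by tag limits what a user who passes the OpenID challenge can reach to the services deliberately published for Guacamole.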