On Sat, Mar 1, 2025 at 12:23 PM Cyrus <cyru...@gmail.com> wrote:

> Hello!
>
> Waiting for my Jira account to request the improvement, but wanted to
> share the idea here to check if it makes sense.
>
> I'm trying to make OIDC work for me and I find that no matter what
> authorization policies I set on Keycloak, Guacamole always lets a
> Keycloak-authenticated user log in.
>
> I would like to see a
>
> mysql-auto-create-accounts: user-with-valid-group
>
> conditional alternative to
>
> mysql-auto-create-accounts: true
>
> for the MySQL module.
>
> The rationale would be to base authorization on group membership: if the
> authenticated user has at least 1 group coincidence (OIDC response vs
> groups in DB), we accept the authentication and create the user in the DB.
>
> If the user has no group membership that matches a known group in the
> database, we don't allow the user to be authenticated. This can reduce
> attack vectors, blocking any access to the application for users that are
> not supposed to consume the service at all.
>
> Does it make sense?

I think I see what you're getting at, but I'm not sure this will actually achieve what you want. Blocking a user from being auto-created in the Guacamole MySQL database actually won't do anything to prevent a user from logging in to Guacamole - if the login is authenticated and accepted by the IdP (Keycloak, in your case), Guacamole will still log the user in, *regardless of whether or not an account for them exists or is created in the MySQL DB.* The auto-creation feature does not provide further access control, as you're asking for; it is there simply to ease the administrative burden of having to manually create users in the JDBC module when they are successfully authenticated by another module.

If you want to restrict access to Guacamole to certain users, this would have to be done within your IdP by filtering the accounts that have access to the system there, only allowing users within groups that you authorized for Guacamole. Whether a user is able to log in to Guacamole or not, you still have to assign users and/or groups access to connections and connection groups, or grant them access to create those items, so just because a user can log in to Guacamole via Keycloak does not mean that they can use the resources there. If you lack administrative access to Keycloak, you can still use the access control mechanisms within Guacamole to limit which connections, connection groups, and other privileges users of the system have.

-Nick