Openid redirect loop in 1.2.0

Openid redirect loop in 1.2.0

Timothée
Dear,

I'm trying to use OpenID authentication with Auth0.
But I'm stuck in a redirecting loop between:
https://<domain>/guacamole/#/?id_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
and
https://<domain>/guacamole/#id_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I used the official guacamole 1.2.0 Docker Hub image.
'''
docker run --name some-guacamole \
         --link some-guacd:guacd \
         --link guacamole_db:postgres \
         -e POSTGRES_DATABASE=guacamole_db \
         -e POSTGRES_USER=<username> \
         -e POSTGRES_PASSWORD=<password> \
         -e OPENID_AUTHORIZATION_ENDPOINT=https://<tenant>.eu.auth0.com/authorize \
         -e OPENID_JWKS_ENDPOINT=https://<tenant>.eu.auth0.com/.well-known.jwks.json \
         -e OPENID_ISSUER=https://<tenant>.eu.auth0.com/ \
         -e OPENID_CLIENT_ID=<clientID> \
         -e OPENID_REDIRECT_URI=https://<domain>/guacamole/ \
         -d -p 8080:8080 guacamole/guacamole
'''

From Auth0 logs, authentication is ok and I'm correctly redirected to the
guacamole URL.

I made some tests on an Ubuntu server with Auth0 and guacamole 1.2.0, and I
get the same result.
I also made some tests with GSuite, both in a container and on an Ubuntu
server, and after authentication I'm redirected to guacamole with id_token in
the URL and then back to the IDP.

With both IDPs the "id_token" parameter is in first position in the redirect
URL.

Is the above setting correct?
And is there any help about this issue?

Thanks.

Timothée



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Openid redirect loop in 1.2.0

mjumper
Administrator
On Fri, Oct 23, 2020 at 12:38 AM Timothée <[hidden email]> wrote:
Dear,

I'm trying to use OpenID authentication with Auth0.
But I'm stuck in a redirecting loop between:
https://<domain>/guacamole/#/?id_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
and
https://<domain>/guacamole/#id_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
I think you are probably looping between Auth0 and Guacamole, even if some of that redirect is happening quickly enough that only the Guacamole-related URLs are seen, and that the repeated redirect back to Auth0 is occurring because the received ID token is failing validation.

What do you see in the Guacamole logs when this occurs?

- Mike
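
The claim checks behind an ID token "failing validation", as an added example that is not part of the original thread and is not Guacamole's own code. It applies the standard OpenID Connect relying-party checks (exact `iss` match, `aud` contains the client ID, unexpired `exp`, signing key found by `kid`) to a token copied from the `id_token=` URL fragment; the signature itself is not verified, and the host `tenant.example`, the client ID and the key ID are constructed sample values.

```python
import base64
import json
import time

# CONSTRUCTED sample key set; only the fields this pre-check reads are present.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-1"}]}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _decode_segment(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def make_sample_token(header: dict, claims: dict) -> str:
    """Build a CONSTRUCTED token with a dummy signature, for the demo only."""
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        _b64url(b"not-a-real-signature"),
    ])


def precheck_id_token(token, issuer, client_id, jwks, now=None):
    """Return the reasons a relying party would reject this ID token.

    Only claims and key selection are checked; the signature is NOT verified,
    so an empty list means "nothing obviously misconfigured", not "valid".
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected 3 dot-separated segments)"]
    try:
        header, claims = _decode_segment(parts[0]), _decode_segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]

    problems = []
    # The issuer is compared as an exact string: a trailing "/" matters.
    if claims.get("iss") != issuer:
        problems.append(
            f"iss {claims.get('iss')!r} does not equal configured issuer {issuer!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append(f"aud {aud!r} does not contain client ID {client_id!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp is missing or already in the past")
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg is 'none': unsigned tokens must be rejected")
    # The configured JWKS endpoint must serve {"keys": [...]} with the token's kid.
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list):
        problems.append("JWKS document has no 'keys' array (wrong endpoint?)")
    elif header.get("kid") not in {k.get("kid") for k in keys if isinstance(k, dict)}:
        problems.append(f"kid {header.get('kid')!r} is not present in the JWKS")
    return problems


if __name__ == "__main__":
    fixed_now = 1_600_000_000  # fixed clock so the demo is repeatable
    token = make_sample_token(
        {"alg": "RS256", "kid": "key-1"},
        {"iss": "https://tenant.example/", "aud": "constructed-client-id",
         "exp": fixed_now + 3600},
    )
    # Configured issuer lacks the trailing slash that the token's iss carries.
    for line in precheck_id_token(token, "https://tenant.example",
                                  "constructed-client-id", SAMPLE_JWKS, now=fixed_now):
        print("REJECT:", line)
```
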


Re: Openid redirect loop in 1.2.0

Timothée
Hi

Here are the logs from the tomcat localhost_access_logs file:

"GET / HTTP/1.1" 304 -
"GET /guacamole-1.2.0/app.css?v=1.2.0 HTTP/1.1" 304 -
"GET /guacamole-1.2.0/app.js?v=1.2.0 HTTP/1.1" 304 -
"GET /guacamole-1.2.0/api/patches?token=845E35EC42579A24E81AC3ACC38DDD876FE6EB9C4F88FC8C78F95E3EB99864CD HTTP/1.1" 200 352
"GET /guacamole-1.2.0/api/languages?token=845E35EC42579A24E81AC3ACC38DDD876FE6EB9C4F88FC8C78F95E3EB99864CD HTTP/1.1" 200 205
"GET /guacamole-1.2.0/translations/en.json HTTP/1.1" 200 47122
"GET /guacamole-1.2.0/translations/fr.json HTTP/1.1" 200 45037
"POST /guacamole-1.2.0/api/tokens HTTP/1.1" 403 571
"GET /guacamole-1.2.0/api/patches?token=845E35EC42579A24E81AC3ACC38DDD876FE6EB9C4F88FC8C78F95E3EB99864CD HTTP/1.1" 200 352
"GET /guacamole-1.2.0/api/languages?token=845E35EC42579A24E81AC3ACC38DDD876FE6EB9C4F88FC8C78F95E3EB99864CD HTTP/1.1" 200 205
"GET /guacamole-1.2.0/translations/fr.json HTTP/1.1" 200 45037
"GET /guacamole-1.2.0/translations/en.json HTTP/1.1" 200 47122
"POST /guacamole-1.2.0/api/tokens HTTP/1.1" 403 571
"GET /guacamole-1.2.0/api/patches?token=845E35EC42579A24E81AC3ACC38DDD876FE6EB9C4F88FC8C78F95E3EB99864CD HTTP/1.1" 200 352
"GET /guacamole-1.2.0/api/languages?token=845E35EC42579A24E81AC3ACC38DDD876FE6EB9C4F88FC8C78F95E3EB99864CD HTTP/1.1" 200 205
"POST /guacamole-1.2.0/api/tokens HTTP/1.1" 403 571
"GET /guacamole-1.2.0/translations/en.json HTTP/1.1" 200 47122
"GET /guacamole-1.2.0/translations/fr.json HTTP/1.1" 200 45037

and the same lines repeat again until I stop the loop.

- Timothée





Re: Openid redirect loop in 1.2.0

vnick
On Tue, Oct 27, 2020 at 11:00 AM Timothée <[hidden email]> wrote:
Hi

Here are the logs from the tomcat localhost_access_logs file:


What about catalina.out?

-Nick

Re: Openid redirect loop in 1.2.0

Timothée
Hi,

Here are the logs from the tomcat catalina.log file:

INFO [http-nio-8080-exec-4] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
        java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
                at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:476)
                at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
                at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
                at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
                at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
                at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.base/java.lang.Thread.run(Thread.java:834)

I do not find any catalina.out or localhost.log file as described in
documentation.

Regards

- Timothée





Re: Openid redirect loop in 1.2.0

mjumper
Administrator
On Wed, Oct 28, 2020, 09:49 Timothée <[hidden email]> wrote:
Hi,

Here are the logs from the tomcat catalina.log file:

INFO [http-nio-8080-exec-4] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
        java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
                at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:476)
                at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
                at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
                at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
                at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
                at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.base/java.lang.Thread.run(Thread.java:834)

I do not find any catalina.out or localhost.log file as described in
documentation.

There should be way more messages than that, including informational messages logged by Guacamole during startup. There are basic messages that note where GUACAMOLE_HOME is, what extensions are being loaded, etc.

If you're not seeing anything like the above, you may need to consult the documentation of your distro to determine where Tomcat will be logging things. Some log to files in a subdirectory of /var/log, some log to syslog, some log to the systemd journal, Docker images log to the Docker logs. This is not something Guacamole itself controls, but a factor in how Tomcat was set up.

- Mike


Re: Openid redirect loop in 1.2.0

Ghost_Knight
Could you verify your JWKS_ENDPOINT?  It looks like it is pointing to the
.well-known.jwks.json which is just a json file that I believe will have
urls in it.  Guacamole is expecting the actual URL here.

For example with my keycloak implementation I would go to:
https://some.domain.com/auth/realms/default/.well-known/openid-configuration

and extract:
{
  ...
  "jwks_uri": "https://some.domain.com/auth/realms/default/protocol/openid-connect/certs",
  ...
}




Re: Openid redirect loop in 1.2.0

Timothée
Hi,

@Ghost_Knight
I changed the JWKS_ENDPOINT to
https://<tenant>.eu.auth0.com/.well-known/openid-configuration
but unfortunately it doesn't resolve the loop problem.

Regards,

- Timothee




Re: Openid redirect loop in 1.2.0

Timothée
In reply to this post by mjumper
Hi,

@mjumper

I built a new clean server to not be impacted by all my previous tests and
so was able to find these logs:

---------------------------------------------------------------------------------------------------

04-Nov-2020 09:34:50.782 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version name:  
Apache Tomcat/9.0.31 (Ubuntu)
04-Nov-2020 09:34:50.793 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server built:        
Oct 20 2020 12:27:39 UTC
04-Nov-2020 09:34:50.793 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version number:
9.0.31.0
04-Nov-2020 09:34:50.793 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Name:              
Linux
04-Nov-2020 09:34:50.793 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Version:          
5.4.0-1024-aws
04-Nov-2020 09:34:50.794 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Architecture:        
amd64
04-Nov-2020 09:34:50.794 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Java Home:            
/usr/lib/jvm/java-11-openjdk-amd64
04-Nov-2020 09:34:50.795 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Version:          
11.0.9+11-Ubuntu-0ubuntu1.20.04
04-Nov-2020 09:34:50.795 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:          
Ubuntu
04-Nov-2020 09:34:50.796 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:        
/var/lib/tomcat9
04-Nov-2020 09:34:50.796 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:        
/usr/share/tomcat9
04-Nov-2020 09:34:50.817 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.base/java.lang=ALL-UNNAMED
04-Nov-2020 09:34:50.820 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.base/java.io=ALL-UNNAMED
04-Nov-2020 09:34:50.820 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
04-Nov-2020 09:34:50.821 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties
04-Nov-2020 09:34:50.821 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
04-Nov-2020 09:34:50.821 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.awt.headless=true
04-Nov-2020 09:34:50.822 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djdk.tls.ephemeralDHKeySize=2048
04-Nov-2020 09:34:50.823 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
04-Nov-2020 09:34:50.823 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027
04-Nov-2020 09:34:50.823 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dignore.endorsed.dirs=
04-Nov-2020 09:34:50.824 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dcatalina.base=/var/lib/tomcat9
04-Nov-2020 09:34:50.824 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dcatalina.home=/usr/share/tomcat9
04-Nov-2020 09:34:50.825 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.io.tmpdir=/tmp
04-Nov-2020 09:34:50.825 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR
based Apache Tomcat Native library [1.2.23] using APR version [1.6.5].
04-Nov-2020 09:34:50.826 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
capabilities: IPv6 [true], sendfile [true], accept filters [false], random
[true].
04-Nov-2020 09:34:50.828 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
04-Nov-2020 09:34:50.835 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized [OpenSSL 1.1.1f  31 Mar 2020]
04-Nov-2020 09:34:51.552 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["http-nio-8080"]
04-Nov-2020 09:34:51.619 INFO [main]
org.apache.catalina.startup.Catalina.load Server initialization in [1,344]
milliseconds
04-Nov-2020 09:34:51.741 INFO [main]
org.apache.catalina.core.StandardService.startInternal Starting service
[Catalina]
04-Nov-2020 09:34:51.742 INFO [main]
org.apache.catalina.core.StandardEngine.startInternal Starting Servlet
engine: [Apache Tomcat/9.0.31 (Ubuntu)]
04-Nov-2020 09:34:51.761 INFO [main]
org.apache.catalina.startup.HostConfig.deployDescriptor Deploying deployment
descriptor [/etc/tomcat9/Catalina/localhost/host-manager.xml]
04-Nov-2020 09:34:51.796 WARNING [main]
org.apache.catalina.startup.HostConfig.deployDescriptor The path attribute
with value [/host-manager] in deployment descriptor
[/etc/tomcat9/Catalina/localhost/host-manager.xml] has been ignored
04-Nov-2020 09:34:53.872 INFO [main]
org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned
for TLDs yet contained no TLDs. Enable debug logging for this logger for a
complete list of JARs that were scanned but no TLDs were found in them.
Skipping unneeded JARs during scanning can improve startup time and JSP
compilation time.
04-Nov-2020 09:38:13.821 WARNING [main]
org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation
of SecureRandom instance for session ID generation using [SHA1PRNG] took
[199,940] milliseconds.
04-Nov-2020 09:38:13.866 INFO [main]
org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of
deployment descriptor [/etc/tomcat9/Catalina/localhost/host-manager.xml] has
finished in [202,105] ms
04-Nov-2020 09:38:13.868 INFO [main]
org.apache.catalina.startup.HostConfig.deployDescriptor Deploying deployment
descriptor [/etc/tomcat9/Catalina/localhost/manager.xml]
04-Nov-2020 09:38:13.870 WARNING [main]
org.apache.catalina.startup.HostConfig.deployDescriptor The path attribute
with value [/manager] in deployment descriptor
[/etc/tomcat9/Catalina/localhost/manager.xml] has been ignored
04-Nov-2020 09:38:15.001 INFO [main]
org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned
for TLDs yet contained no TLDs. Enable debug logging for this logger for a
complete list of JARs that were scanned but no TLDs were found in them.
Skipping unneeded JARs during scanning can improve startup time and JSP
compilation time.
04-Nov-2020 09:38:15.005 INFO [main]
org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of
deployment descriptor [/etc/tomcat9/Catalina/localhost/manager.xml] has
finished in [1,137] ms
04-Nov-2020 09:38:15.013 INFO [main]
org.apache.catalina.startup.HostConfig.deployWAR Deploying web application
archive [/var/lib/tomcat9/webapps/guacamole-1.2.0.war]
04-Nov-2020 09:38:17.273 INFO [main]
org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned
for TLDs yet contained no TLDs. Enable debug logging for this logger for a
complete list of JARs that were scanned but no TLDs were found in them.
Skipping unneeded JARs during scanning can improve startup time and JSP
compilation time.
04-Nov-2020 09:38:21.541 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.RESTExceptionMapper as a provider
class
04-Nov-2020 09:38:21.547 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.extension.ExtensionRESTService as a
root resource class
04-Nov-2020 09:38:21.548 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.language.LanguageRESTService as a root
resource class
04-Nov-2020 09:38:21.548 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.patch.PatchRESTService as a root
resource class
04-Nov-2020 09:38:21.552 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.auth.TokenRESTService as a root
resource class
04-Nov-2020 09:38:21.553 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.session.SessionRESTService as a root
resource class
04-Nov-2020 09:38:21.554 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.codehaus.jackson.jaxrs.JacksonJsonProvider as a provider
class
04-Nov-2020 09:38:21.557 INFO [main]
com.sun.jersey.server.impl.application.WebApplicationImpl._initiate
Initiating Jersey application, version 'Jersey: 1.17.1 02/28/2013 12:47 PM'
04-Nov-2020 09:38:21.710 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.RESTExceptionMapper to
GuiceManagedComponentProvider with the scope "Singleton"
04-Nov-2020 09:38:21.717 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.codehaus.jackson.jaxrs.JacksonJsonProvider to
GuiceManagedComponentProvider with the scope "Singleton"
04-Nov-2020 09:38:22.632 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.extension.ExtensionRESTService to
GuiceManagedComponentProvider with the scope "PerRequest"
04-Nov-2020 09:38:22.644 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.language.LanguageRESTService to
GuiceManagedComponentProvider with the scope "PerRequest"
04-Nov-2020 09:38:22.646 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.patch.PatchRESTService to
GuiceManagedComponentProvider with the scope "PerRequest"
04-Nov-2020 09:38:22.653 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.auth.TokenRESTService to
GuiceManagedComponentProvider with the scope "PerRequest"
04-Nov-2020 09:38:22.658 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.session.SessionRESTService to
GuiceManagedComponentProvider with the scope "PerRequest"
04-Nov-2020 09:38:22.693 INFO [main] org.webjars.servlet.WebjarsServlet.init
WebjarsServlet initialization completed
04-Nov-2020 09:38:22.710 INFO [main]
org.apache.catalina.startup.HostConfig.deployWAR Deployment of web
application archive [/var/lib/tomcat9/webapps/guacamole-1.2.0.war] has
finished in [7,697] ms
04-Nov-2020 09:38:22.713 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
application directory [/var/lib/tomcat9/webapps/ROOT]
04-Nov-2020 09:38:23.736 INFO [main]
org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned
for TLDs yet contained no TLDs. Enable debug logging for this logger for a
complete list of JARs that were scanned but no TLDs were found in them.
Skipping unneeded JARs during scanning can improve startup time and JSP
compilation time.
04-Nov-2020 09:38:23.741 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web
application directory [/var/lib/tomcat9/webapps/ROOT] has finished in
[1,028] ms
04-Nov-2020 09:38:23.749 INFO [main]
org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler
["http-nio-8080"]
04-Nov-2020 09:38:23.788 INFO [main]
org.apache.catalina.startup.Catalina.start Server startup in [212,168]
milliseconds
04-Nov-2020 09:38:23.878 INFO [http-nio-8080-exec-1] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
        java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
                at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:476)
                at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
                at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
                at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
                at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
                at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.base/java.lang.Thread.run(Thread.java:834)

---------------------------------------------------------------------------------------------------

Regards,

- Timothee




Re: Openid redirect loop in 1.2.0

Ghost_Knight
In reply to this post by Timothée
Timothée wrote
> @Ghost_Knight
> I changed the JWKS_ENDPOINT to
> https://<tenant>.eu.auth0.com/.well-known/openid-configuration
> but unfortunately it doesn't resolve the loop problem.


Still looks incorrect, you are still pointing your JWKS_ENDPOINT to a json
file that is simply telling you what configuration options to use when
configuring your client.

Open https://<tenant>.eu.auth0.com/.well-known/openid-configuration in your
browser by hand and use the value of `jwks_uri` for the value when starting
the docker container.
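
The lookup described in the two replies above, as an added example that is not part of the original thread and not Guacamole's own code: it reads an OpenID Connect discovery document, derives the three `OPENID_*` endpoint settings used in the first post, and reports when the URL configured as the JWKS endpoint actually serves provider metadata instead of a key set. The host `tenant.example` and both sample documents are constructed, and `fetch_json` is a helper that the offline demo does not call.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Discovery field -> Guacamole Docker variable (variable names from the first post).
FIELD_TO_ENV = {
    "authorization_endpoint": "OPENID_AUTHORIZATION_ENDPOINT",
    "jwks_uri": "OPENID_JWKS_ENDPOINT",
    "issuer": "OPENID_ISSUER",
}

# CONSTRUCTED sample documents; tenant.example is a placeholder host.
SAMPLE_DISCOVERY = {
    "issuer": "https://tenant.example/",
    "authorization_endpoint": "https://tenant.example/authorize",
    "jwks_uri": "https://tenant.example/.well-known/jwks.json",
}
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                         "kid": "key-1", "n": "constructed", "e": "AQAB"}]}


def fetch_json(url, timeout=10):
    """Fetch and parse a JSON document over HTTPS (not called by the demo)."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-HTTPS URL: " + url)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def discovery_url(issuer):
    """Well-known metadata location for an issuer (OpenID Connect Discovery)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def classify(doc):
    """Return 'jwks' for a key set, 'discovery' for provider metadata, else 'unknown'."""
    if not isinstance(doc, dict):
        return "unknown"
    keys = doc.get("keys")
    if isinstance(keys, list) and keys and all(
            isinstance(k, dict) and "kty" in k for k in keys):
        return "jwks"
    if "jwks_uri" in doc and "issuer" in doc:
        return "discovery"
    return "unknown"


def env_from_discovery(doc):
    """Map a discovery document to the OPENID_* endpoint settings."""
    if classify(doc) != "discovery":
        raise ValueError("not an OpenID Connect discovery document")
    env = {}
    for field, var in FIELD_TO_ENV.items():
        value = doc.get(field)
        if not isinstance(value, str) or urlsplit(value).scheme != "https":
            raise ValueError(f"{field} is missing or is not an https URL")
        env[var] = value
    return env


def audit_jwks_setting(configured_url, discovery_doc, fetched_doc):
    """Judge the configured JWKS endpoint.

    fetched_doc is the JSON actually served at configured_url.
    """
    expected = discovery_doc["jwks_uri"]
    kind = classify(fetched_doc)
    if kind == "discovery":
        return f"wrong: URL serves provider metadata; use its jwks_uri ({expected})"
    if kind != "jwks":
        return "wrong: URL does not serve a JSON Web Key Set"
    if configured_url != expected:
        return f"warning: serves keys but is not the advertised jwks_uri ({expected})"
    return "ok"


if __name__ == "__main__":
    for var, value in env_from_discovery(SAMPLE_DISCOVERY).items():
        print(f"-e {var}={value}")
    # The setting tried in the thread: the discovery URL used as the JWKS endpoint.
    tried = discovery_url(SAMPLE_DISCOVERY["issuer"])
    print(audit_jwks_setting(tried, SAMPLE_DISCOVERY, SAMPLE_DISCOVERY))
    print(audit_jwks_setting(SAMPLE_DISCOVERY["jwks_uri"], SAMPLE_DISCOVERY, SAMPLE_JWKS))
```
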




Re: Openid redirect loop in 1.2.0

Timothée
Hi,

@Ghost

In this URL :
https://<tenant>.eu.auth0.com/.well-known/openid-configuration

You are right, I have a json structure with jwks_uri pointing to this URL:
https://<tenant>.eu.auth0.com/.well-known/jwks.json

(I realize that I made a typo in my first message, replacing the "/" between
.well-known and jwks.json by a ".". Sorry about that)

And inside of it i have a json structure like this :

{
    "keys": [
        {
            "alg": "RS256",
            "kty": "RSA",
            "use": "sig",
            "n": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "e": "AQAB",
            "kid": "xxxxxxxxxxxx",
            "x5t": "xxxxxxxxxxxx",
            "x5c": [
                "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            ]
        },
        {
            "alg": "RS256",
            "kty": "RSA",
            "use": "sig",
            "n": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "e": "AQAB",
            "kid": "xxxxxxxxxxxx",
            "x5t": "xxxxxxxxxxxx",
            "x5c": [
                "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            ]
        }
    ]
}

I replaced the JWKS_ENDPOINT by the URL inside of jwks_uri in the
guacamole.properties config file.
Now when trying to connect I get an error saying that the action can't be
done.

I check the logs and get this:

--------------------------------------------------------
16-Nov-2020 08:56:57.615 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version name:  
Apache Tomcat/9.0.31 (Ubuntu)
16-Nov-2020 08:56:57.623 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server built:        
Oct 20 2020 12:27:39 UTC
16-Nov-2020 08:56:57.624 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version number:
9.0.31.0
16-Nov-2020 08:56:57.625 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Name:              
Linux
16-Nov-2020 08:56:57.626 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Version:          
5.4.0-1024-aws
16-Nov-2020 08:56:57.626 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Architecture:        
amd64
16-Nov-2020 08:56:57.627 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Java Home:            
/usr/lib/jvm/java-11-openjdk-amd64
16-Nov-2020 08:56:57.627 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Version:          
11.0.9.1+1-Ubuntu-0ubuntu1.20.04
16-Nov-2020 08:56:57.627 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:          
Ubuntu
16-Nov-2020 08:56:57.627 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:        
/var/lib/tomcat9
16-Nov-2020 08:56:57.628 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:        
/usr/share/tomcat9
16-Nov-2020 08:56:57.654 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.base/java.lang=ALL-UNNAMED
16-Nov-2020 08:56:57.655 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.base/java.io=ALL-UNNAMED
16-Nov-2020 08:56:57.655 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
16-Nov-2020 08:56:57.655 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties
16-Nov-2020 08:56:57.656 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
16-Nov-2020 08:56:57.656 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.awt.headless=true
16-Nov-2020 08:56:57.656 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djdk.tls.ephemeralDHKeySize=2048
16-Nov-2020 08:56:57.657 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
16-Nov-2020 08:56:57.658 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027
16-Nov-2020 08:56:57.658 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dignore.endorsed.dirs=
16-Nov-2020 08:56:57.658 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dcatalina.base=/var/lib/tomcat9
16-Nov-2020 08:56:57.659 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dcatalina.home=/usr/share/tomcat9
16-Nov-2020 08:56:57.659 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.io.tmpdir=/tmp
16-Nov-2020 08:56:57.659 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR
based Apache Tomcat Native library [1.2.23] using APR version [1.6.5].
16-Nov-2020 08:56:57.659 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
capabilities: IPv6 [true], sendfile [true], accept filters [false], random
[true].
16-Nov-2020 08:56:57.660 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
16-Nov-2020 08:56:57.663 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized [OpenSSL 1.1.1f  31 Mar 2020]
16-Nov-2020 08:56:58.390 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["http-nio-8080"]
16-Nov-2020 08:56:58.458 INFO [main]
org.apache.catalina.startup.Catalina.load Server initialization in [1,350]
milliseconds
16-Nov-2020 08:56:58.590 INFO [main]
org.apache.catalina.core.StandardService.startInternal Starting service
[Catalina]
16-Nov-2020 08:56:58.591 INFO [main]
org.apache.catalina.core.StandardEngine.startInternal Starting Servlet
engine: [Apache Tomcat/9.0.31 (Ubuntu)]
16-Nov-2020 08:56:58.604 INFO [main]
org.apache.catalina.startup.HostConfig.deployDescriptor Deploying deployment
descriptor [/etc/tomcat9/Catalina/localhost/host-manager.xml]
16-Nov-2020 08:56:58.641 WARNING [main]
org.apache.catalina.startup.HostConfig.deployDescriptor The path attribute
with value [/host-manager] in deployment descriptor
[/etc/tomcat9/Catalina/localhost/host-manager.xml] has been ignored
16-Nov-2020 08:57:00.656 INFO [main]
org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned
for TLDs yet contained no TLDs. Enable debug logging for this logger for a
complete list of JARs that were scanned but no TLDs were found in them.
Skipping unneeded JARs during scanning can improve startup time and JSP
compilation time.
16-Nov-2020 08:57:08.462 WARNING [main]
org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation
of SecureRandom instance for session ID generation using [SHA1PRNG] took
[7,798] milliseconds.
16-Nov-2020 08:57:08.505 INFO [main]
org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of
deployment descriptor [/etc/tomcat9/Catalina/localhost/host-manager.xml] has
finished in [9,901] ms
16-Nov-2020 08:57:08.506 INFO [main]
org.apache.catalina.startup.HostConfig.deployDescriptor Deploying deployment
descriptor [/etc/tomcat9/Catalina/localhost/manager.xml]
16-Nov-2020 08:57:08.508 WARNING [main]
org.apache.catalina.startup.HostConfig.deployDescriptor The path attribute
with value [/manager] in deployment descriptor
[/etc/tomcat9/Catalina/localhost/manager.xml] has been ignored
16-Nov-2020 08:57:09.596 INFO [main]
org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned
for TLDs yet contained no TLDs. Enable debug logging for this logger for a
complete list of JARs that were scanned but no TLDs were found in them.
Skipping unneeded JARs during scanning can improve startup time and JSP
compilation time.
16-Nov-2020 08:57:09.603 INFO [main]
org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of
deployment descriptor [/etc/tomcat9/Catalina/localhost/manager.xml] has
finished in [1,097] ms
16-Nov-2020 08:57:09.606 INFO [main]
org.apache.catalina.startup.HostConfig.deployWAR Deploying web application
archive [/var/lib/tomcat9/webapps/guacamole-1.2.0.war]
16-Nov-2020 08:57:11.870 INFO [main]
org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned
for TLDs yet contained no TLDs. Enable debug logging for this logger for a
complete list of JARs that were scanned but no TLDs were found in them.
Skipping unneeded JARs during scanning can improve startup time and JSP
compilation time.
16-Nov-2020 08:57:16.213 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.RESTExceptionMapper as a provider
class
16-Nov-2020 08:57:16.218 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.extension.ExtensionRESTService as a
root resource class
16-Nov-2020 08:57:16.219 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.language.LanguageRESTService as a root
resource class
16-Nov-2020 08:57:16.219 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.patch.PatchRESTService as a root
resource class
16-Nov-2020 08:57:16.220 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.auth.TokenRESTService as a root
resource class
16-Nov-2020 08:57:16.220 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.apache.guacamole.rest.session.SessionRESTService as a root
resource class
16-Nov-2020 08:57:16.221 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register
Registering org.codehaus.jackson.jaxrs.JacksonJsonProvider as a provider
class
16-Nov-2020 08:57:16.224 INFO [main]
com.sun.jersey.server.impl.application.WebApplicationImpl._initiate
Initiating Jersey application, version 'Jersey: 1.17.1 02/28/2013 12:47 PM'
16-Nov-2020 08:57:16.376 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.RESTExceptionMapper to
GuiceManagedComponentProvider with the scope "Singleton"
16-Nov-2020 08:57:16.388 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.codehaus.jackson.jaxrs.JacksonJsonProvider to
GuiceManagedComponentProvider with the scope "Singleton"
16-Nov-2020 08:57:17.280 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.extension.ExtensionRESTService to
GuiceManagedComponentProvider with the scope "PerRequest"
16-Nov-2020 08:57:17.291 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.language.LanguageRESTService to
GuiceManagedComponentProvider with the scope "PerRequest"
16-Nov-2020 08:57:17.296 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.patch.PatchRESTService to
GuiceManagedComponentProvider with the scope "PerRequest"
16-Nov-2020 08:57:17.301 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.auth.TokenRESTService to
GuiceManagedComponentProvider with the scope "PerRequest"
16-Nov-2020 08:57:17.304 INFO [main]
com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider
Binding org.apache.guacamole.rest.session.SessionRESTService to
GuiceManagedComponentProvider with the scope "PerRequest"
16-Nov-2020 08:57:17.335 INFO [main] org.webjars.servlet.WebjarsServlet.init
WebjarsServlet initialization completed
16-Nov-2020 08:57:17.358 INFO [main]
org.apache.catalina.startup.HostConfig.deployWAR Deployment of web
application archive [/var/lib/tomcat9/webapps/guacamole-1.2.0.war] has
finished in [7,752] ms
16-Nov-2020 08:57:17.362 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
application directory [/var/lib/tomcat9/webapps/ROOT]
16-Nov-2020 08:57:18.365 INFO [main]
org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned
for TLDs yet contained no TLDs. Enable debug logging for this logger for a
complete list of JARs that were scanned but no TLDs were found in them.
Skipping unneeded JARs during scanning can improve startup time and JSP
compilation time.
16-Nov-2020 08:57:18.373 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web
application directory [/var/lib/tomcat9/webapps/ROOT] has finished in
[1,011] ms
16-Nov-2020 08:57:18.377 INFO [main]
org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler
["http-nio-8080"]
16-Nov-2020 08:57:18.417 INFO [main]
org.apache.catalina.startup.Catalina.start Server startup in [19,955]
milliseconds
16-Nov-2020 08:57:18.478 INFO [http-nio-8080-exec-3]
org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request
header
 Note: further occurrences of HTTP request parsing errors will be logged at
DEBUG level.
        java.lang.IllegalArgumentException: Invalid character found in the
request target. The valid characters are defined in RFC 7230 and RFC 3986
                at
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:476)
                at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
                at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
                at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
                at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
                at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
                at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
                at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.base/java.lang.Thread.run(Thread.java:834)
16-Nov-2020 08:57:18.479 INFO [http-nio-8080-exec-2]
org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request
header
 Note: further occurrences of HTTP request parsing errors will be logged at
DEBUG level.
        java.lang.IllegalArgumentException: Invalid character found in the
request target. The valid characters are defined in RFC 7230 and RFC 3986
                at
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:476)
                at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
                at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
                at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
                at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
                at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
                at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
                at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.base/java.lang.Thread.run(Thread.java:834)
--------------------------------------------------------

It looks to be the same error.

Regards



