Skip to content

GUACAMOLE-2258 : OpenID code flow, client secret and PKCE#1219

Open
adb014 wants to merge 20 commits into
apache:mainfrom
adb014:openid
Open

GUACAMOLE-2258 : OpenID code flow, client secret and PKCE#1219
adb014 wants to merge 20 commits into
apache:mainfrom
adb014:openid

Conversation

@adb014

@adb014 adb014 commented Jun 18, 2026

Copy link
Copy Markdown

CoPilot mistakenly lead me to believe I could create a new branch with my commits that were on my "main" branch without closing my existing pull request. Please refer to the conversation in #1198 for the discussion of this pull request.. Sorry to have lost the conversation

David Bateman and others added 20 commits June 18, 2026 16:41
… PKCE removing the need for local REST redirect and callback function
- Add openid-well-known-endpoint and treat it to automatically find the :
  * issuer,
  * authorization_endpoint,
  * token_endpoint,
  * jwks_uri
- Replace openid-flow-type with openid-response-type
- Use an Enum for openid-response-type to limit to the values 'id_token',
  'token' or 'code'
- Treat the response type as an implicit flow type allowing use of AWS
  Cognito
- Remove unused configuration getter functions
- Combine and simplify validateCode and validateToken
- Style fixes
- More JsDoc comments and consistent JsDoc style of comment blocks
- IOException and not GuacamoleException of URLreader function
…et.http.HttpClient, make the outboud url connection asynchronous
…fier-validity for consistency with openid-max-nonce-validity. Clarification in the comments.
- Style fixes
- Comment more code
- Use environment.getProperty to set default values rather than local code
- Add a latch to getters of well-known endpoint so that they stall rather than incorrectly returning null
The OpenID core specification notes the nonce as optional for code flow, but recommended to
reduce the risk of replay attacks. So include the nonce with code flow as well.
  - Allow store the full URI in RequestDetails
  - Add methods to get/set originalURI in AuthenticatedUser and derived classes
  - Set the originalURI in JDBC base class
  - Promote session manager to base SSO class; Use it to store the originalURI in openid
  - Allow redirection to be stored in GuacamoleSession iff new login
  - Store the redirection in the GuacamoleSession the AuthenticationService
  - If redirection set in GuacamoleSession pass it back on the /api/tokens REST endpoint
  - In the javascript in the redirection is set on the /api/tokens endpoint, redirect after authentication
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant