GUACAMOLE-1949 Nextcloud JWT Auth extension #984
Conversation
|
|
||
| }; | ||
|
|
||
| private static final StringListProperty NEXTCLOUD_JWT_ALLOWED_USER = new StringListProperty() { |
There was a problem hiding this comment.
Missing a comment for this property.
| return environment.getProperty(NEXTCLOUD_JWT_TRUSTED_NETWORKS, Collections.<String>emptyList()); | ||
| } | ||
|
|
||
| public Collection<String> getAllowedUser() throws GuacamoleException { |
There was a problem hiding this comment.
Missing a comment for this property as well.
|
|
||
| } | ||
|
|
||
| private boolean isValidJWT(final String token) throws GuacamoleException { |
There was a problem hiding this comment.
These functions all need to be documented.
| public UserData fromCredentials(Credentials credentials) { | ||
|
|
||
| // String json; | ||
| // byte[] correctSignature; |
There was a problem hiding this comment.
No commented out code please - if this function is unused, it should be removed.
| * Service for handling cryptography-related operations. | ||
| */ | ||
| // @Inject | ||
| // private CryptoService cryptoService; |
There was a problem hiding this comment.
Please remove this if it's unused.
| * via the Guacamole protocol handshake). Only connections with defined IDs | ||
| * are tracked here. | ||
| */ | ||
| private final ConcurrentHashMap<String, String> activeConnections = |
There was a problem hiding this comment.
Why does this extension have its own internal tracking of connections? The ticket and PR description describe this extension to be for allowing an external service to control whether a user can log in or not, which shouldn't require any of this.
Most of the code here looks like it was just copied from the guacamole-auth-json ConnectionService class. If all this functionality is indeed needed here, maybe it could be moved to a shared class in guacamole-ext that both extensions can use, rather than just duplicating it here.
Hi all,
I have built a small extension for myself and would like to share it with you. Maybe this is a function that would go well with Guacamole.
I use a self-hosted Nextcloud and the plugin “External Sites”. This plugin offers the possibility to send a JWT to an embedded website. This JWT is (Nextcloud) user-related and always valid for 1 minute. If the JWT is missing or has expired, an excpetion will be thrown. The extension validates the JWT and if it is valid, the Guacamole login screen is displayed. Everything else then proceeds as usual. Additionally, I have implemented that only certain Nextcloud users are allowed this access, independent of a valid JWT.
I have decided to not make the login screen accessible worldwide, that's why an exception will be thrown if anyone call the guacamole client directly (
https://example.com/guacamole) and a login is only possible within the Nextcloud (https://cloud.example.com/).Another small additional use case in my environment: The login screen should still be displayed for a few clients (via IP addresses), so the IP address will be checked and validated.
Jira Ticket GUACAMOLE-1949