New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GUACAMOLE-1949 Nextcloud JWT Auth extension #984
base: main
Are you sure you want to change the base?
Conversation
|
||
}; | ||
|
||
private static final StringListProperty NEXTCLOUD_JWT_ALLOWED_USER = new StringListProperty() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing a comment for this property.
return environment.getProperty(NEXTCLOUD_JWT_TRUSTED_NETWORKS, Collections.<String>emptyList()); | ||
} | ||
|
||
public Collection<String> getAllowedUser() throws GuacamoleException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing a comment for this property as well.
|
||
} | ||
|
||
private boolean isValidJWT(final String token) throws GuacamoleException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These functions all need to be documented.
public UserData fromCredentials(Credentials credentials) { | ||
|
||
// String json; | ||
// byte[] correctSignature; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No commented out code please - if this function is unused, it should be removed.
* Service for handling cryptography-related operations. | ||
*/ | ||
// @Inject | ||
// private CryptoService cryptoService; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove this if it's unused.
* via the Guacamole protocol handshake). Only connections with defined IDs | ||
* are tracked here. | ||
*/ | ||
private final ConcurrentHashMap<String, String> activeConnections = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why does this extension have its own internal tracking of connections? The ticket and PR description describe this extension to be for allowing an external service to control whether a user can log in or not, which shouldn't require any of this.
Most of the code here looks like it was just copied from the guacamole-auth-json ConnectionService
class. If all this functionality is indeed needed here, maybe it could be moved to a shared class in guacamole-ext
that both extensions can use, rather than just duplicating it here.
Hi all,
I have built a small extension for myself and would like to share it with you. Maybe this is a function that would go well with Guacamole.
I use a self-hosted Nextcloud and the plugin “External Sites”. This plugin offers the possibility to send a JWT to an embedded website. This JWT is (Nextcloud) user-related and always valid for 1 minute. If the JWT is missing or has expired, an excpetion will be thrown. The extension validates the JWT and if it is valid, the Guacamole login screen is displayed. Everything else then proceeds as usual. Additionally, I have implemented that only certain Nextcloud users are allowed this access, independent of a valid JWT.
I have decided to not make the login screen accessible worldwide, that's why an exception will be thrown if anyone call the guacamole client directly (
https://example.com/guacamole
) and a login is only possible within the Nextcloud (https://cloud.example.com/
).Another small additional use case in my environment: The login screen should still be displayed for a few clients (via IP addresses), so the IP address will be checked and validated.
Jira Ticket GUACAMOLE-1949