doc/1.5.2/gug/json-auth.html

<!DOCTYPE html> <html class="writer-html5" lang="en" > <head> <meta charset="utf-8" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <title>Encrypted JSON authentication — Apache Guacamole Manual v1.5.2</title> <link rel="stylesheet" href="_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="_static/css/theme.css" type="text/css" /> <link rel="stylesheet" href="_static/tabs.css" type="text/css" /> <link rel="stylesheet" href="_static/gug.css" type="text/css" />  <script data-url_root="./" id="documentation_options" src="_static/documentation_options.js"></script> <script src="_static/jquery.js"></script> <script src="_static/underscore.js"></script> <script src="_static/_sphinx_javascript_frameworks_compat.js"></script> <script src="_static/doctools.js"></script> <script src="_static/sphinx_highlight.js"></script> <script src="_static/tabs.js"></script> <script src="_static/js/theme.js"></script> <link rel="index" title="Index" href="genindex.html" /> <link rel="search" title="Search" href="search.html" /> <link rel="next" title="CAS Authentication" href="cas-auth.html" /> <link rel="prev" title="HTTP header authentication" href="header-auth.html" /> </head> <body class="wy-body-for-nav"> <div class="wy-grid-for-nav"> <nav data-toggle="wy-nav-shift" class="wy-nav-side"> <div class="wy-side-scroll"> <div class="wy-side-nav-search" > <a href="index.html" class="icon icon-home"> Apache Guacamole </a> <div class="version"> 1.5.2 </div> <div role="search"> <form id="rtd-search-form" class="wy-form" action="search.html" method="get"> <input type="text" name="q" placeholder="Search docs" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> </div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu"> <p class="caption" role="heading"><span class="caption-text">Overview</span></p> <ul> <li class="toctree-l1"><a class="reference internal" href="introduction.html">Introduction</a></li> </ul> <p class="caption" role="heading"><span class="caption-text">User's Guide</span></p> <ul class="current"> <li class="toctree-l1"><a class="reference internal" href="guacamole-architecture.html">Implementation and architecture</a></li> <li class="toctree-l1"><a class="reference internal" href="installing-guacamole.html">Installing Guacamole natively</a></li> <li class="toctree-l1"><a class="reference internal" href="guacamole-docker.html">Installing Guacamole with Docker</a></li> <li class="toctree-l1"><a class="reference internal" href="reverse-proxy.html">Proxying Guacamole</a></li> <li class="toctree-l1"><a class="reference internal" href="configuring-guacamole.html">Configuring Guacamole</a></li> <li class="toctree-l1"><a class="reference internal" href="jdbc-auth.html">Database authentication</a></li> <li class="toctree-l1"><a class="reference internal" href="ldap-auth.html">LDAP authentication</a></li> <li class="toctree-l1"><a class="reference internal" href="vault.html">Retrieving secrets from a vault</a></li> <li class="toctree-l1"><a class="reference internal" href="duo-auth.html">Duo two-factor authentication</a></li> <li class="toctree-l1"><a class="reference internal" href="totp-auth.html">TOTP two-factor authentication</a></li> <li class="toctree-l1"><a class="reference internal" href="header-auth.html">HTTP header authentication</a></li> <li class="toctree-l1 current"><a class="current reference internal" href="#">Encrypted JSON authentication</a><ul> <li class="toctree-l2"><a class="reference internal" href="#downloading-the-json-authentication-extension">Downloading the JSON authentication extension</a></li> <li class="toctree-l2"><a class="reference internal" href="#installing-json-authentication">Installing JSON authentication</a><ul> <li class="toctree-l3"><a class="reference internal" href="#configuring-guacamole-to-accept-encrypted-json">Configuring Guacamole to accept encrypted JSON</a></li> <li class="toctree-l3"><a class="reference internal" href="#completing-the-installation">Completing the installation</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="#json-format">JSON format</a></li> <li class="toctree-l2"><a class="reference internal" href="#generating-encrypted-json">Generating encrypted JSON</a></li> <li class="toctree-l2"><a class="reference internal" href="#reference-implementation">Reference implementation</a></li> </ul> </li> <li class="toctree-l1"><a class="reference internal" href="cas-auth.html">CAS Authentication</a></li> <li class="toctree-l1"><a class="reference internal" href="openid-auth.html">OpenID Connect Authentication</a></li> <li class="toctree-l1"><a class="reference internal" href="saml-auth.html">SAML Authentication</a></li> <li class="toctree-l1"><a class="reference internal" href="radius-auth.html">RADIUS Authentication</a></li> <li class="toctree-l1"><a class="reference internal" href="adhoc-connections.html">Ad-hoc Connections</a></li> <li class="toctree-l1"><a class="reference internal" href="using-guacamole.html">Using Guacamole</a></li> <li class="toctree-l1"><a class="reference internal" href="recording-playback.html">Viewing session recordings in-browser</a></li> <li class="toctree-l1"><a class="reference internal" href="administration.html">Administration</a></li> <li class="toctree-l1"><a class="reference internal" href="troubleshooting.html">Troubleshooting</a></li> </ul> <p class="caption" role="heading"><span class="caption-text">Developer's Guide</span></p> <ul> <li class="toctree-l1"><a class="reference internal" href="guacamole-protocol.html">The Guacamole protocol</a></li> <li class="toctree-l1"><a class="reference internal" href="libguac.html">libguac</a></li> <li class="toctree-l1"><a class="reference internal" href="guacamole-common.html">guacamole-common</a></li> <li class="toctree-l1"><a class="reference internal" href="guacamole-common-js.html">guacamole-common-js</a></li> <li class="toctree-l1"><a class="reference internal" href="guacamole-ext.html">guacamole-ext</a></li> <li class="toctree-l1"><a class="reference internal" href="custom-protocols.html">Adding new protocols</a></li> <li class="toctree-l1"><a class="reference internal" href="custom-auth.html">Custom authentication</a></li> <li class="toctree-l1"><a class="reference internal" href="event-listeners.html">Event listeners</a></li> <li class="toctree-l1"><a class="reference internal" href="writing-you-own-guacamole-app.html">Writing your own Guacamole application</a></li> </ul> <p class="caption" role="heading"><span class="caption-text">Appendices</span></p> <ul> <li class="toctree-l1"><a class="reference internal" href="protocol-reference.html">Guacamole protocol reference</a></li> </ul> </div> </div> </nav> <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" > <i data-toggle="wy-nav-top" class="fa fa-bars"></i> <a href="index.html">Apache Guacamole</a> </nav> <div class="wy-nav-content"> <div class="rst-content"> <div role="navigation" aria-label="Page navigation"> <ul class="wy-breadcrumbs"> <li><a href="index.html" class="icon icon-home"></a> »</li> <li>Encrypted JSON authentication</li> <li class="wy-breadcrumbs-aside"> <a href="_sources/json-auth.md.txt" rel="nofollow"> View page source</a> </li> </ul> <hr/> </div> <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article"> <div itemprop="articleBody"> <section id="encrypted-json-authentication"> <h1>Encrypted JSON authentication<a class="headerlink" href="#encrypted-json-authentication" title="Permalink to this heading"></a></h1> <p>Guacamole supports delegating authentication to an arbitrary external service, relying on receipt of JSON data which has been <span class="xref myst">signed using HMAC/SHA-256 and encrypted with 128-bit AES in CBC mode</span>. This JSON contains <span class="xref myst">all information describing the user being authenticated</span>, as well as any connections they have access to, and is accepted only if the configured secret key was used to sign and encrypt the data.</p> <section id="downloading-the-json-authentication-extension"> <span id="json-downloading"></span><h2>Downloading the JSON authentication extension<a class="headerlink" href="#downloading-the-json-authentication-extension" title="Permalink to this heading"></a></h2> <p>The JSON authentication extension is available separately from the main <code class="docutils literal notranslate"><span class="pre">guacamole.war</span></code>. The link for this and all other officially-supported and compatible extensions for a particular version of Guacamole are provided on the release notes for that version. You can find the release notes for current versions of Guacamole here: <a class="reference external" href="http://guacamole.apache.org/releases/">http://guacamole.apache.org/releases/</a>.</p> <p>The JSON authentication extension is packaged as a <code class="docutils literal notranslate"><span class="pre">.tar.gz</span></code> file containing only the extension itself, <code class="docutils literal notranslate"><span class="pre">guacamole-auth-json-1.5.2.jar</span></code>, which must ultimately be placed in <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME/extensions</span></code>.</p> </section> <section id="installing-json-authentication"> <span id="installing-json-auth"></span><h2>Installing JSON authentication<a class="headerlink" href="#installing-json-authentication" title="Permalink to this heading"></a></h2> <p>Guacamole extensions are self-contained <code class="docutils literal notranslate"><span class="pre">.jar</span></code> files which are located within the <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME/extensions</span></code> directory. <em>If you are unsure where <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code> is located on your system, please consult <a class="reference internal" href="configuring-guacamole.html"><span class="doc std std-doc">Configuring Guacamole</span></a> before proceeding.</em></p> <p>To install the JSON authentication extension, you must:</p> <ol class="arabic simple"> <li><p>Create the <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME/extensions</span></code> directory, if it does not already exist.</p></li> <li><p>Copy <code class="docutils literal notranslate"><span class="pre">guacamole-auth-json-1.5.2.jar</span></code> within <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME/extensions</span></code>.</p></li> <li><p>Configure Guacamole to use JSON authentication, as described below.</p></li> </ol> <section id="configuring-guacamole-to-accept-encrypted-json"> <span id="json-config"></span><h3>Configuring Guacamole to accept encrypted JSON<a class="headerlink" href="#configuring-guacamole-to-accept-encrypted-json" title="Permalink to this heading"></a></h3> <p>To verify and decrypt the received signed and encrypted JSON, a secret key must be generated which will be shared by both the Guacamole server and systems that will generate the JSON data. As guacamole-auth-json uses 128-bit AES, this key must be 128 bits.</p> <p>An easy way of generating such a key is to echo a passphrase through the “md5sum” utility. This is the technique OpenSSL itself uses to generate 128-bit keys from passphrases. For example:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>$ echo -n "ThisIsATest" | md5sum 4c0b569e4c96df157eee1b65dd0e4d41 - </pre></div> </div> <p>The generated key must then be saved within <a class="reference internal" href="configuring-guacamole.html#initial-setup"><span class="std std-ref"><code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code></span></a> as the full 32-digit hex value using the <code class="docutils literal notranslate"><span class="pre">json-secret-key</span></code> property:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>json-secret-key: 4c0b569e4c96df157eee1b65dd0e4d41 </pre></div> </div> </section> <section id="completing-the-installation"> <span id="completing-json-install"></span><h3>Completing the installation<a class="headerlink" href="#completing-the-installation" title="Permalink to this heading"></a></h3> <p>Guacamole will only reread <code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code> and load newly-installed extensions during startup, so your servlet container will need to be restarted before JSON authentication can be used. <em>Doing this will disconnect all active users, so be sure that it is safe to do so prior to attempting installation.</em> When ready, restart your servlet container and give the new authentication a try.</p> </section> </section> <section id="json-format"> <span id="id1"></span><h2>JSON format<a class="headerlink" href="#json-format" title="Permalink to this heading"></a></h2> <p>The general format of the JSON (prior to being encrypted, signed, and sent to Guacamole), is as follows:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>{ "username" : "arbitraryUsername", "expires" : TIMESTAMP, "connections" : { "Connection Name" : { "protocol" : "PROTOCOL", "parameters" : { "name1" : "value1", "name2" : "value2", ... } }, ... } } </pre></div> </div> <p>where <code class="docutils literal notranslate"><span class="pre">TIMESTAMP</span></code> is a standard UNIX epoch timestamp with millisecond resolution (the number of milliseconds since midnight of January 1, 1970 UTC) and <code class="docutils literal notranslate"><span class="pre">PROTOCOL</span></code> is the internal name of any of Guacamole’s supported protocols, such as <code class="docutils literal notranslate"><span class="pre">vnc</span></code>, <code class="docutils literal notranslate"><span class="pre">rdp</span></code>, or <code class="docutils literal notranslate"><span class="pre">ssh</span></code>.</p> <p>The JSON will cease to be accepted as valid after the server time passes the timestamp. If no timestamp is specified, the data will not expire.</p> <p>The top-level JSON object which must be submitted to Guacamole has the following properties:</p> <table class="colwidths-auto docutils align-default"> <thead> <tr class="row-odd"><th class="head"><p>Property name</p></th> <th class="head"><p>Type</p></th> <th class="head"><p>Description</p></th> </tr> </thead> <tbody> <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">username</span></code></p></td> <td><p><code class="docutils literal notranslate"><span class="pre">string</span></code></p></td> <td><p>The unique username of the user authenticated by the JSON. If the user is anonymous, this should be the empty string (<code class="docutils literal notranslate"><span class="pre">""</span></code>).</p></td> </tr> <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">expires</span></code></p></td> <td><p><code class="docutils literal notranslate"><span class="pre">number</span></code></p></td> <td><p>The absolute time after which the JSON should no longer be accepted, even if the signature is valid, as a standard UNIX epoch timestamp with millisecond resolution (the number of milliseconds since midnight of January 1, 1970 UTC).</p></td> </tr> <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">connections</span></code></p></td> <td><p><code class="docutils literal notranslate"><span class="pre">object</span></code></p></td> <td><p>The set of connections which should be exposed to the user by their corresponding, unique names. If no connections will be exposed to the user, this can simply be an empty object (<code class="docutils literal notranslate"><span class="pre">{}</span></code>).</p></td> </tr> </tbody> </table> <p>Each normal connection defined within each submitted JSON object has the following properties:</p> <table class="colwidths-auto docutils align-default"> <thead> <tr class="row-odd"><th class="head"><p>Property name</p></th> <th class="head"><p>Type</p></th> <th class="head"><p>Description</p></th> </tr> </thead> <tbody> <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">id</span></code></p></td> <td><p><code class="docutils literal notranslate"><span class="pre">string</span></code></p></td> <td><p>An optional opaque value which uniquely identifies this connection across all other connections which may be active at any given time. This property is only required if you wish to allow the connection to be shared or shadowed.</p></td> </tr> <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">protocol</span></code></p></td> <td><p><code class="docutils literal notranslate"><span class="pre">string</span></code></p></td> <td><p>The internal name of a supported protocol, such as <code class="docutils literal notranslate"><span class="pre">vnc</span></code>, <code class="docutils literal notranslate"><span class="pre">rdp</span></code>, or <code class="docutils literal notranslate"><span class="pre">ssh</span></code>.</p></td> </tr> <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">parameters</span></code></p></td> <td><p><code class="docutils literal notranslate"><span class="pre">object</span></code></p></td> <td><p>An object representing the connection parameter name/value pairs to apply to the connection, as documented in <a class="reference internal" href="configuring-guacamole.html#connection-configuration"><span class="std std-ref">Configuring connections</span></a>.</p></td> </tr> </tbody> </table> <p>Connections which share or shadow other connections use a <code class="docutils literal notranslate"><span class="pre">join</span></code> property instead of a <code class="docutils literal notranslate"><span class="pre">protocol</span></code> property, where <code class="docutils literal notranslate"><span class="pre">join</span></code> contains the value of the <code class="docutils literal notranslate"><span class="pre">id</span></code> property of the connection being joined:</p> <table class="colwidths-auto docutils align-default"> <thead> <tr class="row-odd"><th class="head"><p>Property name</p></th> <th class="head"><p>Type</p></th> <th class="head"><p>Description</p></th> </tr> </thead> <tbody> <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">id</span></code></p></td> <td><p><code class="docutils literal notranslate"><span class="pre">string</span></code></p></td> <td><p>An optional opaque value which uniquely identifies this connection across all other connections which may be active at any given time. This property is only required if you wish to allow the connection to be shared or shadowed. (Yes, a connection which shadows another connection may itself be shadowed.)</p></td> </tr> <tr class="row-odd"><td><p><code class="docutils literal notranslate"><span class="pre">join</span></code></p></td> <td><p><code class="docutils literal notranslate"><span class="pre">string</span></code></p></td> <td><p>The opaque ID given within the <code class="docutils literal notranslate"><span class="pre">id</span></code> property of the connection being joined (shared / shadowed).</p></td> </tr> <tr class="row-even"><td><p><code class="docutils literal notranslate"><span class="pre">parameters</span></code></p></td> <td><p><code class="docutils literal notranslate"><span class="pre">object</span></code></p></td> <td><p>An object representing the connection parameter name/value pairs to apply to the connection, as documented in <a class="reference internal" href="configuring-guacamole.html#connection-configuration"><span class="std std-ref">Configuring connections</span></a>.</p> <p>Most of the connection configuration is inherited from the connection being joined. In general, the only property relevant to joining connections is <code class="docutils literal notranslate"><span class="pre">read-only</span></code>.</p> </td> </tr> </tbody> </table> <p>If a connection is configured to join another connection, that connection will only be usable if the connection being joined is currently active. If two connections are established having the same <code class="docutils literal notranslate"><span class="pre">id</span></code> value, only the last connection will be joinable using the given <code class="docutils literal notranslate"><span class="pre">id</span></code>.</p> </section> <section id="generating-encrypted-json"> <span id="id2"></span><h2>Generating encrypted JSON<a class="headerlink" href="#generating-encrypted-json" title="Permalink to this heading"></a></h2> <p>To authenticate a user with the above JSON format, the JSON must be both signed and encrypted using the same 128-bit secret key specified with the <code class="docutils literal notranslate"><span class="pre">json-secret-key</span></code> within <code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code>:</p> <ol class="arabic"> <li><p>Generate JSON in the format described above</p></li> <li><p>Sign the JSON using the secret key (the same 128-bit key stored within <code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code> with the <code class="docutils literal notranslate"><span class="pre">json-secret-key</span></code> property) with <strong>HMAC/SHA-256</strong>. Prepend the binary result of the signing process to the plaintext JSON that was signed.</p></li> <li><p>Encrypt the result of (2) above using <strong>AES in CBC mode</strong>, with the initial vector (IV) set to all zero bytes.</p></li> <li><p>Encode the encrypted result using base64.</p></li> <li><p>POST the encrypted result to the <code class="docutils literal notranslate"><span class="pre">/api/tokens</span></code> REST endpoint as the value of an HTTP parameter named <code class="docutils literal notranslate"><span class="pre">data</span></code> (or include it in the URL of any Guacamole page as a query parameter named <code class="docutils literal notranslate"><span class="pre">data</span></code>).</p> <p>For example, if Guacamole is running on localhost at <code class="docutils literal notranslate"><span class="pre">/guacamole</span></code>, and <code class="docutils literal notranslate"><span class="pre">BASE64_RESULT</span></code> is the result of the above process, the equivalent run of the “curl” utility would be:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>$ curl --data-urlencode "data=BASE64_RESULT" http://localhost:8080/guacamole/api/tokens </pre></div> </div> <p><strong>NOTE:</strong> Be sure to URL-encode the base64-encoded result prior to POSTing it to <code class="docutils literal notranslate"><span class="pre">/api/tokens</span></code> or including it in the URL. Base64 can contain both “+” and “=” characters, which have special meaning within URLs.</p> </li> </ol> <p>If the data is invalid in any way, if the signature does not match, if decryption or signature verification fails, or if the submitted data has expired, the REST service will return an invalid credentials error and fail without user-visible explanation. Details describing the error that occurred will be in the Tomcat logs, however.</p> </section> <section id="reference-implementation"> <h2>Reference implementation<a class="headerlink" href="#reference-implementation" title="Permalink to this heading"></a></h2> <p>The source includes a shell script, <a class="reference external" href="https://raw.githubusercontent.com/apache/guacamole-client/master/extensions/guacamole-auth-json/doc/encrypt-json.sh"><code class="docutils literal notranslate"><span class="pre">doc/encrypt-json.sh</span></code></a>, which uses the OpenSSL command-line utility to encrypt and sign JSON in the manner that guacamole-auth-json requires. It is thoroughly commented and should work well as a reference implementation, for testing, and as a point of comparison for development. The script is run as:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>$ ./encrypt-json.sh HEX_ENCRYPTION_KEY file-to-sign-and-encrypt.json </pre></div> </div> <p>For example, if you have a file called <code class="docutils literal notranslate"><span class="pre">auth.json</span></code> containing the following:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>{ "username" : "test", "expires" : "1446323765000", "connections" : { "My Connection" : { "protocol" : "rdp", "parameters" : { "hostname" : "10.10.209.63", "port" : "3389", "ignore-cert": "true", "recording-path": "/recordings", "recording-name": "My-Connection-${GUAC_USERNAME}-${GUAC_DATE}-${GUAC_TIME}" } }, "My OTHER Connection" : { "protocol" : "rdp", "parameters" : { "hostname" : "10.10.209.64", "port" : "3389", "ignore-cert": "true", "recording-path": "/recordings", "recording-name": "My-OTHER-Connection-${GUAC_USERNAME}-${GUAC_DATE}-${GUAC_TIME}" } } } } </pre></div> </div> <p>and you run:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>$ ./encrypt-json.sh 4C0B569E4C96DF157EEE1B65DD0E4D41 auth.json </pre></div> </div> <p>You will receive the following output:</p> <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>A2Pf5Kpmm97I2DT1PifIrfU6q3yzoGcIbNXEd60WNangT8DAVjAl6luaqwhBJnCK uqcf9ZZlRo3uDxTHvUM3eq1YvdghL0GbosOn8Mn38j2ydOMk+Cd15a8ggb4/ddt/ yIBK4DxrN7MNbouZ091KYtXC6m20E6sGzLy676BlMSg1cmsENRIihOynsSLSCvo0 diif6H7T+ZuIqF7B5SW+adGfMaHlfknlIvSpLGHhrIP4aMYE/ZU2vYNg8ez27sCS wDBWu5lERtfCYFyU4ysjRU5Hyov+yKa+O7jcRYpw3N+fHbCg7/dxVNW07qNOKssv pzUciGvDPUCPpa02WmPJNEBowwQireO1952/MNAI77cW2UepbljD/bwOiZl2THJz LrENo7K5acimBa+EjWEesgn7lx/WTCF3zxR6TH1CWrQM8Et1aUK1Nf8K11xEQbTy klyaNtCmTfyahRZ/fUPxDNrdJVpPOSELkf7RJO5tOdK/FFIFIbze3ZUyXgRq+pHY owpgOmudDBTBlxhXiONdutRI/RZbFM/7GBMdmI8AR/401OCV3nsI4jLhukjMXH3V f3pQg+xKMhi/QExHhDk8VTNYk7GurK4vgehn7HQ0oSGh8pGcmxB6W43cz+hyn6VQ On6i90cSnIhRO8SysZt332LwJCDm7I+lBLaI8NVHU6bnAY1Axx5oH3YTKc4qzHls HEAFYLkD6aHMvHkF3b798CMravjxiJV3m7hsXDbaFN6AFhn8GIkMRRrjuevfZ+q9 enWN14s24vt5OVg69DljzALobUNKUXFx69SR8EpSBvUcKq8s/OgbDpFvKbwsDY57 HGT4T0CuRIA0TGUI075uerKBNApVhuBA1BmWJIrI4JXw5MuX6pdBe+MYccO3vfo+ /frazj8rHdkDa/IbueMbvq+1ozV2+UuxrbaTrV2i4jSRgd74U0QzOh9e8Q0i7vOi l3hnIfOfg+v1oULmZmJSeiAYWxeGvPptp+n7rNFqHGM= </pre></div> </div> <p>The resulting base64 data above, if submitted using the <code class="docutils literal notranslate"><span class="pre">data</span></code> parameter to Guacamole, will authenticate a user and grant them access to the connections described in the JSON (at least until the expires timestamp is reached, at which point the JSON will no longer be accepted).</p> </section> </section> </div> </div> <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer"> <a href="header-auth.html" class="btn btn-neutral float-left" title="HTTP header authentication" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a> <a href="cas-auth.html" class="btn btn-neutral float-right" title="CAS Authentication" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a> </div> <hr/> <div role="contentinfo"> <p>Copyright © 2023 <a href="http://www.apache.org/">The Apache Software Foundation</a>, Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. Apache Guacamole, Guacamole, Apache, the Apache feather logo, and the Apache Guacamole project logo are trademarks of The Apache Software Foundation.</p> </div> Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. </footer> </div> </div> </section> </div> <script> jQuery(function () { SphinxRtdTheme.Navigation.enable(true); }); </script> </body> </html>

doc/1.5.2/gug/json-auth.html (433 lines of code) (raw):