Open typkrft opened 10 months ago
The reason why we haven't added this to the guacamole documentation is because in theory this applies to all applications using OAuth/OIDC.
Is your feature request related to a problem? Please describe.

Because Cloudflare is such a common service, it might be worth mentioning the Browser Integrity Check resolution in #4082. The 403 issue was off topic from the original issue in that thread, I believe, but I've been able to reproduce and resolve the issue as described by creating a page rule and turning off the check for https://authentik.tld/application/o/guacamole/jwks/. It feels wrong to degrade security though. Even a quick link in the docs to the gh issue would suffice probably.
Ultimately, the 403 issue results in the same behavior of looping between authentik and guacamole.
Cloudflare says it challenges non-standard agents and commonly abused headers. I don't completely understand the exchange or where the problem lies, but maybe there is a more holistic solution that could be implemented through guacamole or authentik or possibly the reverse proxy through header manipulation. When I have some time I'll do some more digging.