GUACAMOLE-1364: Refactor all SSO extensions beneath common base.

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/.gitignore

@@ -0,0 +1,3 @@
+*~
+target/
+src/main/resources/generated/

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/pom.xml

@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
+                        http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>org.apache.guacamole</groupId>
+    <artifactId>guacamole-auth-sso-openid</artifactId>
+    <packaging>jar</packaging>
+    <version>1.3.0</version>
+    <name>guacamole-auth-sso-openid</name>
+    <url>http://guacamole.apache.org/</url>
+
+    <parent>
+        <groupId>org.apache.guacamole</groupId>
+        <artifactId>guacamole-auth-sso</artifactId>
+        <version>1.3.0</version>
+        <relativePath>../../</relativePath>
+    </parent>
+
+    <build>
+        <plugins>
+
+            <!-- JS/CSS Minification Plugin -->
+            <plugin>
+                <groupId>com.github.buckelieg</groupId>
+                <artifactId>minify-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>default-cli</id>
+                        <configuration>
+                            <charset>UTF-8</charset>
+
+                            <webappSourceDir>${basedir}/src/main/resources</webappSourceDir>
+                            <webappTargetDir>${project.build.directory}/classes</webappTargetDir>
+
+                            <jsSourceDir>/</jsSourceDir>
+                            <jsTargetDir>/</jsTargetDir>
+                            <jsFinalFile>openid.js</jsFinalFile>
+
+                            <jsSourceFiles>
+                                <jsSourceFile>license.txt</jsSourceFile>
+                            </jsSourceFiles>
+
+                            <jsSourceIncludes>
+                                <jsSourceInclude>**/*.js</jsSourceInclude>
+                            </jsSourceIncludes>
+
+                            <!-- Do not minify and include tests -->
+                            <jsSourceExcludes>
+                                <jsSourceExclude>**/*.test.js</jsSourceExclude>
+                            </jsSourceExcludes>
+                            <jsEngine>CLOSURE</jsEngine>
+
+                            <!-- Disable warnings for JSDoc annotations -->
+                            <closureWarningLevels>
+                                <misplacedTypeAnnotation>OFF</misplacedTypeAnnotation>
+                                <nonStandardJsDocs>OFF</nonStandardJsDocs>
+                            </closureWarningLevels>
+
+                        </configuration>
+                        <goals>
+                            <goal>minify</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+
+        </plugins>
+    </build>
+
+    <dependencies>
+
+        <!-- Guacamole Extension API -->
+        <dependency>
+            <groupId>org.apache.guacamole</groupId>
+            <artifactId>guacamole-ext</artifactId>
+        </dependency>
+
+        <!-- Core SSO support -->
+        <dependency>
+            <groupId>org.apache.guacamole</groupId>
+            <artifactId>guacamole-auth-sso-base</artifactId>
+        </dependency>
+
+        <!-- Java implementation of JOSE (jose.4.j) -->
+        <dependency>
+            <groupId>org.bitbucket.b_c</groupId>
+            <artifactId>jose4j</artifactId>
+            <version>0.7.6</version>
+        </dependency>
+
+        <!-- Guice -->
+        <dependency>
+            <groupId>com.google.inject</groupId>
+            <artifactId>guice</artifactId>
+        </dependency>
+
+        <!-- Java servlet API -->
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+        </dependency>
+
+        <!-- JAX-RS Annotations -->
+        <dependency>
+            <groupId>javax.ws.rs</groupId>
+            <artifactId>jsr311-api</artifactId>
+        </dependency>
+
+    </dependencies>
+
+</project>

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/assembly/dist.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+<assembly
+    xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.0 http://maven.apache.org/xsd/assembly-1.1.0.xsd">
+    
+    <id>dist</id>
+    <baseDirectory>${project.artifactId}-${project.version}</baseDirectory>
+
+    <!-- Output tar.gz -->
+    <formats>
+        <format>tar.gz</format>
+    </formats>
+
+    <!-- Include licenses and extension .jar -->
+    <fileSets>
+
+        <!-- Include licenses -->
+        <fileSet>
+            <outputDirectory></outputDirectory>
+            <directory>target/licenses</directory>
+        </fileSet>
+
+        <!-- Include extension .jar -->
+        <fileSet>
+            <directory>target</directory>
+            <outputDirectory></outputDirectory>
+            <includes>
+                <include>*.jar</include>
+            </includes>
+        </fileSet>
+
+    </fileSets>
+
+</assembly>

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/java/org/apache/guacamole/auth/openid/AuthenticationProviderService.java

@@ -0,0 +1,142 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.openid;
+
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import java.util.Arrays;
+import java.util.Set;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.guacamole.auth.openid.conf.ConfigurationService;
+import org.apache.guacamole.auth.openid.form.TokenField;
+import org.apache.guacamole.auth.openid.token.NonceService;
+import org.apache.guacamole.auth.openid.token.TokenValidationService;
+import org.apache.guacamole.auth.openid.user.AuthenticatedUser;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.form.Field;
+import org.apache.guacamole.language.TranslatableMessage;
+import org.apache.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
+import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
+import org.jose4j.jwt.JwtClaims;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Service providing convenience functions for the OpenID AuthenticationProvider
+ * implementation.
+ */
+public class AuthenticationProviderService {
+
+    /**
+     * Logger for this class.
+     */
+    private final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class);
+
+    /**
+     * Service for retrieving OpenID configuration information.
+     */
+    @Inject
+    private ConfigurationService confService;
+
+    /**
+     * Service for validating and generating unique nonce values.
+     */
+    @Inject
+    private NonceService nonceService;
+
+    /**
+     * Service for validating received ID tokens.
+     */
+    @Inject
+    private TokenValidationService tokenService;
+
+    /**
+     * Provider for AuthenticatedUser objects.
+     */
+    @Inject
+    private Provider<AuthenticatedUser> authenticatedUserProvider;
+
+    /**
+     * Returns an AuthenticatedUser representing the user authenticated by the
+     * given credentials.
+     *
+     * @param credentials
+     *     The credentials to use for authentication.
+     *
+     * @return
+     *     An AuthenticatedUser representing the user authenticated by the
+     *     given credentials.
+     *
+     * @throws GuacamoleException
+     *     If an error occurs while authenticating the user, or if access is
+     *     denied.
+     */
+    public AuthenticatedUser authenticateUser(Credentials credentials)
+            throws GuacamoleException {
+
+        String username = null;
+        Set<String> groups = null;
+
+        // Validate OpenID token in request, if present, and derive username
+        HttpServletRequest request = credentials.getRequest();
+        if (request != null) {
+            String token = request.getParameter(TokenField.PARAMETER_NAME);
+            if (token != null) {
+                JwtClaims claims = tokenService.validateToken(token);
+                if (claims != null) {
+                    username = tokenService.processUsername(claims);
+                    groups = tokenService.processGroups(claims);
+                }
+            }
+        }
+
+        // If the username was successfully retrieved from the token, produce
+        // authenticated user
+        if (username != null) {
+
+            // Create corresponding authenticated user
+            AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
+            authenticatedUser.init(username, credentials, groups);
+            return authenticatedUser;
+
+        }
+
+        // Request OpenID token
+        throw new GuacamoleInvalidCredentialsException("Invalid login.",
+            new CredentialsInfo(Arrays.asList(new Field[] {
+
+                // OpenID-specific token (will automatically redirect the user
+                // to the authorization page via JavaScript)
+                new TokenField(
+                    confService.getAuthorizationEndpoint(),
+                    confService.getScope(),
+                    confService.getClientID(),
+                    confService.getRedirectURI(),
+                    nonceService.generate(confService.getMaxNonceValidity() * 60000L),
+                    new TranslatableMessage("LOGIN.INFO_OID_REDIRECT_PENDING")
+                )
+
+            }))
+        );
+
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/java/org/apache/guacamole/auth/openid/OpenIDAuthenticationProvider.java

@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.openid;
+
+import com.google.inject.Guice;
+import com.google.inject.Injector;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+
+/**
+ * Guacamole authentication backend which authenticates users using an
+ * arbitrary external system implementing OpenID. No storage for connections is
+ * provided - only authentication. Storage must be provided by some other
+ * extension.
+ */
+public class OpenIDAuthenticationProvider extends AbstractAuthenticationProvider {
+
+    /**
+     * Injector which will manage the object graph of this authentication
+     * provider.
+     */
+    private final Injector injector;
+
+    /**
+     * Creates a new OpenIDAuthenticationProvider that authenticates users
+     * against an OpenID service.
+     *
+     * @throws GuacamoleException
+     *     If a required property is missing, or an error occurs while parsing
+     *     a property.
+     */
+    public OpenIDAuthenticationProvider() throws GuacamoleException {
+
+        // Set up Guice injector.
+        injector = Guice.createInjector(
+            new OpenIDAuthenticationProviderModule(this)
+        );
+
+    }
+
+    @Override
+    public String getIdentifier() {
+        return "openid";
+    }
+
+    @Override
+    public AuthenticatedUser authenticateUser(Credentials credentials)
+            throws GuacamoleException {
+
+        // Attempt to authenticate user with given credentials
+        AuthenticationProviderService authProviderService = injector.getInstance(AuthenticationProviderService.class);
+        return authProviderService.authenticateUser(credentials);
+
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/java/org/apache/guacamole/auth/openid/OpenIDAuthenticationProviderModule.java

@@ -0,0 +1,83 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.openid;
+
+import com.google.inject.AbstractModule;
+import org.apache.guacamole.auth.openid.conf.ConfigurationService;
+import org.apache.guacamole.auth.openid.token.NonceService;
+import org.apache.guacamole.auth.openid.token.TokenValidationService;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.environment.LocalEnvironment;
+import org.apache.guacamole.net.auth.AuthenticationProvider;
+
+/**
+ * Guice module which configures openid-specific injections.
+ */
+public class OpenIDAuthenticationProviderModule extends AbstractModule {
+
+    /**
+     * Guacamole server environment.
+     */
+    private final Environment environment;
+
+    /**
+     * A reference to the OpenIDAuthenticationProvider on behalf of which this
+     * module has configured injection.
+     */
+    private final AuthenticationProvider authProvider;
+
+    /**
+     * Creates a new OpenID authentication provider module which configures
+     * injection for the OpenIDAuthenticationProvider.
+     *
+     * @param authProvider
+     *     The AuthenticationProvider for which injection is being configured.
+     *
+     * @throws GuacamoleException
+     *     If an error occurs while retrieving the Guacamole server
+     *     environment.
+     */
+    public OpenIDAuthenticationProviderModule(AuthenticationProvider authProvider)
+            throws GuacamoleException {
+
+        // Get local environment
+        this.environment = LocalEnvironment.getInstance();
+
+        // Store associated auth provider
+        this.authProvider = authProvider;
+
+    }
+
+    @Override
+    protected void configure() {
+
+        // Bind core implementations of guacamole-ext classes
+        bind(AuthenticationProvider.class).toInstance(authProvider);
+        bind(Environment.class).toInstance(environment);
+
+        // Bind openid-specific services
+        bind(ConfigurationService.class);
+        bind(NonceService.class);
+        bind(TokenValidationService.class);
+
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/java/org/apache/guacamole/auth/openid/conf/ConfigurationService.java

@@ -0,0 +1,398 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.openid.conf;
+
+import com.google.inject.Inject;
+import java.net.URI;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.IntegerGuacamoleProperty;
+import org.apache.guacamole.properties.StringGuacamoleProperty;
+import org.apache.guacamole.properties.URIGuacamoleProperty;
+
+/**
+ * Service for retrieving configuration information regarding the OpenID
+ * service.
+ */
+public class ConfigurationService {
+
+    /**
+     * The default claim type to use to retrieve an authenticated user's
+     * username.
+     */
+    private static final String DEFAULT_USERNAME_CLAIM_TYPE = "email";
+
+    /**
+     * The default claim type to use to retrieve an authenticated user's
+     * groups.
+     */
+    private static final String DEFAULT_GROUPS_CLAIM_TYPE = "groups";
+
+    /**
+     * The default space-separated list of OpenID scopes to request.
+     */
+    private static final String DEFAULT_SCOPE = "openid email profile";
+
+    /**
+     * The default amount of clock skew tolerated for timestamp comparisons
+     * between the Guacamole server and OpenID service clocks, in seconds.
+     */
+    private static final int DEFAULT_ALLOWED_CLOCK_SKEW = 30;
+
+    /**
+     * The default maximum amount of time that an OpenID token should remain
+     * valid, in minutes.
+     */
+    private static final int DEFAULT_MAX_TOKEN_VALIDITY = 300;
+
+    /**
+     * The default maximum amount of time that a nonce generated by the
+     * Guacamole server should remain valid, in minutes.
+     */
+    private static final int DEFAULT_MAX_NONCE_VALIDITY = 10;
+
+    /**
+     * The authorization endpoint (URI) of the OpenID service.
+     */
+    private static final URIGuacamoleProperty OPENID_AUTHORIZATION_ENDPOINT =
+            new URIGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "openid-authorization-endpoint"; }
+
+    };
+
+    /**
+     * The endpoint (URI) of the JWKS service which defines how received ID
+     * tokens (JWTs) shall be validated.
+     */
+    private static final URIGuacamoleProperty OPENID_JWKS_ENDPOINT =
+            new URIGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "openid-jwks-endpoint"; }
+
+    };
+
+    /**
+     * The issuer to expect for all received ID tokens.
+     */
+    private static final StringGuacamoleProperty OPENID_ISSUER =
+            new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "openid-issuer"; }
+
+    };
+
+    /**
+     * The claim type which contains the authenticated user's username within
+     * any valid JWT.
+     */
+    private static final StringGuacamoleProperty OPENID_USERNAME_CLAIM_TYPE =
+            new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "openid-username-claim-type"; }
+
+    };
+
+    /**
+     * The claim type which contains the authenticated user's groups within
+     * any valid JWT.
+     */
+    private static final StringGuacamoleProperty OPENID_GROUPS_CLAIM_TYPE =
+            new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "openid-groups-claim-type"; }
+
+    };
+
+    /**
+     * The space-separated list of OpenID scopes to request.
+     */
+    private static final StringGuacamoleProperty OPENID_SCOPE =
+            new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "openid-scope"; }
+
+    };
+
+    /**
+     * The amount of clock skew tolerated for timestamp comparisons between the
+     * Guacamole server and OpenID service clocks, in seconds.
+     */
+    private static final IntegerGuacamoleProperty OPENID_ALLOWED_CLOCK_SKEW =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "openid-allowed-clock-skew"; }
+
+    };
+
+    /**
+     * The maximum amount of time that an OpenID token should remain valid, in
+     * minutes.
+     */
+    private static final IntegerGuacamoleProperty OPENID_MAX_TOKEN_VALIDITY =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "openid-max-token-validity"; }
+
+    };
+
+    /**
+     * The maximum amount of time that a nonce generated by the Guacamole server
+     * should remain valid, in minutes. As each OpenID request has a unique
+     * nonce value, this imposes an upper limit on the amount of time any
+     * particular OpenID request can result in successful authentication within
+     * Guacamole.
+     */
+    private static final IntegerGuacamoleProperty OPENID_MAX_NONCE_VALIDITY =
+            new IntegerGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "openid-max-nonce-validity"; }
+
+    };
+
+    /**
+     * OpenID client ID which should be submitted to the OpenID service when
+     * necessary. This value is typically provided by the OpenID service when
+     * OpenID credentials are generated for your application.
+     */
+    private static final StringGuacamoleProperty OPENID_CLIENT_ID =
+            new StringGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "openid-client-id"; }
+
+    };
+
+    /**
+     * The URI that the OpenID service should redirect to after the
+     * authentication process is complete. This must be the full URL that a
+     * user would enter into their browser to access Guacamole.
+     */
+    private static final URIGuacamoleProperty OPENID_REDIRECT_URI =
+            new URIGuacamoleProperty() {
+
+        @Override
+        public String getName() { return "openid-redirect-uri"; }
+
+    };
+
+    /**
+     * The Guacamole server environment.
+     */
+    @Inject
+    private Environment environment;
+
+    /**
+     * Returns the authorization endpoint (URI) of the OpenID service as
+     * configured with guacamole.properties.
+     *
+     * @return
+     *     The authorization endpoint of the OpenID service, as configured with
+     *     guacamole.properties.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed, or if the authorization
+     *     endpoint property is missing.
+     */
+    public URI getAuthorizationEndpoint() throws GuacamoleException {
+        return environment.getRequiredProperty(OPENID_AUTHORIZATION_ENDPOINT);
+    }
+
+    /**
+     * Returns the OpenID client ID which should be submitted to the OpenID
+     * service when necessary, as configured with guacamole.properties. This
+     * value is typically provided by the OpenID service when OpenID credentials
+     * are generated for your application.
+     *
+     * @return
+     *     The client ID to use when communicating with the OpenID service,
+     *     as configured with guacamole.properties.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed, or if the client ID
+     *     property is missing.
+     */
+    public String getClientID() throws GuacamoleException {
+        return environment.getRequiredProperty(OPENID_CLIENT_ID);
+    }
+
+    /**
+     * Returns the URI that the OpenID service should redirect to after
+     * the authentication process is complete, as configured with
+     * guacamole.properties. This must be the full URL that a user would enter
+     * into their browser to access Guacamole.
+     *
+     * @return
+     *     The client secret to use when communicating with the OpenID service,
+     *     as configured with guacamole.properties.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed, or if the redirect URI
+     *     property is missing.
+     */
+    public URI getRedirectURI() throws GuacamoleException {
+        return environment.getRequiredProperty(OPENID_REDIRECT_URI);
+    }
+
+    /**
+     * Returns the issuer to expect for all received ID tokens, as configured
+     * with guacamole.properties.
+     *
+     * @return
+     *     The issuer to expect for all received ID tokens, as configured with
+     *     guacamole.properties.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed, or if the issuer property
+     *     is missing.
+     */
+    public String getIssuer() throws GuacamoleException {
+        return environment.getRequiredProperty(OPENID_ISSUER);
+    }
+
+    /**
+     * Returns the endpoint (URI) of the JWKS service which defines how
+     * received ID tokens (JWTs) shall be validated, as configured with
+     * guacamole.properties.
+     *
+     * @return
+     *     The endpoint (URI) of the JWKS service which defines how received ID
+     *     tokens (JWTs) shall be validated, as configured with
+     *     guacamole.properties.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed, or if the JWKS endpoint
+     *     property is missing.
+     */
+    public URI getJWKSEndpoint() throws GuacamoleException {
+        return environment.getRequiredProperty(OPENID_JWKS_ENDPOINT);
+    }
+
+    /**
+     * Returns the claim type which contains the authenticated user's username
+     * within any valid JWT, as configured with guacamole.properties. By
+     * default, this will be "email".
+     *
+     * @return
+     *     The claim type which contains the authenticated user's username
+     *     within any valid JWT, as configured with guacamole.properties.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public String getUsernameClaimType() throws GuacamoleException {
+        return environment.getProperty(OPENID_USERNAME_CLAIM_TYPE, DEFAULT_USERNAME_CLAIM_TYPE);
+    }
+
+    /**
+     * Returns the claim type which contains the authenticated user's groups
+     * within any valid JWT, as configured with guacamole.properties. By
+     * default, this will be "groups".
+     *
+     * @return
+     *     The claim type which contains the authenticated user's groups
+     *     within any valid JWT, as configured with guacamole.properties.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public String getGroupsClaimType() throws GuacamoleException {
+        return environment.getProperty(OPENID_GROUPS_CLAIM_TYPE, DEFAULT_GROUPS_CLAIM_TYPE);
+    }
+
+    /**
+     * Returns the space-separated list of OpenID scopes to request. By default,
+     * this will be "openid email profile". The OpenID scopes determine the
+     * information returned within the OpenID token, and thus affect what
+     * values can be used as an authenticated user's username.
+     *
+     * @return
+     *     The space-separated list of OpenID scopes to request when identifying
+     *     a user.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public String getScope() throws GuacamoleException {
+        return environment.getProperty(OPENID_SCOPE, DEFAULT_SCOPE);
+    }
+
+    /**
+     * Returns the amount of clock skew tolerated for timestamp comparisons
+     * between the Guacamole server and OpenID service clocks, in seconds. Too
+     * much clock skew will affect token expiration calculations, possibly
+     * allowing old tokens to be used. By default, this will be 30.
+     *
+     * @return
+     *     The amount of clock skew tolerated for timestamp comparisons, in
+     *     seconds.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public int getAllowedClockSkew() throws GuacamoleException {
+        return environment.getProperty(OPENID_ALLOWED_CLOCK_SKEW, DEFAULT_ALLOWED_CLOCK_SKEW);
+    }
+
+    /**
+     * Returns the maximum amount of time that an OpenID token should remain
+     * valid, in minutes. A token received from an OpenID service which is
+     * older than this amount of time will be rejected, even if it is otherwise
+     * valid. By default, this will be 300 (5 hours).
+     *
+     * @return
+     *     The maximum amount of time that an OpenID token should remain valid,
+     *     in minutes.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public int getMaxTokenValidity() throws GuacamoleException {
+        return environment.getProperty(OPENID_MAX_TOKEN_VALIDITY, DEFAULT_MAX_TOKEN_VALIDITY);
+    }
+
+    /**
+     * Returns the maximum amount of time that a nonce generated by the
+     * Guacamole server should remain valid, in minutes. As each OpenID request
+     * has a unique nonce value, this imposes an upper limit on the amount of
+     * time any particular OpenID request can result in successful
+     * authentication within Guacamole. By default, this will be 10.
+     *
+     * @return
+     *     The maximum amount of time that a nonce generated by the Guacamole
+     *     server should remain valid, in minutes.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties cannot be parsed.
+     */
+    public int getMaxNonceValidity() throws GuacamoleException {
+        return environment.getProperty(OPENID_MAX_NONCE_VALIDITY, DEFAULT_MAX_NONCE_VALIDITY);
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/java/org/apache/guacamole/auth/openid/form/TokenField.java

@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.openid.form;
+
+import java.net.URI;
+import javax.ws.rs.core.UriBuilder;
+import org.apache.guacamole.form.RedirectField;
+import org.apache.guacamole.language.TranslatableMessage;
+
+/**
+ * Field definition which represents the token returned by an OpenID Connect
+ * service.
+ */
+public class TokenField extends RedirectField {
+
+    /**
+     * The standard HTTP parameter which will be included within the URL by all
+     * OpenID services upon successful authentication and redirect.
+     */
+    public static final String PARAMETER_NAME = "id_token";
+
+    /**
+     * Creates a new field which requests authentication via OpenID connect.
+     * Successful authentication at the OpenID Connect service will result in
+     * the client being redirected to the specified redirect URI. The OpenID
+     * token will be embedded in the fragment (the part following the hash
+     * symbol) of that URI, which the JavaScript side of this extension will
+     * move to the query parameters.
+     *
+     * @param authorizationEndpoint
+     *     The full URL of the endpoint accepting OpenID authentication
+     *     requests.
+     *
+     * @param scope
+     *     The space-delimited list of OpenID scopes to request from the
+     *     identity provider, such as "openid" or "openid email profile".
+     *
+     * @param clientID
+     *     The ID of the OpenID client. This is normally determined ahead of
+     *     time by the OpenID service through some manual credential request
+     *     procedure.
+     *
+     * @param redirectURI
+     *     The URI that the OpenID service should redirect to upon successful
+     *     authentication.
+     *
+     * @param nonce
+     *     A random string unique to this request. To defend against replay
+     *     attacks, this value must cease being valid after its first use.
+     * 
+     * @param redirectMessage
+     *     The message that will be displayed to the user during redirect.  This
+     *     will be processed through Guacamole's translation system.
+     */
+    public TokenField(URI authorizationEndpoint, String scope,
+            String clientID, URI redirectURI, String nonce,
+            TranslatableMessage redirectMessage) {
+
+        super(PARAMETER_NAME, UriBuilder.fromUri(authorizationEndpoint)
+                .queryParam("scope", scope)
+                .queryParam("response_type", "id_token")
+                .queryParam("client_id", clientID)
+                .queryParam("redirect_uri", redirectURI)
+                .queryParam("nonce", nonce)
+                .build(),
+                redirectMessage);
+
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/java/org/apache/guacamole/auth/openid/token/NonceService.java

@@ -0,0 +1,135 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.openid.token;
+
+import com.google.inject.Singleton;
+import java.math.BigInteger;
+import java.security.SecureRandom;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * Service for generating and validating single-use random tokens (nonces).
+ */
+@Singleton
+public class NonceService {
+
+    /**
+     * Cryptographically-secure random number generator for generating the
+     * required nonce.
+     */
+    private final SecureRandom random = new SecureRandom();
+
+    /**
+     * Map of all generated nonces to their corresponding expiration timestamps.
+     * This Map must be periodically swept of expired nonces to avoid growing
+     * without bound.
+     */
+    private final Map<String, Long> nonces = new ConcurrentHashMap<String, Long>();
+
+    /**
+     * The timestamp of the last expired nonce sweep.
+     */
+    private long lastSweep = System.currentTimeMillis();
+
+    /**
+     * The minimum amount of time to wait between sweeping expired nonces from
+     * the Map.
+     */
+    private static final long SWEEP_INTERVAL = 60000;
+
+    /**
+     * Iterates through the entire Map of generated nonces, removing any nonce
+     * that has exceeded its expiration timestamp. If insufficient time has
+     * elapsed since the last sweep, as dictated by SWEEP_INTERVAL, this
+     * function has no effect.
+     */
+    private void sweepExpiredNonces() {
+
+        // Do not sweep until enough time has elapsed since the last sweep
+        long currentTime = System.currentTimeMillis();
+        if (currentTime - lastSweep < SWEEP_INTERVAL)
+            return;
+
+        // Record time of sweep
+        lastSweep = currentTime;
+
+        // For each stored nonce
+        Iterator<Map.Entry<String, Long>> entries = nonces.entrySet().iterator();
+        while (entries.hasNext()) {
+
+            // Remove all entries which have expired
+            Map.Entry<String, Long> current = entries.next();
+            if (current.getValue() <= System.currentTimeMillis())
+                entries.remove();
+
+        }
+
+    }
+
+    /**
+     * Generates a cryptographically-secure nonce value. The nonce is intended
+     * to be used to prevent replay attacks.
+     *
+     * @param maxAge
+     *     The maximum amount of time that the generated nonce should remain
+     *     valid, in milliseconds.
+     *
+     * @return
+     *     A cryptographically-secure nonce value.
+     */
+    public String generate(long maxAge) {
+
+        // Sweep expired nonces if enough time has passed
+        sweepExpiredNonces();
+
+        // Generate and store nonce, along with expiration timestamp
+        String nonce = new BigInteger(130, random).toString(32);
+        nonces.put(nonce, System.currentTimeMillis() + maxAge);
+        return nonce;
+
+    }
+
+    /**
+     * Returns whether the give nonce value is valid. A nonce is valid if and
+     * only if it was generated by this instance of the NonceService. Testing
+     * nonce validity through this function immediately and permanently
+     * invalidates that nonce.
+     *
+     * @param nonce
+     *     The nonce value to test.
+     *
+     * @return
+     *     true if the provided nonce is valid, false otherwise.
+     */
+    public boolean isValid(String nonce) {
+
+        // Remove nonce, verifying whether it was present at all
+        Long expires = nonces.remove(nonce);
+        if (expires == null)
+            return false;
+
+        // Nonce is only valid if it hasn't expired
+        return expires > System.currentTimeMillis();
+
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java

@@ -0,0 +1,204 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.openid.token;
+
+import com.google.inject.Inject;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import org.apache.guacamole.auth.openid.conf.ConfigurationService;
+import org.apache.guacamole.GuacamoleException;
+import org.jose4j.jwk.HttpsJwks;
+import org.jose4j.jwt.JwtClaims;
+import org.jose4j.jwt.MalformedClaimException;
+import org.jose4j.jwt.consumer.InvalidJwtException;
+import org.jose4j.jwt.consumer.JwtConsumer;
+import org.jose4j.jwt.consumer.JwtConsumerBuilder;
+import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Service for validating ID tokens forwarded to us by the client, verifying
+ * that they did indeed come from the OpenID service.
+ */
+public class TokenValidationService {
+
+    /**
+     * Logger for this class.
+     */
+    private final Logger logger = LoggerFactory.getLogger(TokenValidationService.class);
+
+    /**
+     * Service for retrieving OpenID configuration information.
+     */
+    @Inject
+    private ConfigurationService confService;
+
+    /**
+     * Service for validating and generating unique nonce values.
+     */
+    @Inject
+    private NonceService nonceService;
+
+    /**
+     * Validates the given ID token, returning the JwtClaims contained therein.
+     * If the ID token is invalid, null is returned.
+     *
+     * @param token
+     *     The ID token to validate.
+     *
+     * @return
+     *     The JWT claims contained within the given ID token if it passes tests,
+     *     or null if the token is not valid.
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties could not be parsed.
+     */
+    public JwtClaims validateToken(String token) throws GuacamoleException {
+        // Validating the token requires a JWKS key resolver
+        HttpsJwks jwks = new HttpsJwks(confService.getJWKSEndpoint().toString());
+        HttpsJwksVerificationKeyResolver resolver = new HttpsJwksVerificationKeyResolver(jwks);
+
+        // Create JWT consumer for validating received token
+        JwtConsumer jwtConsumer = new JwtConsumerBuilder()
+                .setRequireExpirationTime()
+                .setMaxFutureValidityInMinutes(confService.getMaxTokenValidity())
+                .setAllowedClockSkewInSeconds(confService.getAllowedClockSkew())
+                .setRequireSubject()
+                .setExpectedIssuer(confService.getIssuer())
+                .setExpectedAudience(confService.getClientID())
+                .setVerificationKeyResolver(resolver)
+                .build();
+
+        try {
+            // Validate JWT
+            JwtClaims claims = jwtConsumer.processToClaims(token);
+
+            // Verify a nonce is present
+            String nonce = claims.getStringClaimValue("nonce");
+            if (nonce != null) {
+                // Verify that we actually generated the nonce, and that it has not
+                // already been used
+                if (nonceService.isValid(nonce)) {
+                    // nonce is valid, consider claims valid
+                    return claims;
+                }
+                else {
+                    logger.info("Rejected OpenID token with invalid/old nonce.");
+                }
+            }
+            else {
+                logger.info("Rejected OpenID token without nonce.");
+            }
+        }
+        // Log any failures to validate/parse the JWT
+        catch (MalformedClaimException e) {
+            logger.info("Rejected OpenID token with malformed claim: {}", e.getMessage());
+            logger.debug("Malformed claim within received JWT.", e);
+        }
+        catch (InvalidJwtException e) {
+            logger.info("Rejected invalid OpenID token: {}", e.getMessage());
+            logger.debug("Invalid JWT received.", e);
+        }
+
+        return null;
+    }
+
+    /**
+     * Parses the given JwtClaims, returning the username contained
+     * therein, as defined by the username claim type given in
+     * guacamole.properties. If the username claim type is missing or 
+     * is invalid, null is returned.
+     *
+     * @param claims
+     *     A valid JwtClaims to extract the username from.
+     *
+     * @return
+     *     The username contained within the given JwtClaims, or null if the
+     *     claim is not valid or the username claim type is missing,
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties could not be parsed.
+     */
+    public String processUsername(JwtClaims claims) throws GuacamoleException {
+        String usernameClaim = confService.getUsernameClaimType();
+
+        if (claims != null) {
+            try {
+                // Pull username from claims
+                String username = claims.getStringClaimValue(usernameClaim);
+                if (username != null)
+                    return username;
+            }
+            catch (MalformedClaimException e) {
+                logger.info("Rejected OpenID token with malformed claim: {}", e.getMessage());
+                logger.debug("Malformed claim within received JWT.", e);
+            }
+
+            // Warn if username was not present in token, as it likely means
+            // the system is not set up correctly
+            logger.warn("Username claim \"{}\" missing from token. Perhaps the "
+                    + "OpenID scope and/or username claim type are "
+                    + "misconfigured?", usernameClaim);
+        }
+
+        // Could not retrieve username from JWT
+        return null;
+    }
+
+    /**
+     * Parses the given JwtClaims, returning the groups contained
+     * therein, as defined by the groups claim type given in
+     * guacamole.properties. If the groups claim type is missing or
+     * is invalid, an empty set is returned.
+     *
+     * @param claims
+     *     A valid JwtClaims to extract groups from.
+     *
+     * @return
+     *     A Set of String representing the groups the user is member of
+     *     from the OpenID provider point of view, or an empty Set if
+     *     claim is not valid or the groups claim type is missing,
+     *
+     * @throws GuacamoleException
+     *     If guacamole.properties could not be parsed.
+     */
+    public Set<String> processGroups(JwtClaims claims) throws GuacamoleException {
+        String groupsClaim = confService.getGroupsClaimType();
+
+        if (claims != null) {
+            try {
+                // Pull groups from claims
+                List<String> oidcGroups = claims.getStringListClaimValue(groupsClaim);
+                if (oidcGroups != null && !oidcGroups.isEmpty())
+                    return Collections.unmodifiableSet(new HashSet<>(oidcGroups));
+            }   
+            catch (MalformedClaimException e) {
+                logger.info("Rejected OpenID token with malformed claim: {}", e.getMessage());
+                logger.debug("Malformed claim within received JWT.", e);
+            }
+        }
+
+        // Could not retrieve groups from JWT
+        return Collections.emptySet();
+    }
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/java/org/apache/guacamole/auth/openid/user/AuthenticatedUser.java

@@ -0,0 +1,85 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.openid.user;
+
+import com.google.inject.Inject;
+import java.util.Set;
+import org.apache.guacamole.net.auth.AbstractAuthenticatedUser;
+import org.apache.guacamole.net.auth.AuthenticationProvider;
+import org.apache.guacamole.net.auth.Credentials;
+
+/**
+ * An openid-specific implementation of AuthenticatedUser, associating a
+ * username, a particular set of credentials and the groups with the 
+ * OpenID authentication provider.
+ */
+public class AuthenticatedUser extends AbstractAuthenticatedUser {
+
+    /**
+     * Reference to the authentication provider associated with this
+     * authenticated user.
+     */
+    @Inject
+    private AuthenticationProvider authProvider;
+
+    /**
+     * The credentials provided when this user was authenticated.
+     */
+    private Credentials credentials;
+
+    /**
+     * The groups of the user that was authenticated.
+     */
+    private Set<String> effectiveGroups;
+
+    /**
+     * Initializes this AuthenticatedUser using the given username and
+     * credentials.
+     *
+     * @param username
+     *     The username of the user that was authenticated.
+     *
+     * @param credentials
+     *     The credentials provided when this user was authenticated.
+     *
+     * @param effectiveGroups
+     *     The groups of the user that was authenticated.
+     */
+    public void init(String username, Credentials credentials, Set<String> effectiveGroups) {
+        this.credentials = credentials;
+        this.effectiveGroups = effectiveGroups;
+        setIdentifier(username);
+    }
+
+    @Override
+    public AuthenticationProvider getAuthenticationProvider() {
+        return authProvider;
+    }
+
+    @Override
+    public Credentials getCredentials() {
+        return credentials;
+    }
+
+    @Override
+    public Set<String> getEffectiveUserGroups() {
+        return effectiveGroups;
+    }
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/resources/guac-manifest.json

@@ -0,0 +1,28 @@
+{
+
+    "guacamoleVersion" : "1.3.0",
+
+    "name"      : "OpenID Authentication Extension",
+    "namespace" : "openid",
+
+    "authProviders" : [
+        "org.apache.guacamole.auth.openid.OpenIDAuthenticationProvider"
+    ],
+
+    "translations" : [
+        "translations/ca.json",
+        "translations/de.json",
+        "translations/en.json",
+        "translations/fr.json",
+        "translations/ja.json",
+        "translations/ko.json",
+        "translations/pt.json",
+        "translations/ru.json",
+        "translations/zh.json"
+    ],
+
+    "js" : [
+        "openid.min.js"
+    ]
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/resources/license.txt

@@ -0,0 +1,18 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/resources/transformToken.js

@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * Before AngularJS routing takes effect, reformat the URL fragment
+ * from the format used by OpenID Connect ("#param1=value1&param2=value2&...")
+ * to the format used by AngularJS ("#/?param1=value1&param2=value2&...") such
+ * that the client side of Guacamole's authentication system will automatically
+ * forward the "id_token" value for server-side validation.
+ * 
+ * Note that not all OpenID identity providers will include the "id_token"
+ * parameter in the first position; it may occur after several other parameters
+ * within the fragment.
+ */
+
+(function guacOpenIDTransformToken() {
+    if (/^#(?![?\/])(.*&)?id_token=/.test(location.hash))
+        location.hash = '/?' + location.hash.substring(1);
+})();

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/resources/translations/ca.json

@@ -0,0 +1,12 @@
+{
+
+    "DATA_SOURCE_OPENID" : {
+        "NAME" : "OpenID SSO Backend"
+    },
+
+    "LOGIN" : {
+        "FIELD_HEADER_ID_TOKEN" : "",
+        "INFO_OID_REDIRECT_PENDING" : "Espereu, redirigint al proveïdor d'identitat ..."
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/resources/translations/de.json

@@ -0,0 +1,7 @@
+{
+
+    "LOGIN" : {
+        "INFO_OID_REDIRECT_PENDING" : "Bitte warten, Sie werden zum Identitätsprovider weitergeleitet..."
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/resources/translations/en.json

@@ -0,0 +1,12 @@
+{
+
+    "DATA_SOURCE_OPENID" : {
+        "NAME" : "OpenID SSO Backend"
+    },
+
+    "LOGIN" : {
+        "FIELD_HEADER_ID_TOKEN" : "",
+        "INFO_OID_REDIRECT_PENDING" : "Please wait, redirecting to identity provider..."
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/resources/translations/fr.json

@@ -0,0 +1,12 @@
+{
+
+    "DATA_SOURCE_OPENID" : {
+        "NAME" : "OpenID SSO Backend"
+    },
+
+    "LOGIN" : {
+        "FIELD_HEADER_ID_TOKEN" : "",
+        "INFO_OID_REDIRECT_PENDING" : "Veuillez patienter, redirection vers le fournisseur d'identité..."
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/resources/translations/ja.json

@@ -0,0 +1,7 @@
+{
+
+    "LOGIN" : {
+        "INFO_OID_REDIRECT_PENDING" : "IDプロバイダへリダイレクトしています。"
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/resources/translations/ko.json

@@ -0,0 +1,7 @@
+{
+
+    "LOGIN" : {
+        "INFO_OID_REDIRECT_PENDING" : "잠시만 기다려주십시오. ID 제공자로 리디렉션 중..."
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/resources/translations/pt.json

@@ -0,0 +1,12 @@
+{
+
+    "DATA_SOURCE_OPENID" : {
+        "NAME" : "OpenID SSO Backend"
+    },
+
+    "LOGIN" : {
+        "FIELD_HEADER_ID_TOKEN" : "",
+        "INFO_OID_REDIRECT_PENDING" : "Por favor aguarde, redirecionando ao provedor de indentidade..."
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/resources/translations/ru.json

@@ -0,0 +1,11 @@
+{
+
+    "DATA_SOURCE_OPENID" : {
+        "NAME" : "Бэкенд OpenID SSO"
+    },
+
+    "LOGIN" : {
+        "INFO_REDIRECT_PENDING" : "Пожалуйста, подождите. Переадресую на страницу аутентификации..."
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/resources/translations/zh.json

@@ -0,0 +1,12 @@
+{
+
+    "DATA_SOURCE_OPENID" : {
+        "NAME" : "OpenID SSO后端"
+    },
+
+    "LOGIN" : {
+        "FIELD_HEADER_ID_TOKEN" : "",
+        "INFO_REDIRECT_PENDING" : "请稍候，正在重定向到身份提供者..."
+    }
+
+}