GUACAMOLE-210: Migrate to implicit flow (client-side, relies on "id_token"). Update to pre-release 0.9.9-incubating codebase.

extensions/guacamole-auth-openid/pom.xml

@@ -26,7 +26,7 @@
     <groupId>org.apache.guacamole</groupId>
     <artifactId>guacamole-auth-openid</artifactId>
     <packaging>jar</packaging>
-    <version>0.9.9</version>
+    <version>0.9.9-incubating</version>
     <name>guacamole-auth-openid</name>
     <url>http://guacamole.incubator.apache.org/</url>
 
@@ -80,24 +80,12 @@
 
         <!-- Guacamole Extension API -->
         <dependency>
-            <groupId>org.glyptodon.guacamole</groupId>
+            <groupId>org.apache.guacamole</groupId>
             <artifactId>guacamole-ext</artifactId>
-            <version>0.9.9</version>
+            <version>0.9.9-incubating</version>
             <scope>provided</scope>
         </dependency>
 
-        <!-- Jersey Client -->
-        <dependency>
-            <groupId>com.sun.jersey</groupId>
-            <artifactId>jersey-client</artifactId>
-            <version>1.17.1</version>
-        </dependency>
-        <dependency>
-            <groupId>com.sun.jersey</groupId>
-            <artifactId>jersey-json</artifactId>
-            <version>1.17.1</version>
-        </dependency>
-
         <!-- Guice -->
         <dependency>
             <groupId>com.google.inject</groupId>

extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/AuthenticationProviderService.java

@@ -25,14 +25,12 @@ import java.util.Arrays;
 import javax.servlet.http.HttpServletRequest;
 import org.apache.guacamole.auth.oauth.user.AuthenticatedUser;
 import org.apache.guacamole.auth.oauth.conf.ConfigurationService;
-import org.apache.guacamole.auth.oauth.form.OAuthCodeField;
+import org.apache.guacamole.auth.oauth.form.OAuthTokenField;
-import org.apache.guacamole.auth.oauth.token.TokenResponse;
+import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.auth.oauth.token.TokenService;
+import org.apache.guacamole.form.Field;
-import org.glyptodon.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.Credentials;
-import org.glyptodon.guacamole.form.Field;
+import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
-import org.glyptodon.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
-import org.glyptodon.guacamole.net.auth.credentials.CredentialsInfo;
-import org.glyptodon.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -53,12 +51,6 @@ public class AuthenticationProviderService {
     @Inject
     private ConfigurationService confService;
 
-    /**
-     * Service for producing authentication tokens from OAuth codes.
-     */
-    @Inject
-    private TokenService tokenService;
-
     /**
      * Provider for AuthenticatedUser objects.
      */
@@ -83,19 +75,15 @@ public class AuthenticationProviderService {
     public AuthenticatedUser authenticateUser(Credentials credentials)
             throws GuacamoleException {
 
-        String code = null;
+        String token = null;
 
-        // Pull OAuth code from request if present
+        // Pull OAuth token from request if present
         HttpServletRequest request = credentials.getRequest();
         if (request != null)
-            code = request.getParameter(OAuthCodeField.PARAMETER_NAME);
+            token = request.getParameter(OAuthTokenField.PARAMETER_NAME);
 
-        // TODO: Actually complete authentication using received code
+        // TODO: Actually validate received token
-        if (code != null) {
+        if (token != null) {
-
-            // POST code and client information to OAuth token endpoint
-            TokenResponse response = tokenService.getTokenFromCode(code);
-            logger.debug("RESPONSE: {}", response);
 
             // Create corresponding authenticated user
             AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
@@ -104,17 +92,13 @@ public class AuthenticationProviderService {
 
         }
 
-        // Request auth code
+        // Request OAuth token
         throw new GuacamoleInvalidCredentialsException("Invalid login.",
             new CredentialsInfo(Arrays.asList(new Field[] {
 
-                // Normal username/password fields
+                // OAuth-specific token (will automatically redirect the user
-                CredentialsInfo.USERNAME,
+                // to the authorization page via JavaScript)
-                CredentialsInfo.PASSWORD,
+                new OAuthTokenField(
-
-                // OAuth-specific code (will be rendered as an appropriate
-                // "Log in with..." button
-                new OAuthCodeField(
                     confService.getAuthorizationEndpoint(),
                     confService.getClientID(),
                     confService.getRedirectURI()

extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/OAuthAuthenticationProvider.java

@@ -21,11 +21,11 @@ package org.apache.guacamole.auth.oauth;
 
 import com.google.inject.Guice;
 import com.google.inject.Injector;
-import org.glyptodon.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleException;
-import org.glyptodon.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
-import org.glyptodon.guacamole.net.auth.AuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticationProvider;
-import org.glyptodon.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.Credentials;
-import org.glyptodon.guacamole.net.auth.UserContext;
+import org.apache.guacamole.net.auth.UserContext;
 
 /**
  * Guacamole authentication backend which authenticates users using an

extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/OAuthAuthenticationProviderModule.java

@@ -20,17 +20,11 @@
 package org.apache.guacamole.auth.oauth;
 
 import com.google.inject.AbstractModule;
-import com.sun.jersey.api.client.Client;
-import com.sun.jersey.api.client.config.ClientConfig;
-import com.sun.jersey.api.client.config.DefaultClientConfig;
 import org.apache.guacamole.auth.oauth.conf.ConfigurationService;
-import org.apache.guacamole.auth.oauth.token.TokenService;
+import org.apache.guacamole.GuacamoleException;
-import org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider;
+import org.apache.guacamole.environment.Environment;
-import org.codehaus.jackson.map.DeserializationConfig;
+import org.apache.guacamole.environment.LocalEnvironment;
-import org.glyptodon.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AuthenticationProvider;
-import org.glyptodon.guacamole.environment.Environment;
-import org.glyptodon.guacamole.environment.LocalEnvironment;
-import org.glyptodon.guacamole.net.auth.AuthenticationProvider;
 
 /**
  * Guice module which configures OAuth-specific injections.
@@ -48,12 +42,6 @@ public class OAuthAuthenticationProviderModule extends AbstractModule {
      */
     private final AuthenticationProvider authProvider;
 
-    /**
-     * A reference to the shared HTTP client to be used when making calls to
-     * the OAuth service.
-     */
-    private final Client client;
-
     /**
      * Creates a new OAuth authentication provider module which configures
      * injection for the OAuthAuthenticationProvider.
@@ -74,15 +62,6 @@ public class OAuthAuthenticationProviderModule extends AbstractModule {
         // Store associated auth provider
         this.authProvider = authProvider;
 
-        // Set up configuration for HTTP client
-        ClientConfig clientConfig = new DefaultClientConfig();
-        clientConfig.getSingletons().add(new JacksonJaxbJsonProvider()
-            .configure(DeserializationConfig.Feature.FAIL_ON_UNKNOWN_PROPERTIES, false)
-        );
-
-        // Store pre-configured HTTP client
-        this.client = Client.create(clientConfig);
-
     }
 
     @Override
@@ -94,10 +73,6 @@ public class OAuthAuthenticationProviderModule extends AbstractModule {
 
         // Bind OAuth-specific services
         bind(ConfigurationService.class);
-        bind(TokenService.class);
-
-        // Bind HTTP client
-        bind(Client.class).toInstance(client);
 
     }
 

extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/conf/ConfigurationService.java

@@ -20,8 +20,8 @@
 package org.apache.guacamole.auth.oauth.conf;
 
 import com.google.inject.Inject;
-import org.glyptodon.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleException;
-import org.glyptodon.guacamole.environment.Environment;
+import org.apache.guacamole.environment.Environment;
 
 /**
  * Service for retrieving configuration information regarding the OAuth service.
@@ -50,22 +50,6 @@ public class ConfigurationService {
         return environment.getRequiredProperty(OAuthGuacamoleProperties.OAUTH_AUTHORIZATION_ENDPOINT);
     }
 
-    /**
-     * Returns the token endpoint (URI) of the OAuth service as configured with
-     * guacamole.properties.
-     *
-     * @return
-     *     The token endpoint of the OAuth service, as configured with
-     *     guacamole.properties.
-     *
-     * @throws GuacamoleException
-     *     If guacamole.properties cannot be parsed, or if the authorization
-     *     endpoint property is missing.
-     */
-    public String getTokenEndpoint() throws GuacamoleException {
-        return environment.getRequiredProperty(OAuthGuacamoleProperties.OAUTH_TOKEN_ENDPOINT);
-    }
-
     /**
      * Returns the OAuth client ID which should be submitted to the OAuth
      * service when necessary, as configured with guacamole.properties. This
@@ -84,24 +68,6 @@ public class ConfigurationService {
         return environment.getRequiredProperty(OAuthGuacamoleProperties.OAUTH_CLIENT_ID);
     }
 
-    /**
-     * Returns the OAuth client secret which should be submitted to the OAuth
-     * service when necessary, as configured with guacamole.properties. This
-     * value is typically provided by the OAuth service when OAuth credentials
-     * are generated for your application.
-     *
-     * @return
-     *     The client secret to use when communicating with the OAuth service,
-     *     as configured with guacamole.properties.
-     *
-     * @throws GuacamoleException
-     *     If guacamole.properties cannot be parsed, or if the client secret
-     *     property is missing.
-     */
-    public String getClientSecret() throws GuacamoleException {
-        return environment.getRequiredProperty(OAuthGuacamoleProperties.OAUTH_CLIENT_SECRET);
-    }
-
     /**
      * Returns the URI that the OAuth service should redirect to after
      * the authentication process is complete, as configured with

extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/conf/OAuthGuacamoleProperties.java

@@ -19,7 +19,7 @@
 
 package org.apache.guacamole.auth.oauth.conf;
 
-import org.glyptodon.guacamole.properties.StringGuacamoleProperty;
+import org.apache.guacamole.properties.StringGuacamoleProperty;
 
 /**
  * Provides properties required for use of the OAuth authentication provider.
@@ -44,17 +44,6 @@ public class OAuthGuacamoleProperties {
 
     };
 
-    /**
-     * The token endpoint (URI) of the OAuth service.
-     */
-    public static final StringGuacamoleProperty OAUTH_TOKEN_ENDPOINT =
-            new StringGuacamoleProperty() {
-
-        @Override
-        public String getName() { return "oauth-token-endpoint"; }
-
-    };
-
     /**
      * OAuth client ID which should be submitted to the OAuth service when
      * necessary. This value is typically provided by the OAuth service when
@@ -68,19 +57,6 @@ public class OAuthGuacamoleProperties {
 
     };
 
-    /**
-     * OAuth client secret which should be submitted to the OAuth service when
-     * necessary. This value is typically provided by the OAuth service when
-     * OAuth credentials are generated for your application.
-     */
-    public static final StringGuacamoleProperty OAUTH_CLIENT_SECRET =
-            new StringGuacamoleProperty() {
-
-        @Override
-        public String getName() { return "oauth-client-secret"; }
-
-    };
-
     /**
      * The URI that the OAuth service should redirect to after the
      * authentication process is complete. This must be the full URL that a

extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthTokenField.java

@@ -21,20 +21,21 @@ package org.apache.guacamole.auth.oauth.form;
 
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
-import org.glyptodon.guacamole.form.Field;
+import java.util.UUID;
+import org.apache.guacamole.form.Field;
 
 /**
- * Field definition which represents the code returned by an OAuth service.
+ * Field definition which represents the token returned by an OAuth service.
  * Within the user interface, this will be rendered as an appropriate "Log in
  * with ..." button which links to the OAuth service.
  */
-public class OAuthCodeField extends Field {
+public class OAuthTokenField extends Field {
 
     /**
      * The standard HTTP parameter which will be included within the URL by all
      * OAuth services upon successful authentication and redirect.
      */
-    public static final String PARAMETER_NAME = "code";
+    public static final String PARAMETER_NAME = "id_token";
 
     /**
      * The full URI which the field should link to.
@@ -42,11 +43,12 @@ public class OAuthCodeField extends Field {
     private final String authorizationURI;
 
     /**
-     * Creates a new OAuth "code" field which links to the given OAuth service
+     * Creates a new OAuth "id_token" field which links to the given OAuth
-     * using the provided client ID. Successful authentication at the OAuth
+     * service using the provided client ID. Successful authentication at the
-     * service will result in the client being redirected to the specified
+     * OAuth service will result in the client being redirected to the specified
-     * redirect URI. The OAuth code will be embedded in the query parameters of
+     * redirect URI. The OAuth token will be embedded in the fragment (the part
-     * that URI.
+     * following the hash symbol) of that URI, which the JavaScript side of
+     * this extension will move to the query parameters.
      *
      * @param authorizationEndpoint
      *     The full URL of the endpoint accepting OAuth authentication
@@ -61,19 +63,20 @@ public class OAuthCodeField extends Field {
      *     The URI that the OAuth service should redirect to upon successful
      *     authentication.
      */
-    public OAuthCodeField(String authorizationEndpoint, String clientID,
+    public OAuthTokenField(String authorizationEndpoint, String clientID,
             String redirectURI) {
 
         // Init base field properties
-        super(PARAMETER_NAME, "GUAC_OAUTH_CODE");
+        super(PARAMETER_NAME, "GUAC_OAUTH_TOKEN");
 
         // Build authorization URI from given values
         try {
             this.authorizationURI = authorizationEndpoint
                     + "?scope=openid%20email%20profile"
-                    + "&response_type=code"
+                    + "&response_type=id_token"
                     + "&client_id=" + URLEncoder.encode(clientID, "UTF-8")
-                    + "&redirect_uri=" + URLEncoder.encode(redirectURI, "UTF-8");
+                    + "&redirect_uri=" + URLEncoder.encode(redirectURI, "UTF-8")
+                    + "&nonce=" + UUID.randomUUID().toString();
         }
 
         // Java is required to provide UTF-8 support
@@ -84,7 +87,7 @@ public class OAuthCodeField extends Field {
     }
 
     /**
-     * Returns the full URI that this field should link to when a new code
+     * Returns the full URI that this field should link to when a new token
      * needs to be obtained from the OAuth service.
      *
      * @return

extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/token/TokenResponse.java

@@ -1,153 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.guacamole.auth.oauth.token;
-
-import org.codehaus.jackson.annotate.JsonProperty;
-
-/**
- * The response produced from a successful request to the token endpoint of an
- * OAuth service.
- */
-public class TokenResponse {
-
-    /**
-     * An arbitrary access token which can be used for future requests against
-     * the API associated with the OAuth service.
-     */
-    private String accessToken;
-
-    /**
-     * The type of token present. This will always be "Bearer".
-     */
-    private String tokenType;
-
-    /**
-     * The number of seconds the access token will remain valid.
-     */
-    private int expiresIn;
-
-    /**
-     * A JWT (JSON Web Token) which containing identity information which has
-     * been cryptographically signed.
-     */
-    private String idToken;
-
-    /**
-     * Returns an arbitrary access token which can be used for future requests
-     * against the API associated with the OAuth service.
-     *
-     * @return
-     *     An arbitrary access token provided by the OAuth service.
-     */
-    @JsonProperty("access_token")
-    public String getAccessToken() {
-        return accessToken;
-    }
-
-    /**
-     * Sets the arbitrary access token which can be used for future requests
-     * against the API associated with the OAuth service.
-     *
-     * @param accessToken
-     *     The arbitrary access token provided by the OAuth service.
-     */
-    @JsonProperty("access_token")
-    public void setAccessToken(String accessToken) {
-        this.accessToken = accessToken;
-    }
-
-    /**
-     * Returns the type of token present in this response. This should always
-     * be "Bearer".
-     *
-     * @return
-     *     The type of token present in this response.
-     */
-    @JsonProperty("token_type")
-    public String getTokenType() {
-        return tokenType;
-    }
-
-    /**
-     * Sets the type of token present in this response. This should always be
-     * "Bearer".
-     *
-     * @param tokenType
-     *     The type of token present in this response, which should be
-     *     "Bearer".
-     */
-    @JsonProperty("token_type")
-    public void setTokenType(String tokenType) {
-        this.tokenType = tokenType;
-    }
-
-    /**
-     * Returns the number of seconds the access token within this response will
-     * remain valid.
-     *
-     * @return
-     *     The number of seconds the access token within this response will
-     *     remain valid.
-     */
-    @JsonProperty("expires_in")
-    public int getExpiresIn() {
-        return expiresIn;
-    }
-
-    /**
-     * Sets the number of seconds the access token within this response will
-     * remain valid.
-     *
-     * @param expiresIn
-     *     The number of seconds the access token within this response will
-     *     remain valid.
-     */
-    @JsonProperty("expires_in")
-    public void setExpiresIn(int expiresIn) {
-        this.expiresIn = expiresIn;
-    }
-
-    /**
-     * Returns a JWT (JSON Web Token) containing identity information which has
-     * been cryptographically signed by the OAuth service.
-     *
-     * @return
-     *     A JWT (JSON Web Token) containing identity information which has
-     *     been cryptographically signed by the OAuth service.
-     */
-    @JsonProperty("id_token")
-    public String getIdToken() {
-        return idToken;
-    }
-
-    /**
-     * Sets the JWT (JSON Web Token) containing identity information which has
-     * been cryptographically signed by the OAuth service.
-     *
-     * @param idToken
-     *     A JWT (JSON Web Token) containing identity information which has
-     *     been cryptographically signed by the OAuth service.
-     */
-    @JsonProperty("id_token")
-    public void setIdToken(String idToken) {
-        this.idToken = idToken;
-    }
-
-}

extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/token/TokenService.java

@@ -1,101 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.guacamole.auth.oauth.token;
-
-import com.google.inject.Inject;
-import com.sun.jersey.api.client.Client;
-import com.sun.jersey.api.client.UniformInterfaceException;
-import com.sun.jersey.api.representation.Form;
-import javax.ws.rs.core.MediaType;
-import org.apache.guacamole.auth.oauth.AuthenticationProviderService;
-import org.apache.guacamole.auth.oauth.conf.ConfigurationService;
-import org.glyptodon.guacamole.GuacamoleException;
-import org.glyptodon.guacamole.GuacamoleServerException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Provides relatively abstract means of producing authentication tokens from
- * the codes received from OAuth services.
- */
-public class TokenService {
-
-    /**
-     * Logger for this class.
-     */
-    private final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class);
-
-    /**
-     * Service for retrieving OAuth configuration information.
-     */
-    @Inject
-    private ConfigurationService confService;
-
-    /**
-     * Jersey HTTP client.
-     */
-    @Inject
-    private Client client;
-
-    /**
-     * Given an authorization code previously received from the OAuth service
-     * via the "code" parameter provided to the redirect URL, retrieves and
-     * returns an authentication token.
-     *
-     * @param code
-     *     The value of the "code" parameter received from the OAuth service.
-     *
-     * @return
-     *     The authentication roken response received from the OAuth service.
-     *
-     * @throws GuacamoleException
-     *     If required properties within guacamole.properties cannot be read,
-     *     or if an error occurs while contacting the OAuth service.
-     */
-    public TokenResponse getTokenFromCode(String code)
-            throws GuacamoleException {
-
-        try {
-
-            // Generate POST data
-            Form form = new Form();
-            form.add("code", code);
-            form.add("client_id", confService.getClientID());
-            form.add("client_secret", confService.getClientSecret());
-            form.add("redirect_uri", confService.getRedirectURI());
-            form.add("grant_type", "authorization_code");
-
-            // POST code and client information to OAuth token endpoint
-            return client.resource(confService.getTokenEndpoint())
-                .type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
-                .accept(MediaType.APPLICATION_JSON_TYPE)
-                .post(TokenResponse.class, form);
-
-        }
-
-        // Log any failure reaching the OAuth service
-        catch (UniformInterfaceException e) {
-            logger.debug("POST to token endpoint failed.", e);
-            throw new GuacamoleServerException("Unable to POST to token endpoint.", e);
-        }
-
-    }
-
-}

extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/user/AuthenticatedUser.java

@@ -20,9 +20,9 @@
 package org.apache.guacamole.auth.oauth.user;
 
 import com.google.inject.Inject;
-import org.glyptodon.guacamole.net.auth.AbstractAuthenticatedUser;
+import org.apache.guacamole.net.auth.AbstractAuthenticatedUser;
-import org.glyptodon.guacamole.net.auth.AuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticationProvider;
-import org.glyptodon.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.Credentials;
 
 /**
  * An OAuth-specific implementation of AuthenticatedUser, associating a

extensions/guacamole-auth-openid/src/main/resources/guac-manifest.json

@@ -1,6 +1,6 @@
 {
 
-    "guacamoleVersion" : "0.9.9",
+    "guacamoleVersion" : "0.9.9-incubating",
 
     "name"      : "OAuth Authentication Extension",
     "namespace" : "guac-oauth",
@@ -11,11 +11,8 @@
 
     "js" : [
         "oauthModule.js",
+        "oauthController.js",
         "oauthConfig.js"
-    ],
+    ]
-
-    "resources" : {
-        "oauthCodeField.html" : "text/html"
-    }
 
 }

extensions/guacamole-auth-openid/src/main/resources/oauthCodeField.html

@@ -1 +0,0 @@
-<a href="{{field.authorizationURI}}">Log in using OAuth</a>

extensions/guacamole-auth-openid/src/main/resources/oauthConfig.js

@@ -23,9 +23,32 @@
 angular.module('guacOAuth').config(['formServiceProvider',
         function guacOAuthConfig(formServiceProvider) {
 
-    // Define field for code from OAuth service
+    // Define field for token from OAuth service
-    formServiceProvider.registerFieldType("GUAC_OAUTH_CODE", {
+    formServiceProvider.registerFieldType("GUAC_OAUTH_TOKEN", {
-        templateUrl : 'app/ext/guac-oauth/oauthCodeField.html'
+        template   : '',
+        controller : 'guacOAuthController',
+        module     : 'guacOAuth'
+    });
+
+}]);
+
+/**
+ * Config block which augments the existing routing, providing special handling
+ * for the "id_token=" fragments provided by OpenID Connect.
+ */
+angular.module('index').config(['$routeProvider',
+        function indexRouteConfig($routeProvider) {
+
+    // Transform "/#/id_token=..." to "/#/?id_token=..."
+    $routeProvider.when('/id_token=:response', {
+
+        template   : '',
+        controller : ['$location', function reroute($location) {
+            var params = $location.path().substring(1);
+            $location.url('/');
+            $location.search(params);
+        }]
+
     });
 
 }]);

extensions/guacamole-auth-openid/src/main/resources/oauthController.js

@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * Controller for the "GUAC_OAUTH_TOKEN" field which simply redirects the user
+ * immediately to the authorization URI.
+ */
+angular.module('guacOAuth').controller('guacOAuthController', ['$scope',
+    function guacOAuthController($scope) {
+
+    // Redirect to authorization URI
+    window.location = $scope.field.authorizationURI;
+
+}]);