ShinyProxy 2.6.1 access with Identity Server #398

Open
erossini opened this issue Jan 16, 2023 · 2 comments
erossini commented Jan 16, 2023

I followed the instructions from this website to add authentication with Identity Server. The configuration is quite simple:

proxy:
  title: Open Analytics Shiny Proxy
  port: 8080
 
  authentication: openid
  openid:
    auth-url: https://identityserverurl/connect/authorize
    token-url: https://identityserverurl/connect/token
    jwks-url: https://identityserverurl/.well-known/openid-configuration/jwks
    logout-url: https://identityserverurl/Account/Logout?return=http://yourshinyproxy:8080/
    client-id: ShinyProxy
    client-secret: secret
    scopes: [ "openid", "profile", "roles" ]
    username-attribute: aud
    roles-claim: role

And the authentication seems to be working. When I add the access-groups to display the app only for a particular role, it doesn't work:

  specs:
  - id: 01_hello
    display-name: Hello Application
    description: Application which demonstrates the basics of a Shiny app
    container-cmd: ["R", "-e", "shinyproxy::run_01_hello()"]
    container-image: openanalytics/shinyproxy-demo
    container-network: sp-example-net
    access-groups: 200122-user

The same code is working with version 2.4.3 of ShinyProxy.

Is there anything I missed for this configuration in the ShinyProxy 2.6.1?

Update

Attached you have the log for my ShinyProxy. Although I authenticate myself as admin or with my other accounts on the Identity Server, in the log I can only find

User logged in [user: [ShinyProxy]]

and then I read

No roles claim with name role found

Also, on the website the username is [ShinyProxy] and not the username.

I tried to change the line

username-attribute: aud

to

username-attribute: name

but in this case I get an error from the proxy.

shinyproxy.log

ShawnRG commented Feb 15, 2023

I would recommend looking at the contents of your token in https://jwt.io/ and making sure that:

  1. The aud or name or another key contains the name of your user
  2. The token contains a 'role' claim.

Member

LEDfan commented Mar 6, 2023

Please also have a look at the new FAQ entry about debugging the OpenID roles claim: https://shinyproxy.io/faq/#debugging-group-access-when-using-openid
This should help with finding the correct name of the claims.

@LEDfan LEDfan added the question label Mar 6, 2023
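
The token check suggested in the comments above can also be done locally; this is an added example, not part of the original thread or ShinyProxy's own code. It decodes an ID token's payload without verifying the signature and reports what the configured `username-attribute` and `roles-claim` names resolve to. The sample token and its claim values are constructed; in an OpenID Connect ID token `aud` holds the client ID.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Decode the JWT payload segment. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1]
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_claims(claims: dict, username_attribute: str, roles_claim: str) -> dict:
    """Report what the two configured claim names resolve to in this token."""
    roles = claims.get(roles_claim)
    if isinstance(roles, str):
        roles = [roles]  # some providers emit a single role as a plain string
    return {
        "username": claims.get(username_attribute),
        "roles": roles,  # None means the claim name is absent from the token
        "available_claims": sorted(claims),
    }


# Constructed sample ID token; claim values and the signature are placeholders.
SAMPLE_CLAIMS = {
    "iss": "https://identityserverurl",
    "aud": ["ShinyProxy"],  # the client-id, not the person who logged in
    "sub": "42",
    "name": "alice",
    "role": ["200122-user"],
}
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "signature-placeholder",
])

if __name__ == "__main__":
    claims = decode_payload(SAMPLE_TOKEN)
    for attr in ("aud", "name"):
        print(attr, "->", check_claims(claims, attr, "role"))
```

If `roles` comes back as `None`, the `available_claims` list shows which claim names the provider actually put in the token.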