ShinyProxy 2.6.1 access with Identity Server
I followed the instructions from this website to add authentication with Identity Server. The configuration is quite simple:
```yaml
proxy:
  title: Open Analytics Shiny Proxy
  port: 8080
  authentication: openid
  openid:
    auth-url: https://identityserverurl/connect/authorize
    token-url: https://identityserverurl/connect/token
    jwks-url: https://identityserverurl/.well-known/openid-configuration/jwks
    logout-url: https://identityserverurl/Account/Logout?return=http://yourshinyproxy:8080/
    client-id: ShinyProxy
    client-secret: secret
    scopes: [ "openid", "profile", "roles" ]
    username-attribute: aud
    roles-claim: role
```
And the authentication seems to be working. When I add the access-groups to display only the app for a particular role, it doesn't work:
```yaml
  specs:
  - id: 01_hello
    display-name: Hello Application
    description: Application which demonstrates the basics of a Shiny app
    container-cmd: ["R", "-e", "shinyproxy::run_01_hello()"]
    container-image: openanalytics/shinyproxy-demo
    container-network: sp-example-net
    access-groups: 200122-user
```
The same code is working with the version 2.4.3 of ShinyProxy.
Is there anything I missed for this configuration in the ShinyProxy 2.6.1?
Update
In the attachment you have the log for my ShinyProxy. Although I authenticate myself as admin or with my other accounts on the Identity Server, in the log I can only find

```
User logged in [user: [ShinyProxy]]
```

and then I read

```
No roles claim with name role found
```

Also, on the website the username is [ShinyProxy] and not the username.

I tried to change the line `username-attribute: aud` to `username-attribute: name`, but in this case I get an error from the proxy.

I would recommend looking at the contents of your token in https://jwt.io/ and making sure that:
- The `aud` or `name` or another key contains the name of your user
- The token contains a 'role' claim.
Please also have a look at the new FAQ entry about debugging the OpenID roles claim: https://shinyproxy.io/faq/#debugging-group-access-when-using-openid This should help with finding the correct name of the claims.
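
A local way to run the check suggested above, as an added example that is not part of the original thread or ShinyProxy's own code: it decodes a token's payload without verifying the signature and reports what the configured `username-attribute` and `roles-claim` resolve to. The sample tokens, their claim values and the helper names are constructed for illustration.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed sample token (placeholder signature) for the demo."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"


def decode_payload(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1]
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_claims(payload: dict, username_attribute: str, roles_claim: str) -> dict:
    """Report what the configured username-attribute and roles-claim resolve to."""
    problems = []
    username = payload.get(username_attribute)
    if username is None:
        problems.append(f"no '{username_attribute}' claim for username-attribute")
    roles = payload.get(roles_claim)
    if roles is None:
        problems.append(f"no '{roles_claim}' claim for roles-claim")
        roles = []
    elif isinstance(roles, str):
        roles = [roles]  # this example normalises a lone string value to a list
    return {"username": username, "roles": roles, "problems": problems,
            "available_claims": sorted(payload)}


# Constructed sample tokens; claim values are illustrative, not taken from the issue's logs.
BASE = {"iss": "https://identityserverurl", "aud": "ShinyProxy", "sub": "constructed-subject"}
TOKEN_WITHOUT_ROLE = make_unsigned_token(BASE)
TOKEN_WITH_ROLE = make_unsigned_token({**BASE, "name": "alice", "role": "200122-user"})

if __name__ == "__main__":
    for token, attr in ((TOKEN_WITHOUT_ROLE, "aud"), (TOKEN_WITH_ROLE, "name")):
        print(json.dumps(check_claims(decode_payload(token), attr, "role"), indent=2))
```

The `available_claims` list shows which claim names the token actually carries, which is what to compare against `username-attribute` and `roles-claim` in the configuration.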