openanalytics / containerproxy

Manage HTTP proxy routes into Docker containers
Apache License 2.0

Authenticate against Azure AD (Microsoft Graph API) does return authorization_code instead of access_token in variable SHINYPROXY_OIDC_ACCESS_TOKEN #59

Closed FrankCRoth closed 1 year ago

FrankCRoth commented 3 years ago

The current implementation of OpenIDAuthentication does not return the correct access token in the container variable SHINYPROXY_OIDC_ACCESS_TOKEN. Instead it does return authorization_code and hence does not provide a valid JWT to use further.

LEDfan commented 3 years ago

Hi

The SHINYPROXY_OIDC_ACCESS_TOKEN contains the access token as defined by the OpenID (Connect) protocol. It is used for authenticating a user (and can be passed around to do so), but typically, this token does not contain all information about a user. The ID token, on the other hand, does typically contain this information. From an OIDC perspective there is no obligation to use the JWT format for access tokens, i.e. Azure can perfectly well return an opaque string. The ID token should be formatted as a JWT.

You can read more on the differences between these two tokens here:

That's also the reason your PR is working: instead of providing the access token, you now provide the ID token. I understand that this solves your use case, but the code isn't correct in the sense that you are passing the ID token to a variable named access token.

There is also some good news :) You can configure ShinyProxy to pass the ID token to applications, using:

  - id: 01_hello
    display-name: Hello Application
    description: Application which demonstrates the basics of a Shiny app
    container-image: shinyproxy-flask
    port: 80
    container-env:
      ID_TOKEN: "#{@userService.getCurrentAuth().getPrincipal().idToken.tokenValue}"

IMO this is a bit of an ugly hack and therefore we will provide a better way to do this in the next ShinyProxy version. Of course we will provide some examples in our documentation at that point.
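To make the distinction drawn in the comment above concrete, here is an added example (not ShinyProxy's code and not from this thread) of what an application inside the container can do with the two injected variables: check whether each value is actually a JWT (an OIDC access token may be an opaque string, the ID token must be a JWT), and validate the ID token's signature and standard claims before trusting anything in it. The variable names SHINYPROXY_OIDC_ACCESS_TOKEN and ID_TOKEN follow the configuration above; the issuer, audience, opaque token and key are constructed sample values. HS256 with a shared secret is used only so the example runs offline; real Azure AD tokens are RS256-signed and must be verified against the issuer's JWKS with a JOSE library (e.g. PyJWT).

```python
"""Inspect and validate the OIDC tokens ShinyProxy injects into a container.

Added example using only the standard library; not ShinyProxy's own code.
"""
import base64
import hashlib
import hmac
import json
import os
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def is_jwt(token: str) -> bool:
    """True if token has JWS compact form (header.payload.signature) with JSON
    header and payload. An opaque access token fails this check."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(header, dict) and isinstance(payload, dict)


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify an HS256-signed ID token plus iss/aud/exp and return its claims.

    HS256 is a stand-in so this runs offline (assumption for the example);
    Azure AD issues RS256 tokens, verify those against the IdP's JWKS.
    """
    if not is_jwt(token):
        raise ValueError("not a JWT (an opaque access token, perhaps?)")
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none'
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def make_demo_id_token(key: bytes, claims: dict) -> str:
    """Constructed HS256 JWT for the example; not what the IdP would issue."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def classify_container_tokens(env: dict) -> dict:
    """Report, per ShinyProxy-injected variable, whether it is a JWT or opaque."""
    return {name: ("jwt" if is_jwt(value) else "opaque")
            for name, value in env.items()
            if name in ("SHINYPROXY_OIDC_ACCESS_TOKEN", "ID_TOKEN")}


# Constructed sample values standing in for what ShinyProxy would inject.
DEMO_KEY = b"demo-shared-secret-not-for-production"
DEMO_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
DEMO_AUDIENCE = "shinyproxy-client-id"
DEMO_NOW = 1_700_000_000
DEMO_ENV = {
    "SHINYPROXY_OIDC_ACCESS_TOKEN": "PAQABAAEAAAD--opaque-access-token-9f3c",  # opaque
    "ID_TOKEN": make_demo_id_token(DEMO_KEY, {
        "iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "u-123",
        "preferred_username": "frank@example.com",
        "iat": DEMO_NOW - 60, "exp": DEMO_NOW + 3600,
    }),
}

if __name__ == "__main__":
    # Inside a real container, the values come from the process environment.
    env = dict(os.environ) if "ID_TOKEN" in os.environ else DEMO_ENV
    print(classify_container_tokens(env))
    claims = verify_id_token(env["ID_TOKEN"], DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now=DEMO_NOW)
    print(claims["preferred_username"])
```

Run against the constructed environment, the access token is reported as opaque and the ID token as a JWT; the ID token is only accepted once the signature, issuer, audience and expiry all check out, and an expired token or a wrong key is rejected.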

FrankCRoth commented 3 years ago

Hi Tobia,

thanks for the explanation and the provided links. The solution provided with the ID token does work perfectly. According to the Microsoft documentation, the access token should actually be in JWT format.

I do have a different issue with trying to get a token for an additional scope that might still produce a patch. I will keep you posted. Just wondering if you already came across such a use case.

LEDfan commented 1 year ago

Hi, as discussed above, it is possible to send the ID token to the container. Since 2.5.0 there is also a better way to achieve this: https://shinyproxy.io/documentation/spel/#openid-connect

Therefore I'm going to close this issue; however, if you have any other question, don't hesitate to open a new issue!