openanalytics / containerproxy

Manage HTTP proxy routes into Docker containers
Apache License 2.0

OIDC: Userinfo not consulted when looking for roles claim #85

Closed akkornel closed 4 months ago

akkornel commented 6 months ago

Hello! I'd like to report an issue related to OpenID Connect (OIDC) and the roles-claim: ShinyProxy does not support parsing a roles claim from OIDC userinfo.

I am configuring a new ShinyProxy installation, using OpenID Connect. The IdP is running Shibboleth. (Shibboleth has been known for a long time as a SAML IdP; since version 3.x, Shibboleth has supported OIDC as an IdP.) ShinyProxy is configured with Auth/Token/Userinfo/JWKS URLs, and PKCE is enabled.

In my case, the roles information is contained in an OIDC claim named eduPersonEntitlement, and to get this claim, I need to request the scope eduperson_entitlement. I have confirmed that ShinyProxy is properly requesting this scope from the IdP (I can see it when I look at the HTTP requests using Firefox dev tools). I have talked to the Shibboleth admins, and they confirmed I am making the request properly, and that the eduPersonEntitlement claim is being provided.

I turned on auth debugging, so I could see the claims that were being examined, but I still did not see my eduPersonEntitlement claim. I also noticed that some other claims were not being provided. I started to wonder if the userinfo endpoint was not being checked.

Eventually, I found createAuthoritiesMapper in eu.openanalytics.containerproxy.auth.OpenIDAuthenticationBackend: https://github.com/openanalytics/containerproxy/blob/2c71c88a0f8a8f71e2551343e09b659c6f11c1fe/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java#L209-L240

I see the code is looking at the ID Token (on line 218), but it doesn't look like the userinfo is being checked. So, I think that is the problem: When looking for the roles, only the ID Token is being checked, not the userinfo.

Although I was able to find (what I think is) the issue, I do not have the Java skills necessary to patch, build, or test.

Please let me know if you have any questions, or if I put this report in the wrong place. Thanks very much!
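The lookup behaviour described in this report, written as an added example rather than containerproxy's own code: a Spring Security `GrantedAuthoritiesMapper` that reads the roles claim from the ID token first and falls back to the userinfo response when the ID token does not carry it. The class name, the `ROLE_` prefix and the use of `eduPersonEntitlement` as the configured claim name are assumptions.

```java
import java.util.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;

/** Example only (not containerproxy code): maps an OIDC roles claim to ROLE_* authorities. */
public class RolesClaimMapper implements GrantedAuthoritiesMapper {
    private final String rolesClaimName; // e.g. "eduPersonEntitlement" (assumed configuration)

    public RolesClaimMapper(String rolesClaimName) {
        this.rolesClaimName = rolesClaimName;
    }

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> mapped = new HashSet<>(authorities);
        for (GrantedAuthority authority : authorities) {
            if (!(authority instanceof OidcUserAuthority)) continue;
            OidcUserAuthority oidc = (OidcUserAuthority) authority;
            // 1. ID token claims (what the original code consulted)
            Object claim = oidc.getIdToken().getClaims().get(rolesClaimName);
            // 2. Userinfo claims, only when the ID token lacks the claim and userinfo was fetched
            if (claim == null && oidc.getUserInfo() != null) {
                claim = oidc.getUserInfo().getClaims().get(rolesClaimName);
            }
            for (String role : toRoleList(claim)) {
                mapped.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()));
            }
        }
        return mapped;
    }

    /** Accepts a JSON array or a single string value; any other shape yields no roles. */
    static List<String> toRoleList(Object claim) {
        if (claim instanceof Collection) {
            List<String> roles = new ArrayList<>();
            for (Object o : (Collection<?>) claim) roles.add(String.valueOf(o));
            return roles;
        }
        if (claim instanceof String) return Collections.singletonList((String) claim);
        return Collections.emptyList();
    }
}
```

`getUserInfo()` is null when Spring Security never called the userinfo endpoint (for example when no userinfo URI is configured), so the fallback only works if that URL is set, as it is in the setup described above.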

LEDfan commented 6 months ago

Hi, thank you for your detailed information. I just implemented this and it will be included in the next release, which will be available soon.

LEDfan commented 4 months ago

Hi, this is now part of the ShinyProxy 3.1.0 we released today. Thanks again for reporting this bug!