openanalytics / shinyproxy

ShinyProxy - Open Source Enterprise Deployment for Shiny and data science apps
https://www.shinyproxy.io
Apache License 2.0

ShinyProxy 2.6.1 access with Identity Server #398

Open erossini opened 1 year ago

erossini commented 1 year ago

I followed the instructions from this website to add authentication with Identity Server. The configuration is quite simple:

proxy:
  title: Open Analytics Shiny Proxy
  port: 8080

  authentication: openid
  openid:
    auth-url: https://identityserverurl/connect/authorize
    token-url: https://identityserverurl/connect/token
    jwks-url: https://identityserverurl/.well-known/openid-configuration/jwks
    logout-url: https://identityserverurl/Account/Logout?return=http://yourshinyproxy:8080/
    client-id: ShinyProxy
    client-secret: secret
    scopes: [ "openid", "profile", "roles" ]
    username-attribute: aud
    roles-claim: role

And the authentication seems to be working. When I add the access-groups to display the app only for a particular role, it doesn't work:

  specs:
  - id: 01_hello
    display-name: Hello Application
    description: Application which demonstrates the basics of a Shiny app
    container-cmd: ["R", "-e", "shinyproxy::run_01_hello()"]
    container-image: openanalytics/shinyproxy-demo
    container-network: sp-example-net
    access-groups: 200122-user

The same code is working with version 2.4.3 of ShinyProxy.

Is there anything I missed for this configuration in ShinyProxy 2.6.1?

Update

Attached is the log for my ShinyProxy. Although I authenticate myself as admin or with my other accounts on the Identity Server, in the log I can only find

User logged in [user: [ShinyProxy]]

and then I read

No roles claim with name role found

Also, on the website the username is [ShinyProxy] and not the username.

I tried to change the line

username-attribute: aud

to

username-attribute: name

but in this case I get an error from the proxy.

shinyproxy.log

ShawnRG commented 1 year ago

I would recommend looking at the contents of your token in https://jwt.io/ and making sure that:

  1. The aud or name or another key contains the name of your user
  2. The token contains a 'role' claim.

LEDfan commented 1 year ago

Please also have a look at the new FAQ entry about debugging the OpenID roles claim: https://shinyproxy.io/faq/#debugging-group-access-when-using-openid This should help with finding the correct name of the claims.
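The two checks suggested in this thread can also be run locally on a token you already hold. The following is an added example, not part of the original comments or of ShinyProxy: it decodes the JWT payload without verifying the signature and reports whether the configured `username-attribute` and `roles-claim` are present, and whether the username attribute resolves to the client id as in the log line `User logged in [user: [ShinyProxy]]`. The function names and the sample tokens (including their claim names and values) are constructed for illustration and are not taken from the reporter's token.

```python
import base64
import json

def b64url_json(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JSON segment (used for the samples)."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # JWTs strip base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_claims(token, username_attribute, roles_claim, client_id):
    """List mismatches between the token and the proxy.openid settings."""
    claims = decode_payload(token)
    findings = []
    user = claims.get(username_attribute)
    if user is None:
        findings.append(f"username-attribute '{username_attribute}' not in token")
    elif client_id in (user if isinstance(user, list) else [user]):
        findings.append(f"username-attribute '{username_attribute}' is the client id")
    if roles_claim not in claims:
        similar = sorted(k for k in claims if "role" in k.lower() or "group" in k.lower())
        findings.append(f"roles-claim '{roles_claim}' not in token; similar: {similar}")
    return findings

# Constructed sample tokens (placeholder signature, never verified here).
HEADER = b64url_json({"alg": "RS256", "typ": "JWT"})
BAD = ".".join([HEADER, b64url_json(
    {"aud": "ShinyProxy", "sub": "constructed-sub", "name": "alice", "roles": ["200122-user"]}), "sig"])
GOOD = ".".join([HEADER, b64url_json(
    {"aud": "ShinyProxy", "sub": "constructed-sub", "name": "alice", "role": ["200122-user"]}), "sig"])

if __name__ == "__main__":
    for label, token, user_attr in (("bad", BAD, "aud"), ("good", GOOD, "name")):
        print(label, check_claims(token, user_attr, "role", "ShinyProxy"))
```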