user_info url not triggered after OpenID auth flow completed #58

Open
JuanAContreras opened this issue Feb 6, 2025 · 1 comment
Hi Everyone,

We are trying to integrate ShinyProxy with OpenID. We have managed to authenticate and obtain an ID token, but we are facing issues with sending a correct userinfo request and are not receiving the necessary claims.

We followed the documentation and used the following configuration, but the flow is not working as expected:

```yaml
proxy:
...
    authentication: openid
    openid:
        auth-url: https://domain/auth/realms/xxxx/protocol/openid-connect/auth
        token-url: https://domain/auth/realms/xxxx/protocol/openid-connect/token
        jwks-url: https://domain/auth/realms/xxxx/protocol/openid-connect/token
        userinfo-url: https://domain/auth/realms/xxxx/protocol/openid-connect/userinfo
        jwks-signature-algorithm: "PS256"
        client-id: "xxxx"
        client-secret: "xxxxx"
        username-attribute: sub
        scopes:
            - profiles
            - email
            - offline_access
        openid-scopes:
            - profile
            - email
            - offline_access
        role-claim: email
        groups-claim: profiles
...
    # Example container app
    container-log-path: /opt/shinyproxy/container-logs
    - id: MAPAS
    display-name: APP MAPAS
    description: APP MAPAS
    container-image: image-....
    container-env:
        SUB: "#{oidcUser.attributes['sub']}"
        ID_TOKEN: "#{oidcUser.idToken.tokenValue}"
        EMAIL: "#{oidcUser.attributes['email']}"
        PROFILE: "#{oidcUser.attributes['profile']}"
        PROFILES: "#{oidcUser.attributes['profiles']}"
```

The authentication flow seems to work fine. We enter the credentials and receive the ID token, but the userinfo request is not triggered as expected. We are not getting the required claims that are not in the id token.

As a result, we see the landing page after login without errors, but when we try to access the app, we encounter the following error:

```
eu.openanalytics.containerproxy.ProxyFailedToStartException: Container failed to start
	at eu.openanalytics.containerproxy.service.ProxyService.prepareProxyForStart(ProxyService.java:458) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.service.ProxyService.startOrResumeProxy(ProxyService.java:466) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.service.ProxyService.lambda$startProxy$5(ProxyService.java:293) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.service.ProxyService.lambda$action$12(ProxyService.java:638) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) ~[na:na]
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[na:na]
	at java.base/java.lang.Thread.run(Thread.java:831) ~[na:na]
Caused by: eu.openanalytics.containerproxy.spec.expression.SpelException: Error while resolving expression: "#{oidcUser.accessTokenAsJwt.claims}", error: EL1021E: A problem occurred whilst attempting to access the property 'accessTokenAsJwt': 'Unable to access property 'accessTokenAsJwt' through getter method'
	at eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver.evaluate(SpecExpressionResolver.java:111) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver.evaluateToString(SpecExpressionResolver.java:119) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.spec.expression.SpelField$StringMap.lambda$resolve$0(SpelField.java:328) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at java.base/java.util.LinkedHashMap.forEach(LinkedHashMap.java:723) ~[na:na]
	at eu.openanalytics.containerproxy.spec.expression.SpelField$StringMap.resolve(SpelField.java:328) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.model.spec.ContainerSpec.finalResolve(ContainerSpec.java:142) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.model.spec.ProxySpec.lambda$finalResolve$3(ProxySpec.java:157) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[na:na]
	at java.base/java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:720) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:550) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260) ~[na:na]
	at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616) ~[na:na]
	at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622) ~[na:na]
	at java.base/java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627) ~[na:na]
	at eu.openanalytics.containerproxy.model.spec.ProxySpec.finalResolve(ProxySpec.java:158) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.service.ProxyService.prepareProxyForStart(ProxyService.java:451) ~[containerproxy-1.1.1.jar!/:1.1.1]
	... 8 common frames omitted
```

We would appreciate it if you could tell us what might be missing or incorrect in our configuration.
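
A sanity check that can be run over an `openid` block like the one posted above, as an added example that is not part of the original post or of ShinyProxy: it flags endpoint keys that share one URL (here `jwks-url` and `token-url` are identical) and scope names outside the standard OIDC set. The `lint_openid` helper and the `POSTED` dict are hypothetical names; the values are copied from the post with its placeholders kept.

```python
from urllib.parse import urlparse

# Scope values defined by OpenID Connect Core, plus "openid" itself.
STANDARD_SCOPES = {"openid", "profile", "email", "address", "phone", "offline_access"}

# Values copied from the configuration in the post (placeholders kept as posted).
BASE = "https://domain/auth/realms/xxxx/protocol/openid-connect"
POSTED = {
    "auth-url": BASE + "/auth",
    "token-url": BASE + "/token",
    "jwks-url": BASE + "/token",
    "userinfo-url": BASE + "/userinfo",
    "scopes": ["profiles", "email", "offline_access"],
}

URL_KEYS = ("auth-url", "token-url", "jwks-url", "userinfo-url")


def lint_openid(cfg):
    """Return a list of human-readable findings for an openid config dict."""
    findings = []
    seen = {}  # URL -> first key that used it
    for key in URL_KEYS:
        url = cfg.get(key)
        if not url:
            findings.append(f"{key}: missing")
            continue
        if urlparse(url).scheme != "https":
            findings.append(f"{key}: not https")
        # Each endpoint has a distinct role, so two keys sharing a URL is a red flag.
        if url in seen:
            findings.append(f"{key}: same URL as {seen[url]}")
        else:
            seen[url] = key
    for scope in cfg.get("scopes", []):
        if scope not in STANDARD_SCOPES:
            findings.append(f"scope '{scope}': not a standard OIDC scope (custom?)")
    return findings


if __name__ == "__main__":
    for finding in lint_openid(POSTED):
        print(finding)
```

A non-standard scope is only a finding to review, since an identity provider may define custom scopes.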

@LEDfan LEDfan added the question Further information is requested label Feb 13, 2025
LEDfan (Member) commented Feb 13, 2025
