Troubleshooting

This page contains tips on how to solve common issues with ShinyProxy.

OpenID Connect (OIDC)

Invalid redirect_uri

When authenticating using OpenID, ShinyProxy first redirects the user to the IDP. In this redirection request, ShinyProxy specifies a redirect_uri. When the IDP successfully authenticates the user, the IDP redirects the user to this redirect_uri. Therefore, this redirect_uri should be the location at which ShinyProxy is hosted. For security reasons, the IDP contains a list of which redirect_uri are valid or allowed. Therefore, if ShinyProxy specifies a wrong redirect_uri to the IDP, the IDP will abort the authentication request.

This error message is typically caused when ShinyProxy is accessed over https but the generated redirect_uri contains the http scheme instead of https. By default, ShinyProxy generates a redirect_uri using the plain http scheme, unless it detects that ShinyProxy is accessed over https. As discussed in Security the recommended way to setup https for ShinyProxy is by using a reverse proxy. The proxy server still accesses ShinyProxy using the plain HTTP protocol, therefore ShinyProxy cannot detect that it is accessed (by the users) using https. To solve this issue, reverse proxies can add extra headers to the request, specifying the protocol used to access ShinyProxy. These headers are X-Forwarded-For and X-Forwarded-Proto.

When you are using a reverse proxy and ShinyProxy is generating a wrong redirect_uri,

  • check that you correctly setup ShinyProxy to use the forward headers.
  • check that the server part of this configuration is at the top level of the YAML file.
  • check that you specified the correct valid redirect_uri in the IDP configuration.
  • check whether your reverse proxy configuration contains the required options so that it adds the necessary headers.
  • check that all proxies and/or loadbalancers in your setup support the forward-headers mechanism. For example, loadbalancers that operate at the network layer (rather than the application level) often do not support this feature. This is, for instance, the case when using AWS NLB.
  • if it still does not work, enable request dumping and check whether the incoming requests to ShinyProxy contain the forward headers.

My browser reports a redirect loop when using OpenID Connect

As discussed in the previous entry, ShinyProxy and the IDP perform some redirects between each other. However, in the following scenario a redirect loop could happen:

  1. users goes to ShinyProxy
  2. ShinyProxy redirects the user to the IDP
  3. users successfully logins into the IDP
  4. IDP redirects you back to ShinyProxy
  5. ShinyProxy needs to validate the token provided by the IDP. However, for some reason ShinyProxy is unable to do this, and therefore thinks that the user is unauthenticated.
  6. therefore ShinyProxy redirects you back to the IDP
  7. IDP thinks you are authenticated and redirects you back to ShinyProxy
  8. see 5.

In ShinyProxy version 2.4.2 we prevented this from happening, instead the user is redirect to the /auth-error page, which explains what has gone wrong. Therefore, it is advised to upgrade to the latest version of ShinyProxy. If you are still encountering a redirect loop when using the latest version, please open an issue at GitHub.

Authentication using OpenID does not work because of Missing attribute 'email' in attributes exception

When using OpenID, ShinyProxy tries to use the e-mail of the user to identify the user. However, when the email of a user is not specified in the IDP, ShinyProxy is unable to do so and therefore the authentication fails. To solve this change the username-attribute. See the next topic to get a list of the available claims.

Tip: when using OpenID, the sub attribute should always be available to use. You can use this property when no other property works.

Listing all claims sent by the OpenID Provider

The OpenID authentication backend supports reading a claim from the ID token and use this as the username or groups for the users. Try the following steps, when this does not work:

  1. make sure the claim is added to the ID token (ShinyProxy does not read the groups from the access token). Since ShinyProxy 3.1.0 it is also possible to add the claim to the userinfo endpoint (but only if you specify the userinfo-url option).

  2. enable debug logging for the OpenID component by adding the following configuration:

    logging:
      level:
        eu:
          openanalytics:
            containerproxy:
              auth: DEBUG
    

    Note: the above code should be placed outside the proxy: block.

    ShinyProxy logs the contents of every claim it finds and also logs how it tries to parse the values of the roles claim.

Authentication using OpenID does not work because of invalid_token_response

When using OpenID, ShinyProxy has to contact the IDP in order to validate the token. This exception indicates that this validation was unsuccessful, which can be caused by multiple things:

  • ShinyProxy cannot reach the IDP because the access to the network access is blocked (e.g. because of some firewall), wrong port number, the connection timed out, … The error will be similar to:

    org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for "https://idp.com/openid-connect/token": Connection refused (Connection refused); nested exception is java.net.ConnectException: Connection refused (Connection refused)
    

    Solution: fix the network issue.

  • ShinyProxy cannot reach the IDP because it cannot resolve the hostname. The error will be similar to:

    org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for "https://non-existingidp.com/protocol/openid-connect/token": non-existingidp.com; nested exception is java.net.UnknownHostException: non-existingidp.com
    

    Solution: ensure that the hostname is correct and that DNS is working properly.

  • The firewall of the IDP is blocking the request. The error will be similar to:

    org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 403 Forbidden: [403 Forbidden]
    

    Tip: when your IDP is protected by CloudFlare it could be that requests from ShinyProxy are blocked based on the user agent. Try changing the user-agent by starting ShinyProxy using the following command: java -Dhttp.agent="<user-agent>" shinyproxy.jar

  • The client-secret is wrong and therefore the IDP is rejecting the request. The error will be similar to:

    org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 401 Unauthorized: [no body]
    

    Solution: specify the correct client-secret.

  • The jwks-url URL is wrong or giving bad responses. The error will be similar to:

    org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_id_token] An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.HttpClientErrorException$NotFound: 404 Not Found: [{"error":"RESTEASY003210: Could not find resource for full path: "}]
    

    Solution: fix the URL or find out why the IDP is giving bad responses.