Authentication with AD is stuck at the callback

#1

Hi,

We’re trying to set up AD authorization for the shinyproxy server on AWS. The authorization with AD seems to work correctly but the server is stuck at the callback: https://<domain-name>/login/oauth2/code/shinyproxy?code=XXX. From the logs I can see that the authentication attempt doesn’t work:

...
2019-06-26 17:54:38.756 DEBUG 8237 --- [  XNIO-2 task-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login/oauth2/code/shinyproxy'; against '/login/oauth2/code/*'
2019-06-26 17:54:38.756 DEBUG 8237 --- [  XNIO-2 task-4] .s.o.c.w.OAuth2LoginAuthenticationFilter : Request is to process authentication
2019-06-26 17:54:38.758 DEBUG 8237 --- [  XNIO-2 task-4] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider
2019-06-26 17:54:38.758 DEBUG 8237 --- [  XNIO-2 task-4] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider
2019-06-26 17:56:08.908 DEBUG 8237 --- [  XNIO-2 task-4] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider
2019-06-26 17:56:08.908 DEBUG 8237 --- [  XNIO-2 task-4] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider
...

The last 2 log messages repeat indefinitely after that and the browser request times out.

The shinyproxy server is deployed on an EC2 instance behind an Application Load Balancer.
We also observe the same issue when using Google OAuth, but everything works correctly with simple authentication.

Do you know what could be the cause of this behaviour or how we could debug this issue further? Any advice would be greatly appreciated as we’re really stuck at this point.

The YAML configuration of the server looks like this:

proxy:
  title: XXX
  landing-page: /
  heartbeat-rate: 10000
  heartbeat-timeout: 90000
  container-wait-time: 90000
  authentication: openid
  container-log-path: /efs/container-logs
  openid:
    auth-url: https://login.microsoftonline.com/c8036283-1408-4dc8-b870-31e789a0a528/oauth2/authorize
    token-url: https://login.microsoftonline.com/c8036283-1408-4dc8-b870-31e789a0a528/oauth2/token
    jwks-url: https://login.microsoftonline.com/common/discovery/keys
    client-id: XXX
    client-secret: XXX
  port: 8080
  docker:
    url: http://localhost:2375
  specs:
  - id: Appname
    display-name: Appname
    description: Description
    container-env:
      ENTRYPOINT_TYPE: R
      APP_ENV: ENV1
      R_ENV: SHINYPROXY_DOC_APP_URL="https://some-url"
      SHINY_APP_PORT: 3838
    container-volumes: /efs/appdir:/root/.appdir
    container-image: app:img
  - id: Appname2
    display-name: Appname2
    description: Description2
    container-env:
      ENTRYPOINT_TYPE: R
      R_CMD: rmarkdown::run(system.file("documentation", "user_guide", "index.Rmd",
        package = "App_pkg"), shiny_args = list(port = 3838, launch.browser
        = FALSE, host = "0.0.0.0"))
      SHINY_APP_PORT: 3838
    container-volumes: /efs/appdir:/root/.appdir
    container-image: app:img
logging:
  level:
    org.springframework.security: debug
  file: app.log
server:
  useForwardHeaders: true