Hi all,
I am working to set up ShinyProxy with an Okta OAuth 2.0 authentication endpoint on EKS. I am working off of this project currently.
Here is my application.yml file:
```yaml
proxy:
  title: Title
  logo-url: favicon.ico
  port: 8080
  default-webSocket-reconnection-mode: Confirm
  authentication: openid
  api-security:
    cors-allowed-origins: 'https://domain.okta.com'
  openid:
    auth-url: https://domain.okta.com/oauth2/v1/authorize
    token-url: https://domain.okta.com/oauth2/v1/token
    jwks-url: https://domain.okta.com/oauth2/v1/keys
    client-id: #####
    client-secret: ######
    logout-url: <EKS-node-URL>:8080/
  container-backend: kubernetes
  container-wait-time: 300000
  heartbeat-rate: 10000
  heartbeat-timeout: 300000
  kubernetes:
    internal-networking: true
    url: localhost:8001
    image-pull-policy: IfNotPresent
    image-pull-secret:
    node-selector: NodeSize=c5.xlarge
  specs:
  - id: my_app
    display-name: My App
    description: My App
    container-cmd: ["R", "-e", "shiny::runApp('/srv/shiny-server', port=3838)"]
    container-image: #######
    port: 3838
    http-headers:
      Access-Control-Allow-Origin: 'https://domain.okta.com'
  container-log-path: ./container-logs
spring:
  servlet:
    multipart:
      max-file-size: 200MB
      max-request-size: 200MB
logging:
  file:
    shinyproxy.log
```
sp-authorization.yml:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: shinyproxy-auth
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
sp-service.yml:
```yaml
kind: Service
apiVersion: v1
metadata:
  name: shinyproxy
spec:
  type: LoadBalancer
  selector:
    run: shinyproxy
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080
    nodePort: 32094
```
sp-deployment.yml:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shinyproxy
  #namespace: shiny
spec:
  selector:
    matchLabels:
      run: shinyproxy
  replicas: 2
  template:
    metadata:
      labels:
        run: shinyproxy
    spec:
      containers:
      - name: shinyproxy
        image: ####
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
      - name: kube-proxy-sidecar
        image: <aws-ecs-addr>/kube-proxy-sidecar:latest
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8001
      #imagePullSecrets:
```
Authentication is by all measures successful, but when the fetch request is made to the Shiny app (i.e. to “/app_i/my_app”), the response is being sent to the authorization endpoint (https://domain.okta.com/oauth2/v1/authorize) via redirect from ShinyProxy (running at :8080) instead of back to the origin. This is throwing a CORS error in the pre-flight check since the response doesn’t have the proper headers. Also, since the fetch request fails, the app instance does not start. Why is the preflight response being sent to the authentication endpoint and not to ShinyProxy? Is there a way to only send CORS headers with authorization requests and not with others?
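
Added example (not part of the original post, and not ShinyProxy code): a small triage helper for the symptom described above. It reads a captured redirect chain for the app fetch and reports whether ShinyProxy sent the request to the auth-url because it saw no authenticated session, in which case the CORS error is a consequence rather than the cause. The cookie name JSESSIONID, the host shinyproxy.example, the /oauth2/authorization/shinyproxy path and the sample hops are assumptions constructed for illustration.

```javascript
// Added example, not from the original post. All hop data below is constructed.
// Assumptions: session cookie name JSESSIONID, host shinyproxy.example,
// and the intermediate /oauth2/authorization/shinyproxy path.
const AUTH_URL = 'https://domain.okta.com/oauth2/v1/authorize'; // auth-url from application.yml

// Resolve a hop's Location header (possibly relative) against the hop's own URL.
function redirectTarget(hop) {
  const loc = hop.responseHeaders.location;
  return loc ? new URL(loc, hop.url) : null;
}

// hops: ordered list of {url, status, requestHeaders, responseHeaders},
// header names lower-cased, as exported from browser dev tools or a proxy log.
function diagnose(hops, authUrl = AUTH_URL) {
  const auth = new URL(authUrl);
  const cookie = hops[0].requestHeaders.cookie || '';
  const hadSession = /(^|;\s*)JSESSIONID=/.test(cookie);
  for (const hop of hops) {
    const target = redirectTarget(hop);
    const isRedirect = hop.status >= 300 && hop.status < 400;
    if (isRedirect && target && target.origin === auth.origin &&
        target.pathname === auth.pathname) {
      // The proxy treated this request as unauthenticated. With a cookie present,
      // the instance that answered did not recognise the session (expired, or held
      // by another replica); without one, the browser never sent credentials.
      return hadSession ? 'session-not-recognised' : 'no-session-cookie-sent';
    }
  }
  const last = hops[hops.length - 1];
  return last.status >= 200 && last.status < 300 ? 'ok' : 'other-failure';
}

// Constructed capture of the failing fetch to /app_i/my_app.
function sampleHops(cookie) {
  const requestHeaders = cookie ? { cookie } : {};
  return [
    { url: 'https://shinyproxy.example:8080/app_i/my_app/', status: 302, requestHeaders,
      responseHeaders: { location: '/oauth2/authorization/shinyproxy' } },
    { url: 'https://shinyproxy.example:8080/oauth2/authorization/shinyproxy', status: 302,
      requestHeaders,
      responseHeaders: { location: AUTH_URL + '?response_type=code&client_id=PLACEHOLDER' } },
  ];
}

console.log(diagnose(sampleHops('JSESSIONID=abc123'))); // cookie sent, still redirected
console.log(diagnose(sampleHops(null)));                // no cookie on the fetch
```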