Logout with OpenID not working


#1

Dear shinyproxy support,

I’m having the same problem as gbisschoff on github in issue #87 (https://github.com/openanalytics/shinyproxy/issues/87):
I configured shinyproxy 2.0.4 to do authentication via Auth0. Login and group-based access to apps is working nicely, but logout does not work. Whenever I click the ‘Sign Off’ button in the navbar, it says ‘User logged out [user: aaa@bbb.cc]’ in the shinyserver log, but I stay logged in and get redirected to the landing page, where I can start the example app.
Here is my application.yml:


proxy:
title: Statistics Hub 1
landing-page: /
heartbeat-rate: 10000
heartbeat-timeout: 60000
port: 8081

hide-navbar: false

authentication: openid
admin-groups: scientists

openid:
auth-url: h!!ps://my-app.auth0.com/authorize
token-url: h!!ps://my-app.auth0.com/oauth/token
jwks-url: h!!ps://my-app.auth0.com/.well-known/jwks.json
client-id: *** my id ***
client-secret: *** my secret ***
roles-claim: h!!ps://shinyproxy.io/shinyproxy_roles

container-backend: docker
docker:
cert-path: /home/none
url: http://localhost:2375
port-range-start: 20000
port-range-max: 20099

specs:

  • id: 01_hello
    display-name: Hello Application
    description: Application which demonstrates the basics of a Shiny app
    container-cmd: [“R”, “-e”, “shiny::runApp(‘mnt/app’)”]
    container-image: default
    access-groups: [scientists, mathematicians]
    container-volumes: [ “/srv/shinyproxy/apps/hello:/mnt/app” ]

server:
servlet:
context-path: /hub1


(‘h!!ps:’ is intentional as I am not allowed to post that many links here)
I set the allowed callback URLs properly at Auth0 and as login is working well, I assume that everything is correct there. I also played around with the allowed logout URLs at Auth0, but still without success. With simple authentification everything worked well. Is there a setting that I missed or anything else that I should check to get logout working with OpenID?


#2

Dear @lug0si,

Thanks for the feedback. We will investigate and report back!

Kind regards,
Tobias


#3

Many thanks! :slight_smile:
I hope it is reproducible - please let me know, if you need more details.
Maybe it’s a concurrence of OpenID integration & the shinyproxy context-path: https://myserver.net/hub1 …?

Best wishes, Wolfgang


#4

I found a workaround for the time being:

  • create custom template with custom navbar.html
  • in navbar.html change
    <a role=“button” class=“btn btn-primary btn-sm” th:href="@{/logout}" th:if="${isLoggedIn}">Sign Out
    to
    <a role=“button” class=“btn btn-primary btn-sm” href=“https://myserver.auth0.com/v2/logout?returnTo=http%3A%2F%2Fshinyserverurl/logout” th:if="${isLoggedIn}">Sign Out

This really logs out the user from auth0 and from shinyserver.


#5

Hi @lug0si,

Thanks for checking this, and providing a workaround.
The github issue has been updated with new info.


#6

@lug0si, ShinyProxy 2.0.5 adds the possibility to specify the proxy.openid.logout-url for OpenID Connect based authentication; see https://www.shinyproxy.io/downloads/ and documentation under https://www.shinyproxy.io/configuration/#miscellaneous-settings

Best,
Tobias


#7

Great! :smiley:
With logout-url it’s working fine now and I went back to the original line in navbar.html.

Thanks a lot! Cheers, Wolfgang