Oidc login - redirect loop after upgrade shiny to latest version

shiny_user · January 13, 2022, 11:29am

Hi,

after upgrade ShinyProxy I have login problem.
I use OIDC with my own app to login to shiny. Everythink work well on 2.3.1, after update to 2.6.1 I have redirection loop. My configuration below.

application.yaml:

server:
  useForwardHeaders: true
proxy:
  title: Open Analytics Shiny Proxy
  logo-url: http://www.openanalytics.eu/sites/www.openanalytics.eu/themes/oa/logo.png
  landing-page: /
  heartbeat-rate: 10000
  heartbeat-timeout: 60000
  port: 8080
  authentication: openid
  openid:
   auth-url: http://localhost/oidc/authorize
   token-url: http://pm_panel_auth_apache/oidc/access_token
   jwks-url: http://pm_panel_auth_apache/oidc/.well-known/jwk
   logout-url: http://localhost/oidc/logout
   client-id: myawesomeappp
   client-secret: abc1234
   roles-claim: https://shinyproxy.io/shinyproxy_roles #['email', 'oidc', 'shinyproxy_roles']
  admin-groups: dcs

  # Docker configuration
  docker:
    url: http://localhost:2375
    host: localhost
    port-range-start: 20000
    internal-networking: true
    container-protocol: http
  specs:
  - id: 01_hello
    display-name: Hello Application
    description: Application which demonstrates the basics of a Shiny app
    container-cmd: ["R", "-e", "shinyproxy::run_01_hello()"]
    container-image: openanalytics/shinyproxy-demo
    container-network: sp-example-net
    access-groups: [test]
logging:
  file:
    name: shinyproxy.log

docker:

version: "3.7"

services:
  pm_panel_auth_apache:
    build: 
      context: ./bin/apache
      dockerfile: Dockerfile
      args:
        developer_uid: ${APACHE_DEVELOPER_UID}
        developer_name: ${USER}
    container_name: pm_panel_auth_apache
    restart: 'on-failure'
    ports:
      - "${APACHE_PORT}:80"
    volumes:
      - ~/.ssh:/home/${USER}/.ssh
      - ~/.gitconfig:/home/${USER}/.gitconfig
      - ${APACHE_DOCUMENT_ROOT}:/var/www/html/webapp
      - ${PHP_CONFIG_INI}:/usr/local/etc/php/php.ini
      - ${APACHE_CONFIG_DIR}/sites-enabled:/etc/apache2/sites-enabled
      - ${APACHE_LOG_DIR}:/var/log/apache2
    environment:
      APACHE_RUN_USER: ${USER}
      APACHE_RUN_GROUP: ${USER}
      PHP_IDE_CONFIG: ${PHP_IDE_CONFIG}
      XDEBUG_CONFIG: "${XDEBUG_REMOTE_ENABLE} ${XDEBUG_REMOTE_HOST} ${XDEBUG_REMOTE_PORT}"
      TZ: Europe/Warsaw
    user: ${USER}
    sysctls:
      - net.ipv4.ip_unprivileged_port_start=0
    networks:
      - pm_panel_auth
  pm_panel_auth_shinyproxy:
    build:
      context: ./bin/shinyproxy
      dockerfile: Dockerfile
    container_name: pm_panel_auth_shinyproxy
    restart: 'on-failure'
    ports:
      - "${SHINYPROXY_PORT}:8080"
    volumes:
      - ${SHINYPROXY_CONFIG_DIR}:/opt/shinyproxy/config
    networks:
      - pm_panel_auth
      
networks:
  pm_panel_auth:

redirect url:
http://localhost:8080/login/oauth2/code/shinyproxy

I can also see a logs:

 UT005023: Exception handling request to /login/oauth2/code/shinyproxy
java.lang.IllegalStateException: Could not create URI object: Illegal character in hostname at index 9: http://pm_panel_auth_apache/oidc/access_token

pm_panel_auth_shinyproxy    | 2022-01-13 10:04:46.525  WARN 1 --- [           main] org.thymeleaf.templatemode.TemplateMode  : [THYMELEAF][main] Template Mode 'HTML5' is deprecated. Using Template Mode 'HTML' instead.
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:46.567  INFO 1 --- [           main] e.o.c.stat.StatCollectorFactory          : Disabled. Usage statistics will not be processed.
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:48.100  INFO 1 --- [           main] o.s.s.concurrent.ThreadPoolTaskExecutor  : Initializing ExecutorService
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:48.105  INFO 1 --- [           main] o.s.s.concurrent.ThreadPoolTaskExecutor  : Initializing ExecutorService 'taskExecutor'
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:49.137  INFO 1 --- [           main] o.s.b.a.w.s.WelcomePageHandlerMapping    : Adding welcome page template: index
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:50.903  INFO 1 --- [           main] o.s.l.c.support.AbstractContextSource    : Property 'userDn' not set - anonymous context will be used for read-write operations
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:51.878  INFO 1 --- [           main] io.undertow                              : starting server: Undertow - 2.2.8.Final
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:51.979  INFO 1 --- [           main] org.xnio                                 : XNIO version 3.8.4.Final
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:52.081  INFO 1 --- [           main] org.xnio.nio                             : XNIO NIO Implementation Version 3.8.4.Final
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:52.666  INFO 1 --- [           main] org.jboss.threads                        : JBoss Threads version 3.1.0.Final
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:53.085  INFO 1 --- [           main] o.s.b.w.e.undertow.UndertowWebServer     : Undertow started on port(s) 8080 (http)
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:53.431  INFO 1 --- [           main] io.undertow.servlet                      : Initializing Spring embedded WebApplicationContext
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:53.431  INFO 1 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 332 ms
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:53.481  INFO 1 --- [           main] o.s.b.a.e.web.EndpointLinksResolver      : Exposing 1 endpoint(s) beneath base path '/actuator'
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:53.684  INFO 1 --- [           main] io.undertow                              : starting server: Undertow - 2.2.8.Final
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:53.724  INFO 1 --- [           main] o.s.b.w.e.undertow.UndertowWebServer     : Undertow started on port(s) 9090 (http)
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:53.844  INFO 1 --- [           main] e.o.c.util.StartupEventListener          : Started ShinyProxy 2.6.0 (ContainerProxy 0.8.10)
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:53.845  INFO 1 --- [           main] e.o.c.service.AppRecoveryService         : Recovery of running apps disabled
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:57.540  INFO 1 --- [  XNIO-1 task-1] io.undertow.servlet                      : Initializing Spring DispatcherServlet 'dispatcherServlet'
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:57.544  INFO 1 --- [  XNIO-1 task-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
pm_panel_auth_shinyproxy    | 2022-01-13 10:04:57.579  INFO 1 --- [  XNIO-1 task-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 34 ms
pm_panel_auth_shinyproxy    | 2022-01-13 10:05:11.213 ERROR 1 --- [  XNIO-1 task-2] io.undertow.request                      : UT005023: Exception handling request to /login/oauth2/code/shinyproxy
pm_panel_auth_shinyproxy    | 
pm_panel_auth_shinyproxy    | java.lang.IllegalStateException: Could not create URI object: Illegal character in hostname at index 9: http://pm_panel_auth_apache/oidc/access_token
pm_panel_auth_shinyproxy    | 	at org.springframework.web.util.HierarchicalUriComponents.toUri(HierarchicalUriComponents.java:521) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequestEntityConverter.convert(OAuth2AuthorizationCodeGrantRequestEntityConverter.java:60) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequestEntityConverter.convert(OAuth2AuthorizationCodeGrantRequestEntityConverter.java:44) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(DefaultAuthorizationCodeTokenResponseClient.java:71) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(DefaultAuthorizationCodeTokenResponseClient.java:52) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:136) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) ~[spring-security-core-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:185) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:160) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:97) ~[spring-boot-actuator-2.3.12.RELEASE.jar!/:2.3.12.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.server.handlers.PathHandler.handleRequest(PathHandler.java:104) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at eu.openanalytics.containerproxy.util.ProxyMappingManager$ProxyPathHandler.handleRequest(ProxyMappingManager.java:160) ~[containerproxy-0.8.10.jar!/:0.8.10]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.server.handlers.SameSiteCookieHandler.handleRequest(SameSiteCookieHandler.java:97) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269) [undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78) [undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133) [undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130) [undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) [undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249) [undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78) [undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99) [undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:387) [undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841) [undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
pm_panel_auth_shinyproxy    | 	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) [jboss-threads-3.1.0.Final.jar!/:3.1.0.Final]
pm_panel_auth_shinyproxy    | 	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:2019) [jboss-threads-3.1.0.Final.jar!/:3.1.0.Final]
pm_panel_auth_shinyproxy    | 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1558) [jboss-threads-3.1.0.Final.jar!/:3.1.0.Final]
pm_panel_auth_shinyproxy    | 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1449) [jboss-threads-3.1.0.Final.jar!/:3.1.0.Final]
pm_panel_auth_shinyproxy    | 	at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280) [xnio-api-3.8.4.Final.jar!/:3.8.4.Final]
pm_panel_auth_shinyproxy    | 	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_275]
pm_panel_auth_shinyproxy    | Caused by: java.net.URISyntaxException: Illegal character in hostname at index 9: http://pm_panel_auth_apache/oidc/access_token
pm_panel_auth_shinyproxy    | 	at java.net.URI$Parser.fail(URI.java:2848) ~[na:1.8.0_275]
pm_panel_auth_shinyproxy    | 	at java.net.URI$Parser.parseHostname(URI.java:3387) ~[na:1.8.0_275]
pm_panel_auth_shinyproxy    | 	at java.net.URI$Parser.parseServer(URI.java:3236) ~[na:1.8.0_275]
pm_panel_auth_shinyproxy    | 	at java.net.URI$Parser.parseAuthority(URI.java:3155) ~[na:1.8.0_275]
pm_panel_auth_shinyproxy    | 	at java.net.URI$Parser.parseHierarchical(URI.java:3097) ~[na:1.8.0_275]
pm_panel_auth_shinyproxy    | 	at java.net.URI$Parser.parse(URI.java:3053) ~[na:1.8.0_275]
pm_panel_auth_shinyproxy    | 	at java.net.URI.<init>(URI.java:673) ~[na:1.8.0_275]
pm_panel_auth_shinyproxy    | 	at org.springframework.web.util.HierarchicalUriComponents.toUri(HierarchicalUriComponents.java:517) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	... 80 common frames omitted
pm_panel_auth_shinyproxy    | 
pm_panel_auth_shinyproxy    | 2022-01-13 10:05:13.486 ERROR 1 --- [  XNIO-1 task-2] io.undertow.request                      : UT005023: Exception handling request to /login/oauth2/code/shinyproxy
pm_panel_auth_shinyproxy    | 
pm_panel_auth_shinyproxy    | java.lang.IllegalStateException: Could not create URI object: Illegal character in hostname at index 9: http://pm_panel_auth_apache/oidc/access_token
pm_panel_auth_shinyproxy    | 	at org.springframework.web.util.HierarchicalUriComponents.toUri(HierarchicalUriComponents.java:521) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequestEntityConverter.convert(OAuth2AuthorizationCodeGrantRequestEntityConverter.java:60) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequestEntityConverter.convert(OAuth2AuthorizationCodeGrantRequestEntityConverter.java:44) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(DefaultAuthorizationCodeTokenResponseClient.java:71) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(DefaultAuthorizationCodeTokenResponseClient.java:52) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:136) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) ~[spring-security-core-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:185) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]
pm_panel_auth_shinyproxy    | 	at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:160) ~[spring-security-oauth2-client-5.3.9.RELEASE.jar!/:5.3.9.RELEASE]

As I said before everything wors fine on 2.6.1. I do not change anything except the proxy version. I tried to handle it, mostly I was trying to change some options in application.yml like

server:
forward-headers-strategy: native

but nothing help me. I am not sure now if should I change something by the app side becouse it work on older version. Maybe someone had a similar problem and managed to fix it?

tdekoninck · January 13, 2022, 1:39pm

Hi

The problem is that the URL you use for the openid endpoints contains an underscore (_) in the domain part. (If you really are interested, this should be documented here https://datatracker.ietf.org/doc/html/rfc1123 , but wikipedia documents it as well: https://en.wikipedia.org/wiki/Hostname#Syntax)

You should change the name of the containers in your docker-compose file: pm_panel_auth_apache -> pm-panel-auth-apache and also change the references in your ShinyProxy configuration.

Hope this helps.

shiny_user · January 14, 2022, 1:41pm

Thank you for your answer. Something moved forward. But I still have other errors. I was trying to log more notices but I can see only this:

pm-panel-auth-shinyproxy    | 2022-01-14 13:12:31.888 DEBUG 1 --- [  XNIO-1 task-2] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point
pm-panel-auth-shinyproxy    | 
pm-panel-auth-shinyproxy    | org.springframework.security.access.AccessDeniedException: Access is denied

 pm-panel-auth-shinyproxy    | 2022-01-14 13:08:14.207  INFO 1 --- [  XNIO-1 task-2] e.o.containerproxy.service.UserService   : Authentication failure [user: ] [error: No AuthenticationProvider found for org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken]
pm-panel-auth-shinyproxy    | 2022-01-14 13:08:14.215 ERROR 1 --- [  XNIO-1 task-2] e.o.c.a.i.OpenIDAuthenticationBackend    : org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_nonce] 
pm-panel-auth-shinyproxy    | 
pm-panel-auth-shinyproxy    | org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_nonce]

And i can see this info in my browser:

An error occurred during the authentication procedure.

If you are a user of ShinyProxy: please report this issue to your administrator and try to log out from your Identity Provider.

If you are an administrator of ShinyProxy: this error page is typically shown because of an configuration error in the authentication setup. See the logs for more information.

There are too few details here for me. Maybe you have an idea where should I looking for fixes? Thanks a lot

tdekoninck · January 17, 2022, 7:55am

The error you are getting means that the nonce parameter used by OIDC is not properly handled by your OIDC server. The nonce parameter is an extra security layer, which can optionally be used by OIDC clients, but must be implemented on the server side. Therefore, it seems that your OIDC is not compliant to the OIDC spec. We once had a similar issue with another PHP implementation of OIDC.

See e.g. https://github.com/spring-projects/spring-security/issues/7696 for more information or https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps

The best solution would be to fix the implementation in your OIDC server. I’m afraid there is no workaround on the ShinyProxy side (since this is a security feature and part of the OIDC standard)

shiny_user · January 19, 2022, 10:02am

Thank you very much for your answer.

So as I understand I have to get ‘nonce’ parameter from shiny proxy
and then after login to my OIDC server I need to add ‘nonce’ to payload (body) of my id_token as a claim (as a key value: nonce : ‘nonce-generated-by-shiny’)
and then send it back to shiny as a part of token?