OpenID Active Directory Federation Services (ADFS)


#1

Hi,

I would like to integrate shinyproxy using ADFS as the identity provider. I asked our tech guys to set up the config, but I get an error saying java.lang.IllegalArgumentException: Missing attribute 'email' in attributes. I did check with the tech guys that they enabled the email scope, but the error still remains.

Any help would be appreciated.

The url that gets generated is as follows:

https://<URL>/adfs/oauth2/authorize?response_type=code&client_id=<CLIENT_ID>&scope=openid%20email&state=IYYQu2Ej0UMTBXFRYiNSg2iZRh03Rckj0fX-bCl8wlI%3D&redirect_uri=http://<URI>/login/oauth2/code/shinyproxy

and the config:

proxy:
  title: Open Analytics Shiny Proxy
  logo-url: http://www.openanalytics.eu/sites/www.openanalytics.eu/themes/oa/logo.png
  landing-page: /
  heartbeat-rate: 10000
  heartbeat-timeout: 60000
  port: 8080
  authentication: openid
  openid:
    auth-url: https://<URL>/adfs/oauth2/authorize
    token-url: https://<URL>/adfs/oauth2/token
    jwks-url: https://<URL>/adfs/discovery/keys
    client-id: <CLIENT_ID>
    client-secret: <CLIENT_SECRET>
  # Docker configuration
  docker:
    url: http://localhost:2375
    port-range-start: 20000
  support:
    container-log-path: ./container-logs
  specs:
  - id: 01_hello
    display-name: Hello Application
    description: Application which demonstrates the basics of a Shiny app
    container-cmd: ["R", "-e", "shinyproxy::run_01_hello()"]
    container-image: openanalytics/shinyproxy-demo
  - id: 06_tabsets
    container-cmd: ["R", "-e", "shinyproxy::run_06_tabsets()"]
    container-image: openanalytics/shinyproxy-demo

logging:
  file:
    shinyproxy.log

#2

Hi @gbisschoff,

The oidc backend by default uses the ‘email’ attribute as the user’s display name, but this may not be appropriate in your case (I am not familiar with ADFS, the attributes may be named differently there).
You can override the attribute by setting username-attribute: anotherAttribute in the application.yml file.
Due to a bug, the setting is currently located in the root of the yaml, though it should be at proxy.openid.username-attribute: ...

Can you give this a try?


#3

I can confirm that the email attribute must be missing under ADFS; by setting username-attribute: aud, which should always be there, it worked.

I will try and add a custom field to the token to include email.
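An added illustration of the issue in posts #2 and #3 (example code, not from the thread or the ShinyProxy project): it decodes an ID token's claims so you can see which attributes the provider actually returns, reproduces the "Missing attribute" failure for a configured username-attribute, and lists claims that identify an individual user. The claim names and values in the sample token are assumptions constructed for this example; the signature is a dummy and is not verified here, since ShinyProxy does that against jwks-url.

```python
import base64
import json

# Constructed sample: claims an ADFS-style ID token might carry when the
# 'email' scope is granted but no email claim is mapped for the user.
# Names and values are assumptions for this example, not from the post.
SAMPLE_CLAIMS = {
    "iss": "https://adfs.example.test/adfs",
    "aud": "shinyproxy-client",   # the OAuth client id, identical for every user
    "sub": "S-1-5-21-1111-2222-3333-1001",
    "upn": "alice@example.test",
    "unique_name": "EXAMPLE\\alice",
    "exp": 1700000000,
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_unverified_token(claims: dict) -> str:
    # Constructed token for inspection only: the signature segment is a dummy.
    header = {"alg": "RS256", "kid": "constructed-kid"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()),
                     b64url(b"not-a-real-signature")])

def decode_claims(id_token: str) -> dict:
    # Payload only; no signature check. Use it to learn which claims exist.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(b64url_decode(parts[1]))

def resolve_username(claims: dict, username_attribute: str = "email") -> str:
    # Mirrors the failure in the thread: the configured attribute is absent.
    if username_attribute not in claims:
        raise ValueError(f"Missing attribute '{username_attribute}' in attributes")
    return str(claims[username_attribute])

PER_USER_CANDIDATES = ("email", "upn", "unique_name", "preferred_username", "sub")

def per_user_candidates(claims: dict) -> list:
    # Claims that identify one user. 'aud' is excluded on purpose: it is the
    # client id, so using it as the username gives every user the same name.
    return [c for c in PER_USER_CANDIDATES if c in claims]

SAMPLE_TOKEN = build_unverified_token(SAMPLE_CLAIMS)
```

Because ShinyProxy's per-app access rules key on the resolved username, pick a claim that differs per user (such as upn) rather than aud.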