OpenID redirect timeout (Google, Auth0, ADFS)

Hi, I would like to use ADFS's OpenID Connect method.

I followed the configuration guidance for setting up OpenID.
I created a Google OpenID account, an Auth0 account, as well as an ADFS account.
When I connect to the site I get redirected to the identity provider's login screen. After I log in it tries to redirect to the callback URL (http://<FQDN>/login/oauth2/code/shinyproxy) but eventually fails. Here are the provider-specific openid sections, and below is the full config.

On Google and Auth0:
Google config:

openid:
    auth-url: https://accounts.google.com/o/oauth2/auth
    token-url: https://www.googleapis.com/oauth2/v3/token
    jwks-url: https://www.googleapis.com/oauth2/v1/certs
    client-id: xxx
    client-secret: xxx

Auth0 config:

openid:
    auth-url: https://test-dstore1.eu.auth0.com/authorize
    token-url: https://test-dstore1.eu.auth0.com/oauth/token
    jwks-url: https://test-dstore1.eu.auth0.com/.well-known/jwks.json
    client-id: xxx
    client-secret: xxx


2018-09-25 18:03:10.427 ERROR 7500 --- [  XNIO-2 task-4] io.undertow.request                      : UT005023: Exception handling request to /login/oauth2/code/shinyproxy

java.lang.StackOverflowError: null
        at java.lang.StringCoding$StringDecoder.decode(StringCoding.java:153) ~[na:1.8.0_171]
        at java.lang.StringCoding.decode(StringCoding.java:193) ~[na:1.8.0_171]
        at java.lang.String.<init>(String.java:426) ~[na:1.8.0_171]
        at java.lang.String.<init>(String.java:491) ~[na:1.8.0_171]
        at java.net.SocketOutputStream.socketWrite0(Native Method) ~[na:1.8.0_171]

On ADFS:

config:

openid:
    auth-url: https://URL/adfs/oauth2/authorize
    token-url: https://URL/adfs/oauth2/token
    jwks-url: https://URL/adfs/discovery/keys
    client-id: xxx
    client-secret: xxx

2018-09-19 16:42:31.413 ERROR 7445 --- [  XNIO-2 task-7] io.undertow.request                      : UT005023: Exception handling request to /login/oauth2/code/shinyproxy

java.lang.StackOverflowError: null
        at java.lang.Exception.<init>(Exception.java:102) ~[na:1.8.0_171]
        at java.lang.ReflectiveOperationException.<init>(ReflectiveOperationException.java:89) ~[na:1.8.0_171]
        at java.lang.reflect.InvocationTargetException.<init>(InvocationTargetException.java:72) ~[na:1.8.0_171]
        at sun.reflect.GeneratedMethodAccessor26.invoke(Unknown Source) ~[na:na]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_171]
       
...

2018-09-19 16:42:33.652 ERROR 7445 --- [ XNIO-2 task-10] io.undertow.request                      : UT005023: Exception handling request to /login/oauth2/code/shinyproxy

java.lang.IllegalArgumentException: Missing attribute 'email' in attributes
        at org.springframework.security.oauth2.core.user.DefaultOAuth2User.<init>(DefaultOAuth2User.java:67) ~[spring-security-oauth2-core-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
        at org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser.<init>(DefaultOidcUser.java:89) ~[spring-security-oauth2-core-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
        at 

With the full config:

proxy:
  title: Open Analytics Shiny Proxy
  logo-url: http://www.openanalytics.eu/sites/www.openanalytics.eu/themes/oa/logo.png
  landing-page: /
  heartbeat-rate: 10000
  heartbeat-timeout: 60000
  port: 8080
  authentication: openid
  #admin-groups: scientists
  openid:
   [provider dependent]
  # Docker configuration
  docker:
    url: http://localhost:2375
    port-range-start: 20000
  support:
    container-log-path: ./container-logs
  specs:
  - id: 01_hello
    display-name: Hello Application
    description: Application which demonstrates the basics of a Shiny app
    container-cmd: ["R", "-e", "shinyproxy::run_01_hello()"]
    container-image: openanalytics/shinyproxy-demo
    #access-groups: [scientists, mathematicians]
  - id: 06_tabsets
    container-cmd: ["R", "-e", "shinyproxy::run_06_tabsets()"]
    container-image: openanalytics/shinyproxy-demo
    #access-groups: scientists

logging:
  file:
    shinyproxy.log

I am using the latest master version from GitHub (2.0.4).
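The three openid: blocks above are hand-copied endpoint URLs, and every provider also publishes the same values in its discovery document (/.well-known/openid-configuration). The following is an added example, not ShinyProxy's own code, that compares a ShinyProxy-style openid: block against that document; SAMPLE_DISCOVERY and SAMPLE_CONFIG are constructed (tenant name and values invented) and the helper names are assumptions.

```python
"""Cross-check a ShinyProxy 'openid:' block against the provider's OIDC
discovery document (/.well-known/openid-configuration).

Added example, not ShinyProxy's own code. SAMPLE_DISCOVERY and SAMPLE_CONFIG
are constructed (tenant name and values invented); the helper names are
assumptions. Only the standard library is used."""
import json
import urllib.request
from urllib.parse import urlparse

# ShinyProxy config key -> field name in the discovery document.
KEY_MAP = {
    "auth-url": "authorization_endpoint",
    "token-url": "token_endpoint",
    "jwks-url": "jwks_uri",
}

# Constructed sample in the shape an Auth0-style tenant publishes.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://example-tenant.eu.auth0.com/",
  "authorization_endpoint": "https://example-tenant.eu.auth0.com/authorize",
  "token_endpoint": "https://example-tenant.eu.auth0.com/oauth/token",
  "jwks_uri": "https://example-tenant.eu.auth0.com/.well-known/jwks.json"
}""")

# Constructed sample config with two deliberate mistakes: a plain-http
# token URL and a jwks URL copied from a different provider.
SAMPLE_CONFIG = {
    "auth-url": "https://example-tenant.eu.auth0.com/authorize",
    "token-url": "http://example-tenant.eu.auth0.com/oauth/token",
    "jwks-url": "https://www.googleapis.com/oauth2/v1/certs",
    "client-id": "xxx",
    "client-secret": "xxx",
}


def load_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Fetch the live document. Not called by the offline check below."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_openid_config(config: dict, discovery: dict) -> list:
    """Return findings as strings; an empty list means the block is consistent."""
    findings = []
    for cfg_key, disc_key in KEY_MAP.items():
        value = config.get(cfg_key)
        expected = discovery.get(disc_key)
        if not value:
            findings.append(f"{cfg_key}: missing")
            continue
        # OIDC endpoints are https; a plain-http URL would leak the code/secret.
        if urlparse(value).scheme != "https":
            findings.append(f"{cfg_key}: not https ({value})")
        # The discovery document is authoritative: compare the full URL.
        if value != expected:
            findings.append(f"{cfg_key}: {value} differs from {disc_key} {expected}")
    for cred in ("client-id", "client-secret"):
        if not config.get(cred):
            findings.append(f"{cred}: missing")
    return findings


def consistent(config: dict, discovery: dict) -> bool:
    return not check_openid_config(config, discovery)


if __name__ == "__main__":
    for line in check_openid_config(SAMPLE_CONFIG, SAMPLE_DISCOVERY):
        print("FINDING:", line)
```

The comparison is made against the discovery document rather than against the issuer host on purpose: Google, for instance, serves its jwks_uri from www.googleapis.com while the issuer is accounts.google.com, so a same-host rule would raise a false alarm there.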

The timeout was due to the company proxy.

@gbisschoff hi, could you please specify what kind of timeout was causing this problem?

Can you help me?
I have an error with auth:

ERROR 1 — [ XNIO-2 task-7] io.undertow.request : UT005023: Exception handling request to /login/oauth2/code/shinyproxy
java.lang.IllegalArgumentException: Missing attribute 'email' in attributes

application.yml:

proxy:
  port: 8080
  authentication: openid
  openid:
    auth-url: https://login.microsoftonline.com/{my_tenant}/oauth2/authorize
    token-url: https://login.microsoftonline.com/{my_tenant}/oauth2/token
    jwks-url: https://login.microsoftonline.com/{my_tenant}/discovery/keys
    client-id: xxxxxxxx
    client-secret: xxxxxxxx
  docker:
    internal-networking: true
  specs:
  - id: 01_hello
    display-name: Hello Application
    description: Application which demonstrates the basics of a Shiny app
    container-cmd: ["R", "-e", "shinyproxy::run_01_hello()"]
    container-image: openanalytics/shinyproxy-demo
    container-network: sp-example-net
  - id: 06_tabsets
    container-cmd: ["R", "-e", "shinyproxy::run_06_tabsets()"]
    container-image: openanalytics/shinyproxy-demo
    container-network: sp-example-net

logging:
  file:
    shinyproxy.log

@akozlov

I don’t know how Microsoft OAuth setup works, but make sure you’re passing ‘email’ attributes on requests.

Check out using the username-attribute field in the proxy: field of your application.yml file. Look at this post too.

Hi - I'm having the exact same problem, would you be able to explain what needed to be done in the proxy settings to make it work?

Thanks

@Samy

Have you tried setting the username-attribute to something that will always be present, like ‘aud’?

Also, do you have a proxy engine in front of ShinyProxy?
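The "Missing attribute 'email'" error above means the ID token the provider returned simply did not contain that claim, so the first thing to look at is which claims it does contain. The following is an added example, not ShinyProxy's code: it decodes the payload of an ID token (no signature check, so it is only for inspecting claims during setup, never for an authentication decision) and picks a username-attribute from a preference list, skipping claims such as aud (the client ID) that have the same value for every user of the client registration. The two tokens are constructed samples; the Azure-style one mimics a v1 endpoint claim set with upn/unique_name and no email, which is an assumption about that tenant's token shape.

```python
"""Inspect the claims of an ID token to choose ShinyProxy's
'username-attribute'.

Added example, not ShinyProxy's own code. The tokens below are constructed
samples (placeholder signature segment) and are decoded WITHOUT signature
verification: this is for reading claims during setup, never for an
authentication decision. Helper names are assumptions."""
import base64
import json

# Claims that do not identify a user: the same value for everyone who signs
# in through this client registration, so they must not become the username.
NOT_A_USER_IDENTIFIER = {"aud", "iss", "azp", "tid", "iat", "exp", "nbf",
                         "nonce", "at_hash", "c_hash", "ver", "aio", "uti"}

# Order in which to try claims; 'sub' is the one OIDC guarantees.
PREFERRED_USERNAME_CLAIMS = ["email", "preferred_username", "upn",
                             "unique_name", "sub"]


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string from claims (constructed sample; the third
    segment is a placeholder, not a real signature)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def pick_username_attribute(claims: dict, preferred=PREFERRED_USERNAME_CLAIMS):
    """First preferred claim that is present, a non-empty string, and a
    per-user identifier. Returns None if nothing qualifies."""
    for name in preferred:
        if name in NOT_A_USER_IDENTIFIER:
            continue
        value = claims.get(name)
        if isinstance(value, str) and value.strip():
            return name
    return None


# Constructed sample: Azure AD v1-style token that carries no 'email' claim.
AZURE_STYLE_CLAIMS = {
    "aud": "00000000-0000-0000-0000-000000000000",
    "iss": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "upn": "alice@example.com",
    "unique_name": "alice@example.com",
    "tid": "11111111-1111-1111-1111-111111111111",
    "iat": 1550910000, "exp": 1550913600,
}

# Constructed sample: token that does carry 'email'.
EMAIL_STYLE_CLAIMS = {
    "aud": "coolid", "iss": "https://example-tenant.eu.auth0.com/",
    "sub": "auth0|5c6e1f2a", "email": "bob@example.com",
    "iat": 1550910000, "exp": 1550913600,
}

if __name__ == "__main__":
    for label, claims in (("azure", AZURE_STYLE_CLAIMS), ("auth0", EMAIL_STYLE_CLAIMS)):
        decoded = decode_jwt_claims(make_sample_token(claims))
        print(label, "claims:", sorted(decoded),
              "-> username-attribute:", pick_username_attribute(decoded))
```

To use it against a real token, paste the id_token from the provider's token response into decode_jwt_claims; whatever pick_username_attribute returns is a claim that is both present and unique per user, which is what the username-attribute setting needs since ShinyProxy takes the user's name from it.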

Hi @five_cents , thanks for your message

I have tried your suggestion in the yml to no avail. Here is an updated version of my yml file as it has changed a bit since my initial post:

proxy:
  title: bla Analytics Hub
  logo-url: http://www.openanalytics.eu/sites/www.openanalytics.eu/themes/oa/logo.png
  landing-page: /
  heartbeat-rate: 10000
  heartbeat-timeout: 60000
  port: 8080
  useForwardHeaders: true
  authentication: openid
  openid:
    auth-url: https://bladatatools.eu.auth0.com/authorize
    token-url: https://bladatatools.eu.auth0.com/oauth/token
    jwks-url: https://bladatatools.eu.auth0.com/.well-known/jwks.json
    client-id: coolid
    client-secret: coolsecret
    username-attribute: 'aud'

  docker:
    cert-path: /home/none
    url: http://localhost:2375
    port-range-start: 20000
    container-protocol: https

  specs:
  - id: bla_app
    container-cmd: ["R", "-e", "shiny::runApp('/srv/shinydockerimage')"]
    container-image: bla_shinyapp

logging:
  file:
    shinyproxy.log

server:
  useForwardHeaders: true

ShinyProxy seems to encounter an error and writes the following in the error log:

2019-02-23 08:32:07.708 ERROR 14029 — [XNIO-2 task-7] io.undertow.request : UT005023: Exception handling request to /login/oauth2/code/shinyproxy

java.lang.StackOverflowError: null

Then it goes into a loop, with the following segment repeated in the logs over and over:

~[spring-security-config-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source) ~[na:na]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_171]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_171]
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:338) ~[spring-aop-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:206) ~[spring-aop-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at com.sun.proxy.$Proxy77.authenticate(Unknown Source) ~[na:na]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) ~[spring-security-core-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:502)

In terms of proxy engine: I am running ShinyProxy, Shiny Server, RStudio Server etc. on my own EC2 instance and my nginx configuration is the following:

worker_processes 1;
pid /run/nginx.pid;

events {
    worker_connections 1024;
    # multi_accept on;
}

http {

    # Plain HTTP: send everything to the HTTPS server block.
    server {
        listen      80;
        server_name domain_name.com;
        rewrite     ^(.*) https://$server_name$1 permanent;
    }

    server {
        # 'ssl on;' is deprecated; enabling TLS on the listen directive is the current form.
        listen      443 ssl;
        server_name domain_name.com;
        access_log  /var/log/nginx/shinyproxy.access.log;
        error_log   /var/log/nginx/shinyproxy.error.log error;

        # TLSv1 and TLSv1.1 are still enabled here; drop them unless a legacy client needs them.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_certificate     /etc/letsencrypt/live/domain_name.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain_name.com/privkey.pem;
        ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

        location / {
            # ShinyProxy listens on plain HTTP on the loopback interface.
            proxy_pass         http://127.0.0.1:8080/;

            # WebSocket upgrade for Shiny sessions.
            proxy_http_version 1.1;
            proxy_set_header   Upgrade    $http_upgrade;
            proxy_set_header   Connection "upgrade";
            proxy_read_timeout 600s;
            #proxy_cookie_path ~^/site/.*$ /;

            proxy_redirect     off;
            # Forwarded headers: with useForwardHeaders enabled, these let the app
            # see the original scheme and host instead of http://127.0.0.1:8080.
            proxy_set_header   Host              $http_host;
            proxy_set_header   X-Real-IP         $remote_addr;
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
        }
    }
}
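The nginx block above terminates TLS and talks plain HTTP to ShinyProxy on 127.0.0.1:8080, so the callback URL the app builds for /login/oauth2/code/shinyproxy depends on whether it honours the X-Forwarded-* headers. The following is an added example, not ShinyProxy's or Spring Security's code: a simplified model of how a servlet app resolves its base URL, used to show that the callback must match the redirect URI registered at the provider character for character, and why forwarded headers should only be trusted from the proxy. The trusted_proxies parameter is this model's own design (the thread does not describe how ShinyProxy scopes that trust), and the request samples are constructed to mirror the nginx configuration above.

```python
"""Model of how the OAuth2 callback URL (redirect_uri) is derived when a
TLS-terminating reverse proxy sits in front of the app.

Added example, not ShinyProxy's or Spring Security's code: a simplified
model of base-URL resolution in a servlet app. The 'trusted_proxies'
parameter is this model's own design, and the request samples are
constructed to mirror the nginx configuration in the thread."""
from dataclasses import dataclass, field

# Spring Security's default callback path for a registration named 'shinyproxy'.
CALLBACK_PATH = "/login/oauth2/code/shinyproxy"


@dataclass
class Request:
    scheme: str          # scheme of the TCP connection the app accepted
    server_port: int     # port the app listens on
    peer_ip: str         # address that opened the connection (proxy or client)
    headers: dict = field(default_factory=dict)

    def header(self, name, default=None):
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return default


def resolve_base_url(req, use_forward_headers=False, trusted_proxies=()):
    """scheme://host[:port] as the app sees it. Forwarded headers are only
    honoured when enabled AND the connection comes from a trusted proxy."""
    scheme = req.scheme
    host = req.header("Host") or f"127.0.0.1:{req.server_port}"
    forwarded_port = None
    if use_forward_headers and req.peer_ip in trusted_proxies:
        scheme = req.header("X-Forwarded-Proto", scheme)
        host = req.header("X-Forwarded-Host", host)
        forwarded_port = req.header("X-Forwarded-Port")
    if ":" in host:
        host, explicit_port = host.rsplit(":", 1)
        port = int(explicit_port)
    elif forwarded_port:
        port = int(forwarded_port)
    else:
        port = 443 if scheme == "https" else 80
    default_port = 443 if scheme == "https" else 80
    return f"{scheme}://{host}" + ("" if port == default_port else f":{port}")


def callback_uri(req, **kwargs):
    return resolve_base_url(req, **kwargs) + CALLBACK_PATH


def redirect_uri_accepted(candidate, registered):
    """OAuth 2.0 providers compare redirect URIs by exact string match."""
    return candidate in registered


# Redirect URI registered at the identity provider (constructed).
REGISTERED = {"https://domain_name.com" + CALLBACK_PATH}

# Constructed: a request as the nginx block forwards it, plain HTTP to
# 127.0.0.1:8080 with Host and X-Forwarded-* set by nginx.
VIA_NGINX = Request("http", 8080, "127.0.0.1", {
    "Host": "domain_name.com",
    "X-Real-IP": "198.51.100.7",
    "X-Forwarded-For": "198.51.100.7",
    "X-Forwarded-Proto": "https",
})

# Constructed: a client that reaches port 8080 directly and forges headers.
SPOOFED = Request("http", 8080, "203.0.113.5", {
    "Host": "domain_name.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "attacker.example",
})

if __name__ == "__main__":
    for label, kwargs in (("forward headers off", {}),
                          ("forward headers on", {"use_forward_headers": True,
                                                   "trusted_proxies": {"127.0.0.1"}})):
        uri = callback_uri(VIA_NGINX, **kwargs)
        print(f"{label}: {uri} -> accepted={redirect_uri_accepted(uri, REGISTERED)}")
```

With forwarded headers ignored the model produces http://domain_name.com/login/oauth2/code/shinyproxy, which the provider rejects against the registered https URI; with them honoured from 127.0.0.1 the two match. The SPOOFED request shows the other side of that switch: whoever can reach port 8080 directly can set X-Forwarded-Host to any value, so keep the app port bound to the loopback interface or firewalled so that only nginx can talk to it.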