Setup shiny proxy as OAuth2 resource server

Dear Team,

I am trying to set up ShinyProxy as an OAuth2 resource server, but so far I have not found the correct configuration.

I was able to set up ShinyProxy to authenticate against an OpenID / OAuth2 server (in my case Keycloak) using the example in the documentation at documentation/configuration/#openid-connect-oidc

Now, in my use case, I already have a valid bearer token and I want to inject it as a bearer token in the HTTP Authorization header when I call my URL through ShinyProxy.
I am calling the following URL to open my R application through ShinyProxy: localhost:8080/app_direct/statistic-board

I tried to follow the configuration in the documentation at documentation/configuration/#authorization and the example on GitHub: openanalytics shinyproxy-config-examples 09-api-oauth2
Unfortunately, it is not working.

I think my issue comes from the setup in the application.yml, and I did not find an example of how to set up ShinyProxy as an OAuth2 resource server.

Below, my current application.yml:

proxy:
  title: Open Analytics Shiny Proxy
  landing-page: /
  heartbeat-rate: 10000
  heartbeat-timeout: 60000
  port: 8080
  authentication: none

  admin-groups: scientists

  oauth2:
    jwks-url: http://localhost:9999/auth/realms/test/protocol/openid-connect/certs
    resource-id: analytics

  # Docker configuration
  docker:
    url: http://127.0.0.1:2375
    port-range-start: 20000
  specs:
  - id: statistic-board
    display-name: Statistic Board
    description: Statistic Board
    container-cmd: ["R", "-e", "shiny::runApp('/root/shiny-server/statistic-board')"]
    container-image: swissrdl-shiny-server
    access-groups: [scientists, mathematicians]
  - id: euler
    display-name: Euler's number
    container-cmd: ["R", "-e", "shiny::runApp('/root/euler')"]
    container-image: openanalytics/shinyproxy-template
    access-groups: scientists

logging:
  file:
    shinyproxy.log

Please, do you have an example of how to set up ShinyProxy as a resource server?
I am currently using ShinyProxy 3.0.1.

Thank you for your help.
CaptainCyd

Dear Team,

Finally, I was able to find the correct configuration to set up ShinyProxy as a resource server with OAuth2.

The big difficulty I had was in the configuration to distinguish:

  • the setup of the authentication (none, simple, openid)
  • the setup of the oauth2 context to use an existing bearer token

In the documentation, the value to set as resource-id is the value of the "aud" claim set inside the bearer token.
Furthermore, if you set an access-group in the specs, you have to add the following entry in the oauth2 configuration:

roles-claim: https://shinyproxy.io/shinyproxy_roles

and return the list of access groups as roles in the bearer token.

Below, the application.yml using simple authentication for the shinyproxy frontend and the possibility to call the app with the bearer token in the authorization header:

I hope this example can help.
CaptainCyd
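
The two checks described in the post above (the "aud" claim must carry the resource-id, and the roles-claim must list one of the spec's access-groups), as an added diagnostic example that is not part of the original thread or of ShinyProxy. The helper names and sample tokens are constructed here, group comparison is assumed to be an exact string match, and the script only inspects claims: it does not verify the signature, which is checked separately against the jwks-url.

```python
import base64
import json

ROLES_CLAIM = "https://shinyproxy.io/shinyproxy_roles"  # roles-claim value from the post


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, resource_id, access_groups, roles_claim=ROLES_CLAIM):
    """List the reasons the token would not match the oauth2 settings."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # "aud" may be a string or a list
    if resource_id not in aud:
        problems.append(f"aud {aud!r} does not contain resource-id {resource_id!r}")
    roles = claims.get(roles_claim)
    roles = [roles] if isinstance(roles, str) else roles
    if roles is None:
        problems.append(f"claim {roles_claim!r} is missing")
    elif not set(roles) & set(access_groups):  # exact match: assumption of this example
        problems.append(f"roles {roles!r} match none of access-groups {access_groups!r}")
    return problems


def make_sample(claims: dict) -> str:
    """Build a constructed sample token with a dummy signature segment."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.c2ln"


# Constructed sample tokens: one matching the settings in the thread, one not.
GOOD = make_sample({"aud": ["analytics", "account"], ROLES_CLAIM: ["scientists"]})
BAD = make_sample({"aud": "account", "realm_access": {"roles": ["scientists"]}})

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("bad", BAD)):
        print(name, check_token(tok, "analytics", ["scientists", "mathematicians"]))
```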

Another example:
the application.yml using openid authentication for the shinyproxy frontend and the possibility to call the app with the bearer token in the authorization header: