Shiny Proxy - Open ID - Multiple redirections

Thomas_Quiviger · April 2, 2019, 11:48am

Hi,

We successfully connected Shiny Proxy through OpenID to ADFS. Authentication is working correctly but as soon as we’re adding the roles-claim attribute to manage group authorisations we can’t login anymore and we’re having errors

org.springframework.security.access.AccessDeniedException: Access is denied

And finally an ERR_TOO_MANY_REDIRECTS error in the browser.
If we remove the roles-claim attribute everything goes back to normal. What could explain that I can’t use roles-claim?
Here’s my configuration :

authentication: openid
openid:
auth-url: xxxxxxxxxxxx/adfs/oauth2/authorize
token-url: xxxxxxxxxxxx/adfs/oauth2/token
jwks-url: xxxxxxxxxxxx/adfs/discovery/keys
client-id: xxxxxxxxxxxx
client-secret: xxxxxxxxxxxx
username-attribute: unique_name
roles-claim: Groups
scopes: [allatclaims]
logout-url: https://xxxxxxxxxxxx/adfs/oauth2/logout?returnTo=http%3A%2F%2Fwww.9-yyyyyyy

fmichielssen · April 26, 2019, 11:54am

Hi @Thomas_Quiviger,

Can you confirm that the id token returned by ADFS contains a Groups claim, and that its value is an array?

Thomas_Quiviger · May 9, 2019, 7:27am

Hi @fmichielssen,

Yes we made sure that the token contains a Groups claim with an array. We tested also without an array and we’re having the same behaviour.