ShinyProxy auth0 too many redirects

Hi

I am currently migrating from Keycloak to Auth0 for identity management and authorisation.
I have set the following in my application.yml
openid:
  auth-url: h {cantputthelikebecuasenewuser}/authorize
  token-url: {cantputthelikebecuasenewuser}/oauth/token
  jwks-url: {cantputthelikebecuasenewuser}/.well-known/jwks.json
  client-id: SuPeRsEcReT
  client-secret: sUpErSeCrEt
  username-attribute: name
  roles-claim: {cantputthelikebecuasenewuser}/shinyproxy_roles

And when I start SP and navigate to localhost:8080 I get redirected to Auth0 as I should.

I enter user and pass and then I get the Auth0 spinner for a long time. In my SP logs I have:
2019-03-21 15:58:38.134 ERROR 20444 --- [ XNIO-2 task-17] io.undertow.request : UT005023: Exception handling request to /login/oauth2/code/shinyproxy

java.lang.StackOverflowError: null
at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_171]

Followed by the kind of garbage one might expect for indefinite redirects!

I have /login/oauth2/code/shinyproxy as the only entry in my allowed redirects.

Using SP 2.0.4 and CP 0.5.0

Edd

Hi @Eddwo,

Can you please take a look at this? ShinyProxy with Auth0 Authentication & Nginx config - infinite redirect loop

Thanks for the reply.

Well… I did already have that setting “server.userForwardHeaders:true” although I am not using nginx in my development set up. I tried taking the setting out and it also doesn’t work.

I have some more information:
This only seems to happen if a user is not authorised. For example, if I create an account but do not verify my email. I guess Auth0 doesn’t show the error itself, but redirects the user back to the home application (SP in this case) and allows that application to handle the authentication error.

Is this a feature that is not implemented in SP?
Do you know of a way I can override the return url SP sends to Auth0? I could implement my own controller and views to handle this if so…

Thanks again

1 Like

If anyone has the same issue: I figured out that the problem lies with the Rule we set in Auth0 to support group-based authorization.

The rule set as stated in the documentation is the following:

function (user, context, callback) {
  context.idToken['https://shinyproxy.io/shinyproxy_roles'] = user.app_metadata.shinyproxy_roles;
  callback(null, user, context);
}

But for new users, the shinyproxy_roles metadata hasn’t been set, so it returns undefined and the rule couldn’t get to the callback. What I did is update the rule with a try/catch:

function (user, context, callback) {
  try {
    // Copy the roles stored in the user's app_metadata into the ID token claim.
    context.idToken['https://shinyproxy.io/shinyproxy_roles'] = user.app_metadata.shinyproxy_roles;
    callback(null, user, context);
  } catch (e) {
    // If the lookup throws (e.g. for a new user), continue the login without the roles claim.
    callback(null, user, context);
  }
}

Hope it helps, cheers

1 Like
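An added example (not part of the thread, and not code from the ShinyProxy or Auth0 documentation): a variant of the rule above that checks for missing metadata explicitly instead of catching every exception, so a user with no stored roles gets an explicit empty list and unrelated errors are not silently swallowed. The function names, the local harness and the sample users are assumptions made for illustration; in Auth0 the rule body would be pasted as an anonymous `function (user, context, callback)`.

```javascript
// Claim name taken from the rule shown in the thread.
const ROLES_CLAIM = 'https://shinyproxy.io/shinyproxy_roles';

// Return a clean array of role names, or [] when nothing usable is stored.
// Handles: no app_metadata, no shinyproxy_roles key, a single string
// instead of a list, and non-string or blank entries.
function normalizeRoles(appMetadata) {
  const raw = appMetadata && appMetadata.shinyproxy_roles;
  if (raw === undefined || raw === null) return [];
  const list = Array.isArray(raw) ? raw : [raw];
  return list
    .filter((r) => typeof r === 'string')
    .map((r) => r.trim())
    .filter((r) => r.length > 0);
}

// Same signature as an Auth0 rule; named only so it can be called locally.
function addShinyProxyRoles(user, context, callback) {
  context.idToken[ROLES_CLAIM] = normalizeRoles(user.app_metadata);
  callback(null, user, context);
}

// Local harness (hypothetical): run the rule once and return the claim value.
function rolesFor(user) {
  let result;
  addShinyProxyRoles(user, { idToken: {} }, (err, _user, ctx) => {
    if (err) throw err;
    result = ctx.idToken[ROLES_CLAIM];
  });
  return result;
}

// Constructed sample users covering the cases discussed in the thread.
const sampleUsers = {
  newUser: { name: 'new' },                        // no app_metadata at all
  emptyMeta: { name: 'empty', app_metadata: {} },  // metadata, but no roles
  withRoles: { name: 'sci', app_metadata: { shinyproxy_roles: ['scientists', ' admins ', 42, ''] } },
  singleRole: { name: 'one', app_metadata: { shinyproxy_roles: 'scientists' } },
};

for (const [label, user] of Object.entries(sampleUsers)) {
  console.log(label, JSON.stringify(rolesFor(user)));
}
```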