We are using social authentication (with Google accounts) in ShinyProxy. We specify the allowed users for our apps in application.yml using the “access-users” option. The user identifier that gets returned after successful authentication by Google is the account Display Name, rather than the email address as I had initially expected. The same display name is also passed into the SHINYPROXY_USERNAME environment variable. So, for example, to give access to a user named John Smith we use:
```yaml
proxy:
  ...
  social:
    google:
      app-id: "XXXX"
      app-secret: "XXX"
  specs:
  - id: test-app
    ....
    access-users:
    - "John Smith"
```
My concern is that any user with an arbitrary email address could simply change their display name in their Google profile to “John Smith” and gain access. Is there a way to avoid this security problem (for example by using a user email address as the identifier instead)? I may be missing something obvious here…
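
The concern raised in this post, as an added example that is not part of the original post and is not ShinyProxy code: an allow-list keyed on the display name compared with one keyed on a verified email address. The claim names (`sub`, `name`, `email`, `email_verified`) are those of a Google OpenID Connect ID token; the function names and all sample accounts are hypothetical and constructed for illustration.

```python
# Constructed claim sets (not real accounts). "name" is the user-editable
# display name, "sub" is the stable account id, and "email_verified" says
# whether Google has verified the address.
LEGIT = {"sub": "1000000000000000001", "name": "John Smith",
         "email": "John.Smith@example.com", "email_verified": True}
IMPOSTOR = {"sub": "1000000000000000002", "name": "John Smith",
            "email": "someone.else@example.net", "email_verified": True}
UNVERIFIED = {"sub": "1000000000000000003", "name": "J. Smith",
              "email": "john.smith@example.com", "email_verified": False}


def allowed_by_display_name(claims, access_users):
    """Weak check: match on the display name, as in the access-users list."""
    return claims.get("name") in access_users


def allowed_by_verified_email(claims, access_emails):
    """Stricter check: match a verified email address, case-insensitively."""
    email = claims.get("email")
    # Reject missing addresses and anything not explicitly verified.
    if not isinstance(email, str) or claims.get("email_verified") is not True:
        return False
    allowed = {entry.strip().lower() for entry in access_emails}
    return email.strip().lower() in allowed


def audit(claim_sets, access_users, access_emails):
    """Return the 'sub' of every account that the display-name check admits
    but the verified-email check rejects."""
    return [c["sub"] for c in claim_sets
            if allowed_by_display_name(c, access_users)
            and not allowed_by_verified_email(c, access_emails)]


if __name__ == "__main__":
    users = ["John Smith"]
    emails = ["john.smith@example.com"]
    for label, claims in (("legit", LEGIT), ("impostor", IMPOSTOR),
                          ("unverified", UNVERIFIED)):
        print(label,
              "by-name:", allowed_by_display_name(claims, users),
              "by-email:", allowed_by_verified_email(claims, emails))
    print("admitted by name only:",
          audit([LEGIT, IMPOSTOR, UNVERIFIED], users, emails))
```
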