ShinyProxy social authentication can be circumvented by changing display name?

We are using social authentication (with Google accounts) in ShinyProxy. We specify the allowed users for our apps in application.yml using the “access-users” option. The user identifier that gets returned after successful authentication by Google is the account Display Name, rather than the email address as I had initially expected. The same display name is also passed into the SHINYPROXY_USERNAME environment variable. So, for example, to give access to a user named John Smith we use:

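      # Google social-auth credentials (surrounding keys omitted in the post)
      app-id: "XXXX"
      app-secret: "XXX"
  # App entry with its allowed users
  - id: test-app
    access-users:
      - "John Smith"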

My concern is that any user with an arbitrary email address could simply change their display name in their Google profile to “John Smith” and gain access. Is there a way to avoid this security problem (for example by using a user email address as the identifier instead)? I may be missing something obvious here…


Hi there,
I am using the Keycloak authentication and there is a configuration property called username-attribute that can be set to the name of the attribute that ShinyProxy will feed into the SHINYPROXY_USERNAME variable. You should check in the docs if something similar exists for Social Auth.
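
The attribute-selection point in this thread, as an added example (not ShinyProxy code and not written by either poster): an allow-list check keyed on the display name next to one keyed on the provider-verified email. The claim names (`sub`, `name`, `email`, `email_verified`) are standard OpenID Connect claims; the function names, allow-lists and sample claim sets are constructed.

```python
# Added example: which claim feeds the username decides what the allow-list means.
ALLOWED_NAMES = {"John Smith"}               # mirrors the access-users entry above
ALLOWED_EMAILS = {"john.smith@example.com"}  # constructed address


def username_from_display_name(claims):
    """Display name: chosen by the account holder, not unique, freely editable."""
    return claims.get("name")


def username_from_verified_email(claims):
    """Lower-cased email, but only when the provider marks it as verified."""
    email = claims.get("email")
    if not email or claims.get("email_verified") is not True:
        return None
    return email.strip().lower()


def is_allowed(claims, pick_username, allow_list):
    """Apply the allow-list to whichever identifier pick_username returns."""
    user = pick_username(claims)
    return user is not None and user in allow_list


# Constructed claim sets: the intended user, a different account carrying the
# same display name, and an account whose email claim is not verified.
INTENDED = {"sub": "1001", "name": "John Smith",
            "email": "John.Smith@example.com", "email_verified": True}
OTHER = {"sub": "2002", "name": "John Smith",
         "email": "someone.else@example.net", "email_verified": True}
UNVERIFIED = {"sub": "3003", "name": "J. S.",
              "email": "john.smith@example.com", "email_verified": False}


def report():
    """Return {label: (display_name_decision, verified_email_decision)}."""
    cases = (("intended", INTENDED), ("other", OTHER), ("unverified", UNVERIFIED))
    return {
        label: (is_allowed(c, username_from_display_name, ALLOWED_NAMES),
                is_allowed(c, username_from_verified_email, ALLOWED_EMAILS))
        for label, c in cases
    }


if __name__ == "__main__":
    for label, (by_name, by_email) in report().items():
        print(f"{label:10s} display-name={by_name}  verified-email={by_email}")
```

The same check can be keyed on `sub` instead of the email when the allow-list can hold the provider's opaque subject identifiers.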