ShinyProxy with Auth0 Authentication & Nginx config - infinite redirect loop


#1

Hi all,

I am trying to set up OIDC authentication for my shinyproxy instance using Auth0 & NGINX over SSL. The application works when authentication is set to none. When setting authentication to Auth0 however Spring appears to encounter an error and then go into an infinite loop.

My application.yml file is as follows :

proxy:
title: Open Analytics Shiny Proxy
logo-url: h!!p://www.openanalytics.eu/sites/www.openanalytics.eu/themes/oa/logo.png
landing-page: /
heartbeat-rate: 10000
heartbeat-timeout: 60000
port: 8080
container-wait-time: 40000
authentication: openid
openid:
auth-url: h!!ps://blabla.eu.auth0.com/authorize
token-url: h!!ps://blabla.eu.auth0.com/oauth/token
jwks-url: h!!ps://blabla.eu.auth0.com/.well-known/jwks.json
client-id: cool_id
client-secret: cool_secret

server:
useForwardHeaders: true

docker:
url: h!!p://localhost:2375
port-range-start: 20000
#internal-networking: true
specs:

  • id: red_app
    container-cmd: [“R”, “-e”, “shiny::runApp(’/srv/shinydockerimage’)”]
    container-image: blablapp

logging:
level:
org.springframework.security: debug
file:
shinyproxy.log

My Nginx conf file is the exact same as instructed on the shinyproxy website

Here is an extract from the shinyproxy log when the loop happens :

– [ XNIO-2 task-4] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider
2019-02-20 12:06:19.558 DEBUG 22867 — [ XNIO-2 task-4] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider

Before that the log indicates an error is occuring : " [authorization request _not_found]"

I have set the callback URL within the Auth0 portal accordingly to instructions and I’ve also populated the YAML file for Auth0 accordingly to instructions. I’ve also set my NGINX conf file accordingly to instructiuons.

Thanks in advance for your help.


#2

Hi @Samy,

We’ve had other reports of issues with OIDC + HTTPS. Can you please create an issue on https://github.com/openanalytics/shinyproxy/issues and add any info you have (config, logs) ?


#3

I’ve got the same problem. Cannot make it work with Auth0, however works perfectly with google auth.
Are there any updates on this issue?


#4

Hi both,

Thanks for your message - I’m somehow embarassed by this but I managed to resolve the problem by … rebooting my server. Somehow I had tried everything but this - I did however make a number of config change which I suspect took effect when I rebooted but I would not know exactly which change resolved the problem that I had.

Sorry for such an underwhelming conclusion !
By the way, thanks to Openanalytics for creating shinyproxy - what an incredible tool to make Shiny scalable and enterprise grade !


#5

Wow, nice! @Sammy, could you please share your nginx and shinyproxy config files? And mb your Auth0 config?


#6

Hi, sure, my nginx config is very simple :

----------- NGINX CONFIG ---------------
worker_processes 1;
pid /run/nginx.pid;

events {
worker_connections 1024;
# multi_accept on;
}

http {

server {
listen                80;
server_name           blabla.com
rewrite     ^(.*)     https://$server_name$1 permanent;

}

server {

listen                443;
server_name           blabla.com;
access_log            /var/log/nginx/shinyproxy.access.log;
error_log             /var/log/nginx/shinyproxy.error.log error;

ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_certificate      /path/to/cert;
ssl_certificate_key  /path/to/cert_key;
ssl_ciphers tadidadadida;


location / {

   proxy_pass          http://127.0.0.1:8080/;

   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "upgrade";
   proxy_read_timeout 600s;
   #proxy_cookie_path ~^/site/.*$ /;

   proxy_redirect    off;
   proxy_set_header  Host             $http_host;
   proxy_set_header  X-Real-IP        $remote_addr;
   proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
   proxy_set_header  X-Forwarded-Proto $scheme;
 }

}
}


and my shinyproxy config :

proxy:
title: blablibla Analytics Hub
template-path: ./templates/2col
logo-url: http://www.openanalytics.eu/sites/www.openanalytics.eu/themes/oa/logo.png
landing-page: /
heartbeat-rate: 10000
heartbeat-timeout: 60000
port: 8080
usage-stats-url: http://localhost:8086/write?db=shinyproxy_usagestats
authentication: openid
openid:
auth-url: https://blablibladatatools.eu.auth0.com/authorize
token-url: https://blablibladatatools.eu.auth0.com/oauth/token
jwks-url: https://blablibladatatools.eu.auth0.com/.well-known/jwks.json
client-id: cool_id
client-secret: cool_secret
roles-claim: https://shinyproxy.io/shinyproxy_roles
logout-url: https://blablibladatatools.eu.auth0.com/v2/logout?returnTo=https%3A%2F%2Fwww.google.com

docker:
cert-path: /home/none
url: http://localhost:2375
port-range-start: 20000

specs:

  • id: blablibla_app
    display-name: cool_name
    description: cool_desc
    container-cmd: [“R”, “-e”, “shiny::runApp(’/srv/shinydockerimage’)”]
    container-image: blablibla_shinyapp
    access-groups: [users,employees]

logging:
file:
shinyproxy.log

server:
useForwardHeaders: true


Not sure what you mean by Auth0 config ?

Cheers

Samy


#8

Still getting “ERR_TOO_MANY_REDIRECTS” error


#9

Adding my Shinyproxy.log file, mb it has some clues to what is happening

2019-03-09 01:19:35.450 DEBUG 2598 --- [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/css/**'

2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/img/
2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against '/js/

2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/assets/
2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against '/webjars/

2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.security.web.FilterChainProxy : / at position 1 of 12 in additional filter chain; firing Filter: ‘WebAsyncManagerIntegrationFilter’
2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.security.web.FilterChainProxy : / at position 2 of 12 in additional filter chain; firing Filter: ‘SecurityContextPersistenceFilter’
2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.security.web.FilterChainProxy : / at position 3 of 12 in additional filter chain; firing Filter: ‘HeaderWriterFilter’
2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.security.web.FilterChainProxy : / at position 4 of 12 in additional filter chain; firing Filter: ‘LogoutFilter’
2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/logout’
2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.security.web.FilterChainProxy : / at position 5 of 12 in additional filter chain; firing Filter: ‘UsernamePasswordAuthenticationFilter’
2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher : Request ‘GET /’ doesn’t match 'POST /login
2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.security.web.FilterChainProxy : / at position 6 of 12 in additional filter chain; firing Filter: ‘BasicAuthenticationFilter’
2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.security.web.FilterChainProxy : / at position 7 of 12 in additional filter chain; firing Filter: ‘RequestCacheAwareFilter’
2019-03-09 01:19:35.657 DEBUG 2598 — [XNIO-2 task-28] o.s.security.web.FilterChainProxy : / at position 8 of 12 in additional filter chain; firing Filter: ‘SecurityContextHolderAwareRequestFilter’
2019-03-09 01:19:35.658 DEBUG 2598 — [XNIO-2 task-28] o.s.security.web.FilterChainProxy : / at position 9 of 12 in additional filter chain; firing Filter: ‘AnonymousAuthenticationFilter’
2019-03-09 01:19:35.658 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: ‘org.springframework.security.authentication.AnonymousAuthenticationToken@7d47336b: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 91.206.14.10; SessionId: null; Granted Authorities: ROLE_ANONYMOUS’
2019-03-09 01:19:35.658 DEBUG 2598 — [XNIO-2 task-28] o.s.security.web.FilterChainProxy : / at position 10 of 12 in additional filter chain; firing Filter: ‘SessionManagementFilter’
2019-03-09 01:19:35.658 DEBUG 2598 — [XNIO-2 task-28] o.s.security.web.FilterChainProxy : / at position 11 of 12 in additional filter chain; firing Filter: ‘ExceptionTranslationFilter’
2019-03-09 01:19:35.658 DEBUG 2598 — [XNIO-2 task-28] o.s.security.web.FilterChainProxy : / at position 12 of 12 in additional filter chain; firing Filter: ‘FilterSecurityInterceptor’
2019-03-09 01:19:35.658 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/app/ProductDashboard’
2019-03-09 01:19:35.658 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/app/ShopAudience’
2019-03-09 01:19:35.658 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/app/PurchaseAdsROI’
2019-03-09 01:19:35.658 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/admin’
2019-03-09 01:19:35.658 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/login’
2019-03-09 01:19:35.658 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/signin/**’
2019-03-09 01:19:35.658 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /; Attributes: [fullyAuthenticated]
2019-03-09 01:19:35.658 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@7d47336b: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 91.206.14.10; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2019-03-09 01:19:35.659 DEBUG 2598 — [XNIO-2 task-28] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@7ecba25a, returned: -1
2019-03-09 01:19:35.661 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.0.3.RELEASE.jar!/:5.0.3.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) ~[spring-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) ~[spring-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) ~[spring-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109) ~[spring-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) ~[spring-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200) ~[spring-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.4.RELEASE.jar!/:5.0.4.RELEASE]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.server.handlers.PathHandler.handleRequest(PathHandler.java:94) ~[undertow-core-1.4.22.Final.jar!/:1.4.22.Final]
at eu.openanalytics.containerproxy.ContainerProxyApplication$ProtectedPathHandler.handleRequest(ContainerProxyApplication.java:111) ~[containerproxy-0.4.0.jar!/:0.4.0]
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) ~[undertow-servlet-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:336) ~[undertow-core-1.4.22.Final.jar!/:1.4.22.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) ~[undertow-core-1.4.22.Final.jar!/:1.4.22.Final]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]

2019-03-09 01:19:35.661 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=Ant [pattern=’//favicon.ico’]]
2019-03-09 01:19:35.661 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against '/
/favicon.ico’
2019-03-09 01:19:35.661 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.NegatedRequestMatcher : matches = true
2019-03-09 01:19:35.661 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@51f03a40, matchingMediaTypes=[application/json], useEquals=false, ignoredMediaTypes=[/]]]
2019-03-09 01:19:35.661 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.m.MediaTypeRequestMatcher : httpRequestMediaTypes=[]
2019-03-09 01:19:35.661 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.m.MediaTypeRequestMatcher : Did not match any media types
2019-03-09 01:19:35.661 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.NegatedRequestMatcher : matches = true
2019-03-09 01:19:35.661 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using NegatedRequestMatcher [requestMatcher=RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]]
2019-03-09 01:19:35.661 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.u.matcher.NegatedRequestMatcher : matches = true
2019-03-09 01:19:35.661 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.util.matcher.AndRequestMatcher : All requestMatchers returned true
2019-03-09 01:19:35.662 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.s.HttpSessionRequestCache : DefaultSavedRequest added to Session: DefaultSavedRequest[https://letylytics.com/]
2019-03-09 01:19:35.662 DEBUG 2598 — [XNIO-2 task-28] o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
2019-03-09 01:19:35.662 DEBUG 2598 — [XNIO-2 task-28] o.s.s.web.DefaultRedirectStrategy : Redirecting to ‘https://letylytics.com/login
2019-03-09 01:19:35.662 DEBUG 2598 — [XNIO-2 task-28] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2019-03-09 01:19:35.663 DEBUG 2598 — [XNIO-2 task-28] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2019-03-09 01:19:35.799 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/login’; against ‘/css/
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/login’; against '/img/

2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/login’; against ‘/js/
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/login’; against '/assets/

2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/login’; against ‘/webjars/
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.security.web.FilterChainProxy : /login at position 1 of 12 in additional filter chain; firing Filter: ‘WebAsyncManagerIntegrationFilter’
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.security.web.FilterChainProxy : /login at position 2 of 12 in additional filter chain; firing Filter: ‘SecurityContextPersistenceFilter’
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.security.web.FilterChainProxy : /login at position 3 of 12 in additional filter chain; firing Filter: ‘HeaderWriterFilter’
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.security.web.FilterChainProxy : /login at position 4 of 12 in additional filter chain; firing Filter: ‘LogoutFilter’
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/login’; against ‘/logout’
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.security.web.FilterChainProxy : /login at position 5 of 12 in additional filter chain; firing Filter: ‘UsernamePasswordAuthenticationFilter’
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.u.matcher.AntPathRequestMatcher : Request ‘GET /login’ doesn’t match 'POST /login
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.security.web.FilterChainProxy : /login at position 6 of 12 in additional filter chain; firing Filter: ‘BasicAuthenticationFilter’
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.security.web.FilterChainProxy : /login at position 7 of 12 in additional filter chain; firing Filter: ‘RequestCacheAwareFilter’
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.security.web.FilterChainProxy : /login at position 8 of 12 in additional filter chain; firing Filter: ‘SecurityContextHolderAwareRequestFilter’
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.security.web.FilterChainProxy : /login at position 9 of 12 in additional filter chain; firing Filter: ‘AnonymousAuthenticationFilter’
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: ‘org.springframework.security.authentication.AnonymousAuthenticationToken@7d47336b: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 91.206.14.10; SessionId: null; Granted Authorities: ROLE_ANONYMOUS’
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.security.web.FilterChainProxy : /login at position 10 of 12 in additional filter chain; firing Filter: ‘SessionManagementFilter’
2019-03-09 01:19:35.800 DEBUG 2598 — [XNIO-2 task-29] o.s.security.web.FilterChainProxy : /login at position 11 of 12 in additional filter chain; firing Filter: ‘ExceptionTranslationFilter’
2019-03-09 01:19:35.801 DEBUG 2598 — [XNIO-2 task-29] o.s.security.web.FilterChainProxy : /login at position 12 of 12 in additional filter chain; firing Filter: ‘FilterSecurityInterceptor’
2019-03-09 01:19:35.801 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/login’; against ‘/app/ProductDashboard’
2019-03-09 01:19:35.801 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/login’; against ‘/app/ShopAudience’
2019-03-09 01:19:35.801 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/login’; against ‘/app/PurchaseAdsROI’
2019-03-09 01:19:35.801 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/login’; against ‘/admin’
2019-03-09 01:19:35.801 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/login’; against ‘/login’
2019-03-09 01:19:35.801 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /login; Attributes: [permitAll]
2019-03-09 01:19:35.801 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@7d47336b: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 91.206.14.10; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2019-03-09 01:19:35.801 DEBUG 2598 — [XNIO-2 task-29] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@7ecba25a, returned: 1
2019-03-09 01:19:35.801 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2019-03-09 01:19:35.801 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2019-03-09 01:19:35.801 DEBUG 2598 — [XNIO-2 task-29] o.s.security.web.FilterChainProxy : /login reached end of additional filter chain; proceeding with original chain
2019-03-09 01:19:35.804 DEBUG 2598 — [XNIO-2 task-29] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2019-03-09 01:19:35.804 DEBUG 2598 — [XNIO-2 task-29] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2019-03-09 01:19:35.804 DEBUG 2598 — [XNIO-2 task-29] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2019-03-09 04:54:52.955 DEBUG 2598 — [XNIO-2 task-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against '/css/

2019-03-09 04:54:52.955 DEBUG 2598 — [XNIO-2 task-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/img/
2019-03-09 04:54:52.955 DEBUG 2598 — [XNIO-2 task-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against '/js/

2019-03-09 04:54:52.955 DEBUG 2598 — [XNIO-2 task-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/assets/
2019-03-09 04:54:52.955 DEBUG 2598 — [XNIO-2 task-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against '/webjars/

2019-03-09 04:54:52.956 DEBUG 2598 — [XNIO-2 task-3] o.s.security.web.FilterChainProxy : / at position 1 of 12 in additional filter chain; firing Filter: ‘WebAsyncManagerIntegrationFilter’
2019-03-09 04:54:52.956 DEBUG 2598 — [XNIO-2 task-3] o.s.security.web.FilterChainProxy : / at position 2 of 12 in additional filter chain; firing Filter: ‘SecurityContextPersistenceFilter’
2019-03-09 04:54:52.956 DEBUG 2598 — [XNIO-2 task-3] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2019-03-09 04:54:52.956 DEBUG 2598 — [XNIO-2 task-3] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2019-03-09 04:54:52.956 DEBUG 2598 — [XNIO-2 task-3] o.s.security.web.FilterChainProxy : / at position 3 of 12 in additional filter chain; firing Filter: ‘HeaderWriterFilter’
2019-03-09 04:54:52.956 DEBUG 2598 — [XNIO-2 task-3] o.s.security.web.FilterChainProxy : / at position 4 of 12 in additional filter chain; firing Filter: ‘LogoutFilter’
2019-03-09 04:54:52.956 DEBUG 2598 — [XNIO-2 task-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : ‘/’; against ‘/logout’
2019-03-09 04:54:52.956 DEBUG 2598 — [XNIO-2 task-3] o.s.security.web.FilterChainProxy : / at position 5 of 12 in additional filter chain; firing Filter: ‘UsernamePasswordAuthenticationFilter’
2019-03-09 04:54:52.956 DEBUG 2598 — [XNIO-2 task-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request ‘GET /’ doesn’t match 'POST /login
2019-03-09 04:54:52.956 DEBUG 2598 — [XNIO-2 task-3] o.s.security.web.FilterChainProxy : / at position 6 of 12 in additional filter chain; firing Filter: ‘BasicAuthenticationFilter’
2019-03-09 04:54:52.956 DEBUG 2598 — [XNIO-2 task-3]
o.s.security.web.FilterChainProxy : / at position 8 of 12 in additional filter chain; firing Filter: ‘SecurityContextHolderAwareRequestFilter’
2019-03-09 04:54:52.956 DEBUG 2598 — [XNIO-2 task-3] o.s.security.web.FilterChainProxy : / at position 9 of 12 in additional filter chain; firing Filter: ‘AnonymousAuthenticationFilter’
2019-03-09 04:54:52.956 DEBUG 2598 — [XNIO-2 task-3] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: ‘org.springframework.security.authentication.AnonymousAuthenticationToken@7d50ff07: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 94.102.49.193; SessionId: null; Granted Authorities: ROLE_ANONYMOUS’


#10

Hi All!

I got the same problem. Please find my logs below:


HTTP/1.1 302 Found
Redirect to_ ht_ps_//www.mydomain.com/login(ht_ps_//l.facebook.com/l.php?u=ht_ps%3A%2F%2Fwww.mydomain.com%2Flogin%3Ffbclid%3DIwAR3qcJIXrwDfhgNMuY9AJFQO1AspO5sxXCnVjrXcmzFoy7z4J500nWvIjR4&h=AT0kf1H92ZS2tjq8Q4Cp9lol3nijmOYM2x3wSSyPHDy5gV-oCbvJAshXZnVe6ANxWeiBsbGXHwGpeY9qF1Q857tIXYJcBZ3N6YoC7zfymmHtnvYYgqTbj2851HEywubLIbRMqQ)
Server_ nginx/1.14.0 (Ubuntu)
Date_ Sun, 17 Mar 2019 13_22_08 GMT
Content-Length_ 0
Connection_ keep-alive
Expires_ 0
Cache-Control_ no-cache, no-store, max-age=0, must-revalidate
X-XSS-Protection_ 1; mode=block
Pragma_ no-cache
Location_ ht_ps_//www.mydomain.com/login(ht_ps_//l.facebook.com/l.php?u=ht_ps%3A%2F%2Fwww.mydomain.com%2Flogin%3Ffbclid%3DIwAR2sB1Zc-yyjhE9cWh0BieqzCTq0lSRzPDjoQPXAOLj8j-LDDElvnjbo8Ac&h=AT0kf1H92ZS2tjq8Q4Cp9lol3nijmOYM2x3wSSyPHDy5gV-oCbvJAshXZnVe6ANxWeiBsbGXHwGpeY9qF1Q857tIXYJcBZ3N6YoC7zfymmHtnvYYgqTbj2851HEywubLIbRMqQ)
X-Content-Type-Options_ nosniff
Strict-Transport-Security_ max-age=31536000 ; includeSubDomains


#11

+1. This seems to be a common problem… hope to hear from Openanalytics guys.


#12

Hi @Anatoliy_Vuets, @ddovgan,

Can you confirm that you are using https, and have configured this?

server:
  useForwardHeaders: true  

Can you also capture the URL for the OIDC provider that shinyproxy is redirecting to from the login page? It should be a URL containing a state and a redirect_uri parameter.


ShinyProxy auth0 too many redirects