user_info url not triggered after OpenID auth flow completed

Hi Everyone,

We are trying to integrate ShinyProxy with OpenID. We have managed to authenticate and obtain an ID token, but we are facing issues with sending a correct userinfo request and are not receiving the necessary claims.

We followed the documentation and used the following configuration, but the flow is not working as expected:

proxy:
...
    authentication: openid
    openid:
        auth-url: https://domain/auth/realms/xxxx/protocol/openid-connect/auth
        token-url: https://domain/auth/realms/xxxx/protocol/openid-connect/token
        jwks-url: https://domain/auth/realms/xxxx/protocol/openid-connect/token
        userinfo-url: https://domain/auth/realms/xxxx/protocol/openid-connect/userinfo
        jwks-signature-algorithm: "PS256"
        client-id: "xxxx"
        client-secret: "xxxxx"
        username-attribute: sub
        scopes:
            - profiles
            - email
            - offline_access
        openid-scopes: 
            - profile
            - email
            - offline_access
        role-claim: email
        groups-claim: profiles
...
    # Example container app
    container-log-path: /opt/shinyproxy/container-logs
    - id: MAPAS
    display-name: APP MAPAS
    description: APP MAPAS
    container-image: image-....
    container-env:
        SUB: "#{oidcUser.attributes['sub']}"
        ID_TOKEN: "#{oidcUser.idToken.tokenValue}"   
        EMAIL: "#{oidcUser.attributes['email']}"
        PROFILE: "#{oidcUser.attributes['profile']}"
        PROFILES: "#{oidcUser.attributes['profiles']}"

The authentication flow seems to work fine. We enter the credentials and receive the ID token, but the userinfo request is not triggered as expected. We are not getting the required claims that are not in the ID token.

As a result, we see the landing page after login without errors, but when we try to access the app, we encounter the following error:

eu.openanalytics.containerproxy.ProxyFailedToStartException: Container failed to start
	at eu.openanalytics.containerproxy.service.ProxyService.prepareProxyForStart(ProxyService.java:458) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.service.ProxyService.startOrResumeProxy(ProxyService.java:466) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.service.ProxyService.lambda$startProxy$5(ProxyService.java:293) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.service.ProxyService.lambda$action$12(ProxyService.java:638) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) ~[na:na]
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135) ~[na:na]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[na:na]
	at java.base/java.lang.Thread.run(Thread.java:831) ~[na:na]
Caused by: eu.openanalytics.containerproxy.spec.expression.SpelException: Error while resolving expression: "#{oidcUser.accessTokenAsJwt.claims}", error: EL1021E: A problem occurred whilst attempting to access the property 'accessTokenAsJwt': 'Unable to access property 'accessTokenAsJwt' through getter method'
	at eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver.evaluate(SpecExpressionResolver.java:111) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver.evaluateToString(SpecExpressionResolver.java:119) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.spec.expression.SpelField$StringMap.lambda$resolve$0(SpelField.java:328) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at java.base/java.util.LinkedHashMap.forEach(LinkedHashMap.java:723) ~[na:na]
	at eu.openanalytics.containerproxy.spec.expression.SpelField$StringMap.resolve(SpelField.java:328) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.model.spec.ContainerSpec.finalResolve(ContainerSpec.java:142) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.model.spec.ProxySpec.lambda$finalResolve$3(ProxySpec.java:157) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[na:na]
	at java.base/java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:720) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:550) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260) ~[na:na]
	at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616) ~[na:na]
	at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622) ~[na:na]
	at java.base/java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627) ~[na:na]
	at eu.openanalytics.containerproxy.model.spec.ProxySpec.finalResolve(ProxySpec.java:158) ~[containerproxy-1.1.1.jar!/:1.1.1]
	at eu.openanalytics.containerproxy.service.ProxyService.prepareProxyForStart(ProxyService.java:451) ~[containerproxy-1.1.1.jar!/:1.1.1]
	... 8 common frames omitted

We would appreciate it if you could tell us what might be missing or incorrect in our configuration.

Hi, I just tested the userinfo-url with Keycloak again and for me it’s working.

It also seems that the error you posted is unrelated to the configuration you have, since it’s referring to accessTokenAsJwt and this is not in your configuration. I assume it was just a test, but to be clear: if you want to access the attributes sent in the user-info endpoint, you shouldn’t use accessTokenAsJwt.

My Keycloak mapper looks like this:

In order to debug the issue, you could add an env variable with all attributes available:

      container-env:
        test: "#{oidcUser.attributes}"

In addition, you could also enable debug logging, see: Troubleshooting | ShinyProxy

Hope this helps with solving the issue.
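
An added example, not part of either post and not ShinyProxy code: an offline check that shows, for each attribute key used in the `container-env` expressions above, whether it would come from the ID token, from the userinfo response, or from neither. It also applies the OpenID Connect Core rule that a userinfo response whose `sub` differs from the ID token's `sub` must not be used. The function names, the token and the userinfo body are constructed for illustration.

```python
import base64
import json


def _b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token):
    """Decode a JWT payload for inspection only; no signature check is done."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claim_sources(id_token, userinfo, wanted):
    """Map each wanted attribute to 'id_token', 'userinfo' or 'missing'.

    userinfo is the parsed JSON body of the userinfo response, or None
    when the endpoint was never called.
    """
    id_claims = jwt_claims(id_token)
    if userinfo is not None and userinfo.get("sub") != id_claims.get("sub"):
        # OIDC Core 5.3.2: a mismatching response must not be used.
        raise ValueError("userinfo 'sub' does not match ID token 'sub'")
    report = {}
    for key in wanted:
        if key in id_claims:
            report[key] = "id_token"
        elif userinfo is not None and key in userinfo:
            report[key] = "userinfo"
        else:
            report[key] = "missing"
    return report


# Constructed sample data (not taken from the thread).
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "PS256", "typ": "JWT"}),
    _b64url({"iss": "https://idp.example/realms/demo", "sub": "user-123"}),
    "constructed-signature",
])
SAMPLE_USERINFO = {"sub": "user-123", "email": "a@example.org",
                   "profiles": ["mapas-users"]}
# Keys referenced by the oidcUser.attributes[...] expressions in the question.
WANTED = ["sub", "email", "profile", "profiles"]

if __name__ == "__main__":
    print(claim_sources(SAMPLE_ID_TOKEN, SAMPLE_USERINFO, WANTED))
    print(claim_sources(SAMPLE_ID_TOKEN, None, WANTED))
```

Comparing the two printed reports against the `test: "#{oidcUser.attributes}"` dump suggested above tells you whether the userinfo response was merged into the attributes or only the ID token claims are present.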