Authenticate against Azure AD (Microsoft Graph API) does return authorization_code instead of access_token in variable SHINYPROXY_OIDC_ACCESS_TOKEN

[FrankCRoth]

The current implementation of OpenIDAuthentication does not return the correct access token in the container variable SHINYPROXY_OIDC_ACCESS_TOKEN. Instead it does return authorization_code and hence does not provide a valid JWT to use further.

[LEDfan]

Hi

The SHINYPROXY_OIDC_ACCESS_TOKEN contains the access token as defined by the OpenID (Connect) protocol. It is used for authenticating an user (and can be passed around to do so), but typically, this token does not contain all information over an user. The id token on the other hand, does typically contain this information. From OIDC perspective there is no obligation to use the JWT format for access tokens, i.e. Azure can perfectly return an opaque string. The ID token should be formatted as an JWT.

You can read more on the differences of these two tokens here:

• https://developer.okta.com/docs/guides/validate-id-tokens/overview/#verify-the-claims
• https://www.c-sharpcorner.com/article/accesstoken-vs-id-token-vs-refresh-token-what-whywhen/

That's also the reason your PR is working, instead of providing the access token you now provide the id token. I understand that this solves your use case, but the code isn't correct in the sense that you are passing the ID token to a variable named access token.

There is also some good news :) You can configure ShinyProxy to pass the ID token to applications, using:

  - id: 01_hello
    display-name: Hello Application
    description: Application which demonstrates the basics of a Shiny app
    container-image: shinyproxy-flask
    port: 80
    container-env:
      ID_TOKEN: "#{@userService.getCurrentAuth().getPrincipal().idToken.tokenValue}"

IMO this is a bit an ugly hack and therefore we will provide a better way to do this in the next ShinyProxy version. Of course we will provide some examples in our documentation at that point.

[FrankCRoth]

Hi Tobia,

thank for the explanation and provided links. The solution provided with the ID token does work perfectly.
According to Microsoft Documentation access token should actually be in JWT format.

I do have a different issue with trying to get token for additional scope that might still produce a patch. I will keep you posted. Just wondering if you already came across such a use case.

[LEDfan]

Hi, as discussed above, it is possible to send the ID token to the container. Since 2.5.0 there is also a better way to achieve this: https://shinyproxy.io/documentation/spel/#openid-connect

There I'm going to close this issue, however, if you have any other question, don't hesitate to open a new issue!