Hello! I'd like to report an issue related to OpenID Connect (OIDC) and the roles-claim: ShinyProxy does not support parsing a roles claim from OIDC userinfo.
I am configuring a new ShinyProxy installation, using OpenID Connect. The IdP is running Shibboleth. (Shibboleth has been known for a long time as a SAML IdP; since version 3.x, Shibboleth has supported OIDC as an IdP.) ShinyProxy is configured with Auth/Token/Userinfo/JWKS URLs, and PKCE is enabled.
In my case, the roles information is contained in an OIDC claim named eduPersonEntitlement, and to get this claim, I need to request the scope eduperson_entitlement. I have confirmed that ShinyProxy is properly requesting this scope from the IdP (I can see it when I look at the HTTP requests using Firefox dev tools). I have talked to the Shibboleth admins, and they confirmed I am making the request properly, and that the eduPersonEntitlement claim is being provided.
I turned on auth debugging, so I could see the claims that were being examined, but I still did not see my eduPersonEntitlement claim. I also noticed that some other claims were not being provided. I started to wonder if the userinfo endpoint was not being checked.
Eventually, I found createAuthoritiesMapper in eu.openanalytics.containerproxy.auth.OpenIDAuthenticationBackend:
containerproxy/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java, lines 209 to 240 in 2c71c88
I see the code is looking at the ID Token (on line 218), but it doesn't look like the userinfo is being checked. So, I think that is the problem: When looking for the roles, only the ID Token is being checked, not the userinfo.
Although I was able to find (what I think is) the issue, I do not have the Java skills necessary to patch, build, or test.
Please let me know if you have any questions, or if I put this report in the wrong place. Thanks very much!
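The mapping the report asks for, written out as a Spring Security GrantedAuthoritiesMapper that reads the roles claim from the ID token and, when the claim is not there, from the userinfo response. This is an added example for illustration; it is not ShinyProxy's createAuthoritiesMapper and not a proposed patch to it. It assumes the claim name is taken from the roles-claim setting the report mentions, that Spring's OidcUserAuthority carries the userinfo response (its getUserInfo() is null when no userinfo endpoint was queried), and the ROLE_ prefix plus uppercasing is this example's own convention.

```java
// Added example, not ShinyProxy's code: a GrantedAuthoritiesMapper that looks for the
// configured roles claim in the ID token first and falls back to the userinfo claims.
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;

public class IdTokenOrUserInfoAuthoritiesMapper implements GrantedAuthoritiesMapper {

    // Claim name, e.g. "eduPersonEntitlement"; assumed to come from the roles-claim setting.
    private final String rolesClaimName;

    public IdTokenOrUserInfoAuthoritiesMapper(String rolesClaimName) {
        this.rolesClaimName = rolesClaimName;
    }

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> mapped = new LinkedHashSet<>();
        for (GrantedAuthority authority : authorities) {
            if (!(authority instanceof OidcUserAuthority)) {
                continue;
            }
            OidcUserAuthority oidc = (OidcUserAuthority) authority;
            OidcIdToken idToken = oidc.getIdToken();
            OidcUserInfo userInfo = oidc.getUserInfo(); // null if userinfo was not retrieved

            // 1. Prefer the signed ID token, as the existing mapper does.
            Object claimValue = idToken.getClaims().get(rolesClaimName);

            // 2. Fall back to userinfo. OIDC Core 5.3.2 requires the client to check that
            //    the userinfo 'sub' matches the ID token 'sub' before trusting its claims.
            if (claimValue == null && userInfo != null
                    && Objects.equals(userInfo.getSubject(), idToken.getSubject())) {
                claimValue = userInfo.getClaims().get(rolesClaimName);
            }

            for (String role : toRoleNames(claimValue)) {
                mapped.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()));
            }
        }
        return mapped;
    }

    // The claim may be a single string or a JSON array of strings; other shapes yield no roles.
    static List<String> toRoleNames(Object claimValue) {
        List<String> names = new ArrayList<>();
        if (claimValue instanceof String) {
            names.add((String) claimValue);
        } else if (claimValue instanceof Collection) {
            for (Object item : (Collection<?>) claimValue) {
                if (item instanceof String) {
                    names.add((String) item);
                }
            }
        }
        return names;
    }
}
```

Two things to check before concluding that a mapper like this is the whole fix. First, the fallback only helps if getUserInfo() is non-null: in the Spring Security versions I know, the default OidcUserService calls the userinfo endpoint only when a user-info-uri is configured and, by default, the access token carries one of the standard profile scopes, so a deployment that requests only a custom scope such as eduperson_entitlement may never fetch userinfo at all. Second, the subject comparison is what stops a mismatched or substituted userinfo response from granting roles; keep it even if it looks redundant in a single-IdP setup.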