Redirected to auth-success "Test" page after login #435

Closed
tlebars opened this issue Jul 26, 2023 · 6 comments


tlebars commented Jul 26, 2023

Hello,

I have just installed the latest version of ShinyProxy (3.0.2) via the .deb package, on Ubuntu 20.04 and since then, whenever I authenticate (using OpenID or LDAP configurations (tried both)), I am consistently redirected to a blank page named /auth-success that contains the message Test.

To access the homepage, I have to remove /auth-success from the URL and refresh the page. Afterwards, everything works correctly.

Here's my configuration file:

proxy:
  title: Title
  logo-url: file:///logo.png
  favicon-path: /path/to/favico.png
  landing-page: /
  authentication: openid
  admin-groups: admin-group
  openid:
    auth-url: https://domain/auth
    token-url: https://domain/token
    jwks-url: https://domain/certs
    userinfo-url: https://domain/userinfo
    client-id: shinyproxy
    client-secret: secret
    roles-claim: groups
    logout-url: logout-url
    username-attribute: preferred_username
  stop-proxies-on-shutdown: false
  recover-running-proxies: true
  recover-running-proxies-from-different-config: true
  support:
    mail-to-address: my@email
    mail-from-address: from@email
  specs:
  - id: app
    display-name: app
    description: cool app
    container-cmd: ["R", "-e", "shiny::runApp('/app/app.R')"]
    container-image: app:latest
    access-groups: [users]

spring:
  session:
    store-type: redis
  redis:
    host: localhost
    password: password
    database: 1
  mail:
    host: smtp.url
    port: 25
    properties:
      # For StartTLS
      mail.smtp.starttls.enable: true

server:
  secure-cookies: true
  frame-options: sameorigin

logging:
  file:
    name: /var/log/shinyproxy.log

Could I have forgotten to configure something?

Thanks !

Member

LEDfan commented Jul 26, 2023

Hi, thanks for reporting this.
The browser should redirect you to the main page after landing on the /auth-success page. Which browser + version are you using? Can you check whether you see any errors in the console of the browser? (press F12 and click on console, and try to refresh the /auth-success page).

Author

tlebars commented Jul 26, 2023

Hello,

I tried using: Brave (1.56.11) and Firefox (115.0.2) browsers.

Here is the error when refreshing auth-success page, on Firefox:

Uncaught DOMException: The operation is insecure.
    <anonymous> https://mydomain/auth-success:32

and Brave:

Uncaught DOMException: Failed to execute 'pushState' on 'History': A history state object with URL 'http://mydomain/' cannot be created in a document with origin 'https://mydomain' and URL 'https://mydomain/auth-success'.

Here is my apache2 reverse proxy configuration too (I removed all irrelevant parameters):

<VirtualHost *:80>
        ServerName        mydomain
        RedirectMatch     temp ^(?!/.well-known/)(.*)  https:/mydomain$1
</VirtualHost>
<VirtualHost *:443>
        ServerName         mydomain

        SSLEngine               on
        SSLCertificateFile      /etc/apache2/certs/mydomain/cert.pem
        SSLCertificateChainFile /etc/apache2/certs/mydomain/chain.pem
        SSLCertificateKeyFile   /etc/apache2/certs/mydomain/privkey.pem

        ProxyPreserveHost                    On

        RewriteEngine on
        RewriteCond %{HTTP:Connection} Upgrade [NC]
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteRule ^/?(.*) "ws://myIP:8080/$1" [P,L]

        <Location />
                ProxyPass                    http://myIP:8080/
                ProxyPassReverse             http://myIP:8080/
        </Location>
</VirtualHost>

For information:

  • I haven't changed anything in my configuration compared to version 3.0.1, where the issue did not occur.
  • I tried to add: forward-headers-strategy: native but still the same.

Thanks for your help

Member

LEDfan commented Jul 27, 2023

Hi, the auth-success page is new in this release and is used to fix an issue where users accidentally may go back to the page of the IDP. The issue here is that Apache does not automatically add the X-Forwarded-Proto header and therefore ShinyProxy is generating URLs using HTTP instead of HTTPS. You can fix this by adding the following line to your VirtualHost:

RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

(note that this requires the headers module to be enabled)

Next you'll have to add the following configuration to ShinyProxy (on the root level of the configuration file, not nested under proxy):

server:
  forward-headers-strategy: native

I updated the documentation to include this fix.

Author

tlebars commented Jul 27, 2023

Hello,

Thank you very much for the explanations. I made the changes and everything works fine now !

tlebars closed this as completed Jul 27, 2023
@fang19911030

Hi, I still have the same issue. Here is my configuration for shinyproxy and apache2. Could you take a look? I am using shinyproxy 3.0.2. Thank you.

server:
  forward-header-strategy: native
proxy:
  title: Open Analytics Shiny Proxy
  logo-url: https://www.openanalytics.eu/shinyproxy/logo.png
  landing-page: /
  heartbeat-rate: 10000
  heartbeat-timeout: 60000
  port: 8080
  authentication: simple
  admin-groups: scientists
  # Example: 'simple' authentication configuration
  users:
    - name: jack
      password: password
      groups: scientists
    - name: jeff
      password: password
      groups: mathematicians
  docker:
    url: http://localhost:2375
    port-range-start: 20000
  specs:
    - id: 01_hello
      display-name: Hello Application
      description: Application which demonstrates the basics of a Shiny app
      container-cmd: [ "R", "-e", "shinyproxy::run_01_hello()" ]
      container-image: openanalytics/shinyproxy-demo
      access-groups: [ scientists, mathematicians ]
    - id: 06_tabsets
      container-cmd: [ "R", "-e", "shinyproxy::run_06_tabsets()" ]
      container-image: openanalytics/shinyproxy-demo
      access-groups: scientists

logging:
  file:
    name: shinyproxy.log

<VirtualHost *:80>
	ServerName mydomain
	ServerAlias www.xxx
	
	ServerAdmin xxx
	ErrorLog /var/log/apache2/xxxx_error.log
	CustomLog /var/log/apache2/xxx_access.log combined
	RewriteEngine On
	RewriteCond %{SERVER_NAME} =xxx.com [OR]
	RewriteCond %{SERVER_NAME} =www.xxx.com
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]	
</VirtualHost>

<VirtualHost *:443>
	DocumentRoot "/srv/shinyproxy"
	ServerName xxx.com
	ServerAlias www.xxx.com

	ProxyRequests Off
	ProxyPreserveHost On
	ProxyPass / http://127.0.0.1:8080/
	ProxyPassReverse / http://127.0.0.1:8080

	RewriteEngine On
	RewriteCond %{HTTP:Upgrade} =websocket
	RewriteRule /(.*) ws://127.0.0.1:8080/$1 [P,L]

	SSLEngine On
	SSLCertificateFile /etc/letsencrypt/live/xxx.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/xxx.com/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>

Member

LEDfan commented Aug 24, 2023

Hi @fang19911030

It seems you made a typo here:

server:
  forward-header-strategy: native

The correct code should have headers instead of header:

server:
  forward-headers-strategy: native
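
An added example, not part of the thread and not ShinyProxy code: a small linter for the two fixes discussed above. It flags a misspelled or misplaced `server.forward-headers-strategy` key in the ShinyProxy YAML and a TLS VirtualHost that proxies without setting `X-Forwarded-Proto`. The function names and sample strings are constructed for illustration, and the YAML reader assumes simple block-style mappings only.

```python
import difflib
import re

EXPECTED_KEY = "server.forward-headers-strategy"  # root-level key from the thread

def yaml_key_paths(text):
    """Map dotted key paths to values for a simple block-style YAML mapping."""
    paths, stack = {}, []  # stack holds (indent, key) for each open parent
    for line in text.splitlines():
        m = re.match(r"^(\s*)([\w.-]+):\s*(.*)$", line)
        if not m:
            continue  # comments, list items and blank lines
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        paths[".".join(k for _, k in stack)] = value
    return paths

def check_shinyproxy(yaml_text):
    """Return findings if forwarded headers are not enabled at the root level."""
    paths = yaml_key_paths(yaml_text)
    if paths.get(EXPECTED_KEY) == "native":
        return []
    leaf = EXPECTED_KEY.rsplit(".", 1)[-1]
    near = [p for p in paths if p != EXPECTED_KEY and
            difflib.SequenceMatcher(None, p.rsplit(".", 1)[-1], leaf).ratio() > 0.85]
    return ([f"'{p}' looks like a misspelled or misplaced '{EXPECTED_KEY}'" for p in near]
            or [f"'{EXPECTED_KEY}: native' is not set"])

def check_apache(conf_text):
    """Return findings for :443 vhosts that proxy without X-Forwarded-Proto."""
    findings = []
    vhosts = re.finditer(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", conf_text, re.S | re.I)
    for addr, body in (m.groups() for m in vhosts):
        proxies = re.search(r"^\s*ProxyPass\s", body, re.M | re.I)
        sets_proto = re.search(r'^\s*RequestHeader\s+set\s+"?X-Forwarded-Proto"?\s',
                               body, re.M | re.I)
        if ":443" in addr and proxies and not sets_proto:
            findings.append(f"<VirtualHost {addr}> proxies without setting X-Forwarded-Proto")
    return findings

# Constructed samples modelled on the configurations posted in the thread.
TYPO_YAML = "server:\n  forward-header-strategy: native\nproxy:\n  port: 8080\n"
FIXED_YAML = "server:\n  forward-headers-strategy: native\nproxy:\n  port: 8080\n"
VHOST = "<VirtualHost *:443>\n  ProxyPass / http://127.0.0.1:8080/\n%s</VirtualHost>\n"
FIX_LINE = '  RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}\n'

if __name__ == "__main__":
    print(check_shinyproxy(TYPO_YAML), check_shinyproxy(FIXED_YAML))
    print(check_apache(VHOST % ""), check_apache(VHOST % FIX_LINE))
```

`RequestHeader set` replaces any `X-Forwarded-Proto` value sent by the client, which matters once ShinyProxy is configured to trust that header.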
