Issues refreshing the .httr-oauth on the server

[matiasdecarli]

Hello! I'm trying the library using this example

library(shiny)
library(googleAuthR)
library(googleID)
options(googleAuthR.scopes.selected = c("https://www.googleapis.com/auth/userinfo.email",
                                        "https://www.googleapis.com/auth/userinfo.profile"))
options("googleAuthR.webapp.client_id" = "my_client_id")		
options("googleAuthR.webapp.client_secret" = "my_client_secret")

ui <- shinyUI(fluidPage(
  googleAuthUI("example1"),
  p("Logged in as: ", textOutput("user_name"))  
))

server <- shinyServer(function(input, output, session) {
  access_token <- callModule(googleAuth, "example1")
  
  ## to use in a shiny app:
  user_details <- reactive({
    validate(
      need(access_token(), "Authenticate")
    )
    with_shiny(get_user_info, shiny_access_token = access_token())
  })
  
  output$user_name <- renderText({
    validate(
      need(user_details(), "getting user details")
    )
    user_details()$displayName
  })  
})

shinyApp(ui = ui, server = server)

and even when it works locally, I can't make it work on a server. I'm using Docker to deploy the app on a remote server and after I authorize the app in google, I get a error message saying

Error: An error has occurred. Check your logs or contact the app author for clarification.

On the log files I see

Request Status Code: 401
Warning: Error in checkGoogleAPIError: JSON fetch error: Invalid Credentials
Stack trace (innermost first):
    102: checkGoogleAPIError
    101: doHttrRequest
    100: g
     99: f
     98: with_shiny
     97: <reactive:user_details> [/srv/shiny-server/app.R#27]
     86: user_details
     85: inherits
     84: isTruthy
     83: need
     82: lapply
     81: sapply
     80: validate
     79: renderText [/srv/shiny-server/app.R#32]
     78: func
     77: origRenderFunc
     76: output$user_name
      1: runApp

I suspect this is an error when trying to fetch/use .httr-oauth. I have force the file creation locally by manually doing googleAuthR::gar_auth() but that doesn't work on the server.

Is there any common flow to generate this file on the server by the user (I've tryed coping the file but doesn't work either)

Any help would be much appreciated!

Thanks

[MarkEdmondson1234]

You need to set the URL of where the app will run for your own Google Project, the details are a bit sparse here but some more are on the googleAuthR Readme https://github.com/MarkEdmondson1234/googleAuthR#for-shiny-use

The default Google Project just uses my example URLs in my own Google Project, so you will need to setup your own Google Project with the correct g+ scopes enabled if you want to run it on your own domain names. Its also setup to use 127.0.0.1 which will work locally for most people

[matiasdecarli]

You need to set the URL of where the app will run for your own Google Project, the details are a bit sparse here but some more are on the googleAuthR Readme https://github.com/MarkEdmondson1234/googleAuthR#for-shiny-use

Yes, I did that. On the panel I've set Authorized JavaScript origins && Authorized redirect URIs to redirect to my application. Also, I've set the scope to Google+ and I can see the requests comming, but apparently the only way to make it work if I use this googleAuthR::gar_auth() to generate the .httr-oauth first

[MarkEdmondson1234]

Generating the .httr-oauth will only work for your own account, so other users will see your details - its not used for Shiny apps that need multi-user auth.

Have you turned on the G+ APIs for your project? You will also need to set the options

    options("googleAuthR.webapp.client_id" = "YOUR_CLIENT_ID")
    options("googleAuthR.webapp.client_secret" = "YOUR_CLIENT_SECRET")

...at the top of your shiny server.R

[matiasdecarli]

Yes, I've set

options("googleAuthR.webapp.client_id" = "YOUR_CLIENT_ID")
options("googleAuthR.webapp.client_secret" = "YOUR_CLIENT_SECRET")

You are correct regarding the multi user auth. What would be the best approach for that scenario?

[MarkEdmondson1234]

Avoid uploading any .httr-oauth file as that will take precedence. The Shiny auth takes care of generating a reactive Shiny version.

Do you get through past the Google auth screen? The issue usually appears when there is a typo in the URL or something - it needs to be https if there and end with the trailing slash.

[MarkEdmondson1234]

Ah and in Docker, you need to make sure that the Shiny Server has the right port exposed for return - are you on port 80 for that? Otherwise you may need to add the port number of where your Shiny installation is to your app URL return.

[matiasdecarli]

Avoid uploading any .httr-oauth file as that will take precedence. The Shiny auth takes care of generating a reactive Shiny version.

👍

Ah and in Docker, you need to make sure that the Shiny Server has the right port exposed for return - are you on port 80 for that? Otherwise you may need to add the port number of where your Shiny installation is.

I have a proxy in front of the docker container that makes the tls termination. This way every request with the desired URL, gets forwarded to the shiny app. Could this be a problem?

When trying on my staging environment (under a docker container, and behind a proxy), the address actually is https (and is set as https on the Authorized JavaScript origins and Authorized redirect URIs)

So, this is the flow:
User clicks on the login button -> gets redirected to Google -> Give consent -> User is sent back to the app with the message Error: An error has occurred. Check your logs or contact the app author for clarification.

When the error message is sent, the URL is https://<app>/?state=<state>&code=<code>

I also should say that running locally without .httr-oauth still works

[MarkEdmondson1234]

I'm just deploying a version to Docker to test it, will see whats up.

It sounds like its finding its ok though, if you get back to your app. The code is the token used to exchange for API requests. The only thing after that that can scupper it is the scopes or the API not being activated. Hmm. Will investigate in my Docker test.

In the meantime, you can avoid the URL version by using the JavaScript authentication version that you've already set up your Google Project for (may be good to test also that that works)

That is as outlined in the RMarkdown document: https://mark.shinyapps.io/googleAuthRMarkdown/

[matiasdecarli]

Thanks a lot! I can show you the configuration that I'm using in the haproxy in front of the docker container.

Basically its

global
   daemon
   maxconn 10000
   tune.ssl.default-dh-param 2048

defaults
   mode http
   timeout connect 5000
   timeout client 50000
   timeout server 50000

frontend http-in
   bind *:80
   redirect scheme https if !{ ssl_fc }

frontend https-in
   bind *:443 ssl crt /certs/cert.pem 
   http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload

   acl host_shiny-app hdr(host) -i www.<address of the shiny app>.com

   http-request set-header Upgrade-Insecure-Requests 1
   http-request set-header Pragma no-cache

   reqadd X-Forwarded-Proto:\ https

   use_backend shiny-app if host_shiny-app

backend shiny-app
  redirect scheme https code 301 if !{ ssl_fc }
  server s1 <container_name>:3838 check inter 2000 rise 2 fall 3

Will try the JavaScript authentication version

Thanks again!

[matiasdecarli]

Ok, so I've tested the RMarkup version and its working like a charm inside the container

Thanks a lot @MarkEdmondson1234

[MarkEdmondson1234]

@matiasdecarli great, I'll still test the Docker version just to see if there is more that can be done