The documentation on Group-based authorization claims that:
The value of the group claim should ideally be a JSON array, although ShinyProxy is more flexible on the format.
However, when the IdP actually send over an ID Token that includes only a string instead of an array, ShinyProxy parsed the roles claim as an empty array (see logging below):
memberOf -> QS1-InnoTrans-ShinyProxy-Admin
2026-07-07T13:16:31.788Z DEBUG 1 --- [ XNIO-1 task-4] e.o.c.a.i.OpenIDAuthenticationBackend : Matching claim found in user info: memberOf -> QS1-InnoTrans-ShinyProxy-Admin (class java.lang.String)
2026-07-07T13:16:31.788Z DEBUG 1 --- [ XNIO-1 task-4] e.o.c.a.i.OpenIDAuthenticationBackend : Parsed roles claim as JSON: memberOf -> [] (class java.util.ArrayList)
As a result, it doesn't actually recognize the role/group value. For example, the admin-groups doesn't work, and trying to query in an app's pod with echo $SHINYPROXY_USERGROUPS returns nothing.
Here is my config, in case it's relevant:
admin-groups: QS1-InnoTrans-ShinyProxy-Admin
authentication: openid
openid:
auth-url: 'https://fedauthtst.pg.com/as/authorization.oauth2'
token-url: 'https://fedauthtst.pg.com/as/token.oauth2'
jwks-url: 'https://fedauthtst.pg.com/pf/JWKS'
userinfo-url: 'https://fedauthtst.pg.com/idp/userinfo.openid' # optional
client-id: 'ShinyProxy DMT (TEST)'
client-authentication-method: none
with-pkce: true
username-attribute: sub
roles-claim: memberOf
The documentation on Group-based authorization claims that:
However, when the IdP actually send over an ID Token that includes only a string instead of an array, ShinyProxy parsed the roles claim as an empty array (see logging below):
As a result, it doesn't actually recognize the role/group value. For example, the
admin-groupsdoesn't work, and trying to query in an app's pod withecho $SHINYPROXY_USERGROUPSreturns nothing.Here is my config, in case it's relevant: