Hi @marybeth.hunter ,
I’ll try to provide as much as possible. This is a reprex app in Shiny using auth0 R package to manage authentication.
library(shiny)
library(bslib)
library(ggplot2)
library(auth0)
data(penguins, package = "palmerpenguins")
ui <- page_sidebar(
title = "Penguins dashboard",
logoutButton(label = "Logout", id = "logout"),
sidebar = sidebar(
title = "Histogram controls",
varSelectInput(
"var", "Select variable",
dplyr::select_if(penguins, is.numeric)
),
numericInput("bins", "Number of bins", 30)
),
card(
card_header("Histogram"),
plotOutput("p")
)
)
server <- function(input, output, session) {
output$p <- renderPlot({
ggplot(penguins) +
geom_histogram(aes(!!input$var), bins = input$bins) +
theme_bw(base_size = 20)
})
observeEvent(input$logout, {
logout()
})
}
# shinyApp(ui, server)
auth0::shinyAppAuth0(ui, server, config_file = "_auth0.yml")
This can be run from RStudio (Run app as run external). The code above should be in a file named app.R. To work with auth0 package we use a yml file named _auth0.yml located in the same folder as app.R, with the following content:
name: app_name
remote_url: 'https://remote_server.com'
auth0_config:
api_url: !expr paste0('https://', env$AUTH0_USER, '.auth0.com')
credentials:
key: !expr env$AUTH0_KEY
secret: !expr env$AUTH0_SECRET
For the app to work I’ve created and configured an Auth0 application on my auth0.com account with the corresponding callback URLs, allowed logout URLs, and allowed web origins to locahost:3838 (to work with the app locally), and remote_server.com (when the app is deployed).
Now, about the issue, when I refresh the app in the browser there are two scenarios I’ve tested:
- URL with code: http://localhost:3838/?code=ffOmIXFJ2iGIlURnGzLGinqKzbDgQoyh5Xtlr3gMhgLfO&state=MdQUSLanHc
When I refresh the app in this scenario I get this error and the app stops.
Error in httr::oauth2.0_access_token: Forbidden (HTTP 403). Failed to get an access token.
57: <Anonymous>
56: stop
55: stop_for_status
54: httr::oauth2.0_access_token
53: auth0_server_verify
40: server
3: runApp
2: print.shiny.appobj
1: <Anonymous>
Error in httr::oauth2.0_access_token(api, app(redirect_uri), params$code) :
Forbidden (HTTP 403). Failed to get an access token.
From the Auth0 dashboard, monitor console I get this message:
2025-01-17T13:53:34.946Z
Failed Exchange
Invalid authorization code
{
"date": "2025-01-17T13:53:34.946Z",
"type": "feacft",
"description": "Invalid authorization code",
"connection_id": "",
- URL without the above code: http://localhost:3838
Using javscript I’ve been able to remove that code and now when the app is refreshed it doesn’t crash, but I takes the user back to login page even right after being logged in.
There is some information I can get from the auth0 package about the credentials: the access token, id_token, scope (comes back with ‘openid profile’), expires_in (comes back with ‘86400’) and token_type (comes back with ‘Bearer’).
Complementing my reprex app, I’m going to leave this github repo link with instructions on how to integrated the auth0 package into a shiny app. GitHub - curso-r/auth0: Authentication in shinyapps using Auth0 service
I hope this is enough info for you to debug and provide some light around why it doesn’t keep the authentication on when refreshing the app. I’ve used this package in another project in the past and this wasn’t happening. All I can think of is changes happened on the Auth0 side.
Regards,
Christian.