Package: shinyOAuth 0.5.0.9000

shinyOAuth: Provider-Agnostic OAuth Authentication for 'shiny' Applications

Provides a simple, configurable, provider-agnostic 'OAuth 2.0' and 'OpenID Connect' (OIDC) authentication framework for 'shiny' applications using 'S7' classes. Defines providers, clients, and tokens, as well as various supporting functions and a 'shiny' module. Features include cross-site request forgery (CSRF) protection, state encryption, 'Proof Key for Code Exchange' (PKCE) handling, validation of OIDC identity tokens (nonces, signatures, claims), automatic user info retrieval, asynchronous flows, and hooks for audit logging.

Authors: Luka Koning [aut, cre, cph]


# Install 'shinyOAuth' in R:
install.packages('shinyOAuth', repos = c('https://lukakoning.r-universe.dev', 'https://cloud.r-project.org'))

Bug tracker: https://github.com/lukakoning/shinyoauth/issues

Pkgdown/docs site: https://lukakoning.github.io


7.59 score | 28 stars | 22 scripts | 530 downloads | 34 exports | 40 dependencies

Last updated from: 1930716b44. Checks: 7 NOTE, 2 OK. Indexed: yes.

Target | Result | Time
linux-devel-x86_64 | NOTE | 314
source / vignettes | OK | 214
linux-release-x86_64 | NOTE | 311
macos-release-arm64 | NOTE | 249
macos-oldrel-arm64 | NOTE | 225
windows-devel | NOTE | 282
windows-release | NOTE | 201
windows-oldrel | NOTE | 249
wasm-release | OK | 120

Exports: client_bearer_req, custom_cache, error_on_softened, get_userinfo, handle_callback, introspect_token, is_ok_host, oauth_client, oauth_client_mtls_registration, oauth_client_secret_apple, oauth_form_post_ui, oauth_module_server, oauth_provider, oauth_provider_apple, oauth_provider_auth0, oauth_provider_github, oauth_provider_google, oauth_provider_keycloak, oauth_provider_microsoft, oauth_provider_oidc, oauth_provider_oidc_discover, oauth_provider_okta, oauth_provider_slack, oauth_provider_spotify, OAuthClient, OAuthProvider, OAuthToken, perform_client_bearer_req, perform_resource_req, prepare_call, refresh_token, resource_req, revoke_token, use_shinyOAuth

Dependencies: askpass, base64enc, bslib, cachem, cli, commonmark, curl, digest, fastmap, fontawesome, fs, glue, htmltools, httpuv, httr2, jose, jquerylib, jsonlite, later, lifecycle, magrittr, memoise, mime, openssl, otel, promises, R6, rappdirs, Rcpp, rlang, S7, sass, shiny, sourcetools, sys, triebeard, urltools, vctrs, withr, xtable

Advanced security configuration
Overview | Start with discovery when possible | Mutual TLS (mTLS) | JWT-secured authorization request (JAR) | Pushed authorization requests (PAR) | Form Post response mode | JWT-secured authorization response mode (JARM) | Demonstrating proof-of-possession (DPoP)

Last update: 2026-05-31
Started: 2026-05-28

Audit logging and hooks
Overview | Receiving audit events | Event structure | HTTP context sanitization | Excluding HTTP context entirely | Audit events from async workers (mirai daemons) | Digest fields and keying | Event catalog | Authorization redirect issuance | Event: audit_redirect_issued | Callback query rejected | Event: audit_callback_query_rejected | Callback issuer validation | Event: audit_callback_iss_missing | Event: audit_callback_iss_mismatch | Event: audit_callback_iss_validation_failed | Callback received | Event: audit_callback_received | Callback validation | Event: audit_callback_validation_success | Event: audit_callback_validation_failed | State store access | Event: audit_state_store_lookup_failed | Event: audit_state_store_removal_failed | Token exchange | Event: audit_token_exchange | Event: audit_token_exchange_error | Token introspection | Event: audit_token_introspection | Login result | Event: audit_login_success | Event: audit_login_failed | Logout and session clears | Event: audit_logout | Event: audit_session_cleared | Token revocation | Event: audit_token_revocation | Refresh failures while keeping the session (indefinite sessions) | Event: audit_refresh_failed_but_kept_session | Browser cookie/WebCrypto error | Event: audit_browser_cookie_error | Invalid browser token | Event: audit_invalid_browser_token | Token refresh | Event: audit_token_refresh | Userinfo fetch | Event: audit_userinfo | State parsing failures | Event: audit_state_parse_failure | Error response state consumption | Event: audit_error_state_consumed | Event: audit_error_state_consumption_failed | Module/session lifecycle | Event: audit_session_started | Event: audit_session_ended | Event: audit_session_ended_revoke | Authentication state changes | Event: audit_authenticated_changed | Error events | Event: error | Event: http_error | Event: transport_error

Last update: 2026-05-31
Started: 2025-10-27

Usage
Overview | Minimal Shiny module example | Manual login button variant | Making authenticated API calls | Async mode to keep UI responsive | 'mirai' async backend (recommended) | 'future' async backend | Logout | Using response_mode = "form_post" | Deploying on Posit Connect Cloud (avoiding embedded deployment) | Global options | Observability/logging | Networking/security | Extra parameter overrides | Async timeout (mirai) | Async condition replay | Token lifetime fallback | HTTP settings (timeout, retries, user agent) | State store | Size caps | State envelope | Callback query | Development/debugging | Browser cookie & preventing XSS | Multi‑process deployments: share state store, key, and policy | Security checklist

Last update: 2026-05-29
Started: 2025-10-27

Authentication flow
Overview | What happens during the authentication flow? | 1. First page load: set a browser token | 2. Decide whether to start login | 3. Build the authorization URL (prepare_call()) | 4. App redirects to the provider | 5. User authenticates and authorizes | 6. Provider redirects user back to the app | What changes with response_mode = "form_post"? | 7. Callback processing & state verification (oauth_module_server()) | 8. Exchange authorization code for tokens | What changes when mTLS is enabled (RFC 8705) | What changes when DPoP is enabled (RFC 9449) | 9. Validate ID token (OIDC only) | 10. Fetch userinfo (optional) | 11. Build the OAuthToken object | 12. Token introspection (optional) | 13. Mark session as authenticated | 14. Clean URL & tidy UI; clear browser token | 15. Post-flow session management | Refresh behavior (refresh_token()) | 16. Logout and token revocation

Last update: 2026-05-28
Started: 2025-10-27

OpenTelemetry
Overview | Logs | Traces | Span catalog | Span: shinyOAuth.module.init | Span: shinyOAuth.login.request | Span: shinyOAuth.login.par | Span: shinyOAuth.login.par.http | Span: shinyOAuth.callback | Span: shinyOAuth.form_post | Span: shinyOAuth.form_post.bridge | Span: shinyOAuth.callback.validate | Span: shinyOAuth.callback.worker | Span: shinyOAuth.token.exchange | Span: shinyOAuth.token.exchange.http | Span: shinyOAuth.token.verify | Span: shinyOAuth.userinfo | Span: shinyOAuth.userinfo.http | Span: shinyOAuth.refresh | Span: shinyOAuth.refresh.worker | Span: shinyOAuth.logout | Span: shinyOAuth.session.end.revoke | Span: shinyOAuth.token.revoke | Span: shinyOAuth.token.revoke.http | Span: shinyOAuth.token.revoke.worker | Span: shinyOAuth.token.introspect | Span: shinyOAuth.token.introspect.http | Span: shinyOAuth.token.introspect.worker

Last update: 2026-05-27
Started: 2026-04-25

Example: Spotify login to display listening data
Overview | Code

Last update: 2026-05-14
Started: 2025-10-27

Readme and manuals

Help Manual

Help page | Topics
Alias for 'resource_req()' | client_bearer_req
Create a custom cache backend (cachem-like) | custom_cache
Get user info from OAuth 2.0 provider | get_userinfo
Handle OAuth 2.0 callback: verify state, swap code for token, verify token | handle_callback
Introspect an OAuth 2.0 token | introspect_token
Check if URL(s) are HTTPS and/or in allowed hosts lists | is_ok_host
Create generic OAuthClient | oauth_client
Build RFC 8705 mTLS registration metadata | oauth_client_mtls_registration
Create an Apple client secret JWT | oauth_client_secret_apple
Wrap a Shiny UI to enable OAuth 2.0/OIDC form_post callbacks | oauth_form_post_ui
OAuth 2.0 & OIDC authentication module for Shiny applications | oauth_module_server
Create generic OAuthProvider | oauth_provider
Create an Apple OAuthProvider | oauth_provider_apple
Create an Auth0 OAuthProvider (via OIDC discovery) | oauth_provider_auth0
Create a GitHub OAuthProvider | oauth_provider_github
Create a Google OAuthProvider | oauth_provider_google
Create a Keycloak OAuthProvider (via OIDC discovery) | oauth_provider_keycloak
Create a Microsoft (Entra ID) OAuthProvider | oauth_provider_microsoft
Create a generic OpenID Connect (OIDC) OAuthProvider | oauth_provider_oidc
Discover and create an OpenID Connect (OIDC) OAuthProvider | oauth_provider_oidc_discover
Create an Okta OAuthProvider (via OIDC discovery) | oauth_provider_okta
Create a Slack OAuthProvider (via OIDC discovery) | oauth_provider_slack
Create a Spotify OAuthProvider | oauth_provider_spotify
OAuthClient S7 class | OAuthClient
OAuthProvider S7 class | OAuthProvider
OAuthToken S7 class | OAuthToken
Alias for 'perform_resource_req()' | perform_client_bearer_req
Build and perform an authenticated httr2 request for a protected resource | perform_resource_req
Prepare a OAuth 2.0 authorization call and build an authorization URL | prepare_call
Refresh an OAuth 2.0 token | refresh_token
Build an authenticated httr2 request for a protected resource | resource_req
Revoke an OAuth 2.0 token | revoke_token
Add JavaScript dependency to the UI of a Shiny app | use_shinyOAuth