Need to Implement SSL Certificate Authentication on shinyapps.io

shiny shinyapps.io
#1

Hi all,

I have built a shiny application that acts as a dashboard for showing us redirects users from a REDCap survey to a shiny application I am hosting on shinyapps.io. In order for the application to work it needs access to an API from which the data can be accessed. The institution will not provide us with a token for API access until we can show that there is SSL certificate authentication. I have read several post about this, but I am still not understanding if it is possible for me to have my application that is hosted on shinyapps.io implement SSL authentication.

Any guidance would be appreciated!

#2

Can you clarify a bit more about what you mean by "SSL authentication?" Usually SSL is used for https traffic (and shinyapps.io does have HTTPS traffic by default).

SSL is used to encrypt traffic / communication over the web. As such, there are two pieces to keep in mind:

# this is provided by shinyapps.io by default
SSL from browser -> shinyapps.io

# this is provided by the API itself and the R code you use to access it
SSL from shinyapps.io -> backend API

However, if you can clarify a bit more what you mean, we may be able to help more in handling the request!

1 Like
#4

Awesome, thanks for clarifying there!

I suspect the second item makes sense to you (given your response)? That is talking about your application logging data access, who has visited, what they saw, etc. You probably want to do this somewhere external to the app itself (i.e. via another API request, writing to a database, etc.) since shinyapps.io logs do not have great persistence.

As for the first item, it seems a bit strange to me that this request is being made, since this is something the browser usually takes care of for you as a part of the browser session management. My understanding of how SSL/TLS works is that the certificate is verified as a part of the startup process, and then a session token is created / encrypted using that certificate so that future communications can be had without re-verifying the certificate (although all future communication is encrypted using the session token, so communication is still secure).

It would be good to understand the attack vector that is in mind here, as the existence of a valid certificate is usually sufficient to trust that TLS is encrypting properly (although sometimes there is a desire to enforce a certain level of TLS encryption or version). Each new browser session / connection verifies the certificate and creates a session token, which is then used for the duration of the session.

This is articulated more clearly here, I think:

#3

Hi Cole,

Thanks so much for the speedy response! Sorry if the question is not clear, I feel quite out of my depths with the SSL Certificates and cyber-security aspects of what I am working on. I have copied the two questions that I was asked in regard to my application below:

  1. The SSL certificate of the REDCap application is validated on every request from the service.
  2. Individual access to data is logged. REDCap identifies and logs access using the API token to determine identity. If the service does not use different API tokens for different user access, the service must separately log individual access.

I think what I am asking is if there is a way I can ensure that the SSL certificate from my shinyapps.io webpage is being validated whenever someone opens the application? Does this make more sense?