RStudio Connect Trusted Authentication

We would like to deploy Shiny apps to our RStudio Connect server to make them available to our organization members. We would deploy a single app, embed it as an iframe, and use query string parameters to identify users' data access (as in https://shiny.rstudio.com/articles/client-data.html).

We currently do something very similar for Tableau using their model for Trusted Authentication (https://onlinehelp.tableau.com/current/server/en-us/trusted_auth.htm). This model prevents members from "URL spoofing" (manually changing the query string to access unauthorized data) because (referenced) steps 1-4 don't occur.

Is there an equivalent model for RStudio Connect / Shiny Server that

  • makes shiny apps embeddable
  • disables "URL spoofing"?

Both RStudio Connect and Shiny Server Pro populate user / group information in the Shiny session object.

http://docs.rstudio.com/connect/user/shiny.html#user-meta-data
http://docs.rstudio.com/shiny-server/#authentication-overview

You can use the session$user object to obtain the username of the incoming client.

shinyServer(function(input, output, session) {
  output$username <- reactive({
    session$user
  })
})

Would this let you perform the necessary access checks?

Remember that users will never reach your Shiny application if they are not given access in the RStudio Connect dashboard or Shiny Server Pro configuration. People frequently use session$user when they want to present different UI or functionality to different users from the same Shiny application.

What authentication method would we need to use to do this with an embedded shiny app? The user would not be sent to a Connect login screen. Proxied authentication? Or would it not matter?

Can the webserver embedding the Shiny app "set" the username based on its own authentication methods?

@harrismcgehee you should use proxied auth if you are providing your own authentication mechanism. After a user authenticates, your proxy should pass headers with the username to RStudio Connect. @aron pointed out that Shiny Server or RStudio Connect will need to recognize the username in order to grant access. But the session variable only needs to be set in Shiny if the app experience is different for each user.

I'd recommend that you set up a call with our solutions engineering team to get a more detailed recommendation for your organization. If you're interested, please contact sales@rstudio.com and our team will be happy to discuss solutions with you.

Nathan

The session$user is set by RStudio Connect and Shiny Server Pro and made available in your Shiny application regardless of the authentication method or access controls for the application.

Some examples might help this make more sense.

Let's first assume your Connect-hosted Shiny application permits access to anyone - without requiring login. You could use session$user to determine whether or not you want to show corporate branding (your logged in users are part of your company and get no branding; anonymous users are external and get branding).

Next, let's assume your Connect-hosted Shiny application permits access only to two people (configured in the RStudio Connect dashboard): Harris and Aron. When session$user == "harris", you show additional UI because you manage that app. When session$user == "aron", I get a very basic UI.

If an anonymous (not logged in) user attempts to access a Shiny application that requires authentication, they will see that they do not have access and are prompted for login.
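The following sketch is an added example, not code from any participant in this thread or from RStudio. It shows how the "URL spoofing" concern from the original question can be handled with session$user: the data a user may see is decided from the server-set username, and the query string is only treated as a preference that is checked against that allow list. The data frame, the region_access map, the "region" parameter and the helper names are assumptions made for illustration.

```r
library(shiny)

# Constructed sample data and access map (hypothetical, for illustration only).
sales <- data.frame(
  region = c("east", "east", "west", "west"),
  amount = c(120, 80, 200, 50)
)
region_access <- list(harris = c("east", "west"), aron = "west")

# Regions the authenticated user may see; anonymous or unknown users get none.
allowed_regions <- function(user) {
  if (is.null(user) || !nzchar(user)) return(character(0))
  regions <- region_access[[user]]
  if (is.null(regions)) character(0) else regions
}

# The query string only expresses a preference. It is honoured only when the
# requested region is inside the allow list derived from the username.
resolve_region <- function(user, query_string) {
  allowed <- allowed_regions(user)
  if (length(allowed) == 0) return(NULL)
  requested <- parseQueryString(query_string)[["region"]]
  if (!is.null(requested) && requested %in% allowed) {
    requested
  } else {
    allowed[[1]]
  }
}

ui <- fluidPage(textOutput("who"), tableOutput("rows"))

server <- function(input, output, session) {
  # session$user is set by the hosting server, not by the browser.
  region <- reactive(resolve_region(session$user, session$clientData$url_search))
  output$who <- renderText({
    if (is.null(region())) {
      "No data access for this account."
    } else {
      paste0("User ", session$user, ", region ", region())
    }
  })
  output$rows <- renderTable({
    req(region())
    sales[sales$region == region(), ]
  })
}

shinyApp(ui, server)
```

When run locally outside RStudio Connect or Shiny Server Pro, session$user is NULL, so the app shows the "no data access" message regardless of what is placed in the query string.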
