When it comes to securing your application, the first thing that comes to mind is protecting access with proper authentication. This means only allowing people that you create accounts for to access your platform. RStudio Connect authentication makes this process relatively easy with options for either internal or external authentication providers.
The second thing is to allow those with access, only the required permissions to perform their duties. You can do that by applying the rule of least privilege implemented as authorization. For example, if the user only needs to view the app, it serves no purpose to give them edit or delete rights. But how do you properly implement that? Authentication and authorization are big vector attacks. There are many examples where misconfiguration led to privilege escalations, unauthorized access, data breaches, and so on.
In this article, I will explain how both authentication and authorization work and show what options are available with RStudio Connect Authorization. If you’re ready to level up your security, continue reading.
- Why authentication and authorization are important
- RStudio Connect authentication
- RStudio Connect authorization
- Security and reliability
Why authentication and authorization are important
Authentication and authorization are so important that you’re likely better off delegating these tasks to specialists. Ask yourself, are you willing to risk these vital entry points by implementing them yourself? Nowadays, there are many platforms that provide authentication and authorization capabilities. So instead of managing users, groups, and their access by yourself, you can use a provider to handle this and integrate your applications with the platform. If you choose to delegate here, and we recommend that you do, there are plenty of high-quality 3rd party providers to choose from like Google, Microsoft (Azure), Okta, OneLogin, Auth0, PingIdentity, and more.
Organize data science teams and overcome the challenges of remote work with RStudio Connect
So now that you have your preferred provider, defined your users and groups, and their permissions, what comes next? You’ll need to integrate your application to be able to communicate with the Identity Provider. This will allow a secure exchange of the necessary information to let people into your app and give them assigned permissions. But how do you implement that in your shiny app? Choosing to do this yourself will be a very complicated process requiring constant updates and maintenance, and there is no need for you to do so. You can leverage RStudio Connect platform features to integrate it with most of the popular identity providers.
RStudio Connect authentication
There are numerous 3rd party providers and products that can be integrated with RStudio Connect. RStudio Connect only supports a single provider at a time. So select a 3rd party provider carefully depending on your preference and project needs. RStudio Connect also has native, built-in password authentication that is not integrated with an external authentication service. But it should only be used for PoCs, user training, small-scale testing, and groups isolated from a centralized IT system. RStudio recommends integrating your organization’s preferred identity provider for most cases. What you will gain from using an identity provider instead of built-in authentication?
As an administrator you will be able to:
- manage users from a single platform
- quickly deactivate users from all systems at once
- centrally control requirements like password complexity and multi-factor authentication (MFA)
Users will not have to:
- track different sets of credentials
- change passwords within RStudio Connect
The Admin Guide for RStudio Connect authentication covers in-depth, available options and integration methods.
If default RStudio connect configurations are not overwritten for your instance, then you’ll be offered a simple password authentication provider. The password authenticator uses user accounts backed by RStudio’s Connect database (SQLite or PostgreSQL depending on your configuration). And as mentioned above, this is not integrated with an external authentication service and is the only provider that permits users to change passwords within RStudio Connect.
Users can be either created by an administrator or self-registered. Admin-created users will receive an email and be prompted to configure a password. Self-registered users will be assigned the default user role, which can be defined as either publisher or viewer.
If you’re looking to quickly start and launch a PoC, then this is an excellent option. However, this is not recommended if you’ll be using it as an authentication method on something like a production server. Instead, integrate with your organization’s existing authentication provider like G-Suite or Active Directory.
Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using a single set of credentials. It’s a trust relationship between an application as the service provider, which in our case is RStudio Connect, and an identity provider, like Google, Active Directory, etc.
So instead of using your username and password, like with built-in password authentication, you’ll use an identity provider (e.g Google) to log in, allow RStudio Connect to access your Google Account, and exchange the required information to the service provider (e.g RStudio Connect).
If you want to check out examples, there’s no better place than RStudio’s authentication docs.
RStudio Connect authorization
After authentication, you might like to know your user permissions. As we mentioned previously, this is where authorization comes into play. In RStudio Connect, authorization is divided into user roles and permissions. Roles control default capabilities on the system, while permissions control access to a specific piece of content (e.g., your Shiny application).
Remote Data Science Team Best Practices: Scrum, GitHub, Docker, and More
- Administrator – the most comprehensive access control
- Publisher – allowed to deploy content, configure settings, and access controls
- Viewer – can sign in, see all users and groups, and view permitted content
- Anonymous – automatically assigned role for non-authenticated users with no view into the RStudio Connect platform and rights to view apps that have been marked as viewable by “Anyone”
User Permissions – The functionality available to any user for any specific piece of content will depend upon their default role and the specific permissions they have been granted. Permissions modify the user’s role downward (becoming more restrictive) for a specific piece of content (i.e. a publisher may become a collaborator or viewer or have no access).
If you want to read more about roles and permissions, I recommend the user-management section of RStudio Connect’s Admin Guide.
Security and reliability
Even armed with the comprehensive tutorial in RStudio’s documentation, you might encounter problems that are not described. In such a case, you can reach out to RStudio for full support. RStudio’s support is fast and reliable. Give them a description of your issue and you will receive instructions and documentation that will help you resolve the problem. Having access to support from RStudio ensures you won’t spend countless hours debugging the issue on your own, leaving your website unavailable for users and exposing yourself to security threats caused by misconfiguration. If you think these types of issues won’t happen to you, here are a few real-life examples showing why you shouldn’t take risks:
- Improper authentication in the GitLab SAML integration had a validation issue that permitted an attacker to take over another user’s account
- IBM Data Risk Manager allowed a remote attacker to bypass security restrictions when configured with SAML authentication
Often security vulnerabilities are introduced by Service Providers that improperly validate and process SAML responses received from Identity Providers. Meaning that if you want to configure SSO integration, then you should trust your Service Provider. If security is important to you, then you shouldn’t be using packages developed once by a few developers and left unmaintained. Instead, you should be using a secure platform that releases new updates regularly and is maintained by a team of specialists.
Scale for hundreds of concurrent users with better Shiny app performance on an infrastructure level
Updating applications on a regular basis is so important. We can’t stress this enough. So don’t leave your app vulnerable to attacks. With RStudio Connect you make sure that when new security vulnerabilities appear, a team of security engineers will take care of them and fix the software as quickly as it’s possible.
You’ve invested a lot into your application. Now be sure to secure it properly using RStudio Connect authentication. If you feel unsure about proceeding, feel free to reach out to the Appsilon team. We’re a proud RStudio Full Service Certified Partner. Whether your team requires training, implementation, management, or development services, we’re here to help enterprises succeed with R and RStudio.