What is the best way for authentication?

Hello everyone,

I developed a few Shiny apps and deployed them on ShinyProxy for my company. I’m the only data analyst in the company and a beginner with ShinyProxy. Also, IT is not knowledgeable about authentication stuff.

For now, the app is deployed on the company network, but the system needs to be accessible soon for our employees without a VPN connection. That’s why it has to be accessible with an authentication system.

When I read the documentation, I saw that simple authentication is useful for me but it is not secure. The documentation says “Since passwords are contained in clear text in the application.yml file, this is not a secure way to set up authentication, but can be useful for demonstration purposes (e.g. in the absence of a network connection) or for very specific use cases.”

It presents alternative ways like LDAP, Keycloak and so on. I looked at all of them in the documentation and in outside documentation, articles, videos etc. However, I’m confused about what the best way is in my case.

I guess LDAP and Keycloak could be more appropriate in my case, but I’m not sure. I wonder about your experiences and what you can share.

It would be great if there is a resource which explains the authentication stuff step by step.

1 Like

Hi

I think that for your situation, using Keycloak is the best option. Keycloak will allow you to manage users and passwords. Next, you have to connect Keycloak with ShinyProxy using OpenID Connect. There are many tutorials and examples on the web.

2 Likes

I confirm what @tdekoninck said, the best way is Keycloak.
I’m using it as SSO for my Shiny apps, with features like OTP (one-time password as 2-factor auth), roles and user groups.

Also, you can find a lot of material on the configuration out there. The steps, the easy way, if you are using Docker:

  • create a docker network
  • run a postgres db with the network attached, don’t forget to set the env. var. for the db password …
  • run the Keycloak image with the network attached, set the env var to configure the db
  • connect to Keycloak as an admin and create a new realm: My_REALM
  • for testing you can use the Account client that already exists in the new realm (My_REALM)
  • put the information in your application.yaml: resource, secret and url …

Hope this helps

Ada

2 Likes

Many thanks for your views. I’m sure your comments will be very helpful to newbies like me. I will try Keycloak on ShinyProxy. @tdekoninck @adanba.

@adanba is it necessary to create a network and run a postgresql container? I already installed ShinyProxy and postgresql manually on an Ubuntu server without docker. I only need it for Keycloak.

I thought it would be enough for me to only run a Keycloak container. That’s why I ran this code in the terminal, and Keycloak runs successfully…

docker container run -d --name Keycloak -p 8787:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:legacy 

http://10.*.*.*:8787/auth/

I created a realm named shinyproxy.

Then, I created a user and its password.

  • Username: user
  • Password: user

In the next step, I should create a client, and I defined the client ID as shinyproxy.

On the next page, there is the capability config of this client. Client authentication was turned off, but I turned it on.

Keycloak documentation says that after the client is created, make these updates to the client:

Access settings.

  • Set Valid redirect URIs to https://www.keycloak.org/app/*
  • Set Web origins to https://www.keycloak.org

That’s why I added the url of the shinyproxy and saved the settings.

Valid redirect URIs to http://10.*.*.*:8080/*
Web origins to http://10.*.*.*:8080

In Credentials tab, I see my client secret 6hJMdUJPxpInn03C0VrsdeTXvT0NyiW7

Shinyproxy application.yml

proxy:

  title: Myapp
  landing-page: /
  favicon-path: /ShinyApps/LandingPage/favicon.ico
  template-path: ./templates/modified_navbar 

  heartbeat-rate: 10000
  heartbeat-timeout: 600000
  container-wait-time: 20000 

  port: 8080
  default-max-instances: 10

  stop-proxies-on-shutdown: false
  recover-running-proxies: true
  recover-running-proxies-from-different-config: true

  authentication: keycloak
    realm: shinyproxy #yoursso
    auth-server-url: http://10.*.*.*:8787/auth #http://yoururl.com:8180/auth
    resource: shinyproxy #yourresource
    credentials-secret: 6hJMdUJPxpInn03C0VrsdeTXvT0NyiW7 #your-credentials-secret

  admin-groups: admins

  docker:
    cert-path: /FBCert
    url: http://localhost:2375
    port-range-start: 20000
    internal-networking: true
    
  specs:

  - id: BOR
    display-name: BOR
    description: App1
    logo-url: file:///ShinyApps/LandingPage/fbm.jpg
    container-image: fbm/fbapp:latest
    max-lifetime: 120
    container-cmd: ["R", "-e", "shiny::runApp('/root/App1/app.R', port = 3838, host = '0.0.0.0')"]
    container-volumes: ["/Volumes/App1/reports/BOR:/root/App1/reports/BOR"]
    access-groups: [admins, users]

  - id: REQUEST
    display-name: PR
    description: App2
    logo-url: file:///ShinyApps/LandingPage/fbm.jpg
    container-image: 127.0.0.1:5000/fbm/pr
    max-lifetime: 120
    container-cmd: ["R", "-e", "shiny::runApp('/root/App2/app.R', port = 3838, host = '0.0.0.0')"]
    container-volumes: []
    access-groups: [admins, fbstaff, users]

  container-log-path: /etc/shinyproxy/logs/container-logs

logging:
  file:
    name: /etc/shinyproxy/logs/shinyproxy.log

spring:
  servlet:
    multipart:
      max-file-size: 200MB
      max-request-size: 200MB


server:
  useForwardHeaders: true

After I restart ShinyProxy with sudo systemctl restart shinyproxy, it fails like this.

This site is unreachable
10.*.*.* refused to connect.
Try the following:
* Checking your connection
* Checking proxy and firewall
* ERR_CONNECTION_REFUSED

What am I doing wrong, and in which step?

Hi @Ekrem_Bayar
1 - remove the “/auth” in the auth-server-url: from the application.yaml.
2 - try to ping the postgres db from the keycloak container to get the right address.
3 - try to ping the keycloak from the server where shinyproxy is installed.

Which Keycloak version did you use? The new one doesn’t include “/auth” in the auth-url by default.

When you start ShinyProxy, I think it can’t reach your Keycloak server …
Also, I don’t see where you put the postgres username/password for Keycloak …
Show us the ShinyProxy logs when you start it, and also the Keycloak logs?

Hi @adanba

Thanks a lot for your response and questions. They gave me an idea of what I should do.

I had no idea what version of Keycloak to use. I was trying to run the quay.io/keycloak/keycloak image, and it was the new versions. Then, I tried to run old versions but there were some problems I couldn’t understand. After your response, I tried another docker image and ran the container successfully. I used this jboss/keycloak image.

I managed to put ShinyProxy and Keycloak together successfully. On Keycloak, I created a new realm named shinyproxy and I created users and groups. Also, I assigned the users to each group they belong to. After these configurations, I can connect to ShinyProxy on Keycloak right now. ShinyProxy opens with its landing page and it shows me the Shiny apps; however, when I want to run any of the apps I get this error.

Error
Status code: 500
Message: value may not be null for key SHINYPROXY_USERNAME

There are still lots of things I will learn. I created users and groups on Keycloak but I didn’t make any changes in application.yml. Probably this is the main reason. I should figure out how to assign users and groups to specific apps.

Here is my application.yml

proxy:

  title: Shinyproxy
  landing-page: /
  favicon-path: /ShinyApps/LandingPage/favicon.ico
  template-path: ./templates/modified_navbar 
  
  heartbeat-rate: 10000
  heartbeat-timeout: 600000
  container-wait-time: 20000 

  port: 8080
  
  default-max-instances: 10 

  stop-proxies-on-shutdown: false
  recover-running-proxies: true
  recover-running-proxies-from-different-config: true

  authentication: keycloak
    keycloak:
      realm: shinyproxy
      auth-server-url: http://*.*.*.*:8787/auth
      resource: shinyproxy
      credentials-secret: gMHrFanXYkS7Szhr4TLILbhKqprOhn0I

  admin-groups: [admin]
  
  docker:
    cert-path: /FBCert 
    url: http://localhost:2375
    port-range-start: 20000
    port-range-max: 20030 

    
  specs:
    
    - id: REQUEST
      display-name: App1
      description: App1
      logo-url: file:///ShinyApps/LandingPage/fbm.jpg
      container-image: image/app1
      max-lifetime: 120
      container-cmd: ["R", "-e", "shiny::runApp('/root/App1/app.R', port = 3838, host = '0.0.0.0')"]
      container-volumes: ["/Volumes/App1/BOR:/root/App1/reports/BOR"]

    - id: App2
      display-name: App2
      description: App2
      logo-url: file:///ShinyApps/LandingPage/fbm.jpg
      container-image: image/app2
      max-lifetime: 120
      container-cmd: ["R", "-e", "shiny::runApp('/root/App2/app.R', port = 3838, host = '0.0.0.0')"]
      container-volumes: []


  container-log-path: /etc/shinyproxy/logs/container-logs

logging:
  file:
    name: /etc/shinyproxy/logs/shinyproxy.log
  level:
    org.keycloak: debug

spring:
  servlet:
    multipart:
      max-file-size: 200MB
      max-request-size: 200MB


server:
  useForwardHeaders: true


For beginners like me

Also, I would like to explain all the steps for beginners like me. I hope it will help people.

First of all, I had installed ShinyProxy and postgresql on an Ubuntu server manually. They work fine. I just needed Keycloak to manage authentication.

In addition, I created a new DB named Keycloak on postgres. There must be a DB connection in Keycloak. That’s why I have to set DB environment variables for the docker container. Then, I tested this connection and it ran successfully.

You can see the code below. It will work for you if the DB runs.

docker run -d -p 8787:8080 -e DB_VENDOR=postgres -e DB_USER=postgres -e DB_PASSWORD=password -e DB_ADDR=*.*.*.* -e DB_PORT=5432 -e DB_DATABASE=Keycloak -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak

When the container is created successfully, you can go to the Keycloak page by using the IP + port info.

I created a new realm named shinyproxy.

I created users and groups. Also, I assigned the users to each group they belong to.

As the final step, I created a client on Keycloak. I defined Valid Redirect URIs and got the credential secret.

Also, you can check the DB connection between postgres and Keycloak in RStudio.

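library(DBI)        # provides dbConnect(), dbListTables(), dbReadTable()
library(RPostgres)

# Connect to the Keycloak database on the postgres server
con <- dbConnect(RPostgres::Postgres(),
                 host = "*.*.*.*",
                 port = 5432,
                 dbname = "Keycloak",
                 user = "postgres",
                 password = "password")

# List the tables in the Keycloak database
sort(dbListTables(con))

# Read the table that holds the Keycloak users
dbReadTable(con, "user_entity")

# Close the connection when done
dbDisconnect(con)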

After these configurations, you will be able to have your login page.

1 Like

I found the indentation is not ok in your application.yml file.

Your version :

Right version :

  authentication: keycloak
  keycloak:
    realm: shinyproxy
    auth-server-url: http://*.*.*.*:8787/auth
    resource: shinyproxy
    credentials-secret: gMHrFanXYkS7Szhr4TLILbhKqprOhn0I
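
The indentation problem pointed out in the reply above, as an added example that is not part of the original thread: a standard-library Python check (a line-based heuristic, not a full YAML parser) that flags any key indented under a key that already holds a scalar value, which is what happens when the keycloak block is placed below "authentication: keycloak" instead of beside it. The function names and the sample config are constructed for illustration, and the secret is a placeholder.

```python
import re

# "key: value" lines, optionally opening a list item ("- key: value").
KEY_LINE = re.compile(
    r"^(?P<lead>\s*(?:-\s+)?)(?P<key>[A-Za-z0-9_.-]+):(?:\s+(?P<value>.*))?$"
)

def strip_comment(line):
    """Drop a trailing ' #comment'; assumes no '#' inside quoted values."""
    return re.sub(r"(^|\s)#.*$", "", line).rstrip()

def find_orphaned_children(yaml_text):
    """Return (line_no, parent_key, child_key) for each key indented under
    a key that already holds a scalar value, which YAML rejects."""
    findings = []
    prev = None  # (key column, key, holds a scalar value) of the last key line
    for no, raw in enumerate(yaml_text.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        m = KEY_LINE.match(line)
        if not m:
            prev = None
            continue
        col = len(m.group("lead"))  # a list dash counts toward the key column
        value = (m.group("value") or "").strip()
        if prev and prev[2] and col > prev[0]:
            findings.append((no, prev[1], m.group("key")))
        # Block scalars (| and >) may legitimately have deeper content.
        prev = (col, m.group("key"), bool(value) and value[0] not in "|>")
    return findings

def sample(keycloak_indent):
    """Constructed application.yml excerpt with the keycloak block at a given indent."""
    pad = " " * keycloak_indent
    return (
        "proxy:\n"
        "  authentication: keycloak\n"
        f"{pad}keycloak:\n"
        f"{pad}  realm: shinyproxy\n"
        f"{pad}  credentials-secret: PLACEHOLDER_SECRET\n"
        "  specs:\n"
        "    - id: App2\n"
        "      display-name: App2\n"
    )

if __name__ == "__main__":
    for name, text in (("nested under authentication", sample(4)), ("sibling of authentication", sample(2))):
        print(name, find_orphaned_children(text))
```

An empty result for the corrected layout and a finding on the keycloak line for the nested one is a quick pre-restart check before running systemctl restart shinyproxy.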