secure password handling in RShiny & RConnect

Hello,

we were approached by one of our data scientists with the following scenario and questions. We hope you can help us to solve his problems.

The idea is to create a Shiny app as a frontend for a different application. The other application is password-protected and loads user-specific content. Thus, it is necessary for the Shiny app to be able to send username and password of the person currently using it to the other application.

The easiest way is to ask the user for his credentials – but in the documentation of passwordInput (Shiny - Create a password input control) we didn't find any way around storing the password. It will always be stored in input$ because of the way these input patterns are designed in RShiny. We are in contact with our QA and Compliance departments, but don't think it is a good idea to use this.

We also thought about using a different user authentication on our Connect server that would allow this. We are currently using LDAP.

Can you think of any way to utilise the user's credentials when he's logged in to Connect and running the app, without any need to store the password in our app?
We would be glad for any hints, ideas, best practices or whatever else you can provide us with.
Thank you in advance!
Anja Summa

Can your backend application work with Kerberos tickets? In that case you could switch to PAM authentication and use credential caching together with current user execution.
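As an added illustration of the approach in the reply above (example code, not from the thread, from Posit or from Shiny's documentation): a Shiny app that never shows a passwordInput and instead lets libcurl present the user's existing Kerberos ticket to the backend. It assumes exactly what the reply describes: Connect authenticates through PAM with credential caching, so a ticket cache exists for the logged-in user after login, and the app runs as the current user, so this R process can read that cache. The backend URL is a placeholder.

```r
# Added example, not code from the original thread. Assumptions (labelled
# here and in the lead-in): PAM login with credential caching has produced a
# Kerberos ticket cache for the logged-in user, and the app is executed as
# that user, so the cache is readable by this R process. With both in place,
# libcurl's Negotiate (SPNEGO) support presents the ticket to the backend and
# no credential ever passes through input$.
library(shiny)
library(curl)

# Hypothetical backend endpoint; replace with the real Kerberos-protected service.
BACKEND_URL <- "https://backend.example.internal/api/me"

# Call the backend with HTTP Negotiate using the process's ticket cache.
# httpauth = 4 is libcurl's CURLAUTH_NEGOTIATE; libcurl also needs a userpwd
# placeholder (the documented ":" convention) before it will attempt Negotiate.
fetch_as_current_user <- function(url = BACKEND_URL) {
  h <- new_handle()
  handle_setopt(h, httpauth = 4L, userpwd = ":")
  res <- curl_fetch_memory(url, handle = h)
  if (res$status_code != 200L) {
    stop(sprintf("backend returned HTTP %d", res$status_code))
  }
  rawToChar(res$content)
}

ui <- fluidPage(
  # Deliberately no passwordInput(): identity comes from the Connect session.
  h4(textOutput("who")),
  actionButton("load", "Load my content"),
  verbatimTextOutput("content")
)

server <- function(input, output, session) {
  # session$user is set by Connect for the authenticated user; it is NULL
  # when the app is run locally outside Connect.
  output$who <- renderText({
    user <- session$user
    if (is.null(user)) "not running under Connect" else paste("Logged in as", user)
  })

  content <- eventReactive(input$load, {
    tryCatch(fetch_as_current_user(), error = function(e) conditionMessage(e))
  })
  output$content <- renderText(content())
}

shinyApp(ui, server)
```

A quick check that the assumptions hold on the server: run the app as the target user and confirm `klist` (or the `KRB5CCNAME` the PAM module sets) shows a valid ticket for that user; if the cache is missing or expired, libcurl simply returns 401 and no password is ever typed into the app to fall back on.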

Hi Ralf,
thank you for your answer. We are currently evaluating this possibility. I'll get back when there is news.

Have you managed to solve this issue with passwords and apps? If yes, please share some tips.

Handling passwords securely in RShiny can be tricky, especially with the way passwordInput stores everything in input$. One thing that might help is to avoid storing passwords altogether and use a password strength checker to validate them before they’re sent, adding a layer of security without directly saving anything.

One thing that worked for me was switching to token-based authentication instead of directly asking for passwords in the app. The user logs in through a secure system (like your LDAP), and then a token is generated, which the app can use to access the other application. That way, you don’t have to store or send passwords within the app itself.
Also, when I needed to check the strength of passwords during a project, I used this site to make sure people weren’t creating weak passwords before they got into the system.
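The token-based flow described in the reply above, as an added example that is not part of the original thread and not the poster's own code. Everything specific is an assumption: a hypothetical backend token endpoint that accepts the app's own service credential plus the name of the user the request is on behalf of and returns a short-lived token for that user (JSON fields `access_token` and `expires_in`), and a service credential supplied through an environment variable configured in Connect. The user's identity comes from the Connect session after LDAP login, so neither the user's password nor any secret appears in the code or in input$.

```r
# Added example, not code from the original thread. Hypothetical pieces:
# TOKEN_URL / CONTENT_URL, the token endpoint's request and response shape,
# and the BACKEND_SERVICE_KEY environment variable.
library(shiny)
library(httr)

TOKEN_URL   <- "https://backend.example.internal/auth/token"   # hypothetical
CONTENT_URL <- "https://backend.example.internal/api/content"  # hypothetical

# Exchange the app's service credential for a short-lived token scoped to `user`.
# Returns list(token = <chr>, expires_at = <POSIXct>).
request_user_token <- function(user, token_url = TOKEN_URL) {
  service_key <- Sys.getenv("BACKEND_SERVICE_KEY")
  if (!nzchar(service_key)) stop("BACKEND_SERVICE_KEY is not set")
  resp <- POST(
    token_url,
    add_headers(Authorization = paste("Bearer", service_key)),
    body = list(on_behalf_of = user), encode = "json",
    timeout(10)
  )
  stop_for_status(resp)
  body <- content(resp, as = "parsed", type = "application/json")
  list(
    token      = body$access_token,
    expires_at = Sys.time() + as.numeric(body$expires_in)
  )
}

# Fetch the user's content with the token; the password is never involved.
fetch_user_content <- function(token, url = CONTENT_URL) {
  resp <- GET(url, add_headers(Authorization = paste("Bearer", token)), timeout(10))
  stop_for_status(resp)
  content(resp, as = "text", encoding = "UTF-8")
}

ui <- fluidPage(
  h4(textOutput("who")),
  actionButton("load", "Load my content"),
  verbatimTextOutput("content")
)

server <- function(input, output, session) {
  user <- session$user  # populated by Connect after the LDAP login
  output$who <- renderText({
    if (is.null(user)) "not running under Connect" else paste("Logged in as", user)
  })

  # The token lives only in this session's memory (it disappears with the
  # session) and is renewed when it is within a minute of expiring.
  tok <- reactiveVal(NULL)
  current_token <- function() {
    t <- tok()
    secs_left <- if (is.null(t)) -1 else
      as.numeric(difftime(t$expires_at, Sys.time(), units = "secs"))
    if (secs_left < 60) {
      t <- request_user_token(user)
      tok(t)
    }
    t$token
  }

  content <- eventReactive(input$load, {
    validate(need(!is.null(user), "No authenticated Connect user."))
    tryCatch(fetch_user_content(current_token()), error = function(e) conditionMessage(e))
  })
  output$content <- renderText(content())
}

shinyApp(ui, server)
```

The security property to verify in the backend, not in the app, is that the token endpoint only honours `on_behalf_of` for the service credential it was issued to and only for users that credential is allowed to act for; otherwise the app's key becomes an impersonate-anyone key. Keep `expires_in` short and set `BACKEND_SERVICE_KEY` as a Connect environment variable rather than in the source.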