Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to securely integrate EC2 hosted Shiny app into asp.net project

I have two applications.

  1. R Shiny app hosted on EC2
  2. Asp.net application hosted on Azure.

The asp.net app preforms user authentication and is used to organize a whole data science pipeline. A user provides data, the data scientist transforms the data and delivers a shiny app. Finally, the user opens the Shiny app within the asp.net application.

The problem I have is that I don't know how to integrate the Shiny app that I have developed within the asp.net application securely.

I could solve the problem like this:

enter image description here

Basically, I can make a simple iframe with a link to the public domain of the EC2 instance. However, this is not secure. Anybody can find and access the url with a simple page source click.

Another option that I have considered is to limit the IP address in the EC2 security groups. However, the problem is that the asp.net application is supposed to be used by different entities/independent users. So the security needs to be more granular [does the user have access to app, project within app, container within a project?] than just a server IP address.

Also, I have thought to provide a second level of authentication within the actual Shiny app, however this essentially loses the point of the asp.net authentication in the first place.

Any ideas or hints in what direction I should continue with research?

like image 314
Prometheus Avatar asked Jul 09 '18 07:07

Prometheus


1 Answers

I think you're right, there are two options. The first is to create a secure connection between the two servers and use the .Net app to proxy the traffic, but that defeats the point.

The second is to authenticate the use with both servers. You could do this by having the .Net server somehow pass data about the active sessions to the Shiny app to synchronise them but that isn't ideal.

You could instead use an authentication mechanism such as JWT where the .Net server would issue the client a token (i.e. cookie or embedded into the iFrame URL) when they log in and the client would then pass this to the token to the Shiny server, which would only have to validate the token. If using cookies you would need to make sure both servers are on the same subdomain so that the token is set properly.

like image 181
OllyTheNinja Avatar answered Nov 02 '22 11:11

OllyTheNinja