Proxied authentication with Posit Connect


This article is based on this section of the administrator's guide.


Posit Connect supports proxied authentication. This allows an external system to intercept requests and handle the authentication of users visiting the Connect dashboard or applications Connect is hosting.

How this works

A service (like Apache, for example) runs as your customized authentication server. It is responsible for intercepting all requests to Posit Connect and performing the required authentication and authorization. Requests from authenticated users will have a custom HTTP header added before the request is proxied through to Posit Connect. That HTTP header contains the username of that visitor. Posit Connect will take the value from the HTTP header and treat the current user as the username specified in the header.

We have no means of validating that this HTTP header was added by your authentication server and not by the user directly. So it is very important from a security perspective that the RStudio Connect server is properly firewalled off in your network and that all access to the Connect server is proxied through your authentication server.

Important Note

The username HTTP header should never be set by the requester. In all cases, your authentication server should delete that header if it exists before authenticating the user and adding the header itself.

Posit Connect does not currently support directing users to a login page when using proxied authentication. Therefore, we recommend that your proxy prevent anonymous access to Posit Connect; only allow authenticated users.

Deployment from the RStudio IDE

Deploying from the RStudio IDE is a unique situation. The IDE uses an R package rsconnect to obtain deployment credentials from RStudio Connect. Those credentials are used to sign deployment requests.

Deployment requests are signed with credentials obtained during an earlier, authenticated session, and should pass through your proxy without alteration.

The following three headers, when used together, identify deployment requests. Requests that carry them should pass through your proxy without an attempt to authenticate the user:

  • X-Auth-Token
  • X-Auth-Signature
  • X-Content-Checksum

Configuring Proxied Authentication

To configure Posit Connect to use proxied authentication, set Authentication.Provider to proxy.

[Authentication]
Provider = proxy 

Proxied authentication requires that you set Server.Address to point at your proxy server. If you do not configure Server.Address, the browser may not have all its requests routed through your authenticating proxy. See this section of the administrator's guide for more information about Server.Address.

[Server]
Address = https://myproxy.company.com/

You can customize the name of the header that your authentication server will send upon a successful authentication. By default, this key name is X-Auth-Username.

[ProxyAuth]
UsernameHeader = X-Auth-Username
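
The header handling described under "How this works", "Important Note" and "Deployment from the RStudio IDE" can be modelled as one decision function. This is an added example, not code from Posit or from the administrator's guide; filter_request and its authenticated_user parameter are hypothetical names, and the sample requests are constructed.

```python
# Added example: the header policy an authenticating proxy applies before
# forwarding a request to Posit Connect. Not Posit's code.
USERNAME_HEADER = "X-Auth-Username"  # default value of ProxyAuth.UsernameHeader
DEPLOY_HEADERS = ("X-Auth-Token", "X-Auth-Signature", "X-Content-Checksum")


def _has(headers, name):
    """Case-insensitive check for a non-empty header in (name, value) pairs."""
    return any(k.lower() == name.lower() and v for k, v in headers)


def filter_request(headers, authenticated_user=None):
    """Return (action, outgoing_headers) for one incoming request.

    headers            -- list of (name, value) pairs received from the client
    authenticated_user -- username established by the proxy's own login
                          mechanism, or None (hypothetical parameter)
    """
    # 1. In all cases, delete every client-supplied copy of the username
    #    header, whatever its letter case.
    clean = [(k, v) for k, v in headers if k.lower() != USERNAME_HEADER.lower()]

    # 2. Deployment requests carry all three headers together. They were signed
    #    with credentials from an earlier authenticated session, so they are
    #    forwarded unaltered and without a username header.
    if all(_has(clean, h) for h in DEPLOY_HEADERS):
        return "forward", clean

    # 3. Connect cannot redirect to a login page in this mode, so anonymous
    #    requests are refused at the proxy.
    if not authenticated_user:
        return "deny", []

    # 4. Only the proxy ever sets the username header.
    return "forward", clean + [(USERNAME_HEADER, authenticated_user)]


if __name__ == "__main__":
    # Constructed sample: a client trying to supply the header itself.
    spoof = [("Host", "myproxy.company.com"), ("x-auth-username", "admin")]
    print(filter_request(spoof))           # anonymous: denied
    print(filter_request(spoof, "alice"))  # forwarded as alice, spoof removed
```

A request with only one or two of the three deployment headers is treated like any other request and must be authenticated.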

Groups

Groups are supported when using proxied authentication in RStudio Connect versions 1.7.2 and later. Please reference the administrator's guide for more information.
