---
output: github_document
---
<!-- README.md is generated from README.Rmd. Please edit that file -->
```{r, include = FALSE}
knitr::opts_chunk$set(
collapse = TRUE,
comment = "#>",
fig.path = "man/figures/README-",
out.width = "100%"
)
```
# shiny.AADB2C
<!-- badges: start -->
<!-- badges: end -->
{shiny.AADB2C} is designed to help you get started with integrating [Azure Active Directory B2C](https://azure.microsoft.com/en-us/services/active-directory-b2c/) authentication into your shiny application.
```{r setup}
library(shiny.AADB2C)
```
## Installation
You can install the package with:
```{r install, eval=FALSE}
remotes::install_github("lockedata/shiny.AADB2C")
```
## Working with AAD B2C and shiny
### Locally
{shiny} runs on 127.0.0.1:port locally but AAD B2C will only accept http://localhost:port as a Redirect URL for an AAD B2C client application. To manage this, we recommend you run [nginx](http://nginx.org/) on your machine to route traffic from localhost to 127.0.0.1 if this isn't happening naturally.
To make nginx work with shiny locally, I had to change the `nginx.conf` file to include values like:
```
http {
    include       mime.types;
    default_type  application/octet-stream;
    # web socket-y stuff to make shiny work with nginx
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
    server {
        listen       80;
        server_name  localhost;
        location / {
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            # When doing local dev it's helpful to fix your shiny port
            proxy_pass http://127.0.0.1:4537;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            # Rewrite redirects issued by shiny on the fixed port back to the proxied host
            proxy_redirect http://127.0.0.1:4537/ http://$host/;
        }
    }
}
```
### In production
You will need to use SSL to deploy shiny in production with authentication, as http://localhost is the only non-https address allowed. Current, common approaches to putting shiny behind SSL include:
- [Shiny Server Pro](https://rstudio.com/products/shiny-server-pro/) / [RStudio Connect](https://rstudio.com/products/connect/)
- [ShinyProxy](https://www.shinyproxy.io/)
- Container behind a routing solution / proxy e.g. [Azure Container Instances](https://azure.microsoft.com/en-us/services/container-instances/) and [Azure Application Gateway](https://docs.microsoft.com/en-us/azure/application-gateway/overview)
## `aadb2c_js()`
The first required component is the JavaScript code that uses the [msal.js](https://github.com/AzureAD/microsoft-authentication-library-for-js) library to authenticate a user via a popup.
Most of the code you might want to modify to manage buttons and shiny communication is in the `updateUI()` function. It contains the instructions that show and hide the "Sign In" and "Sign Out" buttons and that pass a piece of information to shiny as an input once the user is authenticated.
```{r js, eval=FALSE}
aadb2c_js(
  output_dir = "inst/app/www",
  shiny_input = "email",
  tenant = "demotenant",
  client_id = "a0cfc440-c766-43db-9ea8-40a1efbe22ac",
  signin_policy = "B2C_1_signup_signin",
  scopes = c("email", "openid", "https://demotenant.onmicrosoft.com/appname/read")
)
```
### Configure authentication
To configure the JS script, you need the following pieces of information:
- The AAD B2C tenant name, e.g. the `demotenant` in `demotenant.onmicrosoft.com`
- The application ID of the AAD B2C app
- The User Flow / Policy to use to Sign In
- The scopes that should be requested, including a URI
You will want to use your browser's developer tools to help you get any error messages you might encounter. The scopes in particular can be pesky!
You may also want to / need to provide further configuration details. This documentation can be found at [docs.microsoft.com/.../msal-client-application-configuration](https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-client-application-configuration)
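A pre-flight check for the values listed above, as an added example that is not part of shiny.AADB2C: `check_aadb2c_config()` and its `redirect_url` argument are hypothetical names, and the policy check assumes the AAD B2C naming convention of `B2C_1_` for user flows and `B2C_1A_` for custom policies. It also applies the redirect URL rule described earlier (plain http is accepted only for localhost).

```r
# Added example: check_aadb2c_config() is a hypothetical helper, not part of
# shiny.AADB2C. It returns a character vector of problems (empty when clean).
check_aadb2c_config <- function(tenant, client_id, signin_policy, scopes,
                                redirect_url) {
  problems <- character(0)
  # Tenant is the short name only ("demotenant"), not the full domain.
  if (grepl(".", tenant, fixed = TRUE)) {
    problems <- c(problems, "tenant: use the short name, not the full domain")
  }
  # Application (client) IDs are GUIDs.
  guid <- "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$"
  if (!grepl(guid, client_id)) {
    problems <- c(problems, "client_id: not a GUID")
  }
  # Assumption: user flows are named B2C_1_*, custom policies B2C_1A_*.
  if (!grepl("^B2C_1A?_", signin_policy)) {
    problems <- c(problems, "signin_policy: expected a B2C_1_ or B2C_1A_ name")
  }
  # The requested scopes must include at least one URI scope.
  if (!any(grepl("^https://", scopes))) {
    problems <- c(problems, "scopes: no URI scope (https://...) requested")
  }
  # Redirect URL: https anywhere, plain http only for the exact host "localhost".
  url_re <- "^(https?)://([^/:?#]+)(:[0-9]+)?([/?#].*)?$"
  m <- regmatches(redirect_url, regexec(url_re, redirect_url))[[1]]
  if (length(m) == 0) {
    problems <- c(problems, "redirect_url: not an http(s) URL")
  } else if (m[2] == "http" && tolower(m[3]) != "localhost") {
    problems <- c(problems, "redirect_url: http is only accepted for localhost")
  }
  problems
}

# Constructed input: the README's sample values behind the local nginx proxy.
print(check_aadb2c_config(
  tenant = "demotenant",
  client_id = "a0cfc440-c766-43db-9ea8-40a1efbe22ac",
  signin_policy = "B2C_1_signup_signin",
  scopes = c("email", "openid", "https://demotenant.onmicrosoft.com/appname/read"),
  redirect_url = "http://localhost"
))
# Constructed misconfiguration: full domain as tenant, no URI scope, and the
# raw shiny address (127.0.0.1) used as the redirect URL.
print(check_aadb2c_config(
  tenant = "demotenant.onmicrosoft.com",
  client_id = "a0cfc440-c766-43db-9ea8-40a1efbe22ac",
  signin_policy = "B2C_1_signup_signin",
  scopes = c("email", "openid"),
  redirect_url = "http://127.0.0.1:4537"
))
```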
## Integrating the JS into shiny
Included in this package are functions providing some basic code to demonstrate the minimum needed to provide login functionality and do something based on the authentication.
```{r ui}
aadb2c_ui()
```
This includes how to:
- call to the latest main msal.js library from Microsoft
- include our bespoke integration code generated via `aadb2c_js()`
    + you will need to make the directory it's stored in available to your shiny dashboard with `shiny::addResourcePath()`
- buttons that appear conditionally based on authentication state
    + visibility is controlled based on class and is managed in our custom msal.js file
- an output dependent on the server receiving the authentication details
It's provided in a tagList but the individual functions can be included in a general UI object.
```{r server}
aadb2c_server()
```
This is pretty simple - it merely translates the input created in the msal.js when someone successfully authenticates into a text output. This code snippet can be added to the `server()` function.