appsmithorg / appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
https://www.appsmith.com
Apache License 2.0

[Feature]: OBO flow for REST API authentication #30048

Open rhuanbarreto opened 8 months ago

rhuanbarreto commented 8 months ago


Summary

Appsmith SSO can retrieve a token and make it available to be used in REST API calls. But for Azure AD SSO (my case), the scopes requested by the login (openid, offline_access, profile) cannot be used to call other REST endpoints that require different scopes.

In order to use the SSO token to call those REST API with the user identity, you need to use the OBO flow.

My request is to support the OBO flow so the token can be exchanged for a token that has the right scope to call my REST APIs.

Why should this be worked on?

Today Appsmith has this big weakness about authentication that doesn't allow you to reuse the auth token to call other services that rely on the same auth scheme. With the auth token provided you can only call the scopes that the token is requested for.

This is important for business customers.

Nikhil-Nandagopal commented 8 months ago

@rhuanbarreto is this different from the need for #22047 that you had talked to me about? Because I remember that was also about not having user specific scopes requested

Also why not have a separate datasource depending on the scopes you need or having a single datasource that requests for all the scopes?

rhuanbarreto commented 8 months ago

Yes. OBO flow reuses the token from SSO. PKCE issues a token regardless of SSO.

Nikhil-Nandagopal commented 8 months ago

@rhuanbarreto if you're just looking to reuse the token from SSO, wouldn't substituting the access token in the API call work for you? https://docs.appsmith.com/getting-started/setup/instance-configuration/authentication/json-web-tokens-jwt#access-token

rhuanbarreto commented 8 months ago

I need to first call the MSFT auth endpoint to request a new token with the right scope sending the <<APPSMITH_USER_OAUTH2_ACCESS_TOKEN>> and then the token I get in result must be passed to call the REST endpoint.

Nikhil-Nandagopal commented 8 months ago

@rhuanbarreto so can you store the token you get in result in the appsmith store and send it in the next API?

rhuanbarreto commented 8 months ago

Yes. Correct.

Nikhil-Nandagopal commented 8 months ago

@rhuanbarreto to confirm, this means that this flow is possible today, what you are suggesting is just a more convenient way of achieving it. Am I correct?

rhuanbarreto commented 8 months ago

Today it's not possible. Appsmith backend must call the OIDC authorization endpoint again to exchange the token.
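The exchange the thread describes (send the SSO access token to the identity provider's token endpoint, get back a token scoped for the downstream REST API, call the API with that second token) is the standard OAuth 2.0 on-behalf-of flow. The script below is an added illustration and is not Appsmith code; it models both sides of the exchange offline. The request shape (`grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`, `assertion`, `requested_token_use=on_behalf_of`) is the one the Microsoft identity platform documents; the token endpoint, signing key, client id, secret, audience and scope values are constructed stand-ins, and HS256 replaces the provider's RS256 signing so the example runs without network access. It also shows why the login token alone is rejected: its `aud` is the Appsmith application, not the API.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Grant type the Microsoft identity platform uses for on-behalf-of (RFC 7523 JWT bearer).
OBO_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed sample values; none of these belong to a real tenant or API.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
APPSMITH_CLIENT_ID = "appsmith-client-id-example"
APPSMITH_CLIENT_SECRET = "constructed-client-secret"
DOWNSTREAM_API_AUDIENCE = "api://orders-api-example"
DOWNSTREAM_SCOPE = "api://orders-api-example/Orders.Read"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT (stand-in for the provider's RS256 signing)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims


def build_obo_request(sso_access_token: str, scope: str) -> str:
    """Form body the Appsmith backend would POST to the provider's token endpoint."""
    return urlencode({
        "grant_type": OBO_GRANT_TYPE,
        "client_id": APPSMITH_CLIENT_ID,
        "client_secret": APPSMITH_CLIENT_SECRET,
        "assertion": sso_access_token,        # the token obtained at SSO login
        "scope": scope,                        # scope the downstream REST API needs
        "requested_token_use": "on_behalf_of",
    })


def simulated_token_endpoint(form_body: str) -> dict:
    """Constructed stand-in for the provider: validate the OBO request, issue a scoped token."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != OBO_GRANT_TYPE or form.get("requested_token_use") != "on_behalf_of":
        raise ValueError("not an OBO request")
    if form.get("client_secret") != APPSMITH_CLIENT_SECRET:
        raise ValueError("client authentication failed")
    assertion = verify_jwt(form["assertion"], IDP_SIGNING_KEY)
    # The incoming token must have been issued to the requesting app; otherwise any valid
    # token could be laundered into a credential for the downstream API.
    if assertion.get("aud") != form["client_id"]:
        raise ValueError("assertion audience does not match client")
    new_token = sign_jwt({
        "sub": assertion["sub"],               # user identity is carried through
        "aud": DOWNSTREAM_API_AUDIENCE,
        "scp": form["scope"].split("/")[-1],   # e.g. "Orders.Read"
        "exp": int(time.time()) + 600,
    }, IDP_SIGNING_KEY)
    return {"token_type": "Bearer", "access_token": new_token, "scope": form["scope"]}


def downstream_api_authorize(bearer_token: str) -> str:
    """What the REST API does with its Authorization header: return the user or raise."""
    claims = verify_jwt(bearer_token, IDP_SIGNING_KEY)
    if claims.get("aud") != DOWNSTREAM_API_AUDIENCE:
        raise ValueError("token not issued for this API")
    if "Orders.Read" not in claims.get("scp", "").split():
        raise ValueError("missing required scope")
    return claims["sub"]


def sso_login_token(user: str) -> str:
    """Constructed stand-in for <<APPSMITH_USER_OAUTH2_ACCESS_TOKEN>>: login scopes only."""
    return sign_jwt({"sub": user, "aud": APPSMITH_CLIENT_ID,
                     "scp": "openid offline_access profile",
                     "exp": int(time.time()) + 600}, IDP_SIGNING_KEY)


def call_api_with_sso_token(user: str) -> str:
    """The situation in the issue: the login token alone is rejected by the API."""
    try:
        return downstream_api_authorize(sso_login_token(user))
    except ValueError as err:
        return f"rejected: {err}"


def call_api_via_obo(user: str) -> str:
    """Full flow: exchange the SSO token, then call the API with the exchanged token."""
    response = simulated_token_endpoint(build_obo_request(sso_login_token(user), DOWNSTREAM_SCOPE))
    return downstream_api_authorize(response["access_token"])


if __name__ == "__main__":
    print(call_api_with_sso_token("alice@example.test"))   # rejected: token not issued for this API
    print(call_api_via_obo("alice@example.test"))          # alice@example.test
```

Two details matter for anyone implementing this server-side, as the last comment asks for: the exchange needs the application's client secret, so it belongs in the backend rather than in browser JavaScript, and the endpoint must confirm that the assertion's `aud` is the requesting application before minting anything, which the simulated endpoint does.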