appsmithorg / appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
https://www.appsmith.com
Apache License 2.0
33.8k stars 3.64k forks

[Feature]: Support headers for reverse proxy authentication (Identity Aware Proxies) #9915

Open raags opened 2 years ago

raags commented 2 years ago

Is there an existing issue for this?

Summary

Identity Aware Proxies (IAP) are used to implement the Zero Trust security model, which uses the user identity instead of network-based access, as done by traditional VPNs.

These set specific headers, like X-USER-NAME, which are parsed by the backend to authenticate/create the user. For example, Grafana supports this: https://grafana.com/docs/grafana/latest/auth/auth-proxy/

Why should this be worked on?

This feature would allow deploying appsmith in organizations that have implemented IAP solutions, where authentication happens in a single place.

Nikhil-Nandagopal commented 2 years ago

@raags thanks for the feature request. Is this a form of SSO?

raags commented 2 years ago

Not necessarily - you're essentially offloading the auth to a proxy, which adds the appropriate headers to allow the server to recognise and authorize (e.g. via group mappings) the user. This allows you to keep auth in one place (among other benefits), instead of configuring every app with separate keys. The app also doesn't need to support every SSO protocol.
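The trust check that header-based authentication depends on, as an added example that is not part of this thread or Appsmith's code: the backend accepts X-USER-NAME only when the direct TCP peer is the proxy, and maps proxy-supplied groups to roles. The proxy address range, the X-USER-GROUPS header name and the group-to-role map are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values for illustration; none of these come from Appsmith.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # constructed proxy subnet
USER_HEADER = "x-user-name"      # header named in the issue, lower-cased
GROUPS_HEADER = "x-user-groups"  # hypothetical group header
GROUP_ROLES = {"platform-admins": "admin", "analysts": "viewer"}  # hypothetical map


@dataclass
class Identity:
    username: str
    roles: frozenset


def from_trusted_proxy(peer_ip):
    """peer_ip must be the socket peer address, never X-Forwarded-For."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def authenticate(peer_ip, headers):
    """headers is a list of (name, value) pairs as received on the wire.

    Returns an Identity, or None when header authentication must not apply.
    """
    # A client that reaches the backend directly can set any header it likes,
    # so identity headers count only when the proxy itself is the peer.
    if not from_trusted_proxy(peer_ip):
        return None
    # Header names are case-insensitive. Exactly one non-empty user header is
    # required: a duplicate means the proxy did not strip a client-sent copy.
    users = [v.strip() for k, v in headers if k.lower() == USER_HEADER]
    if len(users) != 1 or not users[0]:
        return None
    groups = [g.strip() for k, v in headers
              if k.lower() == GROUPS_HEADER for g in v.split(",")]
    # Unknown groups grant nothing; only mapped groups become roles.
    roles = frozenset(GROUP_ROLES[g] for g in groups if g in GROUP_ROLES)
    return Identity(users[0], roles)
```

The proxy must also strip any client-supplied copy of these headers before setting its own, and the backend should not be reachable except through the proxy.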

Nikhil-Nandagopal commented 2 years ago

@raags sure but it does seem like a type of SSO where essentially all the appsmith authentication flows are now proxied through a 3rd party service and that service is what all the backend calls have to interface with to authenticate a user. Am I right in understanding that?

raags commented 2 years ago

Yes, I suppose so - but I suspect it'll be easier to implement (not familiar with appsmith code though)

jpwilksch commented 2 years ago

> @raags sure but it does seem like a type of SSO where essentially all the appsmith authentication flows are now proxied through a 3rd party service and that service is what all the backend calls have to interface with to authenticate a user. Am I right in understanding that?

If I understand @raags correctly, the part in bold is incorrect. It is authentication to Appsmith that is proxied, not authentication to backend services with which Appsmith interacts.

I, too, would like to see this added.

GlennMatthys commented 2 years ago

Related: https://github.com/appsmithorg/appsmith/issues/8329

LauridsJMikkelsen commented 11 months ago

Any news on this? Would also greatly appreciate this feature