Open raags opened 2 years ago
@raags thanks for the feature request. Is this a form of SSO?
Not necessarily - you're essentially offloading the auth to a proxy, which adds the appropriate headers to allow the server to recognise and authorize (e.g. via group mappings) the user. This allows you to keep auth in one place (among other benefits), instead of configuring every app with separate keys. The app also doesn't need to support every SSO protocol.
@raags sure but it does seem like a type of SSO where essentially all the appsmith authentication flows are now proxied through a 3rd party service and that service is what all the backend calls have to interface with to authenticate a user. Am I right in understanding that?
Yes, I suppose so - but I suspect it'll be easier to implement (not familiar with appsmith code though)
> @raags sure but it does seem like a type of SSO where essentially all the appsmith authentication flows are now proxied through a 3rd party service and that service is what all the backend calls have to interface with to authenticate a user. Am I right in understanding that?
If I understand @raags correctly, the part in bold is incorrect. It is authentication to Appsmith that is proxied, not authentication to backend services with which Appsmith interacts.
I, too, would like to see this added.
Any news on this? Would also greatly appreciate this feature
Is there an existing issue for this?
Summary
Identity Aware Proxies (IAP) are used to implement the Zero Trust security model, which is based on user identity instead of being network-based, as is done by traditional VPNs.
These set specific headers, like X-USER-NAME, which are parsed by the backend to authenticate/create the user. For example, Grafana supports this: https://grafana.com/docs/grafana/latest/auth/auth-proxy/
Why should this be worked on?
This feature would allow deploying appsmith in organizations that have implemented IAP solutions, where authentication happens in a single place.
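The sketch below is an added example, not Appsmith or Grafana code. It shows the check a backend needs before it trusts a proxy-set header such as X-USER-NAME: the request must arrive from the proxy itself, and the identity header must appear exactly once. The proxy address, the `X-USER-GROUPS` header and the group-to-role table are assumptions made for illustration.

```python
import ipaddress

# Assumed values, not taken from the issue: the proxy address and the groups header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
USER_HEADER = "x-user-name"      # header named in the issue, lower-cased
GROUPS_HEADER = "x-user-groups"  # hypothetical header for group mappings
GROUP_ROLES = {"platform-admins": "admin", "analysts": "viewer"}  # constructed


class AuthError(Exception):
    pass


def single_header(headers, name):
    """Return the only value of a header, or None; reject repeated headers."""
    values = [v.strip() for k, v in headers if k.lower() == name]
    if len(values) > 1:
        raise AuthError(f"repeated {name} header")
    return values[0] if values else None


def authenticate(peer_ip, headers, users):
    """Map proxy-supplied identity headers to a local user, creating it on first use.

    peer_ip must be the TCP peer address of the connection, not a value
    read from X-Forwarded-For, which the client controls.
    """
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_PROXIES):
        raise AuthError("identity headers are only accepted from the proxy")
    name = single_header(headers, USER_HEADER)
    if not name:
        raise AuthError("proxy did not supply a user name")
    groups = (single_header(headers, GROUPS_HEADER) or "").split(",")
    roles = sorted({GROUP_ROLES[g.strip()] for g in groups if g.strip() in GROUP_ROLES})
    user = users.setdefault(name, {"name": name, "roles": []})
    user["roles"] = roles  # re-sync on every request so revocations apply
    return user


def try_authenticate(peer_ip, headers, users):
    """Return the user dict, or the rejection reason as a string."""
    try:
        return authenticate(peer_ip, headers, users)
    except AuthError as exc:
        return str(exc)
```

Headers are passed as a list of `(name, value)` pairs so that a repeated identity header is visible to the check instead of being collapsed by a dictionary.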