mattermost / mattermost-mobile

Next generation iOS and Android apps for Mattermost in React Native
https://about.mattermost.com/
Apache License 2.0

Add support for Zero Trust solutions like Cloudflare Zero Trust, Azure Bastion or AWS Verified Access #7131

Open DonCziken opened 1 year ago

DonCziken commented 1 year ago

Summary

Please add support for handling authentication to Zero Trust Gateways.

This is different from SSO, as the authentication process happens before the MM app connects to the server, since the endpoint is hidden behind ZT. So when requesting the endpoint, the Gateway immediately returns a page requesting authentication. The authentication process happens through the Gateway (there is a myriad of options here) and, if it succeeds, it attaches a cookie allowing to bypass the gateway and connect to the given resource. For a more precise description, refer to the docs from the above examples.

Note: The desktop app, while a bit clumsy, does support that; the mobile app, however, does not work at all.

Environment Information

Steps to reproduce

Set up any of the above (CF ZT, Azure Bastion, AWS VA) against a self-hosted or SaaS-hosted (if on a custom domain) Mattermost server and try to access it via the iOS or Android mobile app. The result will be that the server is inaccessible and that's it.

Expected behavior

The app should open the returned webpage, allow the user to go through whatever web auth process would be there, and then grab the returned cookie and attach it to further requests towards the server.

Possible fixes

For some of those platforms, there is a workaround for the above, but we don't like it that much. I.e. in the case of Cloudflare Zero Trust, it is possible to use the 1.1.1.1 application to log in to Zero Trust and connect using WARP to CF. Then set up the Gateway to allow direct access for any client which is connected via WARP.

We are also experimenting with some setup on apache/nginx to force the mobile app to display the auth webpage, but without success so far.

The third option is to allow the mobile app to include custom headers, as typically Gateways have an option to define rules for allowing clients with custom headers. We've noted that there was a request for support for Basic Auth: https://github.com/mattermost/mattermost-mobile/issues/910 but it was not accepted. This is slightly different, as it would be enough just to allow attaching any custom header. It is a workaround tho, so ideally full support for the Gateway would be much more appreciated.
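The flow requested above (detect the gateway's authentication page, then attach the resulting cookie to later requests), sketched as an added example that is not part of the issue thread and is not Mattermost code. The function names, the `SERVER_ORIGIN` value, the cookie string and the detection heuristic are all assumptions made for illustration.

```javascript
// Added example; every name and sample value here is hypothetical/constructed.
const SERVER_ORIGIN = 'https://chat.example.com'; // constructed server URL

// Classify the reply to an API probe (e.g. GET /api/v4/system/ping).
// Assumed heuristic: an API endpoint answers with JSON, so a cross-origin
// redirect or an HTML body means a gateway answered instead of the server.
// `headers` is a plain object with lower-cased keys.
function classifyResponse({status, headers, url}) {
  const type = (headers['content-type'] || '').toLowerCase();
  const location = headers['location'];
  if (status >= 300 && status < 400 && location) {
    const target = new URL(location, url); // resolves relative redirects
    if (target.origin !== new URL(url).origin) {
      return {kind: 'gateway-challenge', loginUrl: target.href};
    }
  }
  if ([200, 401, 403].includes(status) && type.startsWith('text/html')) {
    return {kind: 'gateway-challenge', loginUrl: url};
  }
  if (type.startsWith('application/json')) {
    return {kind: 'server'};
  }
  return {kind: 'unknown'};
}

// Attach the gateway session cookie obtained from the web login, but only
// to HTTPS requests for the configured server origin, so the credential is
// never sent to the login host, to other hosts, or over plain HTTP.
function buildHeaders(requestUrl, gatewayCookie, base = {}) {
  const headers = {...base};
  const u = new URL(requestUrl);
  if (gatewayCookie && u.protocol === 'https:' && u.origin === SERVER_ORIGIN) {
    headers.Cookie = gatewayCookie;
  }
  return headers;
}
```

The same origin check applies to the custom-header workaround: a header that a gateway rule trusts is a credential and should be scoped as tightly as the cookie.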

enahum commented 1 year ago

Thank you for sharing, feel free to share this improvement idea on our feature request forum here https://mattermost.com/suggestions/.

DonCziken commented 1 year ago

@enahum - ok, I have created a ticket there as well. Tho for us and for this case it's specifically related to the mobile app, so I've put it here in the first place.