App proxy questions and proxy/authentication possible improvement suggestions
-
Some apps publish http/https public endpoints.
While Cloudron user management allows managing access to the dashboard listing (e.g. app proxy) and sometimes the management of such apps (e.g. surfer app - not referring to the Cloudron operators role here), the public endpoint is left just as is: public.
In some scenarios, it would be great to have the possibility to restrict access to these public endpoints too, to a different set of Cloudron authenticated users.
Something like: Create Surfer static app -> User Group A can access the _admin part, while User Group B can access the public/published part and all other access is restricted (no public access).
Here I am using the surfer app as an example, but ideally this would be applicable to any Cloudron app which has a free to access/public URL endpoint.
I do not think that this is currently possible with Cloudron, or is it?
Digging a bit deeper, I am wondering if the integration of something like vouch-proxy could be feasible.
It would lock a public URL endpoint behind a Cloudron authentication which is ultimately what I am looking for.
-
I think your use case is valid. But from Cloudron's POV, there is authentication and authorization. Cloudron OIDC does Authentication, i.e. verify the user is who he says he is. Authorization, i.e. whether the verified user has access to a resource, is best done inside the app. This is why we also don't do Group setup in packages. For example, one can have some use case where each folder inside Surfer is available to different sets of users etc.
I would say open up feature requests in the apps in question to implement that kind of access control.
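
An illustration of the authentication/authorization split discussed in this thread, added here and not part of either post or of Cloudron's or Surfer's code: the app receives a user already verified by the OIDC login and decides per path which groups may read it, denying everything else. The group names, the path policy and the `groups` field on the user object are assumptions.

```javascript
// Constructed policy for the Surfer example in the thread: group names and
// path prefixes are hypothetical. Anything that matches no rule is denied.
const POLICY = [
  { prefix: '/_admin', groups: ['group-a'] },
  { prefix: '/', groups: ['group-b'] },
];

// Canonicalize the request path before matching, so "/public/../_admin"
// or "%2e%2e" cannot be evaluated against the wrong rule.
function canonicalPath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null; // malformed percent-encoding
  }
  if (!decoded.startsWith('/') || /[\0\\]/.test(decoded)) return null;
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// A prefix matches only on a segment boundary: "/_admin" covers
// "/_admin/x" but not "/_administrator".
function matches(prefix, p) {
  if (prefix === '/') return true;
  return p === prefix || p.startsWith(prefix + '/');
}

// `user` is the identity already verified by the OIDC login (authentication);
// this function only answers the authorization question.
function authorize(user, rawPath, policy = POLICY) {
  if (!user || !Array.isArray(user.groups)) return false; // no anonymous access
  const p = canonicalPath(rawPath);
  if (p === null) return false;
  const rule = policy
    .filter((r) => matches(r.prefix, p))
    .sort((a, b) => b.prefix.length - a.prefix.length)[0]; // most specific rule wins
  return Boolean(rule) && rule.groups.some((g) => user.groups.includes(g));
}
```

The check must run on the same canonical path the app then uses to serve the file; otherwise the decision and the file lookup can disagree.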