App Proxy + OIDC. Does this make sense?

  • malvim wrote (#1):

    Hi!

    So I did some digging and found App Proxy does support ProxyAuth now, which is great! Is there anything that will act as an app proxy but with OIDC? Is this feasible?

    I'll expand: I have cloudron's machine set up as a peer in a wireguard network I use for homelab stuff. This isn't fully supported, I know, but it's been working. So I can install an app in my home server and access it via a cloudron proxy, even having proxyAuth for the apps that have no built-in authentication.

    I'd like to install something that DOES have authentication/authorization with OIDC, and it would be awesome if I could have cloudron users log into it via the proxy apps with OIDC support.

    I know this entails more complexity, configuring OIDC secrets and ids and whatnot, so I understand the proxy app AS-IS wouldn't work. I guess my question is: Do you think this would be feasible? Stick a few more config options in the proxy app, and make it work with proxied apps via OIDC?

    Thanks!

    • james (Staff) wrote (#2):

      Hello @malvim

      First, very interesting set-up you are running there.

      If I understand you correctly, you would like to combine the app-proxy feature (a service that lets one publish a public HTTPS URL endpoint for a non-Cloudron hosted application) with essentially proxyauth?
      Wait no, you want a non-Cloudron app that has OIDC capabilities to use the oidc add-on with the app-proxy feature, right?

      So that the app-proxy, which comes by default with proxyauth, would instead use oidc.
      If that is the case and I understood everything correctly, for the oidc add-on to work we'd need to make the options that are defined in the CloudronManifest.json dynamically configurable, since the user then needs to configure loginRedirectUri etc. when setting up the app-proxy for the custom non-Cloudron hosted application.

      If I misinterpreted anything or completely missed the point, please correct me.

      • malvim wrote (#3):

        Hi, @james!

        Yeah, I think you got it perfectly. Except I don't think the app-proxy would need to use OIDC instead of proxyAuth. Maybe it could be an option: You either use proxyAuth for authentication-only if your proxied app doesn't have auth capabilities, or you use OIDC and the proxied app would use cloudron as an OIDC provider.

        I understand there are a few technical hurdles to jump, but I'm thinking they might be feasible. The main one, as you suggested, would be to have the OIDC-related configurations in the manifest dynamically configurable. This feels like it would demand some work, but as I understand it, there's already something along these lines in apps like gitea, where the SSH port is declared in the manifest, but customizable via the web ui.

        IMO, this would make for a few more nice use cases for app-proxy, like testing apps, or even hosting them elsewhere (like a homelab in my case, or another machine), but accessing them through cloudron and benefiting from its user management. Also, I don't think it would "compete with" or "exploit" cloudron in any way, since these proxied apps would not benefit from cloudron's other great features like automatic updates, backups, external volumes, etc. All the management ease and just general peace of mind that cloudron brings us.

        Would be a nice use case, though, I think.

        • james moved this topic from Discuss