Cloudron Forum

Use nginx to Add Authentication to Any Application

      oj wrote (#1):

      "If the web server could handle authenticating users, then each backend system wouldn’t need to worry about it, since the only requests that could make it through would already be authenticated!"

      "In this tutorial, I’ll show you how to use the nginx auth_request module to protect any application running behind your nginx server with OAuth 2.0, without writing any code! Vouch, a microservice written in Go, handles the OAuth dance to any number of different auth providers so you don’t have to."

      Does it make sense to develop Cloudron as an auth provider that could help Cloudron admins restrict usage of an external webapp (say, Jitsi) to Cloudron users only? (Nextcloud, Gitea already function as auth providers.)

      https://developer.okta.com/blog/2018/08/28/nginx-auth-request
      https://github.com/vouch/vouch-proxy

        nebulon (Staff) wrote (#2):

        While this is possible and we even already had an OAuth2 provider implemented once, we rolled back on this, because the existing implementation in apps varies a lot here and that required many upstream changes, which are hard to justify with upstream devs.
        Another, maybe more important, issue is that most apps are intended to run publicly on a server and have various mixes of public and private pages, protected by the app's own authentication. So putting a generic login in front of them often breaks usability. So to cover the "normal" use-cases we would need to provide both then.
        Then there is another point regarding desktop/mobile apps: mostly those work with other APIs of apps to log in and acquire an access token; any custom auth wall in front of them would break them as well without patching.

        Also discussed in other threads, there are use-cases where one wants to protect an app from general access. So far we can put the authProxy addon in front of that, but support for this is explicitly enabled in the app package. Alternatively, I think there are some ideas to only make some apps available via a VPN of sorts. This would be the most secure way without breaking experience or mobile apps.

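Added example (not part of either post, and not Cloudron's or Vouch's own configuration): a minimal nginx server block for the auth_request pattern quoted in #1, with the per-path exemptions that the concerns raised in #2 force for public pages and native-client APIs. Hostnames, ports, certificate paths and the /public/ and /api/ prefixes are placeholders; the /validate and /login endpoints follow Vouch Proxy's documented nginx setup, simplified here.

```nginx
# Added example; hostnames, ports, cert paths and path prefixes are placeholders.
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/app.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;

    # Default for every location: the request must pass the subrequest first.
    auth_request /validate;
    auth_request_set $auth_user $upstream_http_x_vouch_user;

    # Subrequest target: Vouch Proxy answers 200 (valid session) or 401.
    location = /validate {
        internal;
        proxy_pass http://127.0.0.1:9090/validate;
        proxy_set_header Host $http_host;
        proxy_pass_request_body off;      # Vouch only needs headers and cookies
        proxy_set_header Content-Length "";
    }

    # Unauthenticated browsers are sent to the login flow.
    error_page 401 = @error401;
    location @error401 {
        return 302 https://vouch.example.com/login?url=$scheme://$http_host$request_uri;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        # Overwrites any client-supplied value with the verified identity.
        proxy_set_header X-Vouch-User $auth_user;
    }

    # Pages the app intentionally serves to anonymous visitors.
    location /public/ {
        auth_request off;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Vouch-User "";   # strip spoofed identity header
    }

    # API used by desktop/mobile clients, which cannot follow the login redirect
    # and authenticate with the app's own access tokens instead.
    location /api/ {
        auth_request off;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Vouch-User "";
    }
}
```

Every exempted prefix is guarded only by the app's own authentication, so the exemption list is the part of this setup that needs review whenever the app changes its routes.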
          oj wrote (#3):

          @nebulon Thanks! You have very comprehensively explained why not, in an easy-to-understand way 👍. Relevant discussion here for those who will never visit the "App Packaging and Development" section of the forum!
