Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum
Apps | Demo | Docs | Install

Use nginx to Add Authentication to Any Application

Scheduled Pinned Locked Moved Discuss
3 Posts 2 Posters 410 Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • O Offline
    O Offline
    oj
    wrote on last edited by
    #1

    "If the web server could handle authenticating users, then each backend system wouldn’t need to worry about it, since the only requests that could make it through would already be authenticated!"

    "In this tutorial, I’ll show you how to use the nginx auth_request module to protect any application running behind your nginx server with OAuth 2.0, without writing any code! Vouch, a microservice written in Go, handles the OAuth dance to any number of different auth providers so you don’t have to."

    Does it make sense to develop Cloudron as an auth provider that could help Cloudron admin's restrict usage of an external webapp (say, Jitsi) to Cloudron users only? (Nextcloud, Gitea already function as auth providers.)

    https://developer.okta.com/blog/2018/08/28/nginx-auth-request
    https://github.com/vouch/vouch-proxy

    1 Reply Last reply
    0
  • nebulonN Offline
    nebulonN Offline
    nebulon Staff
    wrote on last edited by
    #2

    While this is possible and we even already had an OAuth2 provider implemented once, we rolled back on this, because existing implementation in apps varies a lot here and that required much upstream changes, which are hard to justify with upstream devs.
    Another maybe more important issue is, that most apps are intended to run publicly on a server and have various mixes of public and private pages, protected by the app's own authentication. So putting a generic login in front of them often breaks usability. So to cover the "normal" use-cases we would need to provide both then.
    Then there is another point regarding desktop/mobile apps, mostly those work with other APIs of apps to login and acquire an access token any custom auth wall in front of them would break them as well without patching.

    Also discussed in other threads, there are use-cases where one wants to protect an app from general access. So far we can put the authProxy addon in front of that, but support for this is explicitly enabled in the app package. Alternately I think there are some ideas to only make some apps available via a VPN of sorts. This would be the most secure way without breaking experience or mobile apps.

    O 1 Reply Last reply
    5
  • O Offline
    O Offline
    oj
    replied to nebulon on last edited by oj
    #3

    @nebulon Thanks! You have very comprehensive explained why not in an easy to understand way👍 . Relevant discussion here for those who will never visit the "App Packaging and Development" section of the forum!

    1 Reply Last reply
    2

  • Login
  • Don't have an account? Register
  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks