Use nginx to Add Authentication to Any Application
-
"If the web server could handle authenticating users, then each backend system wouldn’t need to worry about it, since the only requests that could make it through would already be authenticated!"
"In this tutorial, I’ll show you how to use the nginx auth_request module to protect any application running behind your nginx server with OAuth 2.0, without writing any code! Vouch, a microservice written in Go, handles the OAuth dance to any number of different auth providers so you don’t have to."
Does it make sense to develop Cloudron as an auth provider that could help Cloudron admin's restrict usage of an external webapp (say, Jitsi) to Cloudron users only? (Nextcloud, Gitea already function as auth providers.)
https://developer.okta.com/blog/2018/08/28/nginx-auth-request
https://github.com/vouch/vouch-proxy -
While this is possible and we even already had an OAuth2 provider implemented once, we rolled back on this, because existing implementation in apps varies a lot here and that required much upstream changes, which are hard to justify with upstream devs.
Another maybe more important issue is, that most apps are intended to run publicly on a server and have various mixes of public and private pages, protected by the app's own authentication. So putting a generic login in front of them often breaks usability. So to cover the "normal" use-cases we would need to provide both then.
Then there is another point regarding desktop/mobile apps, mostly those work with other APIs of apps to login and acquire an access token any custom auth wall in front of them would break them as well without patching.Also discussed in other threads, there are use-cases where one wants to protect an app from general access. So far we can put the authProxy addon in front of that, but support for this is explicitly enabled in the app package. Alternately I think there are some ideas to only make some apps available via a VPN of sorts. This would be the most secure way without breaking experience or mobile apps.
-
While this is possible and we even already had an OAuth2 provider implemented once, we rolled back on this, because existing implementation in apps varies a lot here and that required much upstream changes, which are hard to justify with upstream devs.
Another maybe more important issue is, that most apps are intended to run publicly on a server and have various mixes of public and private pages, protected by the app's own authentication. So putting a generic login in front of them often breaks usability. So to cover the "normal" use-cases we would need to provide both then.
Then there is another point regarding desktop/mobile apps, mostly those work with other APIs of apps to login and acquire an access token any custom auth wall in front of them would break them as well without patching.Also discussed in other threads, there are use-cases where one wants to protect an app from general access. So far we can put the authProxy addon in front of that, but support for this is explicitly enabled in the app package. Alternately I think there are some ideas to only make some apps available via a VPN of sorts. This would be the most secure way without breaking experience or mobile apps.
. Relevant discussion