
[FR] Support for other authentication methods from gotrue (supabase/auth), e.g. for GitLab login

Open almereyda opened this issue 1 year ago • 4 comments

main use cases of the proposed feature

As an AppFlowy Cloud self-hoster, I need to provide a self-hosted identity method, in order to run a FLOSS deployment that is completely independent from proprietary third parties.

As an AppFlowy Cloud user, I need to use the SSO provided by my self-hosting provider, in order to benefit from seamless login.

what types of users can benefit from using your proposed feature

  • Self-hosters
  • Users

Additional context

The AppFlowy app only allows logging in with Google, GitHub or Discord.

supabase/auth, forked here with its old name gotrue, provides several authentication methods, which are not all surfaced to the end users. Even when GitLab is configured, enabled and shown in the list of authentication methods, neither the app nor the web interface offers it for login:

diff --git a/docker-compose.yml b/docker-compose.yml
index 5ec8121..a6f2590 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -87,6 +87,12 @@ services:
       - GOTRUE_EXTERNAL_DISCORD_CLIENT_ID=${GOTRUE_EXTERNAL_DISCORD_CLIENT_ID}
       - GOTRUE_EXTERNAL_DISCORD_SECRET=${GOTRUE_EXTERNAL_DISCORD_SECRET}
       - GOTRUE_EXTERNAL_DISCORD_REDIRECT_URI=${GOTRUE_EXTERNAL_DISCORD_REDIRECT_URI}
+      # GitLab OAuth config
+      - GOTRUE_EXTERNAL_GITLAB_URL=${GOTRUE_EXTERNAL_GITLAB_URL}
+      - GOTRUE_EXTERNAL_GITLAB_ENABLED=${GOTRUE_EXTERNAL_GITHUB_ENABLED}
+      - GOTRUE_EXTERNAL_GITLAB_CLIENT_ID=${GOTRUE_EXTERNAL_GITHUB_CLIENT_ID}
+      - GOTRUE_EXTERNAL_GITLAB_SECRET=${GOTRUE_EXTERNAL_GITHUB_SECRET}
+      - GOTRUE_EXTERNAL_GITLAB_REDIRECT_URI=${GOTRUE_EXTERNAL_GITHUB_REDIRECT_URI}
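Review bot: The added `GOTRUE_EXTERNAL_GITLAB_ENABLED`, `GOTRUE_EXTERNAL_GITLAB_CLIENT_ID`, `GOTRUE_EXTERNAL_GITLAB_SECRET` and `GOTRUE_EXTERNAL_GITLAB_REDIRECT_URI` entries interpolate the `GOTRUE_EXTERNAL_GITHUB_*` variables, so only `GOTRUE_EXTERNAL_GITLAB_URL` takes a GitLab-specific value. As written, the GitLab provider is switched on whenever GitHub is and receives GitHub's client ID, secret and redirect URI. Point each right-hand side at the matching `${GOTRUE_EXTERNAL_GITLAB_...}` variable so the provider has its own credentials and can be toggled independently.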
72a73,78
> # GitLab OAuth2
> GOTRUE_EXTERNAL_GITLAB_URL=https://gitlab.example.com
> GOTRUE_EXTERNAL_GITLAB_ENABLED=true
> GOTRUE_EXTERNAL_GITLAB_CLIENT_ID=7db7195bea8c9efeeb2f4ac71471f8b4f0895013bead1b04409a6eb648ff8299
> GOTRUE_EXTERNAL_GITLAB_SECRET=gloas-80765a264c168b9e02e88cbc88f5fae477cd6ab9323bca4d6d07754135ac3c73
> GOTRUE_EXTERNAL_GITLAB_REDIRECT_URI=http://localhost/gotrue/callback
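Review bot: `GOTRUE_EXTERNAL_GITLAB_CLIENT_ID` and `GOTRUE_EXTERNAL_GITLAB_SECRET` carry full-length values in a publicly posted diff; if they were issued by a real GitLab instance, renew the OAuth application secret there and replace both lines with placeholders. `GOTRUE_EXTERNAL_GITLAB_REDIRECT_URI` uses plain `http://localhost`, which is acceptable for a local test but should become the `https://` callback registered in GitLab on a deployed host.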

http://localhost/gotrue/settings : (thanks to the hint in https://github.com/AppFlowy-IO/AppFlowy/issues/4610#issuecomment-2128323216)

{
  "external": {
    "apple": false,
    "azure": false,
    "bitbucket": false,
    "discord": false,
    "facebook": false,
    "figma": false,
    "fly": false,
    "github": true,
    "gitlab": true,
    "google": false,
    "keycloak": false,
    "kakao": false,
    "linkedin": false,
    "linkedin_oidc": false,
    "notion": false,
    "spotify": false,
    "slack": false,
    "workos": false,
    "twitch": false,
    "twitter": false,
    "email": true,
    "phone": false,
    "zoom": false
  },
  "disable_signup": false,
  "mailer_autoconfirm": true,
  "phone_autoconfirm": false,
  "sms_provider": "",
  "mfa_enabled": false,
  "saml_enabled": false
}

http://localhost/web/login :

image

The fork still contains all authentication methods available upstream. Compare this:

https://github.com/supabase/auth/blob/28967aa4b5db2363cc581c9da0d64e974eb7b64c/internal/api/settings.go#L5-L31

with

https://github.com/AppFlowy-IO/AppFlowy-Cloud/blob/main/libs/gotrue-entity/src/dto.rs#L134-L159

It appears some more plumbing is needed to also expose those in the admin interface and in the app.

The comment in:

  • https://github.com/AppFlowy-IO/AppFlowy/issues/4610#issuecomment-2137382389

also validates that these code paths are live on beta.appflowy.cloud, yet remain unused for now.

The capability to obtain OAuth tokens for GitLab may also be a sufficient precursor to:

  • https://github.com/AppFlowy-IO/AppFlowy/issues/5420

almereyda Jun 13 '24 21:06

Hello,

It would be great to be able to login from Azure AD.

henri9813 Sep 08 '24 21:09

I too would strongly prefer to have an alternate/traditional local email login method that does not require 3rd party, closed source systems.

vtgreybeard Sep 20 '24 15:09

Just another note to lend support: I can't use AppFlowy Cloud unless there's an option for local authentication (e.g. email/password).

rockerest Sep 25 '24 18:09

@almereyda

Even though it is not surfaced in the frontend, you are still able to log in to AppFlowy with GitLab. The workaround is to go to a browser and put in the address bar: http://your-host/gotrue/authorize?provider=gitlab. The frontend web admin icon simply redirects the user to that.

I have submitted a PR for login support in the admin web portal, see: https://github.com/AppFlowy-IO/AppFlowy-Cloud/pull/874

speed2exe Oct 14 '24 02:10
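An added example, not part of the thread or of AppFlowy's code: an audit of a `/gotrue/settings` response that lists the OAuth providers gotrue has enabled and marks those the login screens do not surface, since the comment above shows such providers stay reachable through `/gotrue/authorize?provider=...`. The set of surfaced providers is taken from the issue text, and the sample JSON is a constructed, trimmed copy of the response quoted earlier.

```python
import json
from urllib.parse import urlencode, urljoin

# Providers the AppFlowy login screens offer, per the issue text
# (an assumption taken from this thread, not read from AppFlowy's code).
SURFACED_IN_UI = {"google", "github", "discord"}
# Keys under "external" that are not OAuth providers.
NON_OAUTH = {"email", "phone"}

# Constructed sample: trimmed copy of the /gotrue/settings response above.
SAMPLE_SETTINGS = """
{
  "external": {"azure": false, "discord": false, "github": true,
               "gitlab": true, "google": false, "keycloak": false,
               "email": true, "phone": false},
  "disable_signup": false,
  "saml_enabled": false
}
"""


def audit_providers(settings_json, base_url, surfaced=SURFACED_IN_UI):
    """Return one record per enabled OAuth provider, sorted by name."""
    external = json.loads(settings_json).get("external", {})
    endpoint = urljoin(base_url.rstrip("/") + "/", "gotrue/authorize")
    report = []
    for name in sorted(external):
        # Only an explicit JSON true counts as enabled.
        if external[name] is not True or name in NON_OAUTH:
            continue
        report.append({
            "provider": name,
            "surfaced": name in surfaced,
            "authorize_url": endpoint + "?" + urlencode({"provider": name}),
        })
    return report


def hidden_but_reachable(report):
    """Providers enabled in gotrue that no login screen offers."""
    return [r["provider"] for r in report if not r["surfaced"]]


if __name__ == "__main__":
    for row in audit_providers(SAMPLE_SETTINGS, "http://localhost"):
        flag = "shown in UI" if row["surfaced"] else "NOT shown in UI"
        print(f'{row["provider"]:10} {flag:16} {row["authorize_url"]}')
```

A provider that appears as hidden here is still a live login path, so disabling it means setting its `GOTRUE_EXTERNAL_*_ENABLED` variable to false rather than relying on the frontend.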

@speed2exe I initially didn't recognise your contribution, please excuse my delay in coming back to this.

I've now confirmed that this works with our GitLab, using a confidential OAuth application that redirects to https://appflowy.example.org/gotrue/callback and the read_user scope.

These documents were useful to rediscover these settings after trying to reproduce my own instructions above:


To the others: please post separate issues for the additionally proposed extensions on how to use gotrue.

  1. supabase/auth does support local email authentication and an interested person could try to find out how to apply this configuration successfully to an instance connected to AppFlowy. https://github.com/supabase/auth/blob/master/README.md#top-level
  2. It seems useful to consider tracking Azure support upstream in https://github.com/supabase/auth/issues

Closing here for GitLab being available and reproduced with an up-to-date instance.

almereyda Oct 27 '24 14:10