Supabase Auth: SSO, Mobile, and Server-Side Support

183 points, posted by bennyp101 about 2 years ago

17 comments

oakesm9, about 2 years ago
> Building apps for iOS requires support for native Sign in with Apple

This part isn't 100% true. It is only a requirement if you have some other form of social login (such as "Login with Facebook") and your app isn't specifically made for using data from that platform (such as a Facebook page management app) [0].

You don't need Sign in with Apple if you only use your own account system.

[0] https://developer.apple.com/app-store/review/guidelines/#sign-in-with-apple

andymitchell, about 2 years ago
I can't advocate Supabase enough. Their combo of openness and elegance in their platform leaves me (a developer/entrepreneur) feeling secure.

This is perhaps a future topic, but to me it extends out of SSO:

Paul (@kiwicopple), do you have an opinion on which enterprise-grade AuthZ provider works best with Supabase?

I suspect it's Cerbos or Casbin, but if you ever do it in house (and since you've nailed AuthN that makes great sense), my wishlist:

- It should be as simple as an API end point, .approve(auth.jwt(), Array<Role | Permission>). I.e. be available in Edge Functions, Postgres Functions, and anywhere else.

- Use a policy schema with the most industry support for easier acceptance/integration with the enterprise.

- Flesh out with enterprise-ready policy auditing tools, logging, etc. This is the real time saving for developers.

- I really recommend Tailscale's ideas for better RBAC in https://tailscale.com/blog/rbac-like-it-was-meant-to-be/

darksaints, about 2 years ago
I'm not currently using supabase but I am using postgrest in a current SSO project, and I ran into major roadblocks with the JWT support. It works fine for versions with symmetric encryption for signing the tokens, where you provide the key to postgrest via config and it uses the key to authenticate requests. However, our identity provider (Azure AD) uses asymmetric encryption for signing tokens, with a public endpoint to retrieve public keys, and postgrest's support for this is pretty bad. I've only been able to work around this issue by serializing the response to a string and providing it as a (really long) config value, and because keys can change over time, I have to restart Postgrest on a daily basis.

For more info, see this issue:

https://github.com/PostgREST/postgrest/issues/1130

Does supabase work around this limitation somehow? How do you get SSO to work for auth providers like Auth0 and AAD that only provide public keys via an endpoint?

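Added example, not part of the thread and not PostgREST or Supabase code: the key-rotation problem described in the comment above is commonly handled by caching the provider's JWKS document and refetching when a token names a `kid` the cache does not hold. `JwksCache`, the `fetch_jwks` hook, the key ids and the 300-second refresh limit are assumptions, and the JWKS entries are constructed placeholders without key material.

```python
import time

class JwksCache:
    """Cache a JWKS document; refetch when a token names an unknown kid."""

    def __init__(self, fetch_jwks, min_refresh_seconds=300, clock=time.monotonic):
        self._fetch = fetch_jwks            # hypothetical hook: returns {"keys": [...]}
        self._min_refresh = min_refresh_seconds
        self._clock = clock
        self._keys = {}
        self._last_fetch = None

    def _refresh(self):
        doc = self._fetch()
        # Index signing keys by kid; entries without a kid cannot be selected.
        self._keys = {k["kid"]: k for k in doc.get("keys", [])
                      if "kid" in k and k.get("use", "sig") == "sig"}
        self._last_fetch = self._clock()

    def key_for(self, kid):
        if self._last_fetch is None:
            self._refresh()
        if kid not in self._keys and \
                self._clock() - self._last_fetch >= self._min_refresh:
            # Unknown kid: the IdP may have rotated. The interval check stops
            # tokens with made-up kids from forcing a fetch on every request.
            self._refresh()
        return self._keys.get(kid)          # None: reject the token

def demo_rotation():
    """Constructed scenario: the IdP swaps key-a for key-b while we run."""
    published = [{"kty": "RSA", "kid": "key-a", "use": "sig"}]  # no key material
    now, fetches = [0.0], []

    def fetch():
        fetches.append(now[0])
        return {"keys": list(published)}

    cache = JwksCache(fetch, clock=lambda: now[0])
    out = {"before": cache.key_for("key-a") is not None}
    published[:] = [{"kty": "RSA", "kid": "key-b", "use": "sig"}]  # rotation
    now[0] = 600.0
    out["after_rotation"] = cache.key_for("key-b") is not None
    now[0] = 601.0
    out["bogus_kid"] = cache.key_for("made-up") is None
    out["retired_key"] = cache.key_for("key-a") is None
    out["fetch_count"] = len(fetches)
    return out

if __name__ == "__main__":
    print(demo_rotation())
```

The returned key would then be handed to a JWT library for signature verification, which this sketch leaves out.
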
xcskier56, about 2 years ago
Been doing a lot of Auth related stuff the last day or two so in classic HN style this is very timely for me!

One of the things that I really dislike about most auth providers is that it is very hard to implement login in your native UI. It almost always requires a redirect to a hosted UI page that is very clearly not your UI. We've found this a poor and potentially confusing user experience when you just need a form with username + password.

Question for Supabase: Is it possible to just have a form with username + password and POSTing the login details?

kiwicopple, about 2 years ago
hey hn, supabase ceo here

this one is really 3 launches for auth:

- SAML 2.0, so developers can add SSO to their own apps

- PKCE: support for Mobile and server-side auth

- Native Apple login on iOS

We've been dogfooding SSO already and it is stable.

PKCE is going to be rolled out incrementally across the platform - we've tried to engineer it so that there are no breaking changes for your applications, but will exercise caution with the deployment.

A lot of companies were blocked by the lack of iOS support - we had a lot of feedback on this one and so we appreciate the patience while we developed it. Native Android support will follow soon.

Some of the Auth team will be in to answer questions on the technical side. This is the second-to-last day of Launch Week - I promise that you'll be rid of us after a few more releases tomorrow.

no_wizard, about 2 years ago
I think this question deserves a separate thread:

Is it possible to see some working examples with some of the big SSO providers, e.g. integrating with Okta, Duo and AD installations in particular (like Azure AD and standard ActiveDirectory) in the documentation?

This would go a long way for smaller app developers to get SSO into their apps, even if the examples aren't exhaustive it's a starting point. I have found (having done SSO integrations before) that it can be *really* opaque sometimes reading their API documentation to add support for such platforms.

I mention AD specifically because it's a huge hurdle for the education markets still, for example

paradaux, about 2 years ago
What I'd love to see with this is a way to use supabase auth itself as an IdP/SAML provider. Have your tools (back-office tools and what not) written in native supabase, or have multiple supabase projects with the one shared auth system. Could be better UX for Sysadmins than OpenLDAP and so forth.

I'm currently building something similar to just do that on top of supabase for work. Happy to see the developments with Supabase Auth anyway.

zinclozenge, about 2 years ago
So if anybody else got excited about multi-tenant SSO but was wondering how to implement it, the docs page is here https://supabase.com/docs/guides/auth/sso/auth-sso-saml.

I'm super excited because as a newcomer to needing to implement that feature, other SaaSes like auth0 were complicated and overwhelmed me.

Since we have Supabase employees here, one thing that isn't clear to me is if OIDC based SSO is supported, or will be?

lelo_tp, about 2 years ago
Really timely! I was about to start building the Apple sign-in flow for my RN app (already built the Google Sign-in). Supabase makes auth incredibly easy, thank you for that.

If you mind me giving some feedback: it took me a while to figure out how to properly build the auth flow with Expo/RN. In the end, I went with Expo AuthSession. IMO, you're missing an easy win with a template/getting-started guide for RN. The only one that exists uses email/password, and the OAuth flow is more convoluted than that :)

mkl95, about 2 years ago
Supabase are killing it. I wish they had a Terraform provider.
infocollector, about 2 years ago
This project is very impressive! I do hope Supabase decides to support https://github.com/supabase-community/supabase-py , and not just leave it to the community. I would definitely consider becoming a paid customer, assuming Python was supported well/natively. If I am incorrect about Python support, please do let me know.

niklasd, about 2 years ago
Great news! Question to the Supabase team: How does Login with Azure (Social login) and SSO (Azure) differ? From my superficial understanding, implementing Login with Azure is enough for logging-in users with Azure AD accounts (and linking their accounts to existing ones).
jordanmorgan10, about 2 years ago
I want, want, want to use Supabase - I yearn for a first party SDK for iOS.
bennyp101, about 2 years ago
I've been waiting for this! Super excited to try it out!
raphaelcosta, about 2 years ago
It works with Supabase self-hosted?
mooreds, about 2 years ago
Disclosure, I work for FusionAuth, which can both integrate with and compete with Supabase.

Welcome, Supabase, to the world of SAML/SSO. It's a hairy one, but single sign-on is undifferentiated and really great for customers, so I'm glad you joined.

A few thoughts:

* Consider adding identity linking to your roadmap. I noticed[0] that you don't support it, and will create duplicate accounts if someone uses SSO with the same email address that an existing account has. As a model, FusionAuth offers seven linking strategies[1]. This flexibility lets you handle more use cases.

* I'd encourage you (and your customers) to test across as many SPs as you can. SAML is an 800+ page specification and even though we've been offering SAML for over 10 years and have open sourced our bindings[2], we still have edge cases that pop up.

* I'd love to add FusionAuth as a SAML SSO provider to your docs, so will put that on our team's doc roadmap and submit a PR. :)

* Not related to SAML, but I'm glad that you are supporting PKCE. I hope you deprecate the implicit grant; the XSS threat is very real and the OAuth 2.1 spec (still in progress) basically deprecates that grant[3] through omission. Also, we agree that setting cookies (HTTPOnly and secure, please) is a great way to store tokens[4] and that is worth requiring a server side component in applications.

Finally, I understand why this is part of a paid offering; SAML is often used to segment out enterprise customers with $$$. You like to make money, as do we all. But I'd encourage you to think about a free tier because it is so helpful to the user experience. Maybe 1 SAML connection could be part of the base offering?

0: https://supabase.com/docs/guides/platform/sso

1: https://fusionauth.io/docs/v1/tech/identity-providers/#linking-strategies

2: https://github.com/FusionAuth/fusionauth-samlv2/commits/master?after=337e5cc5ad09676009a8f23c1e9788f558b48693+104&branch=master&qualified_name=refs%2Fheads%2Fmaster

3: https://oauth.net/2.1/

4: https://fusionauth.io/learn/expert-advice/oauth/oauth-token-storage

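Added example, not part of the thread and not Supabase or FusionAuth code: PKCE, named in the launch summary and in the comment above, binds an authorization code to a secret that only the client which started the flow holds. The sketch below implements the S256 method from RFC 7636 with a toy in-memory server; `ToyAuthServer`, its method names and the token string are assumptions.

```python
import base64, hashlib, hmac, secrets

def b64url(data):
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier():
    # 32 random bytes give a 43-character verifier (allowed range: 43..128)
    return b64url(secrets.token_bytes(32))

def s256_challenge(verifier):
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class ToyAuthServer:
    """In-memory stand-in for the authorization and token endpoints."""

    def __init__(self):
        self._pending = {}                   # code -> challenge from the auth request

    def authorize(self, code_challenge, method="S256"):
        if method != "S256":
            raise ValueError("plain challenges are not accepted")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code, code_verifier):
        challenge = self._pending.pop(code, None)    # codes are single use
        if challenge is None:
            return None
        ok = hmac.compare_digest(s256_challenge(code_verifier), challenge)
        return "access-token-placeholder" if ok else None

def demo_flow():
    server = ToyAuthServer()
    verifier = new_code_verifier()                   # never leaves the client
    code = server.authorize(s256_challenge(verifier))
    other_code = server.authorize(s256_challenge(new_code_verifier()))
    return {
        # a party holding only the code has no matching verifier
        "code_without_verifier": server.token(other_code, new_code_verifier()),
        "legitimate_client": server.token(code, verifier),
        "replayed_code": server.token(code, verifier),
    }

if __name__ == "__main__":
    print(demo_flow())
```
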
asdev, about 2 years ago
who actually uses supabase at scale in production?