Launch HN: ShareWith (YC W21) – Easily share internal websites securely
112 points| jakemoshenko | 5 years ago | reply
We’ve been building developer services and tools for over 15 years, and throughout that time we’ve repeatedly run into the problem where whatever authorization solution we pick for a new service at first, turns into a major limitation later down the road. Relational database backed libraries like the ones found in popular web frameworks have proven inflexible and a scaling bottleneck, and distributed policy engines such as Open Policy Agent [1] turn the evaluation scalability problem into one of distribution and consistency. In the past, we’ve even had to shelve product features because the effort required to safely alter the policy and migrate the data was higher than the value of the feature!
To solve these problems we’re building a multi-tenant SaaS platform based on Google’s Zanzibar paper [2], which allows for flexible tenant-defined policy, at planet scale. This new platform offers the consistent experience of a centralized auth solution, with the scalable nature of a distributed system. By taking on the operational overhead of running the platform ourselves and providing users with client libraries that reduce complexity, we're shouldering the burden to enable authorization decisions that are fast, accurate, and accessible across applications.
Today we’re launching our first product integrated with that platform: ShareWith (https://sharewith.io). ShareWith brings Google-docs style sharing to anything that you can run behind a reverse proxy or authenticate with OpenID Connect (OIDC) [3]. We think ShareWith is a great alternative to VPNs, which are hard to set up and configure, hard to federate access to, and don’t allow for fine-grained permissions or sharing with people outside of your organization.
We’ve already found a few interesting uses of the service: We secure traffic to our own internal dashboards by running them behind OAuth2 Proxy [4] instances configured with ShareWith. Other companies are using it to avoid building the boilerplate for adding sharing and permissions into their products entirely!
Because organizations in ShareWith are billed per unique participants that have had resources shared with them, the pricing model shouldn't inhibit protecting new things. Adding another service or adding an existing user to a new service doesn’t impose any additional cost.
ShareWith website protection is implemented using an extended OIDC provider. Normally, an OIDC provider is responsible only for returning an identity. Our provider will also match up a given access request with a pre-designated authorization requirement, and then check that the requestor has had that access shared with them. If not, we will pause the authentication flow and give them an option to request access, which notifies the owner: a familiar pattern to anyone who has ever had to request access to a document.
Underneath the hood, we are making dozens of requests to our platform, from writing and updating policy, to the individual access control checks. To answer an authorization check request, we first build a graph containing edges and nodes from both the policy and the individual relationships between users, groups, and resources. We then take that graph and attempt to find a path from the resource to the user. Once a path is found, or no such path can be found, the service informs the caller of the decision. Thanks to the distributed nature of the service, these answers are quickly computed by building and evaluating subgraphs in parallel, and each piece of data is replicated to ensure reliability.
Try out what we’ve built so far by following our guide (https://sharewith.io/first/) to protect an example service. If you want updates from the team, be sure to sign up for our mailing list (https://sharewith.io/newsletter) or follow us at https://twitter.com/petricorpio. If you're interested in integrating with our underlying authorization platform, you can reach out to us directly at [email protected].
We've learned a lot building ShareWith, but now we want to hear what you think about what we’ve built so far, and the direction in which we’re heading! We’ll be hanging around in the comments today if you have any questions or feedback.
[1] https://www.openpolicyagent.org/
[2] https://research.google/pubs/pub48190/
[+] [-] TheFinalDraw|5 years ago|reply
[+] [-] jzelinskie|5 years ago|reply
At it's core, ShareWith is more about being able to take anything that supports OIDC and adding the ability to dynamically request access in the login flow. OAuth2Proxy, which is a popular way to protect generic HTTP resources, is one convenient way to demonstrate that functionality, but you could leverage that same functionality in a completely different way native to your application if you don't want to have to build that same workflow for your app.
For the borderless network use case, an access request workflow really changes how you use protected resources because getting access to something becomes simple and routine. In a VPN setup, you're unlikely to share with users outside of your organization because of the overhead from provisioning and setup. Consider how you can easily share a Google doc with an outside contractor, but it's not worth the effort to give them access to a JIRA ticket.
[+] [-] mahesh_rm|5 years ago|reply
[+] [-] Zaheer|5 years ago|reply
[+] [-] jschorr|5 years ago|reply
Edit: We provide copyable instructions in-app for running OAuth Proxy via Docker, so that should reduce the initial setup time down a bit
[+] [-] gtank|5 years ago|reply
What are your plans for surfacing the policy relations to developers?
[+] [-] jakemoshenko|5 years ago|reply
For the former, I can see that it might be important and informative to show how the various roles and their relationships relate to access, and we should write a blog post soon explaining how we interact with the platform to create ShareWith!
For the latter, we plan to open up the platform to developers as quickly as we can, so stay tuned!
[+] [-] unknown|5 years ago|reply
[deleted]
[+] [-] azlyth|5 years ago|reply
Any plans on making something like a Helm chart to deploy to Kubernetes easily?
[+] [-] jschorr|5 years ago|reply
[+] [-] evancordell|5 years ago|reply
How is revocation handled? Will a proxy using sharewith as an oidc provider hit the authz graph on every request?
[+] [-] jzelinskie|5 years ago|reply
[+] [-] js4ever|5 years ago|reply
[+] [-] jzelinskie|5 years ago|reply
For new projects, it might seem like picking up built-in auth system is easier until you realize you have to build a model of hierarchies of organizations, groups, etc... In my experience, some of these libraries cannot even express that model despite it being the most commonly required for web apps. ShareWith implements that model for you and even handles some of the trickier corner-cases like arbitrarily nesting groups.
[+] [-] ldelossa|5 years ago|reply
[+] [-] samkim|5 years ago|reply
[+] [-] jakemoshenko|5 years ago|reply
Because we layer in access at the authentication provider layer, we don't really have any impact on the downstream application. It's possible we could do some smart things with oauth scopes in the future!
[+] [-] dataminded|5 years ago|reply
[+] [-] jakemoshenko|5 years ago|reply
[+] [-] 1-KB-OK|5 years ago|reply