> Building apps for iOS requires support for native Sign in with Apple
This part isn't 100% true. It is only a requirement if you have some other form of social login (such as "Login with Facebook") and your app isn't specifically made for using data from that platform (such as a Facebook page managemenet app) [0].
You don't need Sign in with Apple if you only use your own account system.
I can't advocate Supabase enough. Their combo of openness and elegance in their platform leaves me (a developer/entrepreneur) feeling secure.
This is perhaps a future topic, but to me it extends out of SSO:
Paul (@kiwicopple), do you have an opinion on which enterprise-grade AuthZ provider works best with Supabase?
I suspect it's Cerbos or Casbin, but if you ever do it in house (and since you've nailed AuthN that makes great sense), my wishlist:
- It should be as simple as an API end point, .approve(auth.jwt(), Array<Role | Permission>). I.e. be available in Edge Functions, Postgres Functions, and anywhere else.
- Use a policy schema with the most industry support for easier acceptance/integration with the enterprise.
- Flesh out with enterprise-ready policy auditing tools, logging, etc. This is the real time saving for developers.
> do you have an opinion on which enterprise-grade AuthZ provider works best with Supabase?
Since you asked for my personal opinion, then I would say Postgres Row Level Security for AuthZ. RLS is as powerful as it is flexible. It's fully-integrated with the rest of the Supabase stack, and it's portable if you don't like supabase - just pg_dump and take it to your favourite Postgres provider.
That said, I understand why it's useful to have something more structured like RBAC. We have experimented with a ideas here (specifically ABAC), using a custom libraries/extensions/custom claims[0]. We do something similar internally, but aren't 100% happy with the developer experience and don't plan to release it any time soon.
I'm sure the Auth team won't enjoy me saying this, but I like the idea of Zanzibar. I've seen some experimental Postgres extensions[1] that combine Oso[2] + RLS which I'd love to try when I get time.
I’m not currently using supabase but I am using postgrest in a current SSO project, and I ran into major roadblocks with the JWT support. It works fine for versions with symmetric encryption for signing the tokens, where you provide the key to postgrest via config and it uses the key to authenticate requests. However, our identity provider (Azure AD) uses asymmetric encryption for signing tokens, with a public endpoint to retrieve public keys, and postgrest’s support for this is pretty bad. I’ve only been able to work around this issue by serializing the response to a string and providing it as a (really long) config value, and because keys can change over time, I have to restart Postgrest on a daily basis.
Does supabase work around this limitation somehow? How do you get SSO to work for auth providers like Auth0 and AAD that only provide public keys via an endpoint?
Supabase Auth engineer here. PostgREST only has "static" asymmetric JWT support. It can't load from `/.well-known/openid-configuration` endpoints. We are tracking this internally to add better UI and support for third-party OIDC.
Most of the OIDC identity providers don't rotate the keys very often, so you can follow the `/.well-known/openid-configuration` endpoint to get the JWKS JSON, and set that as the JWT Secret in the project's dashboard. (It's a bit hacky I know, we're going to be improving the UI on this.)
I know this has been used with Firebase Auth, which is also OIDC compatible with asymmetric JWTs.
EDIT:
> How do you get SSO to work for auth providers like Auth0 and AAD that only provide public keys via an endpoint?
Actually what you're describing is technically not "SSO" but using another Auth system with the rest of the Supabase stack. OIDC support for SSO -- where you use Supabase Auth with Azure AD for example -- is on the roadmap, but only SAML is supported with this announcement today.
Been doing a lot of Auth related stuff the last day or two so in classic HN style this is very timely for me!
One of the things that I really dislike about most auth providers is that it is very hard to implement login in your native UI. It almost always requires a redirect to a hosted UI page that is very clearly not your UI. We've found this a poor and potentially confusing user experience when you just need a form with username + password.
Question for Supabase: Is it possible to just have a form with username + password and POSTing the login details?
> Question for Supabase: Is it possible to just have a form with username + password and POSTing the login details?
Yes this is how basic email+password sign-in works. No redirects are necessary. For the rest of the flows, some form of redirect is mandatory because that's how the authentication protocols work and we've found it convenient to implement other logins like magic links, email confirmations, etc.
- SAML 2.0, for developers can add SSO to their own apps
- PKCE: support for Mobile and server-side auth
- Native Apple login on iOS
We’ve been dogfooding SSO already and it stable.
PKCE is going to be rolled out incrementally across the platform - we’ve tried to engineer it so that there are no breaking changes for your applications, but will exercise caution with the deployment.
A lot of companies were blocked by the lack of iOS support - we had a lot of feedback on this one and so we appreciate the patience while we developed it. Native Android support will follow soon.
Some of the Auth team will be in to answer questions on the technical side. This is the second-to-last day of Launch Week - I promise that you’ll be rid of us after a few more releases tomorrow.
Can’t tell from (admittedly skimming) the announcement: is SSO charged extra? It says availability on Pro plan but pricing page hasn’t changed it only says social auth
* It's not establishment of a "session", but a token set which you're issuing.
* The authorization server will return those tokens after validating the code_verifier.
Also, be careful about PKCE on mobile platforms. Unless you're specifically mapping or restricting redirect_uris to an Android intent, on that platform, you're subject to replay attacks due to some cookie sharing in Chrome.
Is it possible to see some working examples with some of the big SSO providers, e.g. integrating with Okta, Duo and AD installations in particular (like Azure AD and standard ActiveDirectory) in the documentation?
This would go a long way for smaller app developers to get SSO into their apps, even if the examples aren't exhaustive its a starting point. I have found (having done SSO integrations before) that it can be really opaque sometimes reading their API documentation to add support to for such platforms.
I mention AD specifically because its a huge hurdle for the education markets still, for example
> I have found (having done SSO integrations before) that it can be really opaque sometimes reading their API documentation to add support to for such platforms.
Our auth team agrees. We have some docs which you can use as a starter for Azure[0], Google[1], and Okta[2]. These are for our own platform, we'll repurpose them into guides for you to use.
We also have full SAML docs[3], and an example in a PR[4]. You can see the example in action inside the video on the blog post
What I'd love to see with this is a way to use supabase auth itself as an idP/SAMP provider. Have your tools (back-office tools and what not) written in native supabase, or have multiple supabase projects with the one shared auth system. Could be better UX for Sysadmins than OpenLDAP and so forth.
I'm currently building something similar to just do that on top of supabase for work. Happy to see the developments with Supabase Auth anyway.
Hi, Supabase Auth Engineer here. Interesting, just wondering if there's a reason behind choosing to roll your own iDP instead of using one of the big ones out there (Okta, Azure, GSuite) ?
Supabase Auth Engineer here. We initially started off with the SAML 2.0 protocol since it's the one of the oldest protocols and also one that's used by most enterprises. We're definitely looking to add OIDC based SSO support soon so stay tuned!
Really timely! I was about to start building the Apple sign-in flow for my RN app (already built the Google Sign-in). Supabase makes auth incredibly easy, thank you for that.
If you mind me giving some feedback: it took me a while to figure out how to properly build the auth flow with Expo/RN. In the end, I went with Expo AuthSession. IMO, you're missing an easy win with a template/getting-started guide for RN. The only one that exists uses email/password, and the OAuth flow is more convoluted than that :)
This project is very impressive! I do hope Supabase decides to support https://github.com/supabase-community/supabase-py , and not just leave it to the community. I would definitely consider becoming a paid customer, assuming Python was supported well/natively. If I am incorrect about Python support, please do let me know.
Supabase Auth Engineer here, also happen to be one of the Python library maintainers. We're looking into a more general approach for "server-side" languages such as Python, Ruby, etc but at the moment the python library is still community supported.
Do you mind sharing more about what you're building and the features of Supabase which would be most important to you?
Great news! Question to the Supabase team: How does Login with Azure (Social login) and SSO (Azure) differ? From my superficial understanding, implementing Login with Azure is enough for logging-in users with Azure AD accounts (and linking their accounts to existing ones).
any particular feature that you were waiting for in this release? I want to highlight from my comment[0] that PKCE will be rolling out progressively (starting next week). You can reach out to the support team if you want it enabled immediately on any of your projects
Disclosure, I work for FusionAuth, which can both integrate with and compete with Supabase.
Welcome, Supabase, to the world of SAML/SSO. It's a hairy one, but single sign-on is undifferentiated and really great for customers, so I'm glad you joined.
A few thoughts:
* Consider adding identity linking to your roadmap. I noticed[0] that you don't support it, and will create duplicate accounts if someone uses SSO with the same email address that an existing account has. As a model, FusionAuth offers seven linking strategies[1]. This flexibility lets you handle more use cases.
* I'd encourage you (and your customers) to test across as many SPs as you can. SAML is an 800+ page specification and even though we've been offering SAML for over 10 years and have open sourced our bindings[2], we still have edge cases that pop up.
* I'd love to add FusionAuth as a SAML SSO provider to your docs, so will put that on our team's doc roadmap and submit a PR. :)
* Not related to SAML, but I'm glad that you are supporting PKCE. I hope you deprecate the implicit grant; the XSS threat is very real and the OAuth 2.1 spec (still in progress) basically deprecates that grant[3] through omission. Also, we agree that setting cookies (HTTPOnly and secure, please) is a great way to store tokens[4] and that is worth requiring a server side component in applications.
Finally, I understand why this is part of a paid offering; SAML is often used to segment out enterprise customers with $$$. You like to make money, as do we all. But I'd encourage you to think about a free tier because it is so helpful to the user experience. Maybe 1 SAML connection could be part of the base offering?
[+] [-] oakesm9|2 years ago|reply
This part isn't 100% true. It is only a requirement if you have some other form of social login (such as "Login with Facebook") and your app isn't specifically made for using data from that platform (such as a Facebook page managemenet app) [0].
You don't need Sign in with Apple if you only use your own account system.
[0]https://developer.apple.com/app-store/review/guidelines/#sig...
[+] [-] kangmingtay|2 years ago|reply
[+] [-] andymitchell|2 years ago|reply
This is perhaps a future topic, but to me it extends out of SSO:
Paul (@kiwicopple), do you have an opinion on which enterprise-grade AuthZ provider works best with Supabase?
I suspect it's Cerbos or Casbin, but if you ever do it in house (and since you've nailed AuthN that makes great sense), my wishlist:
- It should be as simple as an API end point, .approve(auth.jwt(), Array<Role | Permission>). I.e. be available in Edge Functions, Postgres Functions, and anywhere else.
- Use a policy schema with the most industry support for easier acceptance/integration with the enterprise.
- Flesh out with enterprise-ready policy auditing tools, logging, etc. This is the real time saving for developers.
- I really recommend Tailscale's ideas for better RBAC in https://tailscale.com/blog/rbac-like-it-was-meant-to-be/
[+] [-] kiwicopple|2 years ago|reply
Since you asked for my personal opinion, then I would say Postgres Row Level Security for AuthZ. RLS is as powerful as it is flexible. It's fully-integrated with the rest of the Supabase stack, and it's portable if you don't like supabase - just pg_dump and take it to your favourite Postgres provider.
That said, I understand why it's useful to have something more structured like RBAC. We have experimented with a ideas here (specifically ABAC), using a custom libraries/extensions/custom claims[0]. We do something similar internally, but aren't 100% happy with the developer experience and don't plan to release it any time soon.
I'm sure the Auth team won't enjoy me saying this, but I like the idea of Zanzibar. I've seen some experimental Postgres extensions[1] that combine Oso[2] + RLS which I'd love to try when I get time.
[0] custom claims: https://dev.to/supabase/supabase-custom-claims-34l2
[2] Oso + RLS: https://github.com/MFAshby/rls_oso
[1] Oso: https://www.osohq.com/
[+] [-] mooreds|2 years ago|reply
* Permit.io: https://www.permit.io/
* Oso: https://www.osohq.com/
And Otterize has an interesting model if you are in the k8s ecosystem: https://otterize.com/
I don't have first hand experience with any of these folks, though I have chatted with some of them.
[+] [-] darksaints|2 years ago|reply
For more info, see this issue:
https://github.com/PostgREST/postgrest/issues/1130
Does supabase work around this limitation somehow? How do you get SSO to work for auth providers like Auth0 and AAD that only provide public keys via an endpoint?
[+] [-] BuySomeDip|2 years ago|reply
Most of the OIDC identity providers don't rotate the keys very often, so you can follow the `/.well-known/openid-configuration` endpoint to get the JWKS JSON, and set that as the JWT Secret in the project's dashboard. (It's a bit hacky I know, we're going to be improving the UI on this.)
I know this has been used with Firebase Auth, which is also OIDC compatible with asymmetric JWTs.
EDIT:
> How do you get SSO to work for auth providers like Auth0 and AAD that only provide public keys via an endpoint?
Actually what you're describing is technically not "SSO" but using another Auth system with the rest of the Supabase stack. OIDC support for SSO -- where you use Supabase Auth with Azure AD for example -- is on the roadmap, but only SAML is supported with this announcement today.
[+] [-] xcskier56|2 years ago|reply
One of the things that I really dislike about most auth providers is that it is very hard to implement login in your native UI. It almost always requires a redirect to a hosted UI page that is very clearly not your UI. We've found this a poor and potentially confusing user experience when you just need a form with username + password.
Question for Supabase: Is it possible to just have a form with username + password and POSTing the login details?
[+] [-] BuySomeDip|2 years ago|reply
> Question for Supabase: Is it possible to just have a form with username + password and POSTing the login details?
Yes this is how basic email+password sign-in works. No redirects are necessary. For the rest of the flows, some form of redirect is mandatory because that's how the authentication protocols work and we've found it convenient to implement other logins like magic links, email confirmations, etc.
[+] [-] kangmingtay|2 years ago|reply
[+] [-] niklasd|2 years ago|reply
[+] [-] kiwicopple|2 years ago|reply
this one is really 3 launches for auth:
- SAML 2.0, for developers can add SSO to their own apps
- PKCE: support for Mobile and server-side auth
- Native Apple login on iOS
We’ve been dogfooding SSO already and it stable.
PKCE is going to be rolled out incrementally across the platform - we’ve tried to engineer it so that there are no breaking changes for your applications, but will exercise caution with the deployment.
A lot of companies were blocked by the lack of iOS support - we had a lot of feedback on this one and so we appreciate the patience while we developed it. Native Android support will follow soon.
Some of the Auth team will be in to answer questions on the technical side. This is the second-to-last day of Launch Week - I promise that you’ll be rid of us after a few more releases tomorrow.
[+] [-] no_wizard|2 years ago|reply
[+] [-] krooj|2 years ago|reply
* It's not establishment of a "session", but a token set which you're issuing. * The authorization server will return those tokens after validating the code_verifier.
Also, be careful about PKCE on mobile platforms. Unless you're specifically mapping or restricting redirect_uris to an Android intent, on that platform, you're subject to replay attacks due to some cookie sharing in Chrome.
[+] [-] no_wizard|2 years ago|reply
Is it possible to see some working examples with some of the big SSO providers, e.g. integrating with Okta, Duo and AD installations in particular (like Azure AD and standard ActiveDirectory) in the documentation?
This would go a long way for smaller app developers to get SSO into their apps, even if the examples aren't exhaustive its a starting point. I have found (having done SSO integrations before) that it can be really opaque sometimes reading their API documentation to add support to for such platforms.
I mention AD specifically because its a huge hurdle for the education markets still, for example
[+] [-] kiwicopple|2 years ago|reply
Our auth team agrees. We have some docs which you can use as a starter for Azure[0], Google[1], and Okta[2]. These are for our own platform, we'll repurpose them into guides for you to use.
We also have full SAML docs[3], and an example in a PR[4]. You can see the example in action inside the video on the blog post
[0] Azure: https://supabase.com/docs/guides/platform/sso/azure
[1] Google: https://supabase.com/docs/guides/platform/sso/gsuite
[2] Okta: https://supabase.com/docs/guides/platform/sso/okta
[3] SAML: https://supabase.com/docs/guides/auth/sso/auth-sso-saml
[4] SSO example: https://github.com/supabase/supabase/pull/13678
[+] [-] grinich|2 years ago|reply
It's essentially "Stripe Checkout" but for enterprise features like SAML and SCIM. Live demo: https://demo.workos.com/
(I work at WorkOS - sorry if this is hijacking this thread!)
[+] [-] paradaux|2 years ago|reply
I'm currently building something similar to just do that on top of supabase for work. Happy to see the developments with Supabase Auth anyway.
[+] [-] kangmingtay|2 years ago|reply
[+] [-] zinclozenge|2 years ago|reply
I'm super excited because as a newcomer to needing to implement that feature, other SaaSes like auth0 were complicated and overwhelmed me.
Since we have Supabase employees here, one thing that isn't clear to me is if OIDC based SSO is supported, or will be?
[+] [-] kangmingtay|2 years ago|reply
[+] [-] lelo_tp|2 years ago|reply
If you mind me giving some feedback: it took me a while to figure out how to properly build the auth flow with Expo/RN. In the end, I went with Expo AuthSession. IMO, you're missing an easy win with a template/getting-started guide for RN. The only one that exists uses email/password, and the OAuth flow is more convoluted than that :)
[+] [-] unknown|2 years ago|reply
[deleted]
[+] [-] kiwicopple|2 years ago|reply
https://github.com/supabase-community/create-t3-turbo
Unfortunately we didn't quite finish it for the launch today, but it will be ready next week and we'll add it to the documentation.
[+] [-] mkl95|2 years ago|reply
[+] [-] jacurtis|2 years ago|reply
https://github.com/orgs/supabase/discussions/5166
[+] [-] kangmingtay|2 years ago|reply
What are some other things you'd like to see in the Terraform provider?
[1]: supabase-terraform (https://github.com/supabase-community/supabase-terraform)
[+] [-] infocollector|2 years ago|reply
[+] [-] aceofspade|2 years ago|reply
Do you mind sharing more about what you're building and the features of Supabase which would be most important to you?
[+] [-] niklasd|2 years ago|reply
[+] [-] jordanmorgan10|2 years ago|reply
[+] [-] kiwicopple|2 years ago|reply
We'll double-down on iOS now that we have shipped native Apple logins.
[+] [-] bennyp101|2 years ago|reply
[+] [-] kiwicopple|2 years ago|reply
[0] https://news.ycombinator.com/item?id=35555385
[1] support: https://app.supabase.com/support/new
[+] [-] raphaelcosta|2 years ago|reply
[+] [-] kiwicopple|2 years ago|reply
[+] [-] mooreds|2 years ago|reply
Welcome, Supabase, to the world of SAML/SSO. It's a hairy one, but single sign-on is undifferentiated and really great for customers, so I'm glad you joined.
A few thoughts:
* Consider adding identity linking to your roadmap. I noticed[0] that you don't support it, and will create duplicate accounts if someone uses SSO with the same email address that an existing account has. As a model, FusionAuth offers seven linking strategies[1]. This flexibility lets you handle more use cases.
* I'd encourage you (and your customers) to test across as many SPs as you can. SAML is an 800+ page specification and even though we've been offering SAML for over 10 years and have open sourced our bindings[2], we still have edge cases that pop up.
* I'd love to add FusionAuth as a SAML SSO provider to your docs, so will put that on our team's doc roadmap and submit a PR. :)
* Not related to SAML, but I'm glad that you are supporting PKCE. I hope you deprecate the implicit grant; the XSS threat is very real and the OAuth 2.1 spec (still in progress) basically deprecates that grant[3] through omission. Also, we agree that setting cookies (HTTPOnly and secure, please) is a great way to store tokens[4] and that is worth requiring a server side component in applications.
Finally, I understand why this is part of a paid offering; SAML is often used to segment out enterprise customers with $$$. You like to make money, as do we all. But I'd encourage you to think about a free tier because it is so helpful to the user experience. Maybe 1 SAML connection could be part of the base offering?
0: https://supabase.com/docs/guides/platform/sso
1: https://fusionauth.io/docs/v1/tech/identity-providers/#linki...
2: https://github.com/FusionAuth/fusionauth-samlv2/commits/mast...
3: https://oauth.net/2.1/
4: https://fusionauth.io/learn/expert-advice/oauth/oauth-token-...
[+] [-] asdev|2 years ago|reply
[+] [-] kiwicopple|2 years ago|reply
[+] [-] vrglvrglvrgl|2 years ago|reply
[deleted]