Google Auth Tokens Exposed?
I am working on a project that exposes some API endpoints but would like to secure it on the server-side. Does Windmill Cloud App expose a way to fetch OAuth tokens/create SSO that I could pass to the API endpoint for user verification?
11 Replies
Users would be expected to go through the OAuth flow from within windmill which will store them as resources and rotate them using the refresh token but that sounds very different from what you need.
Yeah slightly different use-case. After OAuth flow on Windmill, is there a way to send over any form of auth token (maybe generated from Google via Windmill scripts) to the API, which will verify the user using something like google-auth-library
at the moment no
you can however watch all resources and trigger upon new oauth resources
you could even watch the db with triggers
it does require quite a bit of work
Yeah hoping to have some lightweight way to verify that whoever is pinging the server is indeed who they claim to be
Seems like it would be a good enhancement, especially if users are trying to integrate sensitive DB data with internal admin UI tooling offered by WM
I think I don't even understand the use-case
Suppose a dev would like to use WM App as an internal admin tool that allows for basic CRUD operations on something like User preferences. If the server/DB is externally hosted and the dev would just like to use WM as a UI App to make calls to the API endpoints exposed by the server, but don't want to allow just anybody to make the API call publicly
I saw in an earlier message that there are a couple of IP addresses associated w/ the Cloud but I assume those are IP addresses for everybody, so if a malicious actor got a hold of the API endpoint, created a WM script, they could hit the endpoint still
Why not use a shared secret ?
you can even sign each payload in the header
Yeah that seems like a good approach. How are secrets encrypted/stored in WM?
Thinking maybe then IP restrict incoming requests and have some shared secret (sounds like overkill but would do the job)
There is a bit more to read in the docs I think
@Ask Inkeep is pretty good too
Please tag me in threads that I was a part of from the start.
Great. Thank you for your help bouncing off ideas i dont know why i didnt think of a shared secret