> Building apps for iOS requires support for native Sign in with Apple
This part isn't 100% true. It is only a requirement if you have some other form of social login (such as "Login with Facebook") and your app isn't specifically made for using data from that platform (such as a Facebook page managemenet app) [0].
You don't need Sign in with Apple if you only use your own account system.
I can't advocate Supabase enough. Their combo of openness and elegance in their platform leaves me (a developer/entrepreneur) feeling secure.
This is perhaps a future topic, but to me it extends out of SSO:
Paul (@kiwicopple), do you have an opinion on which enterprise-grade AuthZ provider works best with Supabase?
I suspect it's Cerbos or Casbin, but if you ever do it in house (and since you've nailed AuthN that makes great sense), my wishlist:
- It should be as simple as an API end point, .approve(auth.jwt(), Array<Role | Permission>). I.e. be available in Edge Functions, Postgres Functions, and anywhere else.
- Use a policy schema with the most industry support for easier acceptance/integration with the enterprise.
- Flesh out with enterprise-ready policy auditing tools, logging, etc. This is the real time saving for developers.
> do you have an opinion on which enterprise-grade AuthZ provider works best with Supabase?
Since you asked for my personal opinion, then I would say Postgres Row Level Security for AuthZ. RLS is as powerful as it is flexible. It's fully-integrated with the rest of the Supabase stack, and it's portable if you don't like supabase - just pg_dump and take it to your favourite Postgres provider.
That said, I understand why it's useful to have something more structured like RBAC. We have experimented with a ideas here (specifically ABAC), using a custom libraries/extensions/custom claims[0]. We do something similar internally, but aren't 100% happy with the developer experience and don't plan to release it any time soon.
I'm sure the Auth team won't enjoy me saying this, but I like the idea of Zanzibar. I've seen some experimental Postgres extensions[1] that combine Oso[2] + RLS which I'd love to try when I get time.
If you need the flexibility of a system that can model both RBAC and ABAC and you also want you want a Zanzibar-inspired design, SpiceDB[0] is the only option that I know checks all the boxes (disclosure: I'm a maintainer).
The UX definitely isn't optimized for Supabase, but I'd love to learn more about how that could be improved. I suspect it might be complicated if Supabase assumes RLS for everything.
I’m not currently using supabase but I am using postgrest in a current SSO project, and I ran into major roadblocks with the JWT support. It works fine for versions with symmetric encryption for signing the tokens, where you provide the key to postgrest via config and it uses the key to authenticate requests. However, our identity provider (Azure AD) uses asymmetric encryption for signing tokens, with a public endpoint to retrieve public keys, and postgrest’s support for this is pretty bad. I’ve only been able to work around this issue by serializing the response to a string and providing it as a (really long) config value, and because keys can change over time, I have to restart Postgrest on a daily basis.
Does supabase work around this limitation somehow? How do you get SSO to work for auth providers like Auth0 and AAD that only provide public keys via an endpoint?
Supabase Auth engineer here. PostgREST only has "static" asymmetric JWT support. It can't load from `/.well-known/openid-configuration` endpoints. We are tracking this internally to add better UI and support for third-party OIDC.
Most of the OIDC identity providers don't rotate the keys very often, so you can follow the `/.well-known/openid-configuration` endpoint to get the JWKS JSON, and set that as the JWT Secret in the project's dashboard. (It's a bit hacky I know, we're going to be improving the UI on this.)
I know this has been used with Firebase Auth, which is also OIDC compatible with asymmetric JWTs.
EDIT:
> How do you get SSO to work for auth providers like Auth0 and AAD that only provide public keys via an endpoint?
Actually what you're describing is technically not "SSO" but using another Auth system with the rest of the Supabase stack. OIDC support for SSO -- where you use Supabase Auth with Azure AD for example -- is on the roadmap, but only SAML is supported with this announcement today.
Been doing a lot of Auth related stuff the last day or two so in classic HN style this is very timely for me!
One of the things that I really dislike about most auth providers is that it is very hard to implement login in your native UI. It almost always requires a redirect to a hosted UI page that is very clearly not your UI. We've found this a poor and potentially confusing user experience when you just need a form with username + password.
Question for Supabase: Is it possible to just have a form with username + password and POSTing the login details?
> Question for Supabase: Is it possible to just have a form with username + password and POSTing the login details?
Yes this is how basic email+password sign-in works. No redirects are necessary. For the rest of the flows, some form of redirect is mandatory because that's how the authentication protocols work and we've found it convenient to implement other logins like magic links, email confirmations, etc.
- SAML 2.0, for developers can add SSO to their own apps
- PKCE: support for Mobile and server-side auth
- Native Apple login on iOS
We’ve been dogfooding SSO already and it stable.
PKCE is going to be rolled out incrementally across the platform - we’ve tried to engineer it so that there are no breaking changes for your applications, but will exercise caution with the deployment.
A lot of companies were blocked by the lack of iOS support - we had a lot of feedback on this one and so we appreciate the patience while we developed it. Native Android support will follow soon.
Some of the Auth team will be in to answer questions on the technical side. This is the second-to-last day of Launch Week - I promise that you’ll be rid of us after a few more releases tomorrow.
Can’t tell from (admittedly skimming) the announcement: is SSO charged extra? It says availability on Pro plan but pricing page hasn’t changed it only says social auth
It's available on the Pro Tier. You get 50 free users, then $0.015 per additional MAU. We always aim for simple, transparent, and pricing - we're hoping this is a good balance.
And just to be clear, this is for building SSO for your own apps, this is not SSO for the supabase platform (which we're still figuring out pricing for, and yes - we're well aware of the SSO Tax).
* It's not establishment of a "session", but a token set which you're issuing.
* The authorization server will return those tokens after validating the code_verifier.
Also, be careful about PKCE on mobile platforms. Unless you're specifically mapping or restricting redirect_uris to an Android intent, on that platform, you're subject to replay attacks due to some cookie sharing in Chrome.
Supabase Auth Engineer here. You are right that a token set is issued and that the authorization server will return an access_token and a refresh_token after validating the code_verifier we chose the term "session" instead of token set as a token (loosely speaking) maps to a server session and we felt that might be easier to understand for our readers who are coming in without an auth background. Sorry for any confusion caused that might have caused.
Thanks for the heads up about replay attacks - we'll be sure to let the Kotlin/Java library developers know about the potential vulnerabilities that you've mentioned.
Is it possible to see some working examples with some of the big SSO providers, e.g. integrating with Okta, Duo and AD installations in particular (like Azure AD and standard ActiveDirectory) in the documentation?
This would go a long way for smaller app developers to get SSO into their apps, even if the examples aren't exhaustive its a starting point. I have found (having done SSO integrations before) that it can be really opaque sometimes reading their API documentation to add support to for such platforms.
I mention AD specifically because its a huge hurdle for the education markets still, for example
> I have found (having done SSO integrations before) that it can be really opaque sometimes reading their API documentation to add support to for such platforms.
Our auth team agrees. We have some docs which you can use as a starter for Azure[0], Google[1], and Okta[2]. These are for our own platform, we'll repurpose them into guides for you to use.
We also have full SAML docs[3], and an example in a PR[4]. You can see the example in action inside the video on the blog post
What I'd love to see with this is a way to use supabase auth itself as an idP/SAMP provider. Have your tools (back-office tools and what not) written in native supabase, or have multiple supabase projects with the one shared auth system. Could be better UX for Sysadmins than OpenLDAP and so forth.
I'm currently building something similar to just do that on top of supabase for work. Happy to see the developments with Supabase Auth anyway.
Hi, Supabase Auth Engineer here. Interesting, just wondering if there's a reason behind choosing to roll your own iDP instead of using one of the big ones out there (Okta, Azure, GSuite) ?
Disclaimer: I haven't built this yet (primarily because it's too hard today).
I want to build self-hostable servers, to give our customers the option of privacy and easier compliance.
In that arrangement, there'd be:
- Our main / central server, for regular SaaS customers. It also provides public assets ("knowledge bases" in this case, but it could be anything - even just licensing info) that all signed-in users have access to. This would be the iDP.
- Many self-hosted clones of our central server, per customer
Because the central server has the most up-to-date shareable assets, which might be ahead of any upgrade schedule a self-hosted customer has, they'd want their signed in employees to have transparent access to those latest ones too. I.e. without the extra friction of additional sign-in.
tl;dr the ability to offer our customers an easy self-hosted option of our Supabase platform (with limited federated access to central data) is highly desirable, now that even SMEs request better infosec. Doing it all inside a Supabase Docker - rather than mixing in Okta - is what makes it maintainable and easy to share.
--- EDIT ---
This use-case could be written more simply:
- There's a platform/app server (built on Supabase). Customers can optionally self-host it for their business.
- There's a data server (also built on Supabase, but not self-hosted), that provides shareable assets, even to self-hosted servers.
My goal is that it's _seamless_ for self-hosted users to access the data server.
So the data server would need to be an iDP.
My preference for Supabase to do this (instead of Okta), is because offering a self-hosting option is currently an intimidating maintenance burden, so fewer moving parts (no Okta) is desirable.
Supabase Auth Engineer here. We initially started off with the SAML 2.0 protocol since it's the one of the oldest protocols and also one that's used by most enterprises. We're definitely looking to add OIDC based SSO support soon so stay tuned!
Readit News
This part isn't 100% true. It is only a requirement if you have some other form of social login (such as "Login with Facebook") and your app isn't specifically made for using data from that platform (such as a Facebook page managemenet app) [0].
You don't need Sign in with Apple if you only use your own account system.
[0]https://developer.apple.com/app-store/review/guidelines/#sig...
This is perhaps a future topic, but to me it extends out of SSO:
Paul (@kiwicopple), do you have an opinion on which enterprise-grade AuthZ provider works best with Supabase?
I suspect it's Cerbos or Casbin, but if you ever do it in house (and since you've nailed AuthN that makes great sense), my wishlist:
- It should be as simple as an API end point, .approve(auth.jwt(), Array<Role | Permission>). I.e. be available in Edge Functions, Postgres Functions, and anywhere else.
- Use a policy schema with the most industry support for easier acceptance/integration with the enterprise.
- Flesh out with enterprise-ready policy auditing tools, logging, etc. This is the real time saving for developers.
- I really recommend Tailscale's ideas for better RBAC in https://tailscale.com/blog/rbac-like-it-was-meant-to-be/
Since you asked for my personal opinion, then I would say Postgres Row Level Security for AuthZ. RLS is as powerful as it is flexible. It's fully-integrated with the rest of the Supabase stack, and it's portable if you don't like supabase - just pg_dump and take it to your favourite Postgres provider.
That said, I understand why it's useful to have something more structured like RBAC. We have experimented with a ideas here (specifically ABAC), using a custom libraries/extensions/custom claims[0]. We do something similar internally, but aren't 100% happy with the developer experience and don't plan to release it any time soon.
I'm sure the Auth team won't enjoy me saying this, but I like the idea of Zanzibar. I've seen some experimental Postgres extensions[1] that combine Oso[2] + RLS which I'd love to try when I get time.
[0] custom claims: https://dev.to/supabase/supabase-custom-claims-34l2
[2] Oso + RLS: https://github.com/MFAshby/rls_oso
[1] Oso: https://www.osohq.com/
Re: RLS:
Pros
- The simplicity+security is hard to beat
- Supabase is built around it. I really want the purity of just one platform.
Cons (in order)
- Our enterprise customers need regular oversight of policy + logs for their compliance (and our ongoing relationship). RLS doesn't expose that afaik.
- RLS can't control access to API end points in places like Edge Functions (again, afaik). Same for any 3rd party systems you might have mixed in.
- In my experience, RLS has quite a few foot guns in it as schemas migrate and evolve (security gaps open up, or recursion bites you).
The UX definitely isn't optimized for Supabase, but I'd love to learn more about how that could be improved. I suspect it might be complicated if Supabase assumes RLS for everything.
[0]: https://github.com/authzed/spicedb
* Permit.io: https://www.permit.io/
* Oso: https://www.osohq.com/
And Otterize has an interesting model if you are in the k8s ecosystem: https://otterize.com/
I don't have first hand experience with any of these folks, though I have chatted with some of them.
For more info, see this issue:
https://github.com/PostgREST/postgrest/issues/1130
Does supabase work around this limitation somehow? How do you get SSO to work for auth providers like Auth0 and AAD that only provide public keys via an endpoint?
Most of the OIDC identity providers don't rotate the keys very often, so you can follow the `/.well-known/openid-configuration` endpoint to get the JWKS JSON, and set that as the JWT Secret in the project's dashboard. (It's a bit hacky I know, we're going to be improving the UI on this.)
I know this has been used with Firebase Auth, which is also OIDC compatible with asymmetric JWTs.
EDIT:
> How do you get SSO to work for auth providers like Auth0 and AAD that only provide public keys via an endpoint?
Actually what you're describing is technically not "SSO" but using another Auth system with the rest of the Supabase stack. OIDC support for SSO -- where you use Supabase Auth with Azure AD for example -- is on the roadmap, but only SAML is supported with this announcement today.
One of the things that I really dislike about most auth providers is that it is very hard to implement login in your native UI. It almost always requires a redirect to a hosted UI page that is very clearly not your UI. We've found this a poor and potentially confusing user experience when you just need a form with username + password.
Question for Supabase: Is it possible to just have a form with username + password and POSTing the login details?
> Question for Supabase: Is it possible to just have a form with username + password and POSTing the login details?
Yes this is how basic email+password sign-in works. No redirects are necessary. For the rest of the flows, some form of redirect is mandatory because that's how the authentication protocols work and we've found it convenient to implement other logins like magic links, email confirmations, etc.
this one is really 3 launches for auth:
- SAML 2.0, for developers can add SSO to their own apps
- PKCE: support for Mobile and server-side auth
- Native Apple login on iOS
We’ve been dogfooding SSO already and it stable.
PKCE is going to be rolled out incrementally across the platform - we’ve tried to engineer it so that there are no breaking changes for your applications, but will exercise caution with the deployment.
A lot of companies were blocked by the lack of iOS support - we had a lot of feedback on this one and so we appreciate the patience while we developed it. Native Android support will follow soon.
Some of the Auth team will be in to answer questions on the technical side. This is the second-to-last day of Launch Week - I promise that you’ll be rid of us after a few more releases tomorrow.
It's available on the Pro Tier. You get 50 free users, then $0.015 per additional MAU. We always aim for simple, transparent, and pricing - we're hoping this is a good balance.
And just to be clear, this is for building SSO for your own apps, this is not SSO for the supabase platform (which we're still figuring out pricing for, and yes - we're well aware of the SSO Tax).
Deleted Comment
* It's not establishment of a "session", but a token set which you're issuing. * The authorization server will return those tokens after validating the code_verifier.
Also, be careful about PKCE on mobile platforms. Unless you're specifically mapping or restricting redirect_uris to an Android intent, on that platform, you're subject to replay attacks due to some cookie sharing in Chrome.
Thanks for the heads up about replay attacks - we'll be sure to let the Kotlin/Java library developers know about the potential vulnerabilities that you've mentioned.
Is it possible to see some working examples with some of the big SSO providers, e.g. integrating with Okta, Duo and AD installations in particular (like Azure AD and standard ActiveDirectory) in the documentation?
This would go a long way for smaller app developers to get SSO into their apps, even if the examples aren't exhaustive its a starting point. I have found (having done SSO integrations before) that it can be really opaque sometimes reading their API documentation to add support to for such platforms.
I mention AD specifically because its a huge hurdle for the education markets still, for example
Our auth team agrees. We have some docs which you can use as a starter for Azure[0], Google[1], and Okta[2]. These are for our own platform, we'll repurpose them into guides for you to use.
We also have full SAML docs[3], and an example in a PR[4]. You can see the example in action inside the video on the blog post
[0] Azure: https://supabase.com/docs/guides/platform/sso/azure
[1] Google: https://supabase.com/docs/guides/platform/sso/gsuite
[2] Okta: https://supabase.com/docs/guides/platform/sso/okta
[3] SAML: https://supabase.com/docs/guides/auth/sso/auth-sso-saml
[4] SSO example: https://github.com/supabase/supabase/pull/13678
It's essentially "Stripe Checkout" but for enterprise features like SAML and SCIM. Live demo: https://demo.workos.com/
(I work at WorkOS - sorry if this is hijacking this thread!)
I'm currently building something similar to just do that on top of supabase for work. Happy to see the developments with Supabase Auth anyway.
Disclaimer: I haven't built this yet (primarily because it's too hard today).
I want to build self-hostable servers, to give our customers the option of privacy and easier compliance.
In that arrangement, there'd be:
- Our main / central server, for regular SaaS customers. It also provides public assets ("knowledge bases" in this case, but it could be anything - even just licensing info) that all signed-in users have access to. This would be the iDP.
- Many self-hosted clones of our central server, per customer
Because the central server has the most up-to-date shareable assets, which might be ahead of any upgrade schedule a self-hosted customer has, they'd want their signed in employees to have transparent access to those latest ones too. I.e. without the extra friction of additional sign-in.
tl;dr the ability to offer our customers an easy self-hosted option of our Supabase platform (with limited federated access to central data) is highly desirable, now that even SMEs request better infosec. Doing it all inside a Supabase Docker - rather than mixing in Okta - is what makes it maintainable and easy to share.
--- EDIT ---
This use-case could be written more simply:
- There's a platform/app server (built on Supabase). Customers can optionally self-host it for their business.
- There's a data server (also built on Supabase, but not self-hosted), that provides shareable assets, even to self-hosted servers.
My goal is that it's _seamless_ for self-hosted users to access the data server.
So the data server would need to be an iDP.
My preference for Supabase to do this (instead of Okta), is because offering a self-hosting option is currently an intimidating maintenance burden, so fewer moving parts (no Okta) is desirable.
I'm super excited because as a newcomer to needing to implement that feature, other SaaSes like auth0 were complicated and overwhelmed me.
Since we have Supabase employees here, one thing that isn't clear to me is if OIDC based SSO is supported, or will be?