[Feature]: Ability to pass custom headers via mobile apps #1604
Replies: 10 comments
Does it actually return the SSO login page for that url or does it send a redirect? Does this mean you have to sign in twice on the web?
@jrasm91 It sends a temporary redirect (302) - here's the output from
So Cloudflare redirects to their page where you need to e.g. login with one-time PIN sent via email or custom OIDC providers like Google. The access rules are fully configurable on Cloudflare side. When using service auth tokens, the 302 redirection doesn't occur.
curl -H "CF-Access-Client-Id: ..." -H "CF-Access-Client-Secret: ..." -v https://example.com/api # no -L, so it won't follow redirects
Response:
I know Immich has OIDC support, but I'd like to have a second layer of authentication with special access rules. Just to filter out the traffic, as this would be a publicly accessible instance with private data 🙂 Do you see a different solution to that?
Yeah, I don't think there is any easy/straightforward way to implement this. Is Immich the first self-hosted service with a mobile app? Or, the rest you just can't use either? We could try to detect the redirect in the mobile app, follow it, and then include the cookies in future requests, but that isn't very easy or straightforward, plus it's so specific to this use case and provider. Another option would definitely be to provide a place to manually add additional options for auth - headers, tokens, etc. This seems related to "proxy authentication" where the user delegates authentication to another system, which communicates directly with Immich.
Yes, unfortunately other apps I self-host have web apps only, and that's the first case I wanted to connect from the mobile app.
Yes, that sounds good. But I'm also thinking about some custom proxy which I could prepare for modifying requests from the mobile app 🤔 Let's see if I'm the only one who wants to set up headers for API requests from the mobile app. I'll also reach back when I find a workaround with a separate proxy. Thanks for the ultra-fast reply!
Also a new user of Cloudflared and Immich. It's frustrating that there isn't a more standard way to handle page redirects in apps, as I'd ultimately prefer to use the Zero Trust auth to handle all of my authentication, period, but the moment something has a dedicated app, that goes out the window. I mainly use the Google Account OIDC and since Immich has this anyway, I'm fine for now just having Zero Trust bypass for the subdomain and going to Immich directly with Google auth enabled there. However, what's also nice about using Cloudflare for auth is that if you're using split-horizon DNS to access your services locally, then you just intrinsically bypass that layer. Not that it's a huge deal, but enabling OAuth2 through Immich will mean that it will be required even when I'm connecting from home. It would be nice in the future if some elegant way was figured out to support this.
Just giving my +1 for this. Ideally you would want to be able to identify such redirects and follow the flow but from a project plan and complexity I would opt for a simple stupid solution initially. What about some interceptor like dio or other similar solution from this SO:
Another +1, loving the added protection layer of Cloudflare, but it annoys me having to use a separate VPN for the app. Having the headers option would open up a lot of scenarios.
+1 for some kind of solution via Cloudflare (it's been great for all the other applications I'm hosting at home)
Home Assistant, at least, does that. When I try to login it opens up an embedded browser window for me to login to Cloudflare. However, I don't know for sure, but I strongly suspect their app might just be a wrapper over an embedded browser anyway. So maybe not as complicated for them.
I found that Swift paperless (paperless-ngx iOS app) has this functionality and it works well: paulgessinger/swift-paperless#11 Hope Immich would support it!
+1 from me too.
Feature detail
Hello there 👋
Firstly, I'd like to thank you for such an awesome project. It's incredible how fast it improves with brand-new features! 🚀
Context
I set up Immich on my NAS, and wanted to secure it with Cloudflare Zero Trust on a public hostname. That means I want to have Immich accessible publicly, but behind another layer of authentication provided by Cloudflare. If a user navigates to the public hostname, the user is redirected by Cloudflare to log in via SSO. Based on custom access rules defined in Cloudflare Dashboard, the user is able to access the app or not.
It works perfectly in the web browser, but it doesn't in a mobile app, as it cannot connect because of the redirection to the login form. However, Cloudflare allows generating Service tokens, which means that if a client provides two custom headers and will follow the redirection, it will authenticate the client and can access the original site (based on the access policies).
So, basically, this won't work:
curl -vL https://immich.example.com/api # fetches Cloudflare login site
But this will:
Idea
An ability to set multiple custom headers as a part of the login screen to the mobile app. If I were able to set two custom headers from the login view, it would mean Cloudflare Zero Trust and also other auth solutions can be used with the mobile app. Of course, the app would need to use them with each API request.
I imagine this could be implemented as a button/link (e.g. "Advanced") on the login view, which could open a modal with additional configuration options: additional headers and later something more (e.g. "Accept self-signed certificate"). Something like this:
I'd be happy to contribute, however I don't know Dart and that could be a problem for me to develop some advanced views 🤔 Any guidance is warmly welcome.
But first, let me know what you think about this idea! Cheers!
Platform
Mobile App
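The behaviour requested in this thread, as an added example (not code from Immich or from any poster): a client that attaches user-configured headers to every API request to one pinned origin and reports a redirect instead of following it, so the service-token headers are never forwarded to another host. `Gate`, `ApiClient`, `demo` and the token values are hypothetical, and the local server is a constructed stand-in that mimics the 302-unless-headers behaviour described above.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed placeholder token; the header names are the ones quoted in the thread.
TOKEN = {"CF-Access-Client-Id": "example-id", "CF-Access-Client-Secret": "example-secret"}

class Gate(BaseHTTPRequestHandler):
    """Constructed stand-in for the access gate: 302 unless both headers match."""
    def do_GET(self):
        ok = all(self.headers.get(k) == v for k, v in TOKEN.items())
        self.send_response(200 if ok else 302)
        if not ok:
            self.send_header("Location", "https://login.example.invalid/")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

class ApiClient:
    """Hypothetical client: extra headers go to one pinned origin on every call."""
    def __init__(self, base_url, extra_headers):
        u = urlsplit(base_url)
        classes = {"http": http.client.HTTPConnection, "https": http.client.HTTPSConnection}
        if u.scheme not in classes or not u.hostname:
            raise ValueError("base_url must be an absolute http(s) URL")
        self.conn_cls, self.host, self.port = classes[u.scheme], u.hostname, u.port
        self.extra = dict(extra_headers)
    def get(self, path):
        conn = self.conn_cls(self.host, self.port, timeout=5)
        try:
            conn.request("GET", path, headers=self.extra)
            resp = conn.getresponse()
            if 300 <= resp.status < 400:
                # Never follow: the secret headers must not reach another host.
                return ("auth_proxy_redirect", resp.getheader("Location"))
            return ("ok" if resp.status == 200 else "error", resp.status)
        finally:
            conn.close()

def demo():
    """Run one request without and one with the token against the local gate."""
    with HTTPServer(("127.0.0.1", 0), Gate) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        try:
            return ApiClient(base, {}).get("/api"), ApiClient(base, TOKEN).get("/api")
        finally:
            server.shutdown()
```

Surfacing `auth_proxy_redirect` as its own result lets a login screen tell the user that the access layer rejected the request, rather than failing while parsing a login page as an API response.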