> Building apps for iOS requires support for native Sign in with Apple
This part isn't 100% true. It is only a requirement if you have some other form of social login (such as "Login with Facebook") and your app isn't specifically made for using data from that platform (such as a Facebook page managemenet app) [0].
You don't need Sign in with Apple if you only use your own account system.
I can't advocate Supabase enough. Their combo of openness and elegance in their platform leaves me (a developer/entrepreneur) feeling secure.
This is perhaps a future topic, but to me it extends out of SSO:
Paul (@kiwicopple), do you have an opinion on which enterprise-grade AuthZ provider works best with Supabase?
I suspect it's Cerbos or Casbin, but if you ever do it in house (and since you've nailed AuthN that makes great sense), my wishlist:
- It should be as simple as an API end point, .approve(auth.jwt(), Array<Role | Permission>). I.e. be available in Edge Functions, Postgres Functions, and anywhere else.
- Use a policy schema with the most industry support for easier acceptance/integration with the enterprise.
- Flesh out with enterprise-ready policy auditing tools, logging, etc. This is the real time saving for developers.
> do you have an opinion on which enterprise-grade AuthZ provider works best with Supabase?
Since you asked for my personal opinion, then I would say Postgres Row Level Security for AuthZ. RLS is as powerful as it is flexible. It's fully-integrated with the rest of the Supabase stack, and it's portable if you don't like supabase - just pg_dump and take it to your favourite Postgres provider.
That said, I understand why it's useful to have something more structured like RBAC. We have experimented with a ideas here (specifically ABAC), using a custom libraries/extensions/custom claims[0]. We do something similar internally, but aren't 100% happy with the developer experience and don't plan to release it any time soon.
I'm sure the Auth team won't enjoy me saying this, but I like the idea of Zanzibar. I've seen some experimental Postgres extensions[1] that combine Oso[2] + RLS which I'd love to try when I get time.
Supabase Logs will be fully-integrated with the rest of the supabase stack. Since the Auth JWT flows through the HTTP Authorization header, into PostgREST, then into Postgres, we can pluck the Supabase User ID out of the JWT and store it alongside every log entry. You will be able to reference/join every authorized action in your database to an authenticated user.
> RLS can't control access to API end points in places like Edge Functions (again, afaik).
also correct, for now. We released the Edge Runtime[0] this week, and plan to use it as a scriptable Proxy.
> In my experience, RLS has quite a few foot guns in it as schemas migrate
A very fair point. We hope that we'll be able to provide some tooling here.
Thanks for all of this feedback - it's incredibly useful. Our team read the HN comments thoroughly and it shapes our ideas for the product going forward. We have some gaps to fill for your requirements, but we'll get there.
Some additional feedback: In my opinion testing RLS is a problem.
Additionally, I find it hard to keep a good overview over the rules. E.g., in a multi-tenant application one needs to secure every table with a restrictive rule, and it's easy to make a rule permissive, since that is the default & it's not indicated in the Studio UI.
When generating migrations with 'supabase db diff' views are being recreated without 'WITH (security_invoker)' even though they had security_invoker turned on before, leaving your database exposed. Easy to miss, even when you're aware of that.
RLS is just so full of footguns that I find it hard to justify using it in a production system.
we have a lot of work to do for migrations and testing, especially RLS.
for this Launch Week we focused on generating policies (more on that in tomorrows launch week). This is hard for a lot of our audience who aren't familiar with SQL.
In the next few months we'll work on simulating a policy - being able to choose a specific user and see what data would be returned for that user.
We also have `supabase test db`, in case you missed it. It wraps pgTAP and pgProve so that you can write database tests.
> recreated without 'WITH (security_invoker)' even though they had security_invoker turned on before
we use migra for diff'ing. Thanks for raising this - we'll file a bug report asap.
Replacing Kong with Deno is a great step (and by simplifying the stack, in line with the elegance I love Supabase for).
- My request with Supabase Logs is that they're easy to format in ways auditors expect (i.e. similar to major tools). That would be a headline benefit, because:
[1] As your customer, I have an easier time with SOC2
[2] In turn, I can pitch that to our enterprise customers: "your compliance will be easier, as your policy and log audits with us will match your other vendors"
I'm going to shoot this to your support channel, but a little more tiny feedback:
- There's no local way for a webhook Edge Function to flag "--no-verify-jwt", which means my local test environment can't be consistent with staging.
- I'm having to use Edge Functions for webhooks despite Postgres Functions being more desirable, because either Kong or PostgREST always requires a JWT. I'm guessing the switch to Deno will make this solvable.
If you use Supabase CLI to serve functions locally, you can use the `--no-verify-jwt` flag, ie. `supabase functions serve --no-verify-jwt` will skip JWT checks locally.
Is that what you're after? if you have any further issues with serving functions locally, can follow up on the support ticket.
If you need the flexibility of a system that can model both RBAC and ABAC and you also want you want a Zanzibar-inspired design, SpiceDB[0] is the only option that I know checks all the boxes (disclosure: I'm a maintainer).
The UX definitely isn't optimized for Supabase, but I'd love to learn more about how that could be improved. I suspect it might be complicated if Supabase assumes RLS for everything.
While SpiceDB looks good. My only concern is if they will go the mongo route once they get more adoption and need to satisfy investors as opposed to customers/developers and make most of their features paid and leave the open source version hanging.
Well, you're in luck because AuthZed, the business behind SpiceDB, has a fantastic track record in this regard. We're quite conservative with fundraising and the first year of the company was bootstrapped by the founders. The founding team also has a strong history of properly balancing open source businesses from their experience in leadership roles over the past decade at CoreOS and Red Hat.
Glad to chat with anyone privately if they want more details.
I’m not currently using supabase but I am using postgrest in a current SSO project, and I ran into major roadblocks with the JWT support. It works fine for versions with symmetric encryption for signing the tokens, where you provide the key to postgrest via config and it uses the key to authenticate requests. However, our identity provider (Azure AD) uses asymmetric encryption for signing tokens, with a public endpoint to retrieve public keys, and postgrest’s support for this is pretty bad. I’ve only been able to work around this issue by serializing the response to a string and providing it as a (really long) config value, and because keys can change over time, I have to restart Postgrest on a daily basis.
Does supabase work around this limitation somehow? How do you get SSO to work for auth providers like Auth0 and AAD that only provide public keys via an endpoint?
Supabase Auth engineer here. PostgREST only has "static" asymmetric JWT support. It can't load from `/.well-known/openid-configuration` endpoints. We are tracking this internally to add better UI and support for third-party OIDC.
Most of the OIDC identity providers don't rotate the keys very often, so you can follow the `/.well-known/openid-configuration` endpoint to get the JWKS JSON, and set that as the JWT Secret in the project's dashboard. (It's a bit hacky I know, we're going to be improving the UI on this.)
I know this has been used with Firebase Auth, which is also OIDC compatible with asymmetric JWTs.
EDIT:
> How do you get SSO to work for auth providers like Auth0 and AAD that only provide public keys via an endpoint?
Actually what you're describing is technically not "SSO" but using another Auth system with the rest of the Supabase stack. OIDC support for SSO -- where you use Supabase Auth with Azure AD for example -- is on the roadmap, but only SAML is supported with this announcement today.
Been doing a lot of Auth related stuff the last day or two so in classic HN style this is very timely for me!
One of the things that I really dislike about most auth providers is that it is very hard to implement login in your native UI. It almost always requires a redirect to a hosted UI page that is very clearly not your UI. We've found this a poor and potentially confusing user experience when you just need a form with username + password.
Question for Supabase: Is it possible to just have a form with username + password and POSTing the login details?
> Question for Supabase: Is it possible to just have a form with username + password and POSTing the login details?
Yes this is how basic email+password sign-in works. No redirects are necessary. For the rest of the flows, some form of redirect is mandatory because that's how the authentication protocols work and we've found it convenient to implement other logins like magic links, email confirmations, etc.
- SAML 2.0, for developers can add SSO to their own apps
- PKCE: support for Mobile and server-side auth
- Native Apple login on iOS
We’ve been dogfooding SSO already and it stable.
PKCE is going to be rolled out incrementally across the platform - we’ve tried to engineer it so that there are no breaking changes for your applications, but will exercise caution with the deployment.
A lot of companies were blocked by the lack of iOS support - we had a lot of feedback on this one and so we appreciate the patience while we developed it. Native Android support will follow soon.
Some of the Auth team will be in to answer questions on the technical side. This is the second-to-last day of Launch Week - I promise that you’ll be rid of us after a few more releases tomorrow.
Can’t tell from (admittedly skimming) the announcement: is SSO charged extra? It says availability on Pro plan but pricing page hasn’t changed it only says social auth
It's available on the Pro Tier. You get 50 free users, then $0.015 per additional MAU. We always aim for simple, transparent, and pricing - we're hoping this is a good balance.
And just to be clear, this is for building SSO for your own apps, this is not SSO for the supabase platform (which we're still figuring out pricing for, and yes - we're well aware of the SSO Tax).
I'm distinctly looking at it from an application point of view right now, SSO just made Supabase very attractive, as well as the SOC Type 2 certification recently announced (yesterday iirc). These were hurdles for our customers, so I'm checking this out with great interest.
Great job team!
EDIT: With Regards To The SOC Certification a short announcement might be useful for linking purposes.
* It's not establishment of a "session", but a token set which you're issuing.
* The authorization server will return those tokens after validating the code_verifier.
Also, be careful about PKCE on mobile platforms. Unless you're specifically mapping or restricting redirect_uris to an Android intent, on that platform, you're subject to replay attacks due to some cookie sharing in Chrome.
Supabase Auth Engineer here. You are right that a token set is issued and that the authorization server will return an access_token and a refresh_token after validating the code_verifier we chose the term "session" instead of token set as a token (loosely speaking) maps to a server session and we felt that might be easier to understand for our readers who are coming in without an auth background. Sorry for any confusion caused that might have caused.
Thanks for the heads up about replay attacks - we'll be sure to let the Kotlin/Java library developers know about the potential vulnerabilities that you've mentioned.
Is it possible to see some working examples with some of the big SSO providers, e.g. integrating with Okta, Duo and AD installations in particular (like Azure AD and standard ActiveDirectory) in the documentation?
This would go a long way for smaller app developers to get SSO into their apps, even if the examples aren't exhaustive its a starting point. I have found (having done SSO integrations before) that it can be really opaque sometimes reading their API documentation to add support to for such platforms.
I mention AD specifically because its a huge hurdle for the education markets still, for example
> I have found (having done SSO integrations before) that it can be really opaque sometimes reading their API documentation to add support to for such platforms.
Our auth team agrees. We have some docs which you can use as a starter for Azure[0], Google[1], and Okta[2]. These are for our own platform, we'll repurpose them into guides for you to use.
We also have full SAML docs[3], and an example in a PR[4]. You can see the example in action inside the video on the blog post
What I'd love to see with this is a way to use supabase auth itself as an idP/SAMP provider. Have your tools (back-office tools and what not) written in native supabase, or have multiple supabase projects with the one shared auth system. Could be better UX for Sysadmins than OpenLDAP and so forth.
I'm currently building something similar to just do that on top of supabase for work. Happy to see the developments with Supabase Auth anyway.
Hi, Supabase Auth Engineer here. Interesting, just wondering if there's a reason behind choosing to roll your own iDP instead of using one of the big ones out there (Okta, Azure, GSuite) ?
Disclaimer: I haven't built this yet (primarily because it's too hard today).
I want to build self-hostable servers, to give our customers the option of privacy and easier compliance.
In that arrangement, there'd be:
- Our main / central server, for regular SaaS customers. It also provides public assets ("knowledge bases" in this case, but it could be anything - even just licensing info) that all signed-in users have access to. This would be the iDP.
- Many self-hosted clones of our central server, per customer
Because the central server has the most up-to-date shareable assets, which might be ahead of any upgrade schedule a self-hosted customer has, they'd want their signed in employees to have transparent access to those latest ones too. I.e. without the extra friction of additional sign-in.
tl;dr the ability to offer our customers an easy self-hosted option of our Supabase platform (with limited federated access to central data) is highly desirable, now that even SMEs request better infosec. Doing it all inside a Supabase Docker - rather than mixing in Okta - is what makes it maintainable and easy to share.
--- EDIT ---
This use-case could be written more simply:
- There's a platform/app server (built on Supabase). Customers can optionally self-host it for their business.
- There's a data server (also built on Supabase, but not self-hosted), that provides shareable assets, even to self-hosted servers.
My goal is that it's _seamless_ for self-hosted users to access the data server.
So the data server would need to be an iDP.
My preference for Supabase to do this (instead of Okta), is because offering a self-hosting option is currently an intimidating maintenance burden, so fewer moving parts (no Okta) is desirable.
I'm struggling to understand your use case here, but here are some thoughts that may be helpful.
You can use one Supabase Auth project to do all of your user management. You can use the JWTs issued by this project across any other system. You need to configure those systems to "trust" those JWTs, usually by sharing the signing key (JWT secret) with them. They can then base their allow / deny decisions on the JWT.
You can even do this with as many Supabase projects you want. You don't have to use Supabase Auth with all of them. Do note that once you use physically different machines, you need to sync them up and that's quite a big can of worms.
Supabase Auth Engineer here. We initially started off with the SAML 2.0 protocol since it's the one of the oldest protocols and also one that's used by most enterprises. We're definitely looking to add OIDC based SSO support soon so stay tuned!
Really timely! I was about to start building the Apple sign-in flow for my RN app (already built the Google Sign-in). Supabase makes auth incredibly easy, thank you for that.
If you mind me giving some feedback: it took me a while to figure out how to properly build the auth flow with Expo/RN. In the end, I went with Expo AuthSession. IMO, you're missing an easy win with a template/getting-started guide for RN. The only one that exists uses email/password, and the OAuth flow is more convoluted than that :)
This project is very impressive! I do hope Supabase decides to support https://github.com/supabase-community/supabase-py , and not just leave it to the community. I would definitely consider becoming a paid customer, assuming Python was supported well/natively. If I am incorrect about Python support, please do let me know.
Supabase Auth Engineer here, also happen to be one of the Python library maintainers. We're looking into a more general approach for "server-side" languages such as Python, Ruby, etc but at the moment the python library is still community supported.
Do you mind sharing more about what you're building and the features of Supabase which would be most important to you?
Great news! Question to the Supabase team: How does Login with Azure (Social login) and SSO (Azure) differ? From my superficial understanding, implementing Login with Azure is enough for logging-in users with Azure AD accounts (and linking their accounts to existing ones).
any particular feature that you were waiting for in this release? I want to highlight from my comment[0] that PKCE will be rolling out progressively (starting next week). You can reach out to the support team if you want it enabled immediately on any of your projects
The `SAML 2.0, for developers can add SSO to their own apps` - I was looking at using BoxyHQ for it, but didn't really want another moving part, so this nicely fills in that space!
good luck building and let us know if you get stuck.
BoxyHQ is also a fantastic product, and their developers have contributed OAuth providers and patched to Supabase Auth. I highly recommend it if you are looking outside the Supabase ecosystem.
Disclosure, I work for FusionAuth, which can both integrate with and compete with Supabase.
Welcome, Supabase, to the world of SAML/SSO. It's a hairy one, but single sign-on is undifferentiated and really great for customers, so I'm glad you joined.
A few thoughts:
* Consider adding identity linking to your roadmap. I noticed[0] that you don't support it, and will create duplicate accounts if someone uses SSO with the same email address that an existing account has. As a model, FusionAuth offers seven linking strategies[1]. This flexibility lets you handle more use cases.
* I'd encourage you (and your customers) to test across as many SPs as you can. SAML is an 800+ page specification and even though we've been offering SAML for over 10 years and have open sourced our bindings[2], we still have edge cases that pop up.
* I'd love to add FusionAuth as a SAML SSO provider to your docs, so will put that on our team's doc roadmap and submit a PR. :)
* Not related to SAML, but I'm glad that you are supporting PKCE. I hope you deprecate the implicit grant; the XSS threat is very real and the OAuth 2.1 spec (still in progress) basically deprecates that grant[3] through omission. Also, we agree that setting cookies (HTTPOnly and secure, please) is a great way to store tokens[4] and that is worth requiring a server side component in applications.
Finally, I understand why this is part of a paid offering; SAML is often used to segment out enterprise customers with $$$. You like to make money, as do we all. But I'd encourage you to think about a free tier because it is so helpful to the user experience. Maybe 1 SAML connection could be part of the base offering?
this says nothing about scale. I mean a company who is large(1M +users). This details the complexities of the migration but does not really paint a strong case for using Supabase.
This part isn't 100% true. It is only a requirement if you have some other form of social login (such as "Login with Facebook") and your app isn't specifically made for using data from that platform (such as a Facebook page managemenet app) [0].
You don't need Sign in with Apple if you only use your own account system.
[0]https://developer.apple.com/app-store/review/guidelines/#sig...