Restrict Bubble app to organization

Since it’s not possible to host Bubble on-prem, I wonder if there’s a way to restrict an app to users in an organization without needing them to sign up?

Some possibilities:

  • [hacky, not super secure] Creating a launch page inside the intranet that passes a static token to the external Bubble app
  • [hacky] same as above, but with a TOTP.
  • [proper] Enabling SAML on the Bubble app (but looks like it’s not yet possible; there’s an Auth0 workaround but exorbitant).

Any thoughts?

For an app I built, it was still required for the user to “create an account,” but this was all handled through signing in with Google Workspace accounts. And the specific OAuth info I used was restricted to users within the Google Workspace organization.

Maybe that’ll help?

Thanks for your answer – yes that’s a good data point. It doesn’t work in my case because my organization uses Microsoft Active Directory (not connected to any OAuth providers), but definitely a solution for Google Workspace users.

Hmm… does Outlook offer something similar?

I use AD for our org setup. Only users in our tenant have access. There are a few plugins for this, but we ended up setting up the API Connector to control the scopes of what users have access to.

I believe Outlook uses Active Directory for identity management, so the key would be to get AD to work with Bubble somehow.

Could you say more about how AD was used? This is exactly my use case – I’d like to restrict access to AD users within my org’s tenant.

Sure,

So as long as you have access to your org’s Azure account, you’ll just want to register an Azure ‘app’, get your keys, choose which API permissions within the app that users should have, then use this info to set up the Bubble API Connector.

In Bubble, you’ll use ‘log in with social network’ instead of the traditional Bubble database. Within the app, you can control finer-grained permissions if you need to, but at base level whatever permissions you choose from Azure will reflect what users are allowed to do in your Bubble app.
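Once the ‘log in with social network’ step hands the app an Azure AD ID token, the tenant restriction comes down to checking the token’s claims. As an added illustration (not code from this thread, from Bubble or from Microsoft), the check below accepts only unexpired tokens whose tenant (tid), issuer and audience match the org’s app registration; the tenant and client IDs are placeholders, the tokens are constructed, and it assumes the RS256 signature has already been verified against the tenant’s JWKS.

```python
import base64
import json
import time

# Placeholders for this example (not real IDs): the Azure AD tenant the Bubble
# app is restricted to, and the Application (client) ID of the registration.
ALLOWED_TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
APP_CLIENT_ID = "11111111-1111-1111-1111-11111111bbbb"
FIXED_NOW = 1_700_000_000  # fixed clock so the constructed tokens are reproducible

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build a constructed JWT with a dummy signature, for demonstration only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"

def decode_payload(id_token: str) -> dict:
    """Decode the claims of a compact JWT. This does NOT verify the signature:
    a real check must first validate RS256 against the tenant's JWKS."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))

def is_org_user(claims: dict, now: float = None) -> bool:
    """Accept only unexpired tokens issued by the allowed tenant for this app.
    tid/iss matter because a token minted via the /common endpoint can come from
    any Azure AD tenant; aud binds the token to this app registration."""
    now = time.time() if now is None else now
    expected_iss = f"https://login.microsoftonline.com/{ALLOWED_TENANT_ID}/v2.0"
    return (claims.get("tid") == ALLOWED_TENANT_ID
            and claims.get("iss") == expected_iss
            and claims.get("aud") == APP_CLIENT_ID
            and claims.get("exp", 0) > now)

def sample_results() -> dict:
    """Run the check over constructed tokens: a member of the allowed tenant,
    a user from another tenant, and an expired member token."""
    good = {"tid": ALLOWED_TENANT_ID, "aud": APP_CLIENT_ID, "exp": FIXED_NOW + 3600,
            "iss": f"https://login.microsoftonline.com/{ALLOWED_TENANT_ID}/v2.0"}
    other_tid = "22222222-2222-2222-2222-22222222cccc"
    other = dict(good, tid=other_tid, iss=f"https://login.microsoftonline.com/{other_tid}/v2.0")
    expired = dict(good, exp=FIXED_NOW - 1)
    return {name: is_org_user(decode_payload(make_token(c)), now=FIXED_NOW)
            for name, c in (("member", good), ("other_tenant", other), ("expired", expired))}
```

Registering the Azure app as single-tenant already makes Azure AD refuse logins from other tenants; the tid/iss check is the belt-and-braces layer in case the app is ever switched to multitenant or the /common endpoint.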

Thanks for your reply – I really appreciate your help. I think I need just a little more help to connect the dots. I’m trying to set up a product catalog for folks internal to my organization and I’m using Uphunt as a template.

The desired behavior is that all the webpages would be blank to anyone not authenticated using an AD login (outside the org), and that the pages would display correctly to anyone who is authenticated via AD (inside the org – we have ADFS).

So as long as you have access to your org’s Azure account, you’ll just want to register an Azure ‘app’, get your keys,

I do have access to the Azure portal and I can spin up an Azure App Service (is that what you mean?), where I can run a REST endpoint.

choose which API permissions within the app that users should have, then use this info to set up the Bubble API Connector.

I’m not sure what the permissions in an Azure App Service would be in this scenario.

What is the function of this Azure App Service? Does it function as an authorization service that the Bubble app calls via the Bubble API Connector?

Would a user log in with the Bubble “login with social network”, which then triggers a call to the App Service, which returns a token to the Bubble app?

Thanks in advance for sharing your thoughts.

EDIT: there is another thread on this forum on using ADFS with Bubble using OAuth2 as a mechanism but I’m not sure it was resolved.

Gotcha.

So in Bubble, you’ll use the sign in with social network. You can simply use the ‘User is logged out’ workflow to redirect to index if user is not logged in.

Correct. The Azure App allows your Bubble app to communicate with your organization. You can find the App ID and Secret in the Azure app.

To help you get started, you can use this video as a baseline in creating one to your liking.

Check out the video on choosing the API permissions. For basic functionality, probably their ‘read basic’ options.

That plugin page should be open source, so you can see how the setup works behind the scenes.

If the organization has its own IP address, could another approach be to install Bubble’s Ipiphy plugin to access the IP address and then restrict viewing only to users with that address?

Unfortunately I can’t use it in my case because the way our VPN is configured, folks can be on random IP blocks so it’s hard to limit by IP range, but Ipiphy sounds like a great plugin! It would be an easy solution for folks who can limit by IP range.

Thank you so much for your explanation – it really did fill in the gaps in my knowledge and put me on the right track.

On that note, I stumbled on this (fairly new) Bubble plugin “Login With Microsoft” which works on the same principles. I created a new Application Registration in Azure Active Directory, copied some IDs and secrets over per instructions in the video, and it worked!


Glad to hear you got it working. 🙂