Restrict Bubble app to organization

chocolatebubble · 2021-01-29T18:34:12.078Z

Since it’s not possible to host Bubble on-prem, I wonder if there’s a way to restrict an app to users in an organization without needing them to sign up?

Some possibilities:

[hacky, not super secure] Creating a launch page inside the intranet that passes a static token to the external Bubble app
[hacky] same as above, but with a TOTP.
[proper] Enabling SAML on the Bubble app (but looks like it’s not yet possible; there’s an Auth0 workaround but exorbitant).

Any thoughts?

johnny · 2021-01-29T18:45:04.591Z

For an app I built, it was still required for the user to “create an account,” but this was all handled through Signing in with Google Workspace accounts. And the specific oauth info I used was restricted to users within the Google Workspace Organization.

Maybe that’ll help?

chocolatebubble · 2021-01-29T19:06:47.916Z

Thanks for your answer – yes that’s a good data point. It doesn’t work in my case because my organization uses Microsoft Active Directory (not connected to any OAuth providers), but definitely a solution for Google Workspace users.

johnny · 2021-01-29T19:08:27.104Z

Hmm… does Outlook offer something similar?

lantzgould · 2021-01-29T19:13:32.337Z

I use AD for our org setup. Only users in our tenant have access. There’s a few plugins for this, but we ended up setting up the API connector to control the scopes of what users have access to.

chocolatebubble · 2021-01-29T19:21:50.526Z

I believe Outlook uses Active Directory for identity management, so the key would be to get AD to work with Bubble somehow.

chocolatebubble · 2021-01-29T19:22:50.722Z

Could say more about how AD was used? This is exactly my use case – I’d like to restrict access to AD users within my org’s tenant.

lantzgould · 2021-01-29T19:52:25.365Z

Sure,

So as long as you have access to your orgs Azure account, you’ll just want to register an Azure ‘app’, get your keys, choose which API permissions within the app that users should have, then use this info to setup in bubble api connector.

In bubble, you’ll use ‘log in with social network’ instead of the traditional bubble database. Within the app, you can control finer grain permissions if you need to, but at base level whatever permissions you choose from Azure, will reflect with what users are allowed to do in your bubble app.

chocolatebubble · 2021-02-01T22:32:44.353Z

Thanks for your reply – I really appreciate your help. I think I need just a little more help to connect the dots. I’m trying to set up a product catalog for folks internal to my organization and I’m using Uphunt as a template.

The desired behavior is that all the webpages would be blank to anyone not authenticated using an AD login (outside the org), and that the pages would display correctly to anyone who is authenticated via AD (inside the org – we have ADFS).

So as long as you have access to your orgs Azure account, you’ll just want to register an Azure ‘app’, get your keys,

I do have access to the Azure portal and I can spin up an Azure App Service (is that what you mean?), where I can run a REST endpoint.

choose which API permissions within the app that users should have, then use this info to setup in bubble api connector.

I’m not sure what the permissions in an Azure App Service would be in this scenario.

What is the function of this Azure App Service? Does it function as an authorization service that the Bubble app calls via the Bubble API Connector?

Would a user of the Bubble “login with social network”, which then triggers a call to the App Service, which returns a token to the Bubble app?

Thanks in advance for sharing your thoughts.

EDIT: there is another thread on this forum on using ADFS with Bubble using OAuth2 as a mechanism but I’m not sure it was resolved.

Using Bubble with Microsoft ADFS / OAuth2 Question

Hi everyone, I understand Bubble can integrate with Microsoft Active Directory Federation Services (MS-ADFS) to achieve single-sign on capabilities if OAuth2 is enabled. I’m looking at exposing my app to a client company that users MS-ADFS. Can someone describe (or point me in the direction of the doc that describes it) what the user experience would be in that case and what happens “under the hood”? For example, for the user experience, I imagine that to access my app, users from the compan…

lantzgould · 2021-02-01T23:06:06.946Z

Gotcha.

So in Bubble, you’ll use the sign in with social network. You can simply use the ‘User is logged out’ workflow to redirect to index if user is not logged in.

chocolatebubble:

I do have access to the Azure portal and I can spin up an Azure App Service (is that what you mean?), where I can run a REST endpoint.

Correct. The Azure App allows your Bubble app to communicate with your organization. You can find the App ID and Secret in the azure app.

To help you get started, you can use this video as a baseline in creating one to your liking.

chocolatebubble:

I’m not sure what the permissions in an Azure App Service would be in this scenario.

Check out the video on choosing the API permissions. For basic functionality, probably their ‘read basic’ options.

That plugin page should be open source. So you can see how the setup behind the scenes.

ed727 · 2021-02-02T00:42:39.172Z

If the organization has its own IP address, could another approach be to install Bubble’s Ipiphy plugin to access the IP address and then restrict viewing only to users with that address?

chocolatebubble · 2021-02-02T21:30:00.991Z

Unfortunately I can’t use it in my case because the way our VPN is configured, folks can be on random IP blocks so it’s hard to limit by IP range, but Ipiphy sounds like a great plugin! It would be an easy solution for folks who can limit by IP range.

chocolatebubble · 2021-02-02T21:32:20.210Z

Thank you so much for your explanation – it really did fill in the gaps in my knowledge and put me on the right track.

On that note, I stumbled on this (fairly new) Bubble plugin “Login With Microsoft” which works on the same principles. I created a new Application Registration in Azure Active Directory, copied some IDs and secrets over per instructions in the video, and it worked!

lantzgould · 2021-02-02T21:37:43.072Z

Glad to hear you got it working.