Authenticate with retool itself?

I have managed to get Auth0 working. After the user has logged in with Auth0, the OAUTH2_TOKEN becomes available, and in my backend I can call the Auth0 API to validate that token and get the user's details.

I feel like this is an extra step though and that I would much rather use the currently logged in Retool user instead of an extra authentication. I’m not totally sure what this would look like but I think I would like the user to log in to Retool, then once in an application a magic variable called RETOOL_TOKEN (or whatever) is available for me to use in query headers.

Such as:

Authorization: Bearer RETOOL_TOKEN

Or maybe it's {{ current_user.token }} or {{ authContext.opaqueToken }} or whatever you want to call it.

Then in my backend I would like to essentially do this:

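// Forward the caller's Authorization header to the (wished-for) Retool userinfo endpoint.
const { authorization } = req.headers;
const { data: payload } = await axios.get("https://mydomain.retool.com/userinfo", {
  headers: { "Authorization": authorization },
});

// If Retool vouches for the token, mint our own JWT from the returned claims.
if (payload) {
  const { sub, email, roles } = payload;
  return {
    ok: true,
    token: createRetoolJwt(sub, email, roles)
  };
} else {
  throw new ForbiddenError();
}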

Is there a way to do this currently?

4 Likes
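The backend check the first post describes as already working with Auth0 (validate the forwarded token against the provider's userinfo endpoint), written out as an added example that is not the poster's code. The tenant URL is a placeholder, the names `parseBearer`, `authenticate` and `fakeUserinfo` are made up here, and the global `fetch` of Node 18+ is assumed.

```javascript
// Added example: validate a bearer token against an OIDC userinfo endpoint.
// USERINFO_URL is a placeholder tenant, not a value from the thread.
const USERINFO_URL = "https://YOUR_TENANT.auth0.com/userinfo";

class ForbiddenError extends Error {
  constructor(reason) {
    super(`forbidden: ${reason}`);
    this.name = "ForbiddenError";
  }
}

// Accept exactly "Bearer <token>"; reject missing, empty or multi-part values.
function parseBearer(header) {
  const m = /^Bearer ([A-Za-z0-9\-._~+/]+=*)$/.exec(header || "");
  if (!m) throw new ForbiddenError("missing or malformed Authorization header");
  return m[1];
}

// fetchImpl is injectable so the check can be exercised offline.
async function authenticate(headers, fetchImpl = globalThis.fetch) {
  const token = parseBearer(headers.authorization);
  let res;
  try {
    res = await fetchImpl(USERINFO_URL, {
      headers: { Authorization: `Bearer ${token}` },
    });
  } catch (err) {
    // Fail closed: an unreachable identity provider is not a successful login.
    throw new ForbiddenError("identity provider unreachable");
  }
  if (res.status !== 200) throw new ForbiddenError(`userinfo returned ${res.status}`);
  const { sub, email, email_verified } = await res.json();
  if (typeof sub !== "string" || sub === "") throw new ForbiddenError("no subject in userinfo");
  // Only treat the e-mail as an identity attribute when the provider verified it.
  return { sub, email: email_verified === true ? email : null };
}

// Constructed stand-in for the provider: one known token, everything else 401.
async function fakeUserinfo(url, { headers }) {
  if (headers.Authorization === "Bearer good-token") {
    return { status: 200, json: async () => ({ sub: "auth0|123", email: "a@example.com", email_verified: true }) };
  }
  return { status: 401, json: async () => ({ error: "invalid_token" }) };
}
```

Every failure path (bad header, provider error, non-200 response, missing `sub`) ends in `ForbiddenError`, so the caller never has to distinguish "no payload" from "request threw".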

Hi @justinmchase! This isn’t possible at the moment, but it is a great idea for users with more complicated auth setups or a large number of APIs where you control the backend. I’m going to go ahead and move this into a feature request so that other interested users can chime in!

1 Like

I managed to get my scenario working by using Google Auth, which Retool supports to auth with Retool. Then when we go to have them auth with Google again it ends up being easy to use the same cookies. But I will say if it could negate the extra auth workflow steps that would be great and I would have used this API.

Oh interesting! I didn’t realize you could reuse that same authentication, thank you for sharing!

Hi @justinmchase,
+1 on your suggestion in OP.
Would you mind sharing how you managed to get it working with Google Auth?

1 Like

You can now control the components based on user permissions! Fine-grained permissions in Retool. Basically you can stick this command {{ !_.some(current_user.groups, {name: "admin" })}} in the "Disable when" feature within the component. This makes it so only admins can use this component :smiley:

1 Like