Embed Apps + OAuth

Hi @LeoAdamek,

This request is still in our queue. The users that access the embedded app are considered external users, but an external user is priced at the same rate as an end user on the Business plan.

Hi folks, just wanted to provide more clarification of OAuth within embedded applications. To clarify, this is not a bug!

The OAuth 2.0 spec specifically advises against using OAuth within embedded browsers due to security concerns around clickjacking, which is why certain Identity Providers have clickjacking protection on by default. One of the primary targets of clickjacking attacks is to steal login credentials.

The spec recommends setting headers to deny OAuth inside of an iframe and most Identity Providers like Okta have this on by default.

The workarounds here would be to:

  • Integrate Retool with an identity provider, which lets you pass in user JWTs obtained from SSO directly into your queries (docs).
  • Use an alternative auth mechanism (like authenticating on the backend)
    • for example: use the API-based approach to generate a single-use URL. In the process you could pass in whatever token you need into the metadata property (docs here). So if your parent app uses OAuth when the user is logging in, you could pass in the OAuth token into metadata and it will be stored on the current_user object in the application. From there, that OAuth token can be referenced in subsequent requests made to the customer's Resources.
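To make the "headers that deny framing" point above concrete, here is an added example that is not code from Retool, Okta or anyone in this thread. It models the decision a browser makes before rendering a page inside an iframe, using the two headers the post refers to: a Content-Security-Policy `frame-ancestors` directive (which, when present, decides on its own and makes X-Frame-Options irrelevant) and X-Frame-Options `DENY` / `SAMEORIGIN`. The IdP and parent origins (`idp.example.com`, `portal.example.com`) and the sample header sets are placeholders constructed for the example, not observed responses from any real provider.

```javascript
// Added example, not code from Retool, Okta or the thread's authors. It models the
// browser's decision for an <iframe>: can the page served from pageOrigin be
// rendered inside a frame owned by parentOrigin, given that page's response headers?
// Rules applied, as current browsers do:
//   1. If Content-Security-Policy carries a frame-ancestors directive, that
//      directive alone decides and X-Frame-Options is ignored.
//   2. Otherwise X-Frame-Options DENY / SAMEORIGIN is applied; values browsers
//      no longer recognise (e.g. ALLOW-FROM) are ignored, i.e. no protection.
//   3. With neither header present the page is framable by any origin.
// Simplifications: a host-source without a scheme matches any scheme, and a
// host-source without a port is not port-checked.

// Constructed sample: what an identity provider's login/authorize page sends
// by default. This is why an OAuth flow started inside an embedded app shows a
// blank frame instead of the login form. (Placeholder, not a real IdP response.)
const IDP_LOGIN_HEADERS = {
  "Content-Security-Policy": "frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
};

// Constructed sample: a page built to be embedded by one specific parent.
// The parent origin is a placeholder, not a real deployment.
const EMBEDDABLE_HEADERS = {
  "Content-Security-Policy": "frame-ancestors 'self' https://portal.example.com",
};

// Case-insensitive header lookup on a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns the frame-ancestors source list (possibly empty), or null when the
// CSP header is absent or has no frame-ancestors directive.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Matches one frame-ancestors source expression against the parent origin.
// Supports 'none', 'self', '*', scheme-sources ("https:") and host-sources with
// optional scheme, leading "*." wildcard and port.
function sourceMatches(source, parentOrigin, pageOrigin) {
  const src = source.replace(/^'|'$/g, "").toLowerCase();
  if (src === "none") return false;
  if (src === "*") return true;
  if (src === "self") return parentOrigin.toLowerCase() === pageOrigin.toLowerCase();
  const parent = new URL(parentOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return parent.protocol === src;
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && parent.protocol !== scheme + ":") return false;
  if (port && port !== "*") {
    const parentPort = parent.port || (parent.protocol === "https:" ? "443" : "80");
    if (port !== parentPort) return false;
  }
  return wildcard ? parent.hostname.endsWith("." + host) : parent.hostname === host;
}

// The decision itself: true when the browser would render the page in the frame.
function canBeFramed(headers, parentOrigin, pageOrigin) {
  const ancestors = frameAncestors(getHeader(headers, "content-security-policy"));
  if (ancestors !== null) {
    // CSP is present, so X-Frame-Options is ignored; an empty list acts like 'none'.
    return ancestors.some((s) => sourceMatches(s, parentOrigin, pageOrigin));
  }
  const xfo = (getHeader(headers, "x-frame-options") || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parentOrigin.toLowerCase() === pageOrigin.toLowerCase();
  return true;
}

// Stand-alone demonstration; the embedding parent is a placeholder origin.
const PARENT = "https://portal.example.com";
console.log("IdP login page framable by parent:",
  canBeFramed(IDP_LOGIN_HEADERS, PARENT, "https://idp.example.com"));
console.log("Embeddable page framable by parent:",
  canBeFramed(EMBEDDABLE_HEADERS, PARENT, "https://embed.example.com"));
console.log("Embeddable page framable by attacker:",
  canBeFramed(EMBEDDABLE_HEADERS, "https://attacker.example.net", "https://embed.example.com"));
```

Run this against the headers your own IdP's authorize endpoint returns (for example from a browser's network panel) to confirm that the blank frame is the provider's clickjacking protection doing its job, not a misconfiguration on your side; the fix is one of the workarounds above, not relaxing these headers.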