We are loving Dash for product prototyping! We used to deliver quick iterations of data visualization with Jupyter to our customers, but with Dash we can show them actual prototype apps, and since it is Python it is just a small additional step from our pandas/Plotly-based workflow.
We want to include these Dash prototypes in our real product (currently an Angular prog app) by embedding them in iframes, and that includes transparently authorizing the endpoint using our actual OAuth implementation (Auth0).
We are deploying each prototype as its own application and serving them via AWS API Gateway acting as a proxy to Flask; this way the Dash server is not aware of being authenticated. Everything is done in the client, where we are actually:
- Authenticating the user when they access our app (receiving a JWT token).
- Making a `GET /` call to the Dash app, inserting an Authorization header.
- API Gateway authorizes the client and serves the Dash app.
- The response is embedded into an iframe and the app is rendered.
This seems promising, but it has a security hole: right now we can only secure the `/` endpoint, while `_dash-update-component` is open, so anyone knowing there is a Dash application in there could just query those endpoints with a non-browser client to suck the data out.
I would like to mend this by extending Dash to be able to store a JWT token (localStorage would be great) and blindly send it along when performing any request to the server. I would really appreciate the opinion of someone with a deep understanding of Dash, and maybe a difficulty estimate for this. I am going to invest some time in the issue in case anyone is interested, so let me know!
Thanks for everything!
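An added example (not from the original post or from Dash itself) of closing the gap described above on the server side rather than only at API Gateway: a stdlib-only WSGI middleware that verifies an HS256 Bearer JWT on every request, so `_dash-update-component` and `_dash-layout` are covered as well as `/`. It assumes a shared HS256 secret; Auth0 tokens are normally RS256 and would need the tenant's JWKS instead, and the wiring line `app.server.wsgi_app = JwtGate(app.server.wsgi_app, SECRET)` is an assumption about the deployment, not run here.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; used here only to construct sample input."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes, now: float = None):
    """Return the claims if signature, alg and expiry check out, else None."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        header, claims = json.loads(_unb64url(head)), json.loads(_unb64url(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None  # missing or past expiry
    return claims

class JwtGate:
    """WSGI middleware: every path, /_dash-update-component and /_dash-layout
    included, needs a valid Bearer token, otherwise the reply is 401."""
    def __init__(self, wsgi_app, secret: bytes):
        self.wsgi_app, self.secret = wsgi_app, secret
    def __call__(self, environ, start_response):
        auth = environ.get("HTTP_AUTHORIZATION", "")
        claims = verify_hs256(auth[7:], self.secret) if auth.startswith("Bearer ") else None
        if claims is None:
            start_response("401 Unauthorized", [("WWW-Authenticate", "Bearer")])
            return [b"unauthorized"]
        environ["jwt.claims"] = claims  # callbacks can read the subject from here
        return self.wsgi_app(environ, start_response)

def status_of(app, path: str, authorization: str = "") -> str:
    """Drive a WSGI app with a constructed request; return its status line."""
    seen = []
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "POST", "HTTP_AUTHORIZATION": authorization}
    list(app(environ, lambda status, headers: seen.append(status)))
    return seen[0]
```

The gateway check on `/` stays useful as a first line, but with this in place a non-browser client hitting the update endpoint directly gets a 401 instead of data.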