I work on a Product A with its own authentication method. I’m exploring Appsmith using the self-hosted deployment method.
Product A is responsible to manage Appsmith users, i.e. create an Appsmith user per Product A.
Inside Product A, I display an iframe with an embedded Appsmith app. Before pulling the Appsmith app document, Product A makes sure the iframe has a valid Appsmith SESSION (if not, the user is automatically logged in using the Appsmith API behind the scenes). At this point, the iframe has both sessions (Product A and Appsmith).
Now, the Appsmith app has an Authenticated API datasource and Queries/JS configured to reach Product A’s API.
I confirmed A’s API is being reached from the embedded app and public endpoints are returning the response correctly.
However, the private endpoints (behind A’s authentication) return 401 because A’s Session is not present in the Cookie header. Using the browsers dev tools, I can confirm that the iframe is sending A’s Session in the Cookie header (to Appsmith’s API: /api/v1/actions/execute ) but that Cookie header is not reaching A’s API at all.
My assumption is that Appsmith’s backend is not capable of passing certain HTTP Header from the apps request onto the target/API request.
So, the question is: How can the embedded Appsmith app perform requests to an Authenticated API when rely on my own authentication method? The data pulled by and displayed in the embedded app must depend on the parent A user.