External Apps
What Are External Apps?
External Apps are pre-existing web applications that are registered on Edge and have an application tile on the workbench, but are hosted elsewhere. Clicking on the application tile in Edge redirects users to the app's original URL. Whether a user enters the app's URL directly in their browser or clicks on the application tile, the app will perform authentication with Edge, redirecting them to Edge's login screen if necessary.
Benefits of External Apps
Why register existing web apps hosted elsewhere with Edge? Registering external apps allows you to better centralize and track your R&D workflows, resulting in the following benefits:
- Registering external apps provides a single location to access all data, notebooks, and applications on a project. This makes onboarding new team members significantly easier, and team members spend less time hunting down data, documents, and URLs.
- Edge provides functionality to track usage for native apps as well as the external apps that run in the Edge Kubernetes namespace. With your cloud footprint visible on a single dashboard, you can manage available computational resources and avoid overdrawing from a limited budget.
- Registering external apps makes it easier to comply with organizational, institutional, or governmental data policies and prevent loss of data or intellectual property through the use of unsecured data channels or applications.
Integrating an External App
External Applications can integrate with Edge if they support the OAuth2 Authorization Code Flow. The process for integrating an External Application is as follows:
- Create an Application record in Edge
- Create an AppVersion record in Edge
- Register the Application with a redirect URI
- Provide the client_id and client_secret to the External App for the Authorization Code Flow
You can see an example of this in our Examples GitHub repository. Please see External App Example for more details.
Registering the App
Registering an External App is very similar to Publishing an Application. You will require organization developer access and an API token, as well as an EdgeSession created from the enthought_edge EDM package. There are some notable differences when creating an AppVersion record:
- The kind parameter must be AppKindEnum.External
- The link parameter must be the URL of the External App's deployed location
This is an example of code for creating an AppVersion that differs from Adding an Application Version:
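version1 = AppVersion(
    app_id="myexternalapp",
    version="1.0.0",
    title="Edge External App Demo, v1.0.0",
    description="Demonstration of an external application",
    icon=ICON,
    # An External App is hosted elsewhere, so it is marked as External ...
    kind=AppKindEnum.External,
    # ... and link is the URL of its deployed location.
    link="https://edge-external-demo.edge-dev.enthought.com",
)
# edge is your EdgeSession.
edge.applications.add_app_version(version1)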
Registering an OAuth2 Client
When an External App requires a user to login, it can perform an OAuth redirection to Edge's login screen. After the user logs in, they are redirected back to the External App. For the OAuth code and token exchange to occur, the External App requires a client_id and client_secret value. These values are provided by Edge when an Organization Developer registers a redirect_url for the app. You can perform this task with your EdgeSession:
result = edge.applications.register_oauth_client(
    "myexternalapp",
    "https://edge-external-demo.edge-dev.enthought.com/authorize"
)
print(result)
The result of this operation will be a dictionary with the client_id and client_secret:
{'client_id': 'service-edge-app-default-myexternalapp',
 'client_secret': 'RANDOM_CLIENT_SECRET',
 'redirect_uri': 'https://edge-external-app-demo.edge-dev.enthought.com/authorize'}
As shown in our External App example, the authorize endpoint processes the result of the OAuth2 redirection.
An application may only have exactly one OAuth client. Registering an OAuth client always invalidates the previous client_secret even if the redirect_uri is the same. This means that the deployed External App will have to be reconfigured with the new client_secret. The previous client_secret is unrecoverable.
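The checks an External App's authorize endpoint should make during the Authorization Code Flow, as an added sketch that is not taken from Edge or from the External App example. Assumptions: AUTH_ENDPOINT is a placeholder (the real Edge URLs are in the example's README), `session` stands in for the user's server-side session, and the client credentials are sent in the token request body.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder, not a real Edge URL: take the endpoint from the example's README.
AUTH_ENDPOINT = "https://edge.example.invalid/oauth/authorize"
# Must match the redirect URI registered with register_oauth_client().
REDIRECT_URI = "https://edge-external-demo.edge-dev.enthought.com/authorize"


def begin_login(session, client_id):
    """Store a fresh state in the session and return the login redirect URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTH_ENDPOINT}?{query}"


def handle_authorize(session, callback_url, client_id, client_secret):
    """Validate the redirect back to /authorize; return the token request form."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    expected = session.pop("oauth_state", None)  # single use: replays fail
    if "error" in params:
        raise PermissionError(f"authorization failed: {params['error']}")
    returned = params.get("state", "")
    # Constant-time comparison on bytes, so odd input cannot raise TypeError.
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise PermissionError("state mismatch")
    if not params.get("code"):
        raise PermissionError("missing authorization code")
    # Form fields to POST server-side to the token endpoint (RFC 6749, 4.1.3).
    return {
        "grant_type": "authorization_code",
        "code": params["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "client_secret": client_secret,  # load from deployment config, never hard-code
    }
```

Because re-registering the OAuth client replaces the client_secret, reading it from deployment configuration keeps the reconfiguration to a single setting.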
External App Requirements
External Apps use the client_id and client_secret along with a few other values to integrate with Edge's authentication. The External App example is a Flask application that demonstrates how to implement the OAuth2 Authorization Code Flow. To see details of how to configure the External Application to use these values, view the example's README.
Edge provides authentication for external applications and guarantees that the ID of a user is genuine. It is up to an External App to determine the authorization for that user to access the External App's resources. For more information, see the README.md file in the External App example.
Deploying external-app-example
There are many ways to deploy an External App. Our example is deployed to https://edge-external-demo.edge-dev.enthought.com using Terraform. If you wish to use the application code and deployment configuration as a template, you will require a Kubernetes namespace for deployment. To configure your deployment, follow the instructions in the Edge External App example's README.
You can contact support@enthought.com if you need our assistance with deploying an external app.