Hub 1.15.1 - How can a team share an App with everyone and use a service user in Oauth?

tescnovonesis · August 15, 2025, 12:20pm

Hi,
We recently upgraded to Hub 1.15.1

Now one of the teams complained, stating that one of their Apps stopped working.
The have a KNIME App, that makes it easy to submit information to Benchling.
In Benchling, they have create a Benchling App, where login is via Oauth.

Until now, they have used the Teams secret manager for storing the Benchling App credentials, and then shared the KNIME App with “everyone”.

Now they see, that they need to specify “Teams” or “Individuals” for sharing the Benchling App credentials. This is not really a maintainable solution for them.

We got it to work, with this workaround.

In the latest year, we have upgraded from Server to Hub.
And we have spent quite a considerable amount of energy, to get users to transition over to using KNIME Hub secret manager.

It would be great to align on the sharing experience for both Apps and Secrets

tobias.koetter · August 20, 2025, 1:29pm

Hello @tescnovonesis ,

with team scope execution you no longer need to share a secret with the users of a Data App. All you need to do is create the secret in the team or share the secret with the team that deploys the Data App. The reason is that with team scope the Data App always runs in the name of the team and not the user that is currently executing the Data App.

We will add some best practices regarding sharing of secrets to the Secrets user guide that should help to clarify the usage.

Bye
Tobias

tescnovonesis · August 21, 2025, 9:26am

Hi Tobias,
We have around ~x00 Teams and license that ~x000 Consumers can consume Apps and Secrets from our Enterprise KNIME Hub.

In management of an App, you can share to users or groups, that have been synced via SCIM or share to any signed in user or with a Link without login.

In management of an Team Secret, you can share to a another Team or user.

How can a Team, that deploy an App, that manage a secret in Team Secret, make that secret available to consumers logging in?

For now, the workaround is to hardcode that secret into the Workflow itself.
But I don’t think that is very secure, and step-backwards from the use KNIME Secret manager.

Thanks
Troels

tkaynak · September 2, 2025, 12:37pm

Hi Troels,

Thank you for the clarification. The most straightforward way is the way that @tobias.koetter mentioned:

Share a secret with a team
As a user of this team, deploy the data app with “Team” scope (under “Advanced settings” → “Additional settings”, see screenshot):

image474×125 4.44 KB
When a consumer now runs this data app, it will be run with the same permissions as a user from the team, so they will be able to access the secret

If, for some reason, this is not feasible for you, there are other ways of making it work:

You can create the secret in every consumer account, and have this Secret Selector built into the Data App: https://hub.knime.com/s/o87-5tUPwoAKZooO
Or you can use the application password of a User with access to the secret on a KNIME Hub Authenticator, and subsequently use the Secret Retriever (not recommended for security reasons)

I hope this helps, best regards,

Tugrul