RFC-94: Configurable Egress and Remotes

To second @PaoloCampanelli’s comment - now that you have proposed RFC-97 REST APIs in Forge, you will have to make a decision regarding RoA and configurable egress.

There is effectively no difference between the two in terms of control and visibility - an app can egress arbitrary data through either mechanism, and in both cases, it’s the product user who approves the egress and configures authentication between the app and the external system. Whether the egress is initiated internally or externally is an irrelevant detail.

3 Likes

Digging into this further, it appears that the list of set remotes and domains is not available when there is no user present, such as in the context of a scheduled trigger. If an app requires access to this information, it must separately store this configuration. What’s driving this? It requires duplicate storage and different patterns in different places, neither of which is desirable.

1 Like

Having the configurable egress feature can unblock many formatting apps to be ROA, like Markdown, HTML, reporting. These apps can fetch resources like scripts, images, CSS from different CDNs which are customer usage specific.

@HarinathReddyAppfire, in the current proposal, configurable egress will not be considered for ROA:

Thanks for the feedback and good catch; it’s important that backend functions also have awareness of when/where/what permissions have been established, so that they can act accordingly (particularly if a feature is gated by egress being enabled). A lot of the focus of this RFC was on front-end enablement. I’ll take this away for further exploration with the team.

Hey @remie,

That is not correct - the initial RFC noted that it would not be eligible under the current definition and, given other research which is ongoing to assess how configurable egress and REST APIs align to Runs on Atlassian, I preferred not to include it in scope for discussion, so we could focus on use cases and the technical/approval implementation.

In later responses, we have clarified that this is still under exploration and that feedback is being considered.

1 Like

@SeanBourke, can you elaborate more on the timeframe? Because I would expect based on these quotes that the implementation of this RFC will be shipped without a distinct position.

In my interpretation, this means that the initial release of configurable egress will not be RoA compliant. Is that incorrect?