authcrunch / authcrunch.github.io Goto Github PK

View Code? Open in Web Editor NEW

76.0 76.0 32.0 15.06 MB

Documentation for Caddy v2 Auth Portal and Authorize Plugins.

JavaScript 90.86% CSS 7.51% HTML 0.20% Shell 1.43%

authcrunch.github.io's Introduction

authcrunch

Authentication Portal based on Caddy Security.

authcrunch.github.io's People

Contributors

Stargazers

Watchers

authcrunch.github.io's Issues

panic when trying modified example Caddyfile

I tried out running this with a modified caddyfile:

{
  http_port     8080
  admin off
  debug
}

*:8080 {
   @localhost host localhost
   handle @localhost {
     route /auth* {
       authp {
         crypto default token lifetime 3600
         crypto key sign-verify 0e2fdcf8-6868-41a7-884b-7308795fc286
         backends {
           local_backend {
             method local
             path users.json
             realm local
           }
         }
         ui {
           theme basic
         }
       }
    }

    route /* {
      authorize
      respond "auth"
    }
    route {
      redir http://{hostport}/auth 302
    }
  }
}

I downloaded caddy from the official homepage with your two plugins enabled (and with lego-deprecated, if that is important), and ran it.

When loading http://localhost:8080/auth in a browser, I get a login screen. But when loading http://localhost:8080, I get a panic: exception.txt

I need that different caddyfile structure because I want to use wildcard certificates.
Is there something I'm doing wrong or is this a bug in authp?

cookie strip domain

The cookie strip domain would strip domain from the cookie issued by the portal. It is useful for "all-in-one" websites.

Incorrect crypto key statement in oauth authproxy example

In the Caddyfile example at https://github.com/authp/authp.github.io/blob/main/assets/conf/oauth/authproxy/Caddyfile, you have the line crypto key sign-verify {env.JWT_SHARED_KEY} in both the authentication portal block and the authorization portal block.

If I'm reading the docs at https://authp.github.io/docs/authenticate/auth-cookie correctly, shouldn't that be sign-verify as written in the authentication portal block, but just verify in the authorization policy?

Unable to type password

After submitting my username, I got an "Unauthorized" page, without be able to ever type my password.

In the log, I can see this line:

caddy    | {"level":"debug","ts":1711108495.9933956,"logger":"security","msg":"failed sandbox request","session_id":"d3XyHZGxXv08oWHOsRv2OWvkcPFYGUkVnt32lbGtP3U5D","request_id":"34a7cc42-7cfe-4e9f-a7ef-31cb28da1d84","error":"sandbox secret not found"}

I'm working with Docker-compose.

The Dockerfile I used to build Caddy:

FROM my_xcaddy AS builder

RUN xcaddy build \
    --with github.com/greenpau/caddy-security \
    --with github.com/infogulch/xtemplate-caddy
FROM caddy:alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

My docker-compose.yml file:

version: "3.7"

services:
  caddy:
    build: ./dockers/caddy
    container_name: caddy
    restart: unless-stopped
    ports:
      - "443:443"
    volumes:
      - type: bind
        source: './Caddyfile'
        target: /etc/caddy/Caddyfile
        read_only: true
      - ./site:/usr/share/caddy
      - ./data:/data
  maildev:
    image: maildev/maildev
    container_name: maildev

And, finally, my Caddyfile (strongly inspired from https://github.com/authcrunch/authcrunch.github.io/blob/main/assets/conf/local/Caddyfile):

{
	debug

	order authenticate before respond
	order authorize before basicauth

	security {
		local identity store localdb {
			realm local
			path /data/caddy/users.json
		}

		authentication portal myportal {
			crypto default token lifetime 3600
			enable identity store localdb
			cookie domain localhost
			ui {
				links {
					"My Website" https://test.localhost/ icon "las la-star"
					"Guests" https://test.localhost/guests icon "las la-star"
					"Users" https://test.localhost/users icon "las la-star"
					"Admins" https://test.localhost/admins icon "las la-star"
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin local
				action add role authp/user
				ui link "Portal Settings" /settings icon "las la-cog"
			}
		}

		authorization policy guests_policy {
			set auth url https://auth.localhost/
			allow roles authp/admin authp/user
			acl rule {
				comment allow guests only
				match role guest authp/guest
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}

		authorization policy users_policy {
			set auth url https://auth.localhost/
			allow roles authp/admin authp/user
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}

		authorization policy admins_policy {
			set auth url https://auth.localhost/
			allow roles authp/admin authp/user
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
	}
}

auth.localhost {
	tls internal
	route {
		authenticate with myportal
	}
}

test.localhost {
	tls internal
	route /guests* {
		authorize with guests_policy
		respond * "test - guests only" 200
	}

	route /users* {
		authorize with users_policy
		respond * "test - users" 200
	}

	route /admins* {
		authorize with admins_policy
		respond * "test - admins" 200
	}

	route {
		respond "test is running"
	}
}

What's wrong with this ?

Unable to register new user without email verification.

Using localdb, I am unable to create a new user.

I don't have a smtp server and I don't one either.

How do I register users without using email smtp?

		messaging email provider localhost-smtp-server {
			address 127.0.0.1:1025
			protocol smtp
			passwordless
			sender root@localhost "My Auth Portal"
			# credentials root@localhost
			bcc greenpau@localhost
		}
		user registration localdbRegistry {
			dropbox /caddy/localtest/registrations.json
			title "User Registration"
			code "GRITT4Life"
			require accept terms
			#require domain mx
			admin email admin@localhost
			email provider localhost-smtp-server
			identity store localdb
		}

The error message is

WARN	security	Failed to send notification	{"session_id": "qeu3ododd3wnyepY8SFNvk6FT4mJFspgxkk5b", "request_id": "986862ab-5b6a-46dd-a9de-a08dfe7fa60e", "registration_id": "JARaZJLRxxwfUpW6D1hVbv7KsTRJgrdmCMiRh2WujzqCRLLgDNrX75LGjifH5RildDAKKvgp3UbrJqGBkckj1tF6N", "registration_type": "registration_confirmation", "error": "notification request via \"localhost-smtp-server\" email provider failed: dial tcp 127.0.0.1:1025: connect: connection refused"}

WARN	security	failed registration	{"session_id": "qeu3ododd3wnyepY8SFvk6FT4mJFspgxkk5b", "request_id": "986862ab-5b6a-46dd-a9de-a08dfe7fa60e", "src_ip": "127.0.0.1", "src_conn_ip": "127.0.0.1", "error": "Internal registration messaging error"}

Note: I did try commenting out the email provider... but that resulted in a run error

adding local users via identity store config

Document the following behavior.

The user directive would force the creation or verification of a user at the initialization of a local identity store.
This configuration applies only to local identity stores. If a user already exists, no action would be taken, unless it is a password overwrite.

        local identity store localdb {
            realm local
            path {$HOME}/.local/caddy/localdb/users.json
            user webadmin {
                name Webmaster
                email [email protected]
                password "bcrypt:10:$2a$10$WiU7BR1vqCNnzP5rZltJ5Ow5RspiIgnenCCFGSeMPrFFUhHRpkIhe" overwrite
                roles authp/admin authp/user
            }
            user jsmith {
                name John Smith
                email [email protected]
                password "My@Password123"
                roles authp/user
            }
        }

ui: setting page directives

The following directive disables sections of the "Settings" page:

authentication portal myportal {
  ui {
    disable settings [gpgkeys|sshkeys|apikeys|connected|mfa|password|general]
  }
}

By default all sections of the "Settings" page are enabled. If disabled, then the section will not be visible in the UI.

Cookie access_tocken being rejected after ~15min

Problem

After approximately 15 minutes the cookie creating by a successful login is rejected and you need to reconnect on next page reload.
This behavior is not related with cookie lifetime in Caddyfile.

After a reload, logs are showing messages on why it has been rejected.

What I've tried

changing the setting cookie samesite to lax/strict/none (none of them fix this problem)
checking cookie details: they seems correct

My caddyfile

{
	order authenticate before respond
	order authorize before basicauth
	security {
		ldap identity store main_ldap {
			realm "LDAP server"
			servers {
				ldaps://xxx ignore_cert_errors
			}
			attributes {
				name givenName
				surname sn
				username uid
				member_of gidNumber
				email mail
			}
			username "cn=xxx,dc=xxx"
			password "xxx"
			search_base_dn "ou=xxx,dc=xxx"
			search_filter "(uid=%s)"
			groups {
				"500" admin
			}
  		}
		authentication portal xxx_portal {
			enable identity store main_ldap
			cookie domain xxx.net
			crypto default token lifetime 86400
			cookie lifetime 86400
			cookie samesite lax
		}
		authorization policy xxx_admin {
			set auth url https://auth.xxx.net
			allow roles admin
		}
        }
}

auth.xxx.net {
	authenticate with xxx_portal
}

Successful Oauth Login Immediately Redirects

After successfully getting a login from an OAuth2 authentication server, the security plugin is immediately issuing a redirect back to login. This prevents the user from ever seeing pages despite having a valid AUTHP_SESSION_ID

caddy-1  | {"level":"debug","ts":1706948842.724188,"logger":"security","msg":"decoded claims from OAuth 2.0 authorization server access token","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","claims":{"email":"[email protected]","exp":1706948902,"iat":1706948842,"iss":"https://keycloak.localhost/realms/master","jti":"3fd3becd-e86d-4f4c-9715-771f7178704e","sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1  | {"level":"info","ts":1706948842.724215,"logger":"security","msg":"Successful login","session_id":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","auth_method":"oauth2","auth_realm":"keycloak","user":{"email":"[email protected]","exp":1706948902,"iat":1706948842,"iss":"https://keycloak.localhost/realms/master","jti":"3fd3becd-e86d-4f4c-9715-771f7178704e","sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1  | {"level":"debug","ts":1706948842.724238,"logger":"security","msg":"user transformation ended","session_id":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","user":{"addr":"172.18.0.1","email":"[email protected]","exp":1706952442,"iat":1706948842,"iss":"https://auth.localhost/oauth2/keycloak/","jti":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","nbf":1706948782000,"origin":"keycloak","realm":"keycloak","roles":["authp/user"],"sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1  | {"level":"info","ts":1706948842.7243025,"logger":"security","msg":"Successful login","session_id":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","backend":{"name":"keycloak","realm":"keycloak","method":"oauth"},"user":{"addr":"172.18.0.1","email":"[email protected]","exp":1706952442,"iat":1706948842,"iss":"https://auth.localhost/oauth2/keycloak/","jti":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","nbf":1706948782000,"origin":"keycloak","realm":"keycloak","roles":["authp/user"],"sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1  | {"level":"debug","ts":1706948842.7278128,"logger":"security","msg":"Redirect served","session_id":"xotKDNpvd5QpjsnGgkylffEt3oY3ADNJarnhebO","request_id":"b8be8999-7b36-4436-bc90-d9b5152ca198","redirect_url":"https://auth.localhost/login","status_code":302}

{
	debug
	order authenticate before respond
	order authorize before basicauth
	security {
		oauth identity provider keycloak {
			driver generic
			realm keycloak
			client_id caddy
			client_secret 0ke2N2HmGSyaXCBHQErO1SqKHHY7b6fR
			scopes openid profile email
			metadata_url http://keycloak:8080/realms/master/.well-known/openid-configuration
            delay_start 2
		}

		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify secretsecret
			enable identity provider keycloak
			cookie domain localhost
			ui {
				links {
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin keycloak
				action add role authp/user
			}
		}

		authorization policy mypolicy {
			set auth url https://auth.localhost/
			allow roles authp/admin authp/user
			crypto key verify secretsecret
		}
	}
}

keycloak.localhost {
    reverse_proxy http://keycloak:8080
}

auth.localhost {
	authenticate with myportal
}

localhost {
    authorize with mypolicy
    respond "Hello World"
}

version: "3"
services:
  keycloak:
    ports:
      - 8080:8080
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - PROXY_ADDRESS_FORWARDING=true
      - KC_PROXY=edge
      - KC_HOSTNAME_URL=https://keycloak.localhost/
    image: quay.io/keycloak/keycloak:23.0.6
    command: start-dev
  caddy:
    image: ghcr.io/authp/authp:beta
    ports:
      - 443:443
    volumes:
      - ./caddy/:/etc/caddy/

keycloak no id_token

Hello

Using the latest version of keycloak 20.x

my jwt token looks like :

{ "exp": 1670518964, "iat": 1670518904, "auth_time": 1670518904, "jti": "5ec29444-3409-4d6a-8999-c442a1942e0b", "iss": "https://#######/realms/master", "sub": "131d20a2-79d4-40ec-9e65-e4baaa488145", "typ": "Bearer", "azp": "test-caddy", "nonce": "N2giK5dZPbxpgivEMMvE50l0afvGUK00", "session_state": "e755a31c-12bd-4bb6-829a-9afe4cad4772", "scope": "profile email", "sid": "e755a31c-12bd-4bb6-829a-9afe4cad4772", "email_verified": true, "name": "Omar Omari", "groups": [ "authp/admin", "default-roles-master", "authp/user", "authp/guest", "offline_access", "uma_authorization" ], "preferred_username": "oomari", "given_name": "Omar", "family_name": "Omari", "email": "########" }

I have this error

{"level":"debug","ts":1670518426.718966,"logger":"security","msg":"failed fetching OAuth 2.0 access token from the authorization server","session_id":"L4qZa6GSvpwfxej0lrPgQ0AshlmISYR20O2dm86l","request_id":"e0a6d25f-b162-4ce0-a175-483db6900fdb","error":"authorization server response has no \"id_token\" field"}

google oauth: send "prompt" query param

Is it possible to send extra query params when doing oauth with google?

https://developers.google.com/identity/openid-connect/openid-connect#authenticationuriparameters

I would like to send "prompt=select_account" to let users choose which google account they want to use.

Thanks you!

ui: document meta author and description

The following ui directives allow overwriting the defaults:

  ui {
    meta title "Auth Portal"
    meta description "Authenticates users"
    meta author "John Smith"
  }

If not set, then the following is being displayed:

<title>Authentication Portal - {{ .Title }}</title>
<meta name="description" content="Performs user authentication." />
<meta name="author" content="Paul Greenberg github.com/greenpau" />

ldap: document fallback role directive

If a user authenticated successfully, but the group match failed, the following log messages (specifically LDAP authentication failed: no matched groups) gets generates:

2022/06/11 18:20:17.408 DEBUG   security        LDAP search succeeded   {"server": "ldap://ldap.forumsys.com", "entry_count": 1, "search_base_dn": "DC=EXAMPLE,DC=COM", "search_user_filter": "(&(|(uid=riemann)(mail=riemann))(objectClass=inetOrgPerson))", "users": [{"DN":"uid=riemann,dc=example,dc=com","Attributes":[{"Name":"cn","Values":["Bernhard Riemann"],"ByteValues":["QmVybmhhcmQgUmllbWFubg=="]},{"Name":"uid","Values":["riemann"],"ByteValues":["cmllbWFubg=="]},{"Name":"mail","Values":["[email protected]"],"ByteValues":["cmllbWFubkBsZGFwLmZvcnVtc3lzLmNvbQ=="]}]}]}
2022/06/11 18:20:17.418 WARN    security        Bad Request     {"session_id": "1UOKHLTUlBiAD1DCziSd015yDi2tTO5yzzFlE", "request_id": "fd841467-c8be-4e09-b1eb-d534c2745a76", "error": "LDAP authentication failed: no matched groups", "source_address": "10.0.2.2"}

I will be adding a new directive - fallback role <role_name> [<role_name>]

        ldap identity store example.com {
            groups {
                "ou=scientists,dc=example,dc=com" authp/user
            }
            fallback role authp/user
        }

This way, if no matched groups appears, the user will be assigned one or more roles specified via fallback role directive.

Can't enable local authentication setup

Hi,

I'm trying to replicate https://github.com/authp/authp.github.io/blob/main/assets/conf/local/Caddyfile but I keep getting server timeouts on all authentication domains. The minimally reproducible example is something like:

{
	  security {
	      authentication portal myportal {
			  cookie domain agucova.dev
	          backend local {env.HOME}/.local/caddy/users.json local
	      }
	  }
}

lepton.agucova.dev {
    route {
        authenticate with myportal
    }
    tls {
        dns cloudflare REDACTED
    }
}

But all I get is constant timeouts from the server. This is caddy latest built from the page with caddy-security under Linux ARM64.

The logs themselves aren't really helpful, and seem completely normal.

My objective is to have an authentication domain (lepton.agucova.dev) and use it to authorize access to internal apps on other subdomains.

login icon configuration

Directives:

icon priority 200
icon "Gitlab" "lab la-gitlab la-2x" "white" "#fc6d26" priority 100

Allowed Colors:

#03a9f4
#0d47a1
#1e88e5
#24292f
#324960
#37474f
#455a64
#e53935
#f6f8fa
#fb8c00

new database and default admin username, password and email

When new database gets initialized, the admin username, password and email may be derived from env vars. If not set, then the defaults apply.

        req := &requests.Request{
            User: requests.User{
                Username: os.Getenv("AUTHP_ADMIN_USER"),
                Password: os.Getenv("AUTHP_ADMIN_SECRET"),
                Email:    os.Getenv("AUTHP_ADMIN_EMAIL"),
                Roles:    []string{"authp/admin"},
            },
        }

        if req.User.Username == "" {
            req.User.Username "webadmin"
        }

        if req.User.Password == "" {
            req.User.Password = uuid.NewV4().String()
        }

        if req.User.Email == "" {
            req.User.Email = "[email protected]"
        }

add getting started page with configuration examples

Thankyou for taking the time to explain. I'm approaching this as a user rather than a developer. My use case is to put a simple auth layer in front of Kibana, and was looking for the simplest configuration to enable that. I was reading the doco and seeing snippets of config and trying to piece these together. I now see you have provided complete Caddyfiles in the Git repo. For me, these are the most useful starting point. I will return to the doco for further explanation.

A suggestion for improvement would be to update the 'Get started' page with some very simple step by step instructions for creating a basic auth scenario. At the moment the user is taken to an 'Introduction' page which talks about the project but not clear what the next step is.

Per https://github.com/greenpau/caddy-authorize/issues/89#issuecomment-966649742, add the above.

oauth: document enable logout directive

document enable logout directive.

keycloak in the same Caddyfile

Hi Team,

Is it possible to have on the same Caddyfile the keycloak service and other services to secure with the cadd-security ?

the metadata_url try to check if keycloak is up before running the caddy ...

authenticate: custom claims via user transforms

Document custom claim injection:

transform user {
    match origin local
    action add _couchdb.roles _admin as string list
}

Registration documentation needs to be updated for the new user registration section

The page at https://authp.github.io/docs/authenticate/local/user-registration needs to be updated to reflect the changes described in greenpau/caddy-security#85.

login template customization with custom logo and custom css

        authentication portal myportal {
            ui {
                template login /path/to/login.template
                logo url /assets/custom/logo.svg
                static_asset "assets/custom/logo.svg" "image/svg+xml" /path/to/logo.svg
                static_asset "assets/css/login.css" "text/css" /path/to/login.css
                static_asset "assets/js/login.js" "text/javascript" /path/to/login.js
            }

when trying to register a user via the portal it errors

I am trying to register a new user via the portal, and when I verify I get an error stating the file system is read only.
I have given full perms to the users.json, registrations.json along with the auth and local dirs however no luck.
In my config, its local auth, with the dir being /etc/caddy/auth/local (env.home did not work at all, didnt validate when i ran caddy adapt)

oauth: document the use of id_token cookie

The following directive enabled the adding of id_token token via a cookie. The cookie_name, e.g. `X-ID-Token", is optional.

oauth identity provider <name> {
  enable id_token cookie [<cookie_name>]
}

The cookie value could be retrieved together with the regular whoami payload by adding id_token=true URL param.

https://<auth_portal>/whoami?format=json&id_token=true

How does authp interact with the acme challenge URLs?

I just started using authp and it is absolutely terrific - easiest way to put a SSO authenticating proxy in front of other services that may not be so secure.

I had one question: I use automatic certificates ("tls " style). I understand that there are .well-known urls that LE will eventually want to ping when caddy tries to renew the certificate.

Would authp block these acme challenge requests? Or does caddy handle them before authp kicks in?

I can't find any thing related to these in the Caddy or Authp docs.

fail to send mail to smtp-mail.outlook.com

I'm trying to use the localhost-smtp-server for local registration, but it fails with Unrecognized authentication type for some reason.

Any pointers in how to set this up with outlook.com accounts?

        credentials info@mail {
          username {$SMTP_USERNAME}
          password {$SMTP_PASSWORD}
        }

        messaging email provider localhost-smtp-server {
			address smtp-mail.outlook.com:587
			protocol smtp
                        credentials info@mail
			sender {$SMTP_USERNAME} "User Registration for server.{$DOMAIN}"
		}

"notification request via \"localhost-smtp-server\" email provider failed: Unrecognized authentication type [DUZPR01CA0102.eurprd01.prod.exchangelabs.com 2023-04-04T09:52:09.922Z 08DB316C8DF17388]"

Keycloak user/group/role mapping

I don't understand the user-group-role mapping right now.

The only config where I can change role user mappings is the Caddyfile?

  "roles": [
    "authp/user"
  ],

I thought I can add them in keycloak and the roles are updated when I authenticate again.
We have users with different roles (based on permissions) but I can't see them in the json after the login.
The only mapping that is applied is:

                        transform user {
                                match origin keycloak
                                action add role authp/user
                        }

So everybody that login with keycloac gets the authp/user role.
Did I miss a mapping from the keycloak roles?

If you need the keycloak instance again I still got it offline =)

document aws saml login

Feature request: automaticaly activate newly self-registered users

I read here:

An administrator must manually move entries from registrations.json to users.json file.

Well, in case we want to run a public app open to registration, it can became a pain to handle new users this way. IMO, you should provide an option to enable automatic user activation.

caddy-security doc update

Update non-compliant configurations for configs referencing authp {:

Feature request: store users in database

Storing users in a local file is great, but it should be great also if you provide the ability to store them in a database like PostgreSQL. It should be even easier to handle automatic user activation in this case.

whoami: document beacon and id_token

https://auth.myfiosgateway.com:8443/beacon?format=json
https://auth.myfiosgateway.com:8443/whoami?format=json&id_token=true

update oauth github docs

Just to let you know the docs here still has the deprecated user subdirective.

Source: https://github.com/greenpau/caddy-auth-portal/issues/196#issuecomment-966406883

Allow both unauthenticated and authenticated access

I am writing a collection of services backed by caddy and caddy-security. These services allow authenticated users to generate datasets via an API. Once the datasets are produced, users can choose to make them publicly accessible.

Using a combination of forward_auth and reverse proxy, I can write a private endpoint in my API that authorizes users before serving datasets to them. This works great for authenticated users, and allows me to only serve users the datasets they should be able to see (public datasets and their own private datasets).

However, I am unable to serve the public datasets to anonymous / unauthenticated users using the same service. As soon as a route has authorize with my-policy all requests require that the request be made by an authenticated user.

I would like a way to specify in either an authentication portal or a authorization policy that anonymous users are allowed, but still allow users to authenticate themselves with the portal (via the portal UI or via the portal API endpoints). The API itself would deal with only showing users the content they are authorized to see, including handling anonymous users.

Requests from anonymous users could be passed on to the API with either no X-Token-User-Email / X-Token-User-Roles etc headers, or the presence of a X-Token-User-Anonymous, or some other indication. My preference is for anonymous users to be indicated by no headers being present.

Anonymous requests to the /whoami endpoint in the auth portal could change to respond with a HTTP 401 with payload {"message": "No token provided"} or similar, to distinguish from supplying an invalid or expired token. Currently all requests which do not successfully authenticate for any reason respond with a HTTP 401 with payload {"message": "Access denied"}

This change would be strictly opt-in to keep backwards compatibility for existing configurations which do not want anonymous access.

authorize: document basic auth and API key auth

security {
  authorization policy mypolicy {
    with basic auth portal myportal realm local
    with api key auth portal myportal realm local
  }
}

messaging: document file provider

Instead of emailing, the file provider stores emails in a directory, e.g. {$HOME}/.local/caddy/localdb/registry

        messaging file provider localhost-file-server {
            rootdir {$HOME}/.local/caddy/localdb/registry
        }

        user registration localdbRegistry {
            #disabled
            dropbox {$HOME}/.local/caddy/localdb/registrations.json
            title "User Registration"
            code "NY2020"
            require accept terms
            require domain mx
            admin email [email protected] [email protected]
            email provider localhost-file-server
            identity store localdb
        }

username/password recovery and contact support email/link

Document the directives:

local identity store localdb {
  enable password recovery
  enable username recovery
  enable contact support
  support link /help
  support email [email protected]
}

Remove references to password_recovery_enabled under UI.

Azure OIDC Expired Tokens Redirect URL Issue

I've setup a protected website for my teams internal HTML documentation using the Azure OIDC Enterprise application configuration.
Authentication works like charm however if the token expires, e.g. after you continue reading documentation after a lunch break, the http redirect to Azure OIDC provider for re-issuing a new token will always create an Azure authentication error.

I did some investigations and it seems to be that the login_hint parameter send to Azure OIDC endpoint includes the redirect_url parameter that is not supported by Azure. If I remove that parameter from the GET request re-authentication and redirect to Caddy security auth portal is working.

So in case of an expired token and using Azure OIDC provider your only choice currently is to set disable auth redirect query inside the authorization policy configuration.

This works as a workaround because now in case of an expired token you will be redirected to Caddy security authorization portal but not the referring documentation page where the token expired and you left reading the docs.

Question: Is there a way to redirect instead of Azure OIDC endpoint in case of an expired token to Caddys auth endpoint which applies the redirect_url parameter so you will continue on the web page where you left?

Caddy security docs reads (https://authp.github.io/docs/authorize/auto-redirect-url ):

Importantly, if the plugin finds expired token, it attempts to extract the token's issuer value. Then, it checks whether the value starts with http. If it is, then the set auth url will be overwritten with the issuer's web address.

fix cognito docs

The sequence of commands in AWS Shell:

export TARGET_EMAIL="[email protected]"
export TARGET_POOL="us-east-1_Kwldk8dj"
export TARGET_USER="greenpau"
export TARGET_USER_NAME="Paul Greenberg"
export TARGET_USER_SECRET="My@Password"
export TARGET_USER_ROLES="authp/admin|authp/user"
export TARGET_TIMEZONE="America/NewYork"

aws cognito-idp admin-create-user \
  --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
  --region us-east-1

aws cognito-idp admin-set-user-password \
  --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} --password "${TARGET_USER_SECRET}" \
  --permanent --region us-east-1

aws cognito-idp admin-update-user-attributes --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
  --user-attributes Name="email",Value="${TARGET_EMAIL}" \
  --region us-east-1

aws cognito-idp admin-update-user-attributes --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
  --user-attributes Name="custom:roles",Value="${TARGET_USER_ROLES}" \
  --region us-east-1

aws cognito-idp admin-update-user-attributes --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
  --user-attributes Name="name",Value="${TARGET_USER_NAME}" \
  --region us-east-1

aws cognito-idp admin-update-user-attributes --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
  --user-attributes Name="email_verified",Value=true \
  --region us-east-1

aws cognito-idp admin-update-user-attributes --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
  --user-attributes Name="zoneinfo",Value="${TARGET_TIMEZONE}" \
  --region us-east-1

aws cognito-idp admin-get-user --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
  --region us-east-1

oauth userinfo groups and roles

If userinfo contains field that ends either with groups or roles, then extract the values to roles.

  "roles": [
    "authp/admin",
    "authp/user"
  ],
  "sub": "00ua6qak3pEYegVb24x6",
  "userinfo": {
    "name": "Paul Greenberg",
    "zoneinfo": "America/Los_Angeles"
  }
}

Build fails with Docker and xcaddy

I want to build a docker image with the caddy-security plugin, the build fails, here is the output:

My Dockerfile:

FROM caddy:2.6.2-builder AS builder
RUN xcaddy build \
    --with github.com/greenpau/[email protected]
FROM caddy:2.6.2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

It seems that some 'github.com/crewjam/[email protected]' package is causing the issue? Any ideas?

authcrunch / authcrunch.github.io Goto Github PK

authcrunch.github.io's Introduction

authcrunch

authcrunch.github.io's People

Contributors

Stargazers

Watchers

Forkers

authcrunch.github.io's Issues

Problem

What I've tried

My caddyfile

Recommend Projects

Recommend Topics

Recommend Org

Jobs