Authentication Portal based on Caddy Security.
Documentation for Caddy v2 Auth Portal and Authorize Plugins.
I tried out running this with a modified caddyfile:
{
	http_port 8080
	admin off
	debug
}
*:8080 {
	@localhost host localhost
	handle @localhost {
		route /auth* {
			authp {
				crypto default token lifetime 3600
				crypto key sign-verify 0e2fdcf8-6868-41a7-884b-7308795fc286
				backends {
					local_backend {
						method local
						path users.json
						realm local
					}
				}
				ui {
					theme basic
				}
			}
		}
		route /* {
			authorize
			respond "auth"
		}
		route {
			redir http://{hostport}/auth 302
		}
	}
}
I downloaded caddy from the official homepage with your two plugins enabled (and with lego-deprecated, if that is important), and ran it.
When loading http://localhost:8080/auth in a browser, I get a login screen. But when loading http://localhost:8080, I get a panic: exception.txt
I need that different caddyfile structure because I want to use wildcard certificates.
Is there something I'm doing wrong or is this a bug in authp?
The cookie strip domain directive would strip the domain from the cookie issued by the portal. It is useful for "all-in-one" websites.
In the Caddyfile example at https://github.com/authp/authp.github.io/blob/main/assets/conf/oauth/authproxy/Caddyfile, you have the line crypto key sign-verify {env.JWT_SHARED_KEY} in both the authentication portal block and the authorization policy block.
If I'm reading the docs at https://authp.github.io/docs/authenticate/auth-cookie correctly, shouldn't that be sign-verify as written in the authentication portal block, but just verify in the authorization policy?
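To make the sign-verify/verify distinction concrete, here is an added Go example (not code from caddy-security or this repository) in which one function plays the portal that signs a token with the shared key and another plays the policy that only verifies it. It assumes HS256 and a constructed secret "secretsecret"; the point it demonstrates is that with a symmetric key the verifying side necessarily holds the signing key, so "verify" limits what the policy does, not what the key could do, and the key must be protected equally on both sides.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// signToken plays the authentication portal's role ("sign-verify" key):
// it issues an HS256 JWT over the claims using the shared secret.
func signToken(secret []byte, claims map[string]interface{}) (string, error) {
	enc := base64.RawURLEncoding
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// verifyToken plays the authorization policy's role ("verify" key): it pins the
// algorithm, recomputes the HMAC with the same shared secret, and checks expiry.
// Because the key is symmetric, whoever can verify could also sign.
func verifyToken(secret []byte, token string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	rawHeader, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("unexpected or missing alg")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature verification failed")
	}
	rawPayload, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, err
	}
	exp, ok := claims["exp"].(float64)
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	secret := []byte("secretsecret") // constructed shared key for the demo
	claims := map[string]interface{}{
		"sub":   "jsmith",
		"roles": []string{"authp/user"},
		"exp":   time.Now().Add(time.Hour).Unix(),
	}
	tok, _ := signToken(secret, claims)
	_, err := verifyToken(secret, tok, time.Now())
	fmt.Println("same shared key verifies:", err == nil)
	_, err = verifyToken([]byte("wrong-key"), tok, time.Now())
	fmt.Println("different key verifies:", err == nil)
}
```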
After submitting my username, I got an "Unauthorized" page, without being able to ever type my password.
In the log, I can see this line:
caddy | {"level":"debug","ts":1711108495.9933956,"logger":"security","msg":"failed sandbox request","session_id":"d3XyHZGxXv08oWHOsRv2OWvkcPFYGUkVnt32lbGtP3U5D","request_id":"34a7cc42-7cfe-4e9f-a7ef-31cb28da1d84","error":"sandbox secret not found"}
I'm working with Docker-compose.
The Dockerfile I used to build Caddy:
FROM my_xcaddy AS builder
RUN xcaddy build \
    --with github.com/greenpau/caddy-security \
    --with github.com/infogulch/xtemplate-caddy
FROM caddy:alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
My docker-compose.yml file:
version: "3.7"
services:
  caddy:
    build: ./dockers/caddy
    container_name: caddy
    restart: unless-stopped
    ports:
      - "443:443"
    volumes:
      - type: bind
        source: './Caddyfile'
        target: /etc/caddy/Caddyfile
        read_only: true
      - ./site:/usr/share/caddy
      - ./data:/data
  maildev:
    image: maildev/maildev
    container_name: maildev
And, finally, my Caddyfile (strongly inspired by https://github.com/authcrunch/authcrunch.github.io/blob/main/assets/conf/local/Caddyfile):
{
	debug
	order authenticate before respond
	order authorize before basicauth
	security {
		local identity store localdb {
			realm local
			path /data/caddy/users.json
		}
		authentication portal myportal {
			crypto default token lifetime 3600
			enable identity store localdb
			cookie domain localhost
			ui {
				links {
					"My Website" https://test.localhost/ icon "las la-star"
					"Guests" https://test.localhost/guests icon "las la-star"
					"Users" https://test.localhost/users icon "las la-star"
					"Admins" https://test.localhost/admins icon "las la-star"
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin local
				action add role authp/user
				ui link "Portal Settings" /settings icon "las la-cog"
			}
		}
		authorization policy guests_policy {
			set auth url https://auth.localhost/
			allow roles authp/admin authp/user
			acl rule {
				comment allow guests only
				match role guest authp/guest
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
		authorization policy users_policy {
			set auth url https://auth.localhost/
			allow roles authp/admin authp/user
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
		authorization policy admins_policy {
			set auth url https://auth.localhost/
			allow roles authp/admin authp/user
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
	}
}
auth.localhost {
	tls internal
	route {
		authenticate with myportal
	}
}
test.localhost {
	tls internal
	route /guests* {
		authorize with guests_policy
		respond * "test - guests only" 200
	}
	route /users* {
		authorize with users_policy
		respond * "test - users" 200
	}
	route /admins* {
		authorize with admins_policy
		respond * "test - admins" 200
	}
	route {
		respond "test is running"
	}
}
What's wrong with this?
Using localdb, I am unable to create a new user.
I don't have an SMTP server and I don't want one either.
How do I register users without using email SMTP?
messaging email provider localhost-smtp-server {
	address 127.0.0.1:1025
	protocol smtp
	passwordless
	sender root@localhost "My Auth Portal"
	# credentials root@localhost
	bcc greenpau@localhost
}
user registration localdbRegistry {
	dropbox /caddy/localtest/registrations.json
	title "User Registration"
	code "GRITT4Life"
	require accept terms
	#require domain mx
	admin email admin@localhost
	email provider localhost-smtp-server
	identity store localdb
}
The error message is
WARN security Failed to send notification {"session_id": "qeu3ododd3wnyepY8SFNvk6FT4mJFspgxkk5b", "request_id": "986862ab-5b6a-46dd-a9de-a08dfe7fa60e", "registration_id": "JARaZJLRxxwfUpW6D1hVbv7KsTRJgrdmCMiRh2WujzqCRLLgDNrX75LGjifH5RildDAKKvgp3UbrJqGBkckj1tF6N", "registration_type": "registration_confirmation", "error": "notification request via \"localhost-smtp-server\" email provider failed: dial tcp 127.0.0.1:1025: connect: connection refused"}
WARN security failed registration {"session_id": "qeu3ododd3wnyepY8SFvk6FT4mJFspgxkk5b", "request_id": "986862ab-5b6a-46dd-a9de-a08dfe7fa60e", "src_ip": "127.0.0.1", "src_conn_ip": "127.0.0.1", "error": "Internal registration messaging error"}
Note: I did try commenting out the email provider... but that resulted in a run error.
Document the following behavior. The user directive would force the creation or verification of a user at the initialization of a local identity store. This configuration applies only to local identity stores. If a user already exists, no action would be taken, unless it is a password overwrite.
local identity store localdb {
	realm local
	path {$HOME}/.local/caddy/localdb/users.json
	user webadmin {
		name Webmaster
		email [email protected]
		password "bcrypt:10:$2a$10$WiU7BR1vqCNnzP5rZltJ5Ow5RspiIgnenCCFGSeMPrFFUhHRpkIhe" overwrite
		roles authp/admin authp/user
	}
	user jsmith {
		name John Smith
		email [email protected]
		password "My@Password123"
		roles authp/user
	}
}
This is related to https://authp.github.io/docs/authenticate/local/local
The following directive disables sections of the "Settings" page:
authentication portal myportal {
	ui {
		disable settings [gpgkeys|sshkeys|apikeys|connected|mfa|password|general]
	}
}
By default all sections of the "Settings" page are enabled. If disabled, then the section will not be visible in the UI.
After approximately 15 minutes the cookie created by a successful login is rejected and you need to reconnect on the next page reload.
This behavior is not related to the cookie lifetime in the Caddyfile.
After a reload, logs are showing messages on why it has been rejected.
cookie samesite set to lax/strict/none (none of them fix this problem).
{
	order authenticate before respond
	order authorize before basicauth
	security {
		ldap identity store main_ldap {
			realm "LDAP server"
			servers {
				ldaps://xxx ignore_cert_errors
			}
			attributes {
				name givenName
				surname sn
				username uid
				member_of gidNumber
				email mail
			}
			username "cn=xxx,dc=xxx"
			password "xxx"
			search_base_dn "ou=xxx,dc=xxx"
			search_filter "(uid=%s)"
			groups {
				"500" admin
			}
		}
		authentication portal xxx_portal {
			enable identity store main_ldap
			cookie domain xxx.net
			crypto default token lifetime 86400
			cookie lifetime 86400
			cookie samesite lax
		}
		authorization policy xxx_admin {
			set auth url https://auth.xxx.net
			allow roles admin
		}
	}
}
auth.xxx.net {
	authenticate with xxx_portal
}
After successfully getting a login from an OAuth2 authentication server, the security plugin is immediately issuing a redirect back to login. This prevents the user from ever seeing pages despite having a valid AUTHP_SESSION_ID.
caddy-1 | {"level":"debug","ts":1706948842.724188,"logger":"security","msg":"decoded claims from OAuth 2.0 authorization server access token","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","claims":{"email":"[email protected]","exp":1706948902,"iat":1706948842,"iss":"https://keycloak.localhost/realms/master","jti":"3fd3becd-e86d-4f4c-9715-771f7178704e","sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1 | {"level":"info","ts":1706948842.724215,"logger":"security","msg":"Successful login","session_id":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","auth_method":"oauth2","auth_realm":"keycloak","user":{"email":"[email protected]","exp":1706948902,"iat":1706948842,"iss":"https://keycloak.localhost/realms/master","jti":"3fd3becd-e86d-4f4c-9715-771f7178704e","sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1 | {"level":"debug","ts":1706948842.724238,"logger":"security","msg":"user transformation ended","session_id":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","user":{"addr":"172.18.0.1","email":"[email protected]","exp":1706952442,"iat":1706948842,"iss":"https://auth.localhost/oauth2/keycloak/","jti":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","nbf":1706948782000,"origin":"keycloak","realm":"keycloak","roles":["authp/user"],"sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1 | {"level":"info","ts":1706948842.7243025,"logger":"security","msg":"Successful login","session_id":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","backend":{"name":"keycloak","realm":"keycloak","method":"oauth"},"user":{"addr":"172.18.0.1","email":"[email protected]","exp":1706952442,"iat":1706948842,"iss":"https://auth.localhost/oauth2/keycloak/","jti":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","nbf":1706948782000,"origin":"keycloak","realm":"keycloak","roles":["authp/user"],"sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1 | {"level":"debug","ts":1706948842.7278128,"logger":"security","msg":"Redirect served","session_id":"xotKDNpvd5QpjsnGgkylffEt3oY3ADNJarnhebO","request_id":"b8be8999-7b36-4436-bc90-d9b5152ca198","redirect_url":"https://auth.localhost/login","status_code":302}
{
	debug
	order authenticate before respond
	order authorize before basicauth
	security {
		oauth identity provider keycloak {
			driver generic
			realm keycloak
			client_id caddy
			client_secret 0ke2N2HmGSyaXCBHQErO1SqKHHY7b6fR
			scopes openid profile email
			metadata_url http://keycloak:8080/realms/master/.well-known/openid-configuration
			delay_start 2
		}
		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify secretsecret
			enable identity provider keycloak
			cookie domain localhost
			ui {
				links {
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin keycloak
				action add role authp/user
			}
		}
		authorization policy mypolicy {
			set auth url https://auth.localhost/
			allow roles authp/admin authp/user
			crypto key verify secretsecret
		}
	}
}
keycloak.localhost {
	reverse_proxy http://keycloak:8080
}
auth.localhost {
	authenticate with myportal
}
localhost {
	authorize with mypolicy
	respond "Hello World"
}
version: "3"
services:
  keycloak:
    ports:
      - 8080:8080
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - PROXY_ADDRESS_FORWARDING=true
      - KC_PROXY=edge
      - KC_HOSTNAME_URL=https://keycloak.localhost/
    image: quay.io/keycloak/keycloak:23.0.6
    command: start-dev
  caddy:
    image: ghcr.io/authp/authp:beta
    ports:
      - 443:443
    volumes:
      - ./caddy/:/etc/caddy/
Hello
Using the latest version of keycloak 20.x, my JWT token looks like:
{
  "exp": 1670518964,
  "iat": 1670518904,
  "auth_time": 1670518904,
  "jti": "5ec29444-3409-4d6a-8999-c442a1942e0b",
  "iss": "https://#######/realms/master",
  "sub": "131d20a2-79d4-40ec-9e65-e4baaa488145",
  "typ": "Bearer",
  "azp": "test-caddy",
  "nonce": "N2giK5dZPbxpgivEMMvE50l0afvGUK00",
  "session_state": "e755a31c-12bd-4bb6-829a-9afe4cad4772",
  "scope": "profile email",
  "sid": "e755a31c-12bd-4bb6-829a-9afe4cad4772",
  "email_verified": true,
  "name": "Omar Omari",
  "groups": [
    "authp/admin",
    "default-roles-master",
    "authp/user",
    "authp/guest",
    "offline_access",
    "uma_authorization"
  ],
  "preferred_username": "oomari",
  "given_name": "Omar",
  "family_name": "Omari",
  "email": "########"
}
I have this error
{"level":"debug","ts":1670518426.718966,"logger":"security","msg":"failed fetching OAuth 2.0 access token from the authorization server","session_id":"L4qZa6GSvpwfxej0lrPgQ0AshlmISYR20O2dm86l","request_id":"e0a6d25f-b162-4ce0-a175-483db6900fdb","error":"authorization server response has no \"id_token\" field"}
Is it possible to send extra query params when doing oauth with google?
https://developers.google.com/identity/openid-connect/openid-connect#authenticationuriparameters
I would like to send "prompt=select_account" to let users choose which google account they want to use.
Thank you!
The following ui directives allow overwriting the defaults:
ui {
	meta title "Auth Portal"
	meta description "Authenticates users"
	meta author "John Smith"
}
If not set, then the following is being displayed:
<title>Authentication Portal - {{ .Title }}</title>
<meta name="description" content="Performs user authentication." />
<meta name="author" content="Paul Greenberg github.com/greenpau" />
If a user authenticated successfully, but the group match failed, the following log messages (specifically LDAP authentication failed: no matched groups) get generated:
2022/06/11 18:20:17.408 DEBUG security LDAP search succeeded {"server": "ldap://ldap.forumsys.com", "entry_count": 1, "search_base_dn": "DC=EXAMPLE,DC=COM", "search_user_filter": "(&(|(uid=riemann)(mail=riemann))(objectClass=inetOrgPerson))", "users": [{"DN":"uid=riemann,dc=example,dc=com","Attributes":[{"Name":"cn","Values":["Bernhard Riemann"],"ByteValues":["QmVybmhhcmQgUmllbWFubg=="]},{"Name":"uid","Values":["riemann"],"ByteValues":["cmllbWFubg=="]},{"Name":"mail","Values":["[email protected]"],"ByteValues":["cmllbWFubkBsZGFwLmZvcnVtc3lzLmNvbQ=="]}]}]}
2022/06/11 18:20:17.418 WARN security Bad Request {"session_id": "1UOKHLTUlBiAD1DCziSd015yDi2tTO5yzzFlE", "request_id": "fd841467-c8be-4e09-b1eb-d534c2745a76", "error": "LDAP authentication failed: no matched groups", "source_address": "10.0.2.2"}
I will be adding a new directive - fallback role <role_name> [<role_name>]
ldap identity store example.com {
	groups {
		"ou=scientists,dc=example,dc=com" authp/user
	}
	fallback role authp/user
}
This way, if no matched groups appears, the user will be assigned one or more roles specified via the fallback role directive.
Hi,
I'm trying to replicate https://github.com/authp/authp.github.io/blob/main/assets/conf/local/Caddyfile but I keep getting server timeouts on all authentication domains. The minimally reproducible example is something like:
{
	security {
		authentication portal myportal {
			cookie domain agucova.dev
			backend local {env.HOME}/.local/caddy/users.json local
		}
	}
}
lepton.agucova.dev {
	route {
		authenticate with myportal
	}
	tls {
		dns cloudflare REDACTED
	}
}
But all I get is constant timeouts from the server. This is caddy latest built from the page with caddy-security under Linux ARM64.
The logs themselves aren't really helpful, and seem completely normal.
My objective is to have an authentication domain (lepton.agucova.dev) and use it to authorize access to internal apps on other subdomains.
Directives:
icon priority 200
icon "Gitlab" "lab la-gitlab la-2x" "white" "#fc6d26" priority 100
Allowed Colors:
#03a9f4
#0d47a1
#1e88e5
#24292f
#324960
#37474f
#455a64
#e53935
#f6f8fa
#fb8c00
When new database gets initialized, the admin username, password and email may be derived from env vars. If not set, then the defaults apply.
req := &requests.Request{
	User: requests.User{
		Username: os.Getenv("AUTHP_ADMIN_USER"),
		Password: os.Getenv("AUTHP_ADMIN_SECRET"),
		Email:    os.Getenv("AUTHP_ADMIN_EMAIL"),
		Roles:    []string{"authp/admin"},
	},
}
// Defaults apply only to the values left unset in the environment.
if req.User.Username == "" {
	req.User.Username = "webadmin"
}
if req.User.Password == "" {
	// No AUTHP_ADMIN_SECRET: generate a random one-off password.
	req.User.Password = uuid.NewV4().String()
}
if req.User.Email == "" {
	req.User.Email = "[email protected]"
}
Thank you for taking the time to explain. I'm approaching this as a user rather than a developer. My use case is to put a simple auth layer in front of Kibana, and I was looking for the simplest configuration to enable that. I was reading the doco and seeing snippets of config and trying to piece these together. I now see you have provided complete Caddyfiles in the Git repo. For me, these are the most useful starting point. I will return to the doco for further explanation.
A suggestion for improvement would be to update the 'Get started' page with some very simple step by step instructions for creating a basic auth scenario. At the moment the user is taken to an 'Introduction' page which talks about the project, but it is not clear what the next step is.
Per https://github.com/greenpau/caddy-authorize/issues/89#issuecomment-966649742, add the above.
document enable logout directive.
Hi Team,
Is it possible to have in the same Caddyfile the keycloak service and other services to secure with caddy-security?
The metadata_url tries to check if keycloak is up before running caddy...
Document custom claim injection:
transform user {
	match origin local
	action add _couchdb.roles _admin as string list
}
The page at https://authp.github.io/docs/authenticate/local/user-registration needs to be updated to reflect the changes described in greenpau/caddy-security#85.
Login template customization with custom logo and custom css.
authentication portal myportal {
	ui {
		template login /path/to/login.template
		logo url /assets/custom/logo.svg
		static_asset "assets/custom/logo.svg" "image/svg+xml" /path/to/logo.svg
		static_asset "assets/css/login.css" "text/css" /path/to/login.css
		static_asset "assets/js/login.js" "text/javascript" /path/to/login.js
	}
}
I am trying to register a new user via the portal, and when I verify I get an error stating the file system is read only.
I have given full perms to the users.json, registrations.json along with the auth and local dirs, however no luck.
In my config, it's local auth, with the dir being /etc/caddy/auth/local (env.home did not work at all, didn't validate when I ran caddy adapt).
The following directive enables adding the id_token via a cookie. The cookie_name, e.g. X-ID-Token, is optional.
oauth identity provider <name> {
	enable id_token cookie [<cookie_name>]
}
The cookie value could be retrieved together with the regular whoami payload by adding the id_token=true URL param.
https://<auth_portal>/whoami?format=json&id_token=true
I just started using authp and it is absolutely terrific - easiest way to put a SSO authenticating proxy in front of other services that may not be so secure.
I had one question: I use automatic certificates ("tls " style). I understand that there are .well-known urls that LE will eventually want to ping when caddy tries to renew the certificate.
Would authp block these acme challenge requests? Or does caddy handle them before authp kicks in?
I can't find anything related to these in the Caddy or Authp docs.
I'm trying to use the localhost-smtp-server for local registration, but it fails with Unrecognized authentication type for some reason.
Any pointers in how to set this up with outlook.com accounts?
credentials info@mail {
	username {$SMTP_USERNAME}
	password {$SMTP_PASSWORD}
}
messaging email provider localhost-smtp-server {
	address smtp-mail.outlook.com:587
	protocol smtp
	credentials info@mail
	sender {$SMTP_USERNAME} "User Registration for server.{$DOMAIN}"
}
"notification request via \"localhost-smtp-server\" email provider failed: Unrecognized authentication type [DUZPR01CA0102.eurprd01.prod.exchangelabs.com 2023-04-04T09:52:09.922Z 08DB316C8DF17388]"
I don't understand the user-group-role mapping right now.
The only config where I can change role user mappings is the Caddyfile?
  "roles": [
    "authp/user"
  ],
I thought I can add them in keycloak and the roles are updated when I authenticate again.
We have users with different roles (based on permissions) but I can't see them in the json after the login.
The only mapping that is applied is:
transform user {
	match origin keycloak
	action add role authp/user
}
So everybody that logs in with keycloak gets the authp/user role.
Did I miss a mapping from the keycloak roles?
If you need the keycloak instance again I still got it offline =)
I read here:
An administrator must manually move entries from registrations.json to users.json file.
Well, in case we want to run a public app open to registration, it can become a pain to handle new users this way. IMO, you should provide an option to enable automatic user activation.
Update non-compliant configurations for configs referencing authp {:
docs/authorize/acl-rbac.md
docs/authenticate/oauth/81-backend-oauth2-0000-generic.md
docs/authenticate/oauth/81-backend-oauth2-0001-okta.md
docs/authenticate/oauth/81-backend-oauth2-0002-google.md
docs/authenticate/oauth/81-backend-oauth2-0008-facebook.md
docs/authenticate/oauth/81-backend-oauth2-0009-gitlab.md
docs/authenticate/oauth/81-backend-oauth2-0007-github.md
docs/authenticate/ldap/10-ldap.md
docs/authenticate/local/40-user-registration.md
docs/authenticate/local/10-local.md
docs/authenticate/11-mfa.md
docs/authenticate/55-ui-features.md
docs/authenticate/90-misc.md
docs/authenticate/45-usage-examples.md
Storing users in a local file is great, but it should be great also if you provide the ability to store them in a database like PostgreSQL. It should be even easier to handle automatic user activation in this case.
https://auth.myfiosgateway.com:8443/beacon?format=json
https://auth.myfiosgateway.com:8443/whoami?format=json&id_token=true
Just to let you know, the docs here still have the deprecated user subdirective.
Source: https://github.com/greenpau/caddy-auth-portal/issues/196#issuecomment-966406883
I am writing a collection of services backed by caddy and caddy-security. These services allow authenticated users to generate datasets via an API. Once the datasets are produced, users can choose to make them publicly accessible.
Using a combination of forward_auth and reverse proxy, I can write a private endpoint in my API that authorizes users before serving datasets to them. This works great for authenticated users, and allows me to only serve users the datasets they should be able to see (public datasets and their own private datasets).
However, I am unable to serve the public datasets to anonymous / unauthenticated users using the same service. As soon as a route has authorize with my-policy, all requests require that the request be made by an authenticated user.
I would like a way to specify in either an authentication portal or an authorization policy that anonymous users are allowed, but still allow users to authenticate themselves with the portal (via the portal UI or via the portal API endpoints). The API itself would deal with only showing users the content they are authorized to see, including handling anonymous users.
Requests from anonymous users could be passed on to the API with either no X-Token-User-Email / X-Token-User-Roles etc. headers, or the presence of an X-Token-User-Anonymous header, or some other indication. My preference is for anonymous users to be indicated by no headers being present.
Anonymous requests to the /whoami endpoint in the auth portal could change to respond with an HTTP 401 with payload {"message": "No token provided"} or similar, to distinguish from supplying an invalid or expired token. Currently all requests which do not successfully authenticate for any reason respond with an HTTP 401 with payload {"message": "Access denied"}.
This change would be strictly opt-in to keep backwards compatibility for existing configurations which do not want anonymous access.
security {
	authorization policy mypolicy {
		with basic auth portal myportal realm local
		with api key auth portal myportal realm local
	}
}
}
Instead of emailing, the file provider stores emails in a directory, e.g. {$HOME}/.local/caddy/localdb/registry
messaging file provider localhost-file-server {
	rootdir {$HOME}/.local/caddy/localdb/registry
}
user registration localdbRegistry {
	#disabled
	dropbox {$HOME}/.local/caddy/localdb/registrations.json
	title "User Registration"
	code "NY2020"
	require accept terms
	require domain mx
	admin email [email protected] [email protected]
	email provider localhost-file-server
	identity store localdb
}
Document the directives:
local identity store localdb {
	enable password recovery
	enable username recovery
	enable contact support
	support link /help
	support email [email protected]
}
Remove references to password_recovery_enabled under UI.
I've set up a protected website for my team's internal HTML documentation using the Azure OIDC Enterprise application configuration.
Authentication works like a charm, however if the token expires, e.g. after you continue reading documentation after a lunch break, the HTTP redirect to the Azure OIDC provider for re-issuing a new token will always create an Azure authentication error.
I did some investigations and it seems that the login_hint parameter sent to the Azure OIDC endpoint includes the redirect_url parameter that is not supported by Azure. If I remove that parameter from the GET request, re-authentication and redirect to the Caddy security auth portal is working.
So in case of an expired token and using the Azure OIDC provider your only choice currently is to set disable auth redirect query inside the authorization policy configuration.
This works as a workaround because now in case of an expired token you will be redirected to the Caddy security authorization portal but not to the referring documentation page where the token expired and you left reading the docs.
Question: Is there a way to redirect, in case of an expired token, to Caddy's auth endpoint instead of the Azure OIDC endpoint, which applies the redirect_url parameter so you will continue on the web page where you left?
The Caddy security docs read (https://authp.github.io/docs/authorize/auto-redirect-url):
Importantly, if the plugin finds expired token, it attempts to extract the token's issuer value. Then, it checks whether the value starts with http. If it is, then the set auth url will be overwritten with the issuer's web address.
The sequence of commands in AWS Shell:
export TARGET_EMAIL="[email protected]"
export TARGET_POOL="us-east-1_Kwldk8dj"
export TARGET_USER="greenpau"
export TARGET_USER_NAME="Paul Greenberg"
export TARGET_USER_SECRET="My@Password"
export TARGET_USER_ROLES="authp/admin|authp/user"
export TARGET_TIMEZONE="America/NewYork"
aws cognito-idp admin-create-user \
--user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
--region us-east-1
aws cognito-idp admin-set-user-password \
--user-pool-id ${TARGET_POOL} --username ${TARGET_USER} --password "${TARGET_USER_SECRET}" \
--permanent --region us-east-1
aws cognito-idp admin-update-user-attributes --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
--user-attributes Name="email",Value="${TARGET_EMAIL}" \
--region us-east-1
aws cognito-idp admin-update-user-attributes --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
--user-attributes Name="custom:roles",Value="${TARGET_USER_ROLES}" \
--region us-east-1
aws cognito-idp admin-update-user-attributes --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
--user-attributes Name="name",Value="${TARGET_USER_NAME}" \
--region us-east-1
aws cognito-idp admin-update-user-attributes --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
--user-attributes Name="email_verified",Value=true \
--region us-east-1
aws cognito-idp admin-update-user-attributes --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
--user-attributes Name="zoneinfo",Value="${TARGET_TIMEZONE}" \
--region us-east-1
aws cognito-idp admin-get-user --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
--region us-east-1
If userinfo contains a field that ends either with groups or roles, then extract the values to roles.
  "roles": [
    "authp/admin",
    "authp/user"
  ],
  "sub": "00ua6qak3pEYegVb24x6",
  "userinfo": {
    "name": "Paul Greenberg",
    "zoneinfo": "America/Los_Angeles"
  }
}
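As an added illustration of the rule above (not the plugin's own code), this Go example parses a userinfo document and collects every top-level field whose name ends in groups or roles into a de-duplicated, sorted roles list, accepting both single strings and string lists and ignoring other value types. The function names and the sample userinfo JSON are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// ExtractRoles collects the values of every top-level userinfo field whose name
// ends in "groups" or "roles" (e.g. "groups", "realm_roles"). String and
// string-list values are accepted; anything else is ignored. The result is
// de-duplicated and sorted so that it is stable regardless of map iteration order.
func ExtractRoles(userinfo map[string]interface{}) []string {
	seen := map[string]bool{}
	add := func(s string) {
		if s = strings.TrimSpace(s); s != "" {
			seen[s] = true
		}
	}
	for key, value := range userinfo {
		k := strings.ToLower(key)
		if !strings.HasSuffix(k, "groups") && !strings.HasSuffix(k, "roles") {
			continue
		}
		switch v := value.(type) {
		case string:
			add(v)
		case []interface{}:
			for _, item := range v {
				if s, ok := item.(string); ok {
					add(s)
				}
			}
		case []string:
			for _, s := range v {
				add(s)
			}
		}
	}
	roles := make([]string, 0, len(seen))
	for r := range seen {
		roles = append(roles, r)
	}
	sort.Strings(roles)
	return roles
}

// RolesFromUserinfoJSON parses a raw userinfo document (as returned by an
// OAuth 2.0 provider's userinfo endpoint) and extracts the roles from it.
func RolesFromUserinfoJSON(raw string) ([]string, error) {
	var userinfo map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &userinfo); err != nil {
		return nil, fmt.Errorf("userinfo is not a JSON object: %w", err)
	}
	return ExtractRoles(userinfo), nil
}

func main() {
	// Constructed sample modelled on the Keycloak token shown earlier; not a real response.
	const sample = `{"name":"Paul Greenberg","zoneinfo":"America/Los_Angeles",
	  "groups":["authp/admin","default-roles-master"],"realm_roles":"authp/user"}`
	roles, err := RolesFromUserinfoJSON(sample)
	fmt.Println(roles, err)
}
```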
I want to build a Docker image with the caddy-security plugin, but the build fails. Here is the output:
My Dockerfile:
FROM caddy:2.6.2-builder AS builder
RUN xcaddy build \
    --with github.com/greenpau/[email protected]
FROM caddy:2.6.2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
It seems that some 'github.com/crewjam/[email protected]' package is causing the issue? Any ideas?