BTBurke / caddy-jwt

JWT middleware for the Caddy server
MIT License

Response after successful login: www-authenticate header: Bearer realm="",error="invalid_token" #42

Closed schnatterer closed 5 years ago

schnatterer commented 5 years ago

Just downloaded a fresh Caddy v0.11.5 with

And then set it up with a caddyfile as described in the http.login docs:

jwt {
    path /
    allow sub bob
}

login / {
    simple bob=secret,alice=secret
}

When I log in with bob at /login I'm always redirected back to /login. The response contains the following: www-authenticate header: Bearer realm="",error="invalid_token". I can see in Caddy's log that the authentication was successful.

Any idea what went wrong? Are the Plugin versions not compatible?

BTW the same works with

Didn't try the versions in between.

smancke commented 5 years ago

Was the cookie set in the browser? (Make sure to use SSL or set the loginsrv parameter '-cookie-secure=false')
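The browser behaviour described above, as an added Go example that is not part of this issue or of either plugin: a cookie jar stores the JWT cookie the login response sets and then, like a browser, refuses to attach it to a plain-HTTP request when it carries the Secure flag, so the jwt directive sees no token and answers with the challenge from the issue title. The cookie name jwt_token and the challenge string are assumptions modelled on loginsrv's default cookie name and on the response quoted in the report.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// cookieName is loginsrv's default JWT cookie name (assumption: default unchanged).
const cookieName = "jwt_token"

// LoginAndFetch models the round trip from the issue: the login handler sets the
// JWT cookie (with or without Secure) and the browser then requests the protected
// path. It returns the WWW-Authenticate challenge caddy-jwt sends when no token
// arrives, or "" when the cookie was attached. The challenge text is a simplified
// model of the plugin's response, not its code.
func LoginAndFetch(scheme string, secure bool) (string, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		return "", err
	}
	loginURL := &url.URL{Scheme: scheme, Host: "localhost:2015", Path: "/login"}
	// The browser stores whatever Set-Cookie the login response carried.
	jar.SetCookies(loginURL, []*http.Cookie{{
		Name: cookieName, Value: "constructed.jwt.value", Path: "/",
		HttpOnly: true, Secure: secure,
	}})
	// Next request: a Secure cookie is only sent back over https.
	protected := &url.URL{Scheme: scheme, Host: "localhost:2015", Path: "/"}
	for _, c := range jar.Cookies(protected) {
		if c.Name == cookieName {
			return "", nil
		}
	}
	return `Bearer realm="",error="invalid_token"`, nil
}

func main() {
	cases := []struct {
		scheme string
		secure bool
	}{{"http", true}, {"http", false}, {"https", true}}
	for _, tc := range cases {
		ch, _ := LoginAndFetch(tc.scheme, tc.secure)
		fmt.Printf("%s secure=%v -> challenge=%q\n", tc.scheme, tc.secure, ch)
	}
}
```

Clearing Secure is a local-testing workaround only; in a real deployment keep TLS so the session cookie is never sent in the clear.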

schnatterer commented 5 years ago

Thanks for your fast response. That could actually be the solution because I used HTTP only locally. I'll get back when I can confirm it.

schnatterer commented 5 years ago

I can confirm 'cookie-secure false' resolves my issue.

Would it make sense to update caddy-jwt's docs? Where?

If someone ever stumbles on this again and would like to know more content or examples, here's my use case - a git-based wiki behind Caddy: https://github.com/schnatterer/gollum-galore I definitely updated the docs there ;-)

BTBurke commented 5 years ago

It seems like the loginsrv readme has the information about setting cookie-secure=false for the latest version. I could add a note to the caddy-jwt readme but this has more to do with how secure cookies are handled by the browser rather than anything related to this plugin.

schnatterer commented 5 years ago

@BTBurke Right, they have a quite obvious

Attention: Since v1.3.0, pure HTTP is not supported by default

there :-) My starting point was caddyserver.com - http.login docs which didn't work out of the box. But for changing this description, I'll probably have to open an issue in the loginsrv repo, right?

magikstm commented 5 years ago

But for changing this description, I'll probably have to open an issue in the loginsrv repo, right?

@smancke I think both "attention notes" or a mention to check notes in the repo on upgrades could be added on this page https://caddyserver.com/docs/http.login. As suggested by @schnatterer.