authcrunch / authcrunch.github.io

Documentation for Caddy v2 Auth Portal and Authorize Plugins.

Allow both unauthenticated and authenticated access #46

Closed mx-moth closed 1 year ago

mx-moth commented 1 year ago

I am writing a collection of services backed by caddy and caddy-security. These services allow authenticated users to generate datasets via an API. Once the datasets are produced, users can choose to make them publicly accessible.

Using a combination of forward_auth and reverse proxy, I can write a private endpoint in my API that authorizes users before serving datasets to them. This works great for authenticated users, and allows me to only serve users the datasets they should be able to see (public datasets and their own private datasets).

However, I am unable to serve the public datasets to anonymous / unauthenticated users using the same service. As soon as a route has authorize with my-policy, all requests must be made by an authenticated user.

I would like a way to specify in either an authentication portal or an authorization policy that anonymous users are allowed, but still allow users to authenticate themselves with the portal (via the portal UI or via the portal API endpoints). The API itself would deal with only showing users the content they are authorized to see, including handling anonymous users.

Requests from anonymous users could be passed on to the API with either no X-Token-User-Email / X-Token-User-Roles etc. headers, or the presence of an X-Token-User-Anonymous header, or some other indication. My preference is for anonymous users to be indicated by no headers being present.

Anonymous requests to the /whoami endpoint in the auth portal could change to respond with an HTTP 401 with payload {"message": "No token provided"} or similar, to distinguish them from requests supplying an invalid or expired token. Currently all requests which do not successfully authenticate for any reason respond with an HTTP 401 with payload {"message": "Access denied"}.

This change would be strictly opt-in to keep backwards compatibility for existing configurations which do not want anonymous access.

mx-moth commented 1 year ago

Accidentally made this in the wrong repository, moving this to greenpau/caddy-security#213