
Successful Oauth Login Immediately Redirects #56

Open nullmonk opened 8 months ago

nullmonk commented 8 months ago

After successfully getting a login from an OAuth2 authentication server, the security plugin is immediately issuing a redirect back to login. This prevents the user from ever seeing pages despite having a valid AUTHP_SESSION_ID

caddy-1  | {"level":"debug","ts":1706948842.724188,"logger":"security","msg":"decoded claims from OAuth 2.0 authorization server access token","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","claims":{"email":"admin@aa.aaa","exp":1706948902,"iat":1706948842,"iss":"https://keycloak.localhost/realms/master","jti":"3fd3becd-e86d-4f4c-9715-771f7178704e","sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1  | {"level":"info","ts":1706948842.724215,"logger":"security","msg":"Successful login","session_id":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","auth_method":"oauth2","auth_realm":"keycloak","user":{"email":"admin@aa.aaa","exp":1706948902,"iat":1706948842,"iss":"https://keycloak.localhost/realms/master","jti":"3fd3becd-e86d-4f4c-9715-771f7178704e","sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1  | {"level":"debug","ts":1706948842.724238,"logger":"security","msg":"user transformation ended","session_id":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","user":{"addr":"172.18.0.1","email":"admin@aa.aaa","exp":1706952442,"iat":1706948842,"iss":"https://auth.localhost/oauth2/keycloak/","jti":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","nbf":1706948782000,"origin":"keycloak","realm":"keycloak","roles":["authp/user"],"sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1  | {"level":"info","ts":1706948842.7243025,"logger":"security","msg":"Successful login","session_id":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","backend":{"name":"keycloak","realm":"keycloak","method":"oauth"},"user":{"addr":"172.18.0.1","email":"admin@aa.aaa","exp":1706952442,"iat":1706948842,"iss":"https://auth.localhost/oauth2/keycloak/","jti":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","nbf":1706948782000,"origin":"keycloak","realm":"keycloak","roles":["authp/user"],"sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1  | {"level":"debug","ts":1706948842.7278128,"logger":"security","msg":"Redirect served","session_id":"xotKDNpvd5QpjsnGgkylffEt3oY3ADNJarnhebO","request_id":"b8be8999-7b36-4436-bc90-d9b5152ca198","redirect_url":"https://auth.localhost/login","status_code":302}
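{
    debug
    # Place the plugin's handler directives in Caddy's directive order; both are
    # required for `authenticate with` / `authorize with` in the site blocks below.
    order authenticate before respond
    order authorize before basicauth
    security {
        oauth identity provider keycloak {
            driver generic
            realm keycloak
            client_id caddy
            # Secret comes from the environment instead of a literal in the Caddyfile
            # (the env var name is arbitrary; pick one and export it before starting Caddy).
            client_secret {env.KEYCLOAK_CLIENT_SECRET}
            scopes openid profile email
            # Discovery over plain http on the compose-internal network; the browser-facing
            # issuer is https://keycloak.localhost (matches the `iss` claim in the log above).
            # Only acceptable because the container network is private — see discussion.
            metadata_url http://keycloak:8080/realms/master/.well-known/openid-configuration
            # Per the docs, delays the provider's startup (metadata fetch) so Keycloak is up first.
            delay_start 2
        }

        authentication portal myportal {
            crypto default token lifetime 3600
            # Shared HMAC key; must be identical to the `crypto key verify` in mypolicy below.
            # Kept out of the file for the same reason as client_secret.
            crypto key sign-verify {env.JWT_SHARED_KEY}
            enable identity provider keycloak
            # NOTE(review): the "Redirect served" log line carries a different session_id
            # than the "Successful login" lines, which is consistent with the session cookie
            # not being sent back on the request to `localhost`. Browsers handle an explicit
            # `Domain=localhost` attribute inconsistently — TODO confirm by inspecting
            # Set-Cookie in the portal response and the Cookie header on the next request.
            cookie domain localhost
            ui {
                links {
                    "My Identity" "/whoami" icon "las la-user"
                }
            }
            transform user {
                match origin keycloak
                action add role authp/user
            }
        }

        authorization policy mypolicy {
            set auth url https://auth.localhost/
            allow roles authp/admin authp/user
            # Must match the portal's sign-verify key or every token fails verification.
            crypto key verify {env.JWT_SHARED_KEY}
        }
    }
}

# Keycloak is published only through Caddy (TLS terminates here); see KC_PROXY in compose.
keycloak.localhost {
    reverse_proxy http://keycloak:8080
}

auth.localhost {
    authenticate with myportal
}

localhost {
    authorize with mypolicy
    respond "Hello World"
}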
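---
# Local reproduction stack for the issue above: Keycloak (IdP) behind Caddy with the
# authp security plugin. Dev-only settings; see the inline comments before reusing.
version: "3"
services:
  keycloak:
    image: quay.io/keycloak/keycloak:23.0.6
    # start-dev runs Keycloak without its production checks (no TLS, relaxed hostname).
    command: start-dev
    ports:
      # Caddy reaches Keycloak over the compose network (reverse_proxy http://keycloak:8080),
      # so the host publish is only for direct admin access; bind it to loopback rather
      # than all interfaces. Mappings are quoted so YAML keeps them as strings.
      - "127.0.0.1:8080:8080"
    environment:
      - KEYCLOAK_ADMIN=admin
      # Admin password comes from the shell environment; `:?` makes compose fail loudly
      # when it is unset instead of starting with an empty or well-known password.
      - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:?set KEYCLOAK_ADMIN_PASSWORD}
      - PROXY_ADDRESS_FORWARDING=true
      # Keycloak 23 proxy mode: TLS terminates at Caddy, Keycloak is reached over http.
      - KC_PROXY=edge
      # Public issuer URL; must match the `iss` the portal sees (https://keycloak.localhost/realms/...).
      - KC_HOSTNAME_URL=https://keycloak.localhost/
  caddy:
    # `beta` is a floating tag; pin a version or digest so the repro is reproducible.
    image: ghcr.io/authp/authp:beta
    ports:
      - "443:443"
    volumes:
      - ./caddy/:/etc/caddy/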
greenpau commented 8 months ago

@micahjmartin , that may happen when you use http.

greenpau commented 8 months ago

Also, read up on delayed start in the docs. You may want to add that directive.

greenpau commented 8 months ago

If you do use http, please see cookie insecure directive.

nullmonk commented 8 months ago

@micahjmartin , that may happen when you use http.

There shouldn't be any http requests: setting KC_HOSTNAME_URL overrides all the URLs in openid-configuration to be HTTPS, which are then passed to the browser. I can confirm too that the browser is using HTTPS when it is hitting both keycloak and caddy. The only reason metadata_url points at the private route is that the certificates are self-signed by caddy and the client used to fetch the metadata_url does not trust the caddy certificate.


Also, read up on delayed start in the docs. You may want to add that directive.

I have `delay_start 2` in my Caddyfile above; sorry, the indentation was messed up.