authcrunch / authcrunch.github.io

Documentation for Caddy v2 Auth Portal and Authorize Plugins.

authorize: document basic auth and API key auth #6

Closed greenpau closed 2 years ago

greenpau commented 2 years ago
security {
  authorization policy mypolicy {
    with basic auth portal myportal realm local
    with api key auth portal myportal realm local
  }
}
hansaliyad1 commented 2 years ago

@greenpau

I am not able to authenticate with API keys. I am doing something wrong but I am not sure what. When I try to use an API key, I get the token error {"session_id": "VU4UbkviHDBkDUVXBzLFy2AqaNsyZbGv7ohhgfKpuDV", "request_id": "c14909b4-0350-493a-9635-b13a30f66471", "error": "keystore: failed to parse token"} and Access denied {"session_id": "VU4UbkviHDBkDUVXBzLFy2AqaNsyZbGv7ohhgfKpuDV", "request_id": "c14909b4-0350-493a-9635-b13a30f66471", "error": "Unauthorized"}. When I try to use access_token, I get Access denied {"session_id": "mzKB76P2roifPaclzL7FSxCfDJ9WJNlMYxXpX71usCkW3", "request_id": "81c16515-9e28-4b69-8262-1d96973d15fc", "error": "Forbidden"}. Below are my authentication and authorization policies. I would really appreciate it if you could provide me any assistance.

authentication portal myportal {
  crypto default token lifetime 3600
  crypto key sign-verify <SHARED_SECRET>
  enable identity store localdb
}

authorization policy mypolicy {
  allow roles authp/admin authp/user
  crypto key verify <SHARED_SECRET>
  acl default allow
}
greenpau commented 2 years ago

Did you add "with api key auth portal myportal realm local"?

hansaliyad1 commented 2 years ago

Yes, I did add with api key auth portal myportal realm local but the results were the same. These policies are used by

api.domain_name.com {
  route * {
    authenticate with myportal
    authorize with mypolicy
    reverse_proxy http://private_ip:<port>
  }
}
greenpau commented 2 years ago

@hansaliyad1 , what header are you sending with the API key?

greenpau commented 2 years ago

@hansaliyad1 , please see https://github.com/greenpau/caddy-security/issues/116#issuecomment-1138686438 about X-Api-Key

hansaliyad1 commented 2 years ago

@hansaliyad1 , what header are you sending with the API key?

I was using Authorization: Bearer.

greenpau commented 2 years ago

I was using Authorization: Bearer.

@hansaliyad1 , thank you for raising this. You should be using X-Api-Key

hansaliyad1 commented 2 years ago

@hansaliyad1 , please see greenpau/caddy-security#116 (comment) about X-Api-Key

I tried X-Api-Key but the results are the same.

    authentication portal myportal {
      crypto default token lifetime 3600
      crypto key sign-verify <SHARED_KEY>
      enable identity store localdb
    }

    authorization policy mypolicy {
      with api key auth portal myportal realm local
      allow roles authp/admin authp/user
      crypto key verify <SHARED_KEY>
      acl default allow
    }

My curl command is curl -H "X-Api-Key: <API_KEY>" -v https://api.domain.com/api/GetGRTrack1

greenpau commented 2 years ago

@hansaliyad1 , I think the plugins are not chained properly. This is incorrect.

  route * {
    authenticate with myportal
    authorize with mypolicy
    reverse_proxy http://private_ip:<port>
  }

It should be:

  route /auth* {
    authenticate with myportal
  }
  route {
    authorize with mypolicy
    reverse_proxy http://private_ip:<port>
  }
hansaliyad1 commented 2 years ago

That worked! Thank you so much!!
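The pieces of the working setup are spread across the thread (the `with api key auth` / `with basic auth` lines from the opening comment, the portal and policy from hansaliyad1's config, and the route split from greenpau's last reply). The following is an added, consolidated Caddyfile written for this page, not a config taken from the project's documentation or from either participant. The hostname `api.example.com`, the upstream `127.0.0.1:8080`, and the `{env.JWT_SHARED_KEY}` placeholder are assumptions; the two `order` global options are the standard caddy-security handler ordering and are not shown anywhere in the thread.

```caddyfile
{
	# caddy-security handlers must be ordered explicitly (assumed standard
	# ordering; not part of the thread).
	order authenticate before respond
	order authorize before basicauth

	security {
		authentication portal myportal {
			crypto default token lifetime 3600
			# Shared secret read from the environment instead of being
			# written into the Caddyfile (assumed placeholder).
			crypto key sign-verify {env.JWT_SHARED_KEY}
			enable identity store localdb
		}

		authorization policy mypolicy {
			# Let the policy accept API keys (sent in the X-Api-Key header,
			# not as a Bearer token) and HTTP Basic credentials, both checked
			# against the portal's local identity store, in addition to the
			# portal-issued JWT.
			with api key auth portal myportal realm local
			with basic auth portal myportal realm local
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
			acl default allow
		}
	}
}

# Assumed hostname; replace with your own.
api.example.com {
	# The portal only handles its own endpoints (login, whoami, ...).
	route /auth* {
		authenticate with myportal
	}

	# Everything else is gated by the policy alone. A request carrying a
	# valid X-Api-Key, valid Basic credentials, or a valid JWT is proxied;
	# anything else is rejected before it reaches the upstream.
	route {
		authorize with mypolicy
		# Assumed upstream address.
		reverse_proxy http://127.0.0.1:8080
	}
}
```

With this layout, the request from the thread, `curl -H "X-Api-Key: <API_KEY>" https://api.example.com/api/GetGRTrack1`, hits the policy-only route and is proxied when the key is valid, while the same key sent as `Authorization: Bearer` is handed to the JWT verifier and fails with "keystore: failed to parse token", which is the first error shown above. Keeping `authenticate` off the API routes also means the portal cannot intercept API calls and answer them with a login redirect.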