greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

question: how to skip the UI and go straight to the OIDC provider login page #152

Closed rucciva closed 2 years ago

rucciva commented 2 years ago


Hi, can we configure the plugin to skip the UI portal and directly redirect the unauthenticated user to OIDC provider login page?

Thanks

greenpau commented 2 years ago

@rucciva , that’s easy. Please share your current config and I will explain based on it.

rucciva commented 2 years ago

Hi @greenpau, actually I haven't tried to deploy it yet, but what I'm trying to achieve is something like this:

  1. Check incoming request.
  2. If not from certain IP, assert jwt from certain cookies
  3. If JWT is valid, continue processing the request to the next handler and ignore next step.
  4. If JWT is invalid, redirect to oidc provider authorization url.
  5. Upon successful login with OIDC and after being redirected back to Caddy, set certain cookies with the OIDC access token (JWT)
  6. Redirect back to url visited in step 1

Note that the OIDC provider is a generic one.

Thanks

greenpau commented 2 years ago

Yes, it would work.

greenpau commented 2 years ago

@rucciva , here are the various oauth config examples https://github.com/authp/authp.github.io/tree/main/assets/conf/oauth

rucciva commented 2 years ago

Thanks for the link @greenpau .

So I suppose I should start with https://github.com/authp/authp.github.io/blob/main/assets/conf/oauth/generic/Caddyfile, right? What are the lines to be added/modified if I want to avoid showing the UI and redirect to the OIDC provider's login page instead?

greenpau commented 2 years ago

@rucciva , yes.

Generally speaking, if you want to go directly to a specific OAuth provider, you would go to "/oauth2/<provider_name>/", or "/auth/oauth2/<provider_name>/" when serving the portal from the "/auth" path.

Additionally, you could inject a JS snippet to do the same in a user's browser.

rucciva commented 2 years ago

Hi @greenpau, I've tried the config but I was faced with an error because the OIDC provider is also behind the same Caddy instance:

run: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 4: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'authentication': provision http.handlers.authentication: loading authentication providers: module name 'authorizer': provision http.authentication.providers.authorizer: loading security app module: provision security: server initialization failed: failed configuring identity provider: failed to fetch metadata for OAuth 2.0 authorization server: Get "https://censored/.well-known/openid-configuration": dial tcp 172.16.137.9:443: connect: connection refused

172.16.137.9:443 is where caddy is listening

greenpau commented 2 years ago

@rucciva , you have connectivity issues. dial tcp 172.16.137.9:443: connect: connection refused

rucciva commented 2 years ago

Yes, that's because Caddy won't start, because caddy-security is not yet starting, because it cannot contact the OAuth2 provider that is behind Caddy. So it's a chicken-and-egg problem, I guess?

greenpau commented 2 years ago

@rucciva, there is a fix for that. It is called delayed start. Please try it out: https://authp.github.io/docs/authenticate/oauth/backend-oauth2-endpoint

rucciva commented 2 years ago

Hi @greenpau , it's working now, thanks.

But I keep getting a forbidden error:

caddy-caddy-1  | {"level":"error","ts":1661929993.5077934,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=<redacted>, src_conn_ip=<redacted>, jti=M3hZVAdPUCUaXEP6vgdaOYjQ8KtmPa6YnNKn, sub=0158ee285e3d26744a65b47d133d5f9848d976aacbfe8997430ae054f046e8e3, email=<redacted>, name=<redacted>, reason: user role is valid, but not allowed by access list"}

My config is like this:

{
    order authenticate before respond
    order authorize before basicauth

    security {
        oauth identity provider generic {
            realm generic
            driver generic
            client_id <redacted>
            client_secret <redacted>
            scopes openid email profile
            base_auth_url <redacted>
            metadata_url <redacted>
            delay_start 15
        }

        authentication portal authentik {
            crypto default token lifetime 3600
            crypto key sign-verify <redacted>
            enable identity provider generic
            cookie domain <redacted>
        }

        authorization policy authentik {
            set auth url <redacted>
            crypto key verify <redacted>
            validate bearer header
            acl default allow
            inject headers with claims
        }
    }
}

greenpau commented 2 years ago

The error tells you that your role (probably guest) is not enough to access protected content. Please read docs on “User Transforms” and RBAC.

https://authp.github.io/docs/authenticate/user-transforms

https://authp.github.io/docs/authorize/acl-rbac

rucciva commented 2 years ago

So what does acl default allow do? I was under the impression that this will allow any logged-in user to access the protected endpoint.

greenpau commented 2 years ago

It does what it says here: https://authp.github.io/docs/authorize/acl-rbac#default-allow-acl

however, it allows user and admin. It is likely you are guest.

rucciva commented 2 years ago

however, it allows user and admin. It is likely you are guest.

Ah, I didn't get this one from the doc. So it should be okay if I add the user (or authp/user?) role to all users, right? If I'm not mistaken, the current roles given include "authp/guest".

greenpau commented 2 years ago

Exactly

rucciva commented 2 years ago

Hi @greenpau, I still can't get acl default allow to work.

Here are the cookie claims:

{
  "addr": "redacted",
  "email": "redacted",
  "exp": 1662005884,
  "family_name": "",
  "given_name": "I Putu Ariyasa",
  "iat": 1662002284,
  "iss": "redacted",
  "jti": "f1U721kijukCe5YZMC5lwDBjAxzn31X7msDlHqTIX7",
  "name": "I Putu Ariyasa",
  "nbf": 1662002224,
  "origin": "generic",
  "realm": "generic",
  "roles": [
    "user",
    "authp/user"
  ],
  "sub": "0158ee285e3d26744a65b47d133d5f9848d976aacbfe8997430ae054f046e8e3"
}

And here is the config:

{
   order authenticate before respond
   order authorize before basicauth

   security {
      oauth identity provider generic {
         realm generic
         driver generic
         client_id redacted
         client_secret redacted
         scopes openid email profile
         base_auth_url redacted
         metadata_url redacted
         delay_start 15
      }

      authentication portal authentik {
         crypto default token lifetime 3600
         crypto key sign-verify redacted
         enable identity provider generic
         cookie domain redacted
         transform user {
            exact match realm generic
            action add role user
            action add role authp/user
         }
      }

      authorization policy authentik {
         set auth url redacted
         crypto key verify redacted
         validate bearer header
         acl default allow
      }
   }
}

But I can get it to work with allow roles authp/user instead of acl default allow.

greenpau commented 2 years ago

@rucciva, remove "action add role user" and "acl default allow". Add "allow roles authp/user authp/admin".
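
Putting the pieces of this thread together, the following is an added example Caddyfile; it is not from the issue itself or from the project's documentation. It combines delay_start (the identity provider is proxied by the same Caddy instance), a user transform that grants authp/user to everyone who signs in through the generic provider, and an explicit allow roles rule instead of acl default allow. The hostnames, cookie domain, client credentials and key values are placeholders, and pointing set auth url at the provider-specific path /auth/oauth2/generic/ (the path greenpau named for going directly to a provider) in order to bypass the portal UI is an assumption, not something the thread confirms.

```caddyfile
{
    order authenticate before respond
    order authorize before basicauth

    security {
        oauth identity provider generic {
            realm generic
            driver generic
            # placeholders: replace with the client registered at the OIDC provider
            client_id REPLACE_CLIENT_ID
            client_secret REPLACE_CLIENT_SECRET
            scopes openid email profile
            base_auth_url https://auth.example.com/auth
            metadata_url https://idp.example.com/.well-known/openid-configuration
            # the provider sits behind this same Caddy instance, so wait before
            # fetching its metadata instead of failing at startup
            delay_start 15
        }

        authentication portal authentik {
            crypto default token lifetime 3600
            # placeholder: the same key must be used by the policy below to verify tokens
            crypto key sign-verify REPLACE_SHARED_KEY
            enable identity provider generic
            cookie domain example.com
            # everyone who authenticated via the generic provider gets authp/user,
            # otherwise they stay authp/guest and are rejected by the policy
            transform user {
                exact match realm generic
                action add role authp/user
            }
        }

        authorization policy authentik {
            # assumption: sending unauthenticated users to the provider path skips the portal UI
            set auth url https://auth.example.com/auth/oauth2/generic/
            crypto key verify REPLACE_SHARED_KEY
            validate bearer header
            # explicit role list instead of "acl default allow"
            allow roles authp/user authp/admin
            inject headers with claims
        }
    }
}

# the portal is served from /auth, so provider entry points live under /auth/oauth2/<provider>/
auth.example.com {
    route /auth* {
        authenticate with authentik
    }
}

# protected application: every request must carry a valid token with an allowed role
app.example.com {
    route /* {
        authorize with authentik
        respond "protected content"
    }
}
```

The token in the cookie is signed by the portal and verified by the policy with the shared key, so the role check happens entirely inside Caddy; the OIDC provider is only contacted for login and for the metadata fetch that delay_start postpones.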

rucciva commented 2 years ago

Noted @greenpau, that is what my current config looks like. Just wondering why acl default allow didn't work at all. Thank you very much.

By the way, what do you think of this: instead of using delay_start x, why not make the plugin ignore errors when requesting the metadata_url at load time and let authentication and authorization fail while it keeps retrying to contact the metadata_url? I mean, in a scenario where we need to run Caddy for the first time with a lot of certificates to be generated, we usually have no clue when the certificate generation will finish, hence we usually don't know how much time it takes for the OAuth2 provider behind Caddy to be ready.

rucciva commented 2 years ago

Hi @greenpau, sorry for another question. Is it possible to remove the HttpOnly attribute from the cookie generated by the authenticate plugin?

greenpau commented 2 years ago

@rucciva, please check the cookie insecure on directive.

greenpau commented 6 months ago

@rucciva , I am looking to add testimonial sections to https://authcrunch.com. Could you please write one and send it to me at greenpau@outlook.com?