Closed rucciva closed 2 years ago
@rucciva , that’s easy. Please share your current config and I will explain based on it.
Hi @greenpau , actually I haven't tried to deploy it yet, but what I'm trying to achieve is something like this.
Note that the OIDC provider is a generic one.
Thanks
Yes, it would work.
@rucciva , here are the various oauth config examples https://github.com/authp/authp.github.io/tree/main/assets/conf/oauth
Thanks for the link @greenpau .
So I suppose I should start with https://github.com/authp/authp.github.io/blob/main/assets/conf/oauth/generic/Caddyfile, right? What are the lines to be added/modified if I want to avoid showing the UI and redirect to the OIDC provider's login page instead?
@rucciva , yes.
Generally speaking, if you want to go directly to a specific oauth provider, you would go to "/oauth2/<provider_name>/", or "/auth/oauth2/<provider_name>/" when serving the portal from the "/auth" path.
Additionally, you could inject a JS snippet to do the same in a user's browser.
Hi @greenpau , I've tried the config but I was faced with an error because the OIDC provider is also behind the same caddy instance:
run: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 4: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'authentication': provision http.handlers.authentication: loading authentication providers: module name 'authorizer': provision http.authentication.providers.authorizer: loading security app module: provision security: server initialization failed: failed configuring identity provider: failed to fetch metadata for OAuth 2.0 authorization server: Get "https://censored/.well-known/openid-configuration": dial tcp 172.16.137.9:443: connect: connection refused
172.16.137.9:443 is where caddy is listening.
@rucciva , you have connectivity issues. dial tcp 172.16.137.9:443: connect: connection refused
Yes, that's because caddy won't start, because caddy-security is not yet starting, because it cannot contact the oauth2 provider that is behind caddy. So it's a chicken-and-egg problem, I guess?
@rucciva , there is a fix for that. It is called delayed start. Please try it out: https://authp.github.io/docs/authenticate/oauth/backend-oauth2-endpoint
Hi @greenpau , it's working now, thanks.
But I keep getting a forbidden error:
caddy-caddy-1 | {"level":"error","ts":1661929993.5077934,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=<redacted>, src_conn_ip=<redacted>, jti=M3hZVAdPUCUaXEP6vgdaOYjQ8KtmPa6YnNKn, sub=0158ee285e3d26744a65b47d133d5f9848d976aacbfe8997430ae054f046e8e3, email=<redacted>, name=<redacted>, reason: user role is valid, but not allowed by access list"}
My config is like this:
{
    order authenticate before respond
    order authorize before basicauth
    security {
        oauth identity provider generic {
            realm generic
            driver generic
            client_id <redacted>
            client_secret <redacted>
            scopes openid email profile
            base_auth_url <redacted>
            metadata_url <redacted>
            delay_start 15
        }
        authentication portal authentik {
            crypto default token lifetime 3600
            crypto key sign-verify <redacted>
            enable identity provider generic
            cookie domain <redacted>
        }
        authorization policy authentik {
            set auth url <redacted>
            crypto key verify <redacted>
            validate bearer header
            acl default allow
            inject headers with claims
        }
    }
}
The error tells you that your role (probably guest) is not enough to access protected content. Please read docs on “User Transforms” and RBAC.
So what does "acl default allow" do?
I was under the impression that this will allow any logged-in user to access the protected endpoint.
It does what it says here: https://authp.github.io/docs/authorize/acl-rbac#default-allow-acl
However, it allows user and admin. It is likely you are guest.
Ah, I didn't get this one from the doc. So it should be okay if I add "user" (or "authp/user"?) roles to all users, right? If I'm not mistaken, the current roles given include "authp/guest".
Exactly
Hi @greenpau , I still can't get "acl default allow" to work.
Here is the cookie:
{
    "addr": "redacted",
    "email": "redacted",
    "exp": 1662005884,
    "family_name": "",
    "given_name": "I Putu Ariyasa",
    "iat": 1662002284,
    "iss": "redacted",
    "jti": "f1U721kijukCe5YZMC5lwDBjAxzn31X7msDlHqTIX7",
    "name": "I Putu Ariyasa",
    "nbf": 1662002224,
    "origin": "generic",
    "realm": "generic",
    "roles": [
        "user",
        "authp/user"
    ],
    "sub": "0158ee285e3d26744a65b47d133d5f9848d976aacbfe8997430ae054f046e8e3"
}
And here is the config:
{
    order authenticate before respond
    order authorize before basicauth
    security {
        oauth identity provider generic {
            realm generic
            driver generic
            client_id redacted
            client_secret redacted
            scopes openid email profile
            base_auth_url redacted
            metadata_url redacted
            delay_start 15
        }
        authentication portal authentik {
            crypto default token lifetime 3600
            crypto key sign-verify redacted
            enable identity provider generic
            cookie domain redacted
            transform user {
                exact match realm generic
                action add role user
                action add role authp/user
            }
        }
        authorization policy authentik {
            set auth url redacted
            crypto key verify redacted
            validate bearer header
            acl default allow
        }
    }
}
But I can get it to work with "allow roles authp/user" instead of "acl default allow".
@rucciva, remove "action add role user" and "acl default allow". Add "allow roles authp/user authp/admin".
Noted @greenpau , that is what my current config looks like. Just wondering why "acl default allow" didn't work at all. Thank you very much.
Btw, what do you think of this: instead of using "delay_start x", why not make the plugin ignore the error when requesting metadata_url at load time, and let authentication and authorization fail while it keeps retrying to contact the metadata_url?
I mean in a scenario where we need to run caddy for the first time with a lot of certificates to be generated, we usually don't have a clue when the certificate generation will be finished, hence we usually don't know how much time it takes for the oauth2 provider behind caddy to be ready.
Hi @greenpau , sorry for another question. Is it possible to remove the httponly attribute from the cookie generated by the authenticate plugin?
@rucciva , please check the "cookie insecure on" directive.
@rucciva , I am looking to add testimonial sections to https://authcrunch.com. Could you please write one and send it to me at greenpau@outlook.com?
Hi, can we configure the plugin to skip the UI portal and directly redirect the unauthenticated user to OIDC provider login page?
Thanks