greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

question: Is there any way to configure Caddy security to return a JSON response for errors? #157

Open alirf81 opened 1 year ago

alirf81 commented 1 year ago

I am using Caddy-security with the OAuth 2.0 IdP of Keycloak, which is working pretty well. The only issue is that when I make a request to the API, it returns 302 responses to redirect to the login page. It's pretty good for browser users, but for an API client it would be better to return a JSON error response of "Forbidden". Is there any way to configure Caddy-security for this?

greenpau commented 1 year ago

@alirf81, you can have a custom authorization policy with “disable auth redirect”. More on the subject: https://authp.github.io/docs/authorize/auto-redirect-url#http-redirect

alirf81 commented 1 year ago

Yes, it's working well, but it disables all redirects and I need to disable it for API requests only. Is there any way to disable the redirect only if the 'Accept' header is 'application/json'?

greenpau commented 1 year ago

@alirf81, create a separate authorization policy and apply it conditionally based on Caddy’s (not this plugin's) match directives; see `handle` in the Caddy docs.
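Putting the two suggestions above together, here is an added Caddyfile sketch (not from the project's documentation or from either participant) of one policy that redirects browsers and a second policy with `disable auth redirect` that is selected only when the request carries an `Accept` header containing `application/json`. The policy names, hostnames, role name, upstream address and the `handle_errors` block that renders the authorizer's status as a JSON body are assumptions for illustration; the identity provider and authentication portal blocks are left out because they are whatever already works for the existing Keycloak setup. The `*application/json*` form relies on Caddy's header matcher treating a value wrapped in `*` as a substring match, so `Accept: application/json, */*` also selects the API route.

```caddyfile
{
	order authenticate before respond
	order authorize before basicauth

	security {
		# Browser policy: unauthenticated users are sent to the portal (assumed
		# placeholder URL) with the usual 302.
		authorization policy browser_policy {
			set auth url https://auth.example.com/
			allow roles authp/user
		}

		# API policy: same authorization rules, but no redirect to the login
		# page, so a missing or invalid token yields an error status instead.
		authorization policy api_policy {
			disable auth redirect
			allow roles authp/user
		}
	}
}

app.example.com {
	# Caddy's own named matcher (not a plugin directive): substring match on
	# the Accept header, so "application/json, text/plain, */*" also matches.
	@api header Accept *application/json*

	# API clients get the non-redirecting policy.
	handle @api {
		authorize with api_policy
		reverse_proxy 127.0.0.1:8080   # placeholder upstream
	}

	# Everything else (browsers) keeps the redirect behaviour.
	handle {
		authorize with browser_policy
		reverse_proxy 127.0.0.1:8080   # placeholder upstream
	}

	# Render whatever error status the authorizer produced as JSON, but only
	# for callers that asked for JSON; browsers never reach this for auth
	# failures because they were redirected instead.
	handle_errors {
		@api_err header Accept *application/json*
		header @api_err Content-Type application/json
		respond @api_err `{"error":"{err.status_text}","status":{err.status_code}}` {err.status_code}
	}
}
```

The matcher and the `handle` / `handle_errors` routing are plain Caddy features; the plugin's contribution is just the two `authorization policy` blocks and the `authorize with` lines. Keeping the `allow roles` rules identical in both policies matters, otherwise an API caller could be granted something a browser user would not be.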

alirf81 commented 1 year ago

@greenpau I've found another issue. When I remove the Authorization header in an API request, the server returns 500 Internal Server Error. The caddy log says: {"level":"error","ts":1662539546.8188977,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=10.23.5.107, src_conn_ip=10.23.5.107, reason: no token found"} If there is no token found, can we return something like "Access Forbidden"?