Open mattjm opened 1 year ago
@mattjm, see this link for the authorization URL: https://github.com/authp/authp.github.io/blob/a44c5862c4022c4239409a5a2500d57fd5ea2197/assets/conf/local/Caddyfile#L47
Now, to bypass the selection, set the URL to `/auth/oauth2/`
Please look for examples in the Issues.
This way "authorization" would redirect to the IdP directly instead of going to the login/selection page.
If you want to modify how the login page works, inject JavaScript to do the same: https://authp.github.io/docs/authenticate/ui-features#javascript
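The following Caddyfile is an added example, not the maintainer's linked configuration and not copied from the caddy-security project; it puts the two pieces of the answer above side by side: a portal that only exists to receive the OAuth callback, and an authorization policy whose auth URL points straight at the provider route (`/auth/oauth2/<provider>`) so the browser never sees the IdP selection page. All hostnames, the provider name `generic`, the policy and portal names, and the environment variable names are assumptions; the directive names follow the caddy-security documentation as I know it and should be checked against the version you run.

```caddyfile
{
	# caddy-security adds its own handlers; they must be ordered explicitly.
	# Assumed to match the project's documented global-block setup.
	order authenticate before respond
	order authorize before reverse_proxy

	security {
		# Upstream IdP (Auth0/Okta-style OIDC provider); values are placeholders.
		oauth identity provider generic {
			realm generic
			driver generic
			client_id {env.OAUTH_CLIENT_ID}
			client_secret {env.OAUTH_CLIENT_SECRET}
			scopes openid email profile
			base_auth_url https://idp.example.com
			metadata_url https://idp.example.com/.well-known/openid-configuration
		}

		# The portal's only job here is to complete the code exchange and mint the
		# session token; users are never sent to its selection page.
		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			enable identity provider generic
			# Cookie must be scoped to the parent domain so the protected host can
			# read the token issued on the callback host (assumption: both hosts
			# live under example.com).
			cookie domain example.com
		}

		authorization policy mypolicy {
			# Direct-to-IdP trick from the reply above: point at the provider route
			# instead of the portal root, on the host that serves the portal.
			set auth url https://callbackreceiver.example.com/auth/oauth2/generic
			crypto key verify {env.JWT_SHARED_KEY}
			allow roles authp/user authp/admin
			validate bearer header
			inject headers with claims
		}
	}
}

# Host that receives the OAuth authorization-code callback.
callbackreceiver.example.com {
	authenticate with myportal
}

# Protected host: unauthenticated requests are redirected to the IdP route above,
# never to the portal's provider picker.
useexternalidp.example.com {
	authorize with mypolicy
	reverse_proxy container1:80
}
```

Two things to verify when adapting this: the redirect URI registered at the IdP must be the portal host's callback path, not the protected host, and the signing key and cookie domain must be shared between the portal and the policy or the protected host will keep answering 401 even after a successful login (the symptom described further down in this thread).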
Ahhh... I got it figured out now. I was going down that path but was redirecting to the same domain I was requiring "authorize with mypolicy" on, so I just got a 401. Moved things around and it works. Thanks!
I will try to get something in your docs for Auth0 configuration if I can find the time.
Just to confirm I'm thinking about this the right way:
Even if I'm using the trick above to redirect straight to a specific IdP, I will always need something that is configured with the portal to receive the authorization code callback, right? So if I don't want to use the portal for anything else I could set up a domain just for that? As an example:
```caddyfile
callbackreceiver.example.com:443 {
	authenticate with myportal
}

useexternalidp.example.com {
	tls internal {
		on_demand
	}
	reverse_proxy container1:80
	authorize with mypolicy
}
```
This is what the login flow ends up looking like for me now. I just want to make sure there isn't a way to have one domain handle the OAuth callback and redirect directly to the upstream IdP. I tried a few different things and couldn't get it to work, but I have a pretty limited understanding of Caddy. "my server" in the diagram is a single Caddy instance.
All of the configurations I've seen so far look similar to this:
And then another directive like this:
And then `generic` is configured as a generic OAuth identity provider. This works fine... I land on the portal page, select my identity provider, get the redirect, do the OAuth flow, etc. The portal is essentially doing discovery--"what IdP do you want to use?" But if I am using a service like Auth0 or Okta--they handle (or can handle) discovery within the product, so I just want to send the user there directly, skipping the IdP selection in the caddy-security portal. Is there a way to do this? (full disclosure--I work on Auth0 at Okta, but this is for a project on my home infrastructure)
Here are a couple sequence diagrams illustrating what I mean: