greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

question: skipping IdP discovery in the portal #199

Open mattjm opened 1 year ago

mattjm commented 1 year ago

All of the configurations I've seen so far look similar to this:

app.example.com {    # site address (placeholder; the original snippet lost its opening line)
    reverse_proxy app:80
    authenticate with myportal
}

And then another directive like this:

authentication portal myportal {
    crypto default token lifetime 3600
    crypto key sign-verify {env.JWT_SHARED_KEY}
    enable identity provider generic
    ...
}

And then generic is configured as a generic OAuth identity provider. This works fine...I land on the portal page, select my identity provider, get the redirect, do the OAuth flow, etc.

The portal is essentially doing discovery--"what IdP do you want to use?" But if I am using a service like Auth0 or Okta--they handle (or can handle) discovery within the product, so I just want to send the user there directly, skipping the IdP selection in the caddy-security portal. Is there a way to do this? (full disclosure--I work on Auth0 at Okta, but this is for a project on my home infrastructure)

Here are a couple sequence diagrams illustrating what I mean:

[sequence diagram: current]

[sequence diagram: desired]

greenpau commented 1 year ago

@mattjm , see this link for authorization url. https://github.com/authp/authp.github.io/blob/a44c5862c4022c4239409a5a2500d57fd5ea2197/assets/conf/local/Caddyfile#L47

Now, to bypass the selection, set the url to /auth/oauth2/

Please look for examples in the Issues.

This way “authorization” would redirect to idp directly instead of going to login/selection page.

If you want to modify how login page works, inject javascript to do the same https://authp.github.io/docs/authenticate/ui-features#javascript

mattjm commented 1 year ago

Ahhh... I got it figured out now. I was going down that path but was redirecting to the same domain I was requiring "authorize with mypolicy" on, so I just got a 401. Moved things around and it works. Thanks!

I will try to get something in your docs for Auth0 configuration if I can find the time.

mattjm commented 1 year ago

Just to confirm I'm thinking about this the right way:

Even if I'm using the trick above to redirect straight to a specific IdP, I will always need something that is configured with the portal to receive the authorization code callback, right? So if I don't want to use the portal for anything else I could set up a domain just for that? As an example:

callbackreceiver.example.com:443 {
    authenticate with myportal
}

useexternalidp.example.com {
    tls internal {
        on_demand
    }
    reverse_proxy container1:80
    authorize with mypolicy
}
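The following Caddyfile is an added example, not configuration from the issue or from the caddy-security project, that puts greenpau's "set auth url" answer and the two-host layout from the comment above into one file. The host names, the `idp.example.invalid` provider URLs, the environment variable names, the `cookie domain`, the `allow roles` values and the `/auth/oauth2/generic` path (the `/auth/oauth2/` prefix from the answer with the provider name `generic` from the issue's own config appended) are all assumptions; replace them with your own values.

```caddyfile
{
	# Global options assumed for caddy-security: make its handlers run before
	# the directives they need to precede.
	order authenticate before respond
	order authorize before basicauth

	security {
		# The upstream OIDC/OAuth2 provider the portal delegates to. Every value
		# here is a placeholder for the reader's own tenant.
		oauth identity provider generic {
			realm generic
			driver generic
			client_id {env.GENERIC_CLIENT_ID}
			client_secret {env.GENERIC_CLIENT_SECRET}
			scopes openid email profile
			base_auth_url https://idp.example.invalid
			metadata_url https://idp.example.invalid/.well-known/openid-configuration
		}

		# The portal from the issue: it owns the authorization-code callback and
		# mints the session token that the policy below verifies.
		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			enable identity provider generic
			# Assumed: the session cookie must cover both hosts so that the
			# application host can read the token the portal host set.
			cookie domain example.com
		}

		# The policy that protects the application. "set auth url" is the
		# setting that skips the IdP selection page: unauthenticated requests
		# are redirected straight to the generic provider's login route.
		authorization policy mypolicy {
			set auth url https://callbackreceiver.example.com/auth/oauth2/generic
			crypto key verify {env.JWT_SHARED_KEY}
			# Assumed role names; adjust to whatever roles your users receive.
			allow roles authp/admin authp/user
			validate bearer header
			inject headers with claims
		}
	}
}

# A host whose only job is to serve the portal routes, including the
# OAuth callback.
callbackreceiver.example.com {
	route /auth* {
		authenticate with myportal
	}
}

# The protected application. "authenticate" is deliberately not mounted here:
# pointing the auth url at a host that only runs "authorize" is what produced
# the 401 described earlier in the thread.
useexternalidp.example.com {
	tls internal {
		on_demand
	}
	route {
		authorize with mypolicy
		reverse_proxy container1:80
	}
}
```

Two things to check before relying on this. First, the redirect URI registered at the identity provider has to match the portal's callback exactly; as far as I know caddy-security serves it under the provider's login route (for this layout, `https://callbackreceiver.example.com/auth/oauth2/generic/authorization-code-callback`, which is my assumption, not something the issue states), so register that host and path rather than a wildcard. Second, the `JWT_SHARED_KEY` used by `sign-verify` in the portal and by `verify` in the policy must be the same secret, and the `cookie domain` should be no broader than the hosts that actually need the session, since any host under that domain can read the token.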
mattjm commented 1 year ago

This is what the login flow ends up looking like for me now. I just want to make sure there isn't a way to have one domain handle the OAuth callback and redirect directly to the upstream IdP. I tried a few different things and couldn't get it to work, but I have a pretty limited understanding of Caddy. "my server" in the diagram is a single Caddy instance.

[sequence diagram: login flow]