greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

question: how to disable user interface completely // shibboleth as idp with oidc #237

Closed theexiile1305 closed 1 year ago

theexiile1305 commented 1 year ago

Thanks for the great project!

Currently, Caddy is used as a web server for static resources or as a reverse proxy. Authentication and also authorization take place at the identity provider.

For this reason, I would like to disable all user interface pages. Is this possible?

Also, Shibboleth with OIDC is used as Identity Provider and according to OIDC specification, no attribute email is returned in id_token with scope email. The email address is only returned at the user info endpoint. How can the plugin be configured, because currently the attribute email is needed in the id_token response?

Thank you very much and if you have any questions please do not hesitate to contact me.

greenpau commented 1 year ago

> For this reason, I would like to disable all user interface pages. Is this possible?

@theexiile1305, please see https://github.com/authp/authp.github.io/issues/35 and let me know if this is what you are looking for.

> Also, Shibboleth with OIDC is used as Identity Provider and according to OIDC specification, no attribute email is returned in id_token with scope email. The email address is only returned at the user info endpoint. How can the plugin be configured, because currently the attribute email is needed in the id_token response?

I think you can with `required_token_fields access_token` ... Not sure though. You would need to search for it.

theexiile1305 commented 1 year ago

@greenpau , thank you for the quick reply!

> @theexiile1305, please see https://github.com/authp/authp.github.io/issues/35 and let me know if this is what you are looking for.

Unfortunately, the referenced issue is not what I am looking for. I would like to completely deactivate any UI such as the portal, settings, or user identity (whoami) page. From my perspective, the flow should look like this when visiting static web pages within Caddy:

  1. user visits /secret.txt
  2. automatic redirect via OIDC to IDP
  3. authentication and authorization on the part of IDP
  4. call of /secret.txt after successful authentication and authorization on the part of Caddy

In summary, the user should only see the delivered data of the static web page and nothing else. Is this possible?

> I think you can with `required_token_fields access_token` ... Not sure though. You would need to search for it.

Okay, thanks for that hint. Do you know in more detail where I can configure the field `required_token_fields access_token`?

Thanks in advance

theexiile1305 commented 1 year ago

@greenpau

I was able to solve the second problem with `disable email claim check` in the context of the identity provider settings.

However, the question of disabling the entire UI pages (e.g. /portal, /whoami, etc.) still remains. Can you help me with this?

Greetings, theexiile1305

greenpau commented 1 year ago

> However, the question of disabling the entire UI pages (e.g. /portal, /whoami, etc.) still remains. Can you help me with this?

@theexiile1305, this could be done by using path matchers with Caddy. Please search caddy.community for examples. Please see this thread for examples: https://caddy.community/t/using-caddy-to-harden-wordpress/13575/

    caddyrocks.com {
        # match path and serve a static response.
        authenticate with myportal
    }

theexiile1305 commented 1 year ago

@greenpau Perhaps you and I have talked past each other. I want to switch off the UI pages completely - perhaps as a global option within caddy security - so that they are no longer delivered at all. The referenced thread restricts access to the page, but the pages still exist in the background. I don't want to achieve this, I want to disable the existing UI pages altogether. Is this approach possible?

greenpau commented 1 year ago

> I want to disable the existing UI pages altogether.

@theexiile1305, the only method of doing this at the moment is with disable settings:

    disable settings [gpgkeys|sshkeys|apikeys|connected|mfa|password|general]

Say you implemented it. What other pages do you want to restrict?

> but the pages still exist in the background.

What is the issue for them to exist if the access to them is blocked?

theexiile1305 commented 1 year ago

@greenpau Yes, exactly. I would also like to deactivate the /portal and /whoami pages. The reason for this is internal defaults because basically, caddy serves as a reverse proxy or for the delivery of static web pages. Authentication and authorization via OIDC should be implemented here.

greenpau commented 1 year ago

> @greenpau Yes, exactly. I would also like to deactivate the /portal and /whoami pages.

@theexiile1305, which pages from auth portal do you use, if any? If you are not using any of them, then, just don't add `authenticate with ...` directive.

theexiile1305 commented 1 year ago

@greenpau I don't use any pages from auth portal. Therefore, I've removed the authenticate with ... directive and it works as expected. Many thanks!

developStorm commented 1 year ago

> If you are not using any of them, then, just don't add `authenticate with ...` directive.

Ran into almost the same issue. I'm confused here - without the "authenticate with ... " directive, where should caddy redirect the user for authentication and where should the IdP callback go? Take the example below:

    security {
        oauth identity provider generic {
            ...
        }

        authentication portal myportal {
            enable identity provider generic
            ...
        }

        authorization policy mypolicy {
            set auth url https://auth.myfiosgateway.com:8443/oauth2/generic
        }
    }

auth.myfiosgateway.com {
    authenticate with myportal
}

assetq.myfiosgateway.com {
    authorize with mypolicy
}

With authenticate with ... directive removed, auth.myfiosgateway.com will basically do nothing. Wouldn’t that break the set auth url https://auth.myfiosg...?

Thanks for any clarification.
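The flow theexiile1305 described (a user requests a static file, is redirected to the IdP, authenticates there, and then receives the file from Caddy), combined with the `disable email claim check` workaround for Shibboleth, written out as one complete Caddyfile. This is an added example, not configuration taken from the thread or from the project's documentation. The hostnames, the provider name `shibboleth`, the environment variable names, the `/var/www/files` root and the callback path noted in the comments are assumptions. It keeps a dedicated portal site because the `set auth url` redirect and the IdP's callback have to land on a host that actually serves the portal; only the portal's self-service pages are switched off with `disable settings`.

```caddyfile
{
    # Directive ordering required by caddy-security.
    order authenticate before respond
    order authorize before basicauth

    security {
        # Assumption: a Shibboleth IdP at idp.example.com with a registered
        # OIDC client. Register the redirect URI as
        # https://auth.example.com/oauth2/shibboleth/authorization-code-callback
        # (assumed callback path, derived from the provider name below).
        oauth identity provider shibboleth {
            realm shibboleth
            driver generic
            client_id {env.OIDC_CLIENT_ID}
            client_secret {env.OIDC_CLIENT_SECRET}
            scopes openid email profile
            base_auth_url https://idp.example.com
            metadata_url https://idp.example.com/.well-known/openid-configuration
            # Shibboleth only returns email from the userinfo endpoint, never in
            # the id_token, so do not require the email claim in the id_token.
            disable email claim check
        }

        authentication portal myportal {
            crypto default token lifetime 3600
            crypto key sign-verify {env.JWT_SHARED_KEY}
            enable identity provider shibboleth
            cookie domain example.com
            # Turn off every self-service settings page; the portal endpoints
            # themselves stay up so the OIDC redirect and callback work.
            disable settings gpgkeys
            disable settings sshkeys
            disable settings apikeys
            disable settings connected
            disable settings mfa
            disable settings password
            disable settings general
            transform user {
                match realm shibboleth
                action add role authp/user
            }
        }

        authorization policy mypolicy {
            # Requests without a valid token are redirected here, i.e. to the
            # portal site below, which starts the OIDC login.
            set auth url https://auth.example.com/oauth2/shibboleth
            crypto key verify {env.JWT_SHARED_KEY}
            allow roles authp/user
            validate bearer header
            inject headers with claims
        }
    }
}

# Portal host: serves only the login redirect and the IdP callback.
auth.example.com {
    authenticate with myportal
}

# Static content: /secret.txt is only served after a valid token is present.
files.example.com {
    authorize with mypolicy
    root * /var/www/files
    file_server
}
```

With this layout a visit to https://files.example.com/secret.txt without a session cookie is redirected to the auth URL, which in turn sends the browser to the Shibboleth IdP; after the callback the portal issues a token and the browser returns to files.example.com, where `authorize with mypolicy` verifies it with the shared key and `file_server` delivers the file. The two sites must agree on the `JWT_SHARED_KEY` value and on the cookie domain, otherwise the token issued by the portal will never be accepted by the policy.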

greenpau commented 6 months ago

@theexiile1305, I am looking to add testimonial sections to https://authcrunch.com. Could you please write one and send it to me at greenpau@outlook.com?

theexiile1305 commented 6 months ago

@greenpau What exactly do you expect from me? Do you have an example, or in what way should a testimonial section be displayed?

greenpau commented 6 months ago

@theexiile1305, here it is https://docs.authcrunch.com/help-needed There is a sample testimonial that Matthew wrote.

theexiile1305 commented 6 months ago

@greenpau many thanks. I'm going to send you a testimonial to your mail.