greenpau / caddy-security

šŸ” Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. šŸ’Ž Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. šŸ’Ž Authorization with JWT/PASETO tokens. šŸ”
https://authcrunch.com/
Apache License 2.0
1.32k stars 69 forks

authenticating with azure #276

Closed larsr closed 8 months ago

larsr commented 9 months ago

Describe the issue

I'm trying to authenticate with Azure, but the request needs to send the client_id, scope and a few more as HTTP GET arguments. It is not sending any arguments, so the login page at Microsoft complains.

It is probably due to a misconfiguration on my part. I would be grateful for any help about how to configure this correctly.

I have not found any directly working documentation, as the syntax both for Caddy and caddy-security has changed and made many online examples out of date. If I get this to work I could try to add a config example to the documentation for the benefit of others. (Here is one that seems out of date: https://www.youtube.com/watch?v=Mxbjfv47YiQ)

Thanks for a very useful plugin!

Configuration

{
    http_port 4440
    log DEBUG
    debug
    order authenticate before respond
    order authorize before basicauth

    security {
        oauth identity provider azure {
            realm azure
            driver azure
            client_id {$AZURE_CLIENT_ID}
            tenant_id {$AZURE_TENANT_ID}
            client_secret {$AZURE_CLIENT_SECRET}
            scopes openid email profile
        }

        authentication portal dev {
            enable identity provider azure
            crypto default token name AUTHP_TOKEN
            crypto default token lifetime 864000
            crypto key sign-verify {$AZURE_JWT_SHARED_KEY}
            cookie domain https://myserver.com
            cookie lifetime 2592000 # 30 days

            transform user {
                match realm azure
                action add role authp/user
            }
        }

        authorization policy devpolicy {
            set auth url https://login.microsoftonline.com/{$AZURE_TENANT_ID}/oauth2/v2.0/authorize
            crypto key sign-verify {$AZURE_JWT_SHARED_KEY}
            allow roles authp/user
            validate bearer header
            inject headers with claims
        }
    }
}

127.0.0.1:4440 localhost:4440 {
    route / {
        authenticate with dev
        authorize with devpolicy
        respond * "Hello says Caddy!" 200
    }
}

Version Information

Provide output of caddy list-modules -versions | grep git below:

$ ./caddy version
v2.7.4 h1:J8nisjdOxnYHXlorUKXY75Gr6iBfudfoGhrJ8t7/flI=

$ caddy list-modules --versions

[...]

http.authentication.providers.authorizer v1.1.20
http.handlers.authenticator v1.1.20
security v1.1.20

  Non-standard modules: 3

Expected behavior

I expect the authenticator to forward the client to the auth url and add the ?client_id=... parameter and more. Now it forwards to the url without any parameters.

Additional context

Background: I want to set up a "wall" that protects many web apps with a single caddy instance that does all the authentication and authorization, and puts user identity (sub, ...) in http header fields.

isker commented 8 months ago

I was in a similar situation as you today, and found something that works by searching all code on GitHub. Small consolation a month later, I'm sure.

https://github.com/RecuencoJones/caddy-azure-proxy/blob/23a1a4307420affa1c85050f9b12cff47a716a8b/Caddyfile

The key is to not actually configure the login.microsoftonline.com URL; you don't set that anywhere, caddy-security calculates it from the tenant ID. You instead set a local, relative URL that goes through the caddy-security authentication portal's azure handler.
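As an added illustration of the point made above (this is example configuration written for this page, not isker's, not the linked RecuencoJones Caddyfile, and not a file from the caddy-security project), the Caddyfile below reworks the configuration from the original report so that the authorization policy redirects to a local path served by the authentication portal instead of to login.microsoftonline.com. Assumed, not taken from the thread: the portal is mounted under /auth, the portal exposes the Azure login flow at /auth/oauth2/azure and receives the provider's callback at /auth/oauth2/azure/authorization-code-callback (these follow the caddy-security documentation's /oauth2/<provider> layout; check the version you run), the site is served as myserver.com, and the same AZURE_* environment variables as in the report are set.

```caddyfile
{
    order authenticate before respond
    order authorize before basicauth

    security {
        # Provider block is unchanged from the report: caddy-security derives the
        # Microsoft authorize/token endpoints from tenant_id; no URL is typed here.
        oauth identity provider azure {
            realm azure
            driver azure
            client_id {$AZURE_CLIENT_ID}
            tenant_id {$AZURE_TENANT_ID}
            client_secret {$AZURE_CLIENT_SECRET}
            scopes openid email profile
        }

        authentication portal dev {
            enable identity provider azure
            crypto default token name AUTHP_TOKEN
            crypto default token lifetime 864000
            crypto key sign-verify {$AZURE_JWT_SHARED_KEY}
            # A cookie domain is a hostname, not a URL: no scheme here.
            cookie domain myserver.com
            cookie lifetime 2592000 # 30 days

            transform user {
                match realm azure
                action add role authp/user
            }
        }

        authorization policy devpolicy {
            # Local, relative path handled by the portal's Azure handler (assumed
            # path). The portal, not this policy, builds the Microsoft URL with
            # client_id, scope, state, redirect_uri and the other parameters.
            set auth url /auth/oauth2/azure
            crypto key sign-verify {$AZURE_JWT_SHARED_KEY}
            allow roles authp/user
            validate bearer header
            inject headers with claims
        }
    }
}

myserver.com {
    # The portal owns everything under /auth, including the assumed callback
    # path /auth/oauth2/azure/authorization-code-callback, which must match the
    # redirect URI registered for the app in Azure.
    route /auth* {
        authenticate with dev
    }

    # Every other request is gated by the policy; unauthenticated users are sent
    # to the portal path above, which then redirects to Microsoft.
    route /* {
        authorize with devpolicy
        respond * "Hello says Caddy!" 200
    }
}
```

The two routes matter: if the portal and the protected content share one route (as in the original report, where both handlers sit on /), the policy can intercept the portal's own paths, and the redirect never reaches the provider. Both blocks share the same signing key so the token the portal issues is the one the policy validates, and "inject headers with claims" is what places the identity (sub and the other claims) into upstream request headers for the apps behind the wall.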