Closed michael94ellis closed 10 months ago
Should I be using the discord auth app's CLIENTSECRET for the crypto key verify-sign values in the policy?
@michael94ellis , no. The crypto key verify-sign relates to the tokens issued by the plugin.
Is this infinite redirect loop for clicking "Authorize" on the discord auth page because of incorrect config? How can I make sure the token can be found and resolve the error?
Fix your authorization.
Does my Caddyfile look correct? I tried my best to compare to google/github/gitlab/generic
It does not.
https://second.domain.com {
  tls mydomainemail@email.com
  authenticate with discordportal
  authorize with secondpolicy
  reverse_proxy 192.168.1.133:1234
}
I think you misunderstood how caddy routing works.
See configs here: https://github.com/authp/authp.github.io/tree/main/assets/conf/oauth
You probably need something like this:
https://second.domain.com {
  tls mydomainemail@email.com
  route /auth/* {
    authenticate with discordportal
  }
  route {
    authorize with secondpolicy
    reverse_proxy 192.168.1.133:1234
  }
}
This one is wrong too.
authorization policy firstpolicy {
  set auth url https://discord.com/api/oauth2/authorize?client_id=CLIENTID&redirect_uri=https%3A%2F%2Ffirst.domain.com&response_type=code&scope=identify%20guilds
  crypto key verify CLIENTSECRET
  allow roles authp/admin authp/superuser authp/poweruser authp/user
  validate bearer header
  inject headers with claims
}
The URL here refers to the plugin's authentication URL.
authorization policy firstpolicy {
  set auth url https://second.domain.com/auth/
  crypto key verify CLIENTSECRET
  allow roles authp/admin authp/superuser authp/poweruser authp/user
  validate bearer header
  inject headers with claims
}
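The point of the reply above (the policy's `crypto key verify` must be the portal's token key, not the Discord client secret) can be checked with a small simulation. The following is an added example and not code from caddy-security or go-authcrunch: it signs a token the way the portal would (`crypto key sign-verify`, `crypto default token lifetime`), then verifies it the way the policy would (`crypto key verify`) and applies `allow roles` and `inject headers with claims`. The HS256 JWT layout, the claim names and the `X-Token-*` header names are assumptions for illustration.

```python
"""Portal/policy split of caddy-security modelled with a minimal HS256 JWT.

Added example for this thread, not code from caddy-security or go-authcrunch.
The portal ("authenticate with discordportal", crypto key sign-verify) issues
the token after the Discord login; the policy ("authorize with firstpolicy",
crypto key verify) only checks that signature and the roles claim. The
Discord client secret is never involved on the policy side. Token layout,
claim names and the X-Token-* header names are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def portal_issue_token(shared_key: str, sub: str, roles: List[str],
                       lifetime: int = 3600, now: Optional[int] = None) -> str:
    """Portal side: sign with the `crypto key sign-verify` key; `lifetime`
    mirrors `crypto default token lifetime 3600`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "roles": roles, "iat": now, "exp": now + lifetime}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(parts)
    sig = hmac.new(shared_key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def policy_verify(verify_key: str, token: str, now: Optional[int] = None) -> Optional[Dict]:
    """Policy side: `crypto key verify`. Returns the claims, or None when the
    signature (wrong key, e.g. the OAuth client secret), algorithm or expiry
    does not check out; in the real plugin that is the redirect-to-portal path."""
    try:
        h, c, s = token.split(".")
        expected = hmac.new(verify_key.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":
        return None
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        return None
    return claims


def policy_authorize(verify_key: str, token: str, allowed_roles: List[str],
                     now: Optional[int] = None) -> Tuple[bool, Dict[str, str]]:
    """`allow roles ...` plus `inject headers with claims`: returns
    (allowed, headers to forward to the upstream). Header names are assumed."""
    claims = policy_verify(verify_key, token, now)
    if claims is None:
        return False, {}
    roles = list(claims.get("roles", []))
    if not set(roles) & set(allowed_roles):
        return False, {}
    return True, {"X-Token-Subject": str(claims["sub"]),
                  "X-Token-User-Roles": " ".join(roles)}


if __name__ == "__main__":
    JWT_SHARED_KEY = "portal-signing-key-from-env"       # stands in for {env.JWT_SHARED_KEY}
    DISCORD_CLIENT_SECRET = "oauth-app-client-secret"    # stands in for {$DISCORDSECRET}
    tok = portal_issue_token(JWT_SHARED_KEY, "discord.com/111111111111111111", ["authp/user"])
    print(policy_authorize(JWT_SHARED_KEY, tok, ["authp/admin", "authp/user"]))        # allowed
    print(policy_authorize(DISCORD_CLIENT_SECRET, tok, ["authp/admin", "authp/user"]))  # (False, {})
```

Verifying with the client secret fails exactly like verifying with any other wrong key, which is why a policy configured with `crypto key verify CLIENTSECRET` never accepts the portal's cookie and keeps bouncing the browser back to the auth URL.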
Thank you very much, those corrections were very helpful! I've progressed to a new error which I have been fiddling with for the past few hours. I've pasted in the result of incorporating your feedback below for reference.
Unfortunately I am unable to retrieve the roles and properly transform the user as per the Discord Guild/Server roles. I tried using the string value of the role and the id as well. I also attempted to intercept and decode the JWT where I found no role information.
I then returned to investigating in the docs. I tried adding the scope guilds.members.read according to the Discord OAuth2 docs. I then looked further into where the request is made from caddy-security and noticed that there seems to be a URL difference between caddy-security's request URL "discord.com/%s/members", guildID and the path in the Discord OAuth2 docs, /users/@me/guilds/{guild.id}/member.
To be honest, I'm in over my head. Do you think my user transform is wrong?
{
  email 'mydomainemail@email.com'
  order authenticate before respond
  order authorize before basicauth
  security {
    oauth identity provider discord {
      realm discord
      driver discord
      client_id {$DISCORDCLIENTID}
      client_secret {$DISCORDSECRET}
      scopes identify guilds
      user_group_filters {$MYGUILDID}
    }
    authentication portal discordportal {
      crypto default token lifetime 3600
      crypto key sign-verify {env.JWT_SHARED_KEY}
      enable identity provider discord
      cookie domain *.domain.com
      transform user {
        match realm discord
        match role discord.com/{$MYGUILDID}/{$ADMINROLEID}
        action add role authp/admin
      }
      transform user {
        match sub discord.com/{$MYGUILDID}/{$MEMBERROLEID}
        action add role authp/user
      }
    }
    authorization policy firstpolicy {
      set auth url https://first.domain.com/auth/
      crypto key verify {env.JWT_SHARED_KEY}
      allow roles authp/admin authp/user
      validate bearer header
      inject headers with claims
    }
  }
}
https://first.domain.com {
  tls mydomainemail@email.com
  route /auth/* {
    authenticate with discordportal
  }
  route {
    authorize with firstpolicy
    respond "Hello World"
  }
}
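A worked version of the lookup described in the post above, as an added example rather than the plugin's own code: it builds the documented `GET /users/@me/guilds/{guild.id}/member` request (scope `guilds.members.read`), names each of the member's role IDs `discord.com/{guild_id}/{role_id}` the way the `match role` lines in the Caddyfile expect, and applies the two `transform user` blocks. The JSON response is constructed here from the fields of Discord's Guild Member object; the helper names and the exact role-name format the plugin uses are assumptions.

```python
"""Discord guild roles -> authp/* roles, following the Caddyfile transforms.

Added example for this thread, not caddy-security's code. It builds the
documented `GET /users/@me/guilds/{guild.id}/member` request (scope
guilds.members.read), names each role ID `discord.com/{guild_id}/{role_id}`
as the thread's `match role` lines expect, and applies the `transform user`
blocks. The response body is constructed here from the fields of Discord's
Guild Member object; helper names and the role-name format are assumptions.
"""
import json
from typing import Dict, List

DISCORD_API = "https://discord.com/api/v10"


def member_endpoint(guild_id: str) -> str:
    """Path documented by Discord for the current user's membership in one
    guild (not `/{guild}/members`). The caller sends
    `Authorization: Bearer <user access token>`; for a non-member the request
    fails instead of returning a member object."""
    return f"{DISCORD_API}/users/@me/guilds/{guild_id}/member"


def required_scopes(need_guild_roles: bool) -> List[str]:
    """`identify guilds` is enough to list guilds; roles need one more scope."""
    scopes = ["identify", "guilds"]
    if need_guild_roles:
        scopes.append("guilds.members.read")
    return scopes


# Constructed sample response shaped like a Guild Member object; IDs are made up.
SAMPLE_MEMBER_RESPONSE = json.dumps({
    "user": {"id": "111111111111111111", "username": "michael"},
    "nick": None,
    "roles": ["222222222222222222", "333333333333333333"],
    "joined_at": "2023-01-01T00:00:00.000000+00:00",
})


def member_roles_to_plugin_roles(guild_id: str, member_json: str) -> List[str]:
    """`roles` in the Guild Member object is a list of role ID snowflakes;
    qualify each with the guild so IDs from different guilds cannot collide."""
    member = json.loads(member_json)
    return [f"discord.com/{guild_id}/{rid}" for rid in member.get("roles", [])]


def transforms_from_thread(guild_id: str, admin_role_id: str,
                           member_role_id: str) -> List[Dict[str, str]]:
    """The two `transform user` blocks from the Caddyfile, as data."""
    return [
        {"match_realm": "discord",
         "match_role": f"discord.com/{guild_id}/{admin_role_id}",
         "add_role": "authp/admin"},
        {"match_role": f"discord.com/{guild_id}/{member_role_id}",
         "add_role": "authp/user"},
    ]


def apply_transforms(realm: str, roles: List[str],
                     transforms: List[Dict[str, str]]) -> List[str]:
    """Every `match ...` line in a block must hold for its `action add role`
    to fire; a block without `match realm` applies to every realm."""
    out = list(roles)
    for t in transforms:
        if "match_realm" in t and t["match_realm"] != realm:
            continue
        if "match_role" in t and t["match_role"] not in roles:
            continue
        if t["add_role"] not in out:
            out.append(t["add_role"])
    return out


if __name__ == "__main__":
    roles = member_roles_to_plugin_roles("999", SAMPLE_MEMBER_RESPONSE)
    print(member_endpoint("999"), required_scopes(True))
    print(apply_transforms("discord", roles,
                           transforms_from_thread("999", "222222222222222222",
                                                  "333333333333333333")))
```

If the member lookup is never made (or is made against the wrong path), the role list stays empty, every `match role` fails and the policy's `allow roles` rejects the user, which is consistent with a token that carries the guild list but no roles.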
@michael94ellis , what happens when you have only the below transform? Do you get authenticated? Can you browse to the portal?
transform user {
  match realm discord
  action add role authp/user
}
Also, remove the following:
user_group_filters {$MYGUILDID}
Please connect with me on LinkedIn. Let's schedule a Google Meet and troubleshoot together.
I did attempt using the following transform alongside 1 or 3 of the other transforms I want to use. This did work, and I believe I could verify the user's guild and user id as well.
transform user {
  match realm discord
  action add role authp/user
}
I also tried a few combinations for matching roles. I think the debug logs included an unsigned copy of my JWT in some response, which, when decoded, had no roles, but it did have the appropriate list of guilds.
As for scheduling a debug session, that would be awesome. I will do that.
For any future readers, I made 2 MRs to add Guild Role based auth to extend the current caddy-security Discord offering
Documentation - https://github.com/authp/authp.github.io/pull/53
Auth Code - https://github.com/greenpau/go-authcrunch/pull/50
@michael94ellis, I am looking to add testimonial sections to https://authcrunch.com. Could you please write one and send it to me at greenpau@outlook.com?
I read over this page and many others in the docs several times before attempting this. I was excited to see the correct discord app appear.
My Problem - When I login and click authorize it just endlessly redirects me to the discord auth page. On caddy I see the following error without debug mode on:
I also just added debug mode to my Caddyfile and retrieved these extra associated logs
Here is my Caddyfile. I plan to have multiple authorization policies
My primary questions are:
Should I be using the discord auth app's CLIENTSECRET for the crypto key verify-sign values in the policy?
Thanks in advance!