I got the the example config provided over here and modified it as following:
I changed the default http and https ports.
I removed tls_config section so that caddy itself request for certificates.
I commented out password_recovery_enabled yes because with that, authp gave me this error:
INFO using adjacent Caddyfile
Error: adapting config using caddyfile: parsing caddyfile tokens for 'security': unsupported subdirective for security.authentication.portal.ui: password_recovery_enabled, at Caddyfile:31
So my Caddyfile is like this (I've change the domains here obviously):
{
http_port 80
https_port 443
debug
order authenticate before respond
order authorize before basicauth
security {
local identity store localdb {
realm local
path /root/caddy/users.json
}
oauth identity provider github {env.GITHUB_CLIENT_ID} {env.GITHUB_CLIENT_SECRET}
authentication portal myportal {
crypto default token lifetime 3600
crypto key sign-verify {env.JWT_SHARED_KEY}
enable identity store localdb
enable identity provider github
cookie domain example.com
ui {
links {
"My Website" https://test.example.com:443/ icon "las la-star"
"Guests" https://test.example.com:443/guests icon "las la-star"
"Users" https://test.example.com:443/users icon "las la-star"
"Admins" https://test.example.com:443/admins icon "las la-star"
"My Identity" "/whoami" icon "las la-user"
}
# password_recovery_enabled yes
}
transform user {
match origin local
action add role authp/user
ui link "Portal Settings" /settings icon "las la-cog"
}
transform user {
match realm github
match sub github.com/greenpau
action add role authp/user
}
}
authorization policy guests_policy {
# disable auth redirect
set auth url https://auth.example.com:443/
allow roles authp/admin authp/user
crypto key verify {env.JWT_SHARED_KEY}
acl rule {
comment allow guests only
match role guest authp/guest
allow stop log info
}
acl rule {
comment default deny
match any
deny log warn
}
}
authorization policy users_policy {
set auth url https://auth.example.com:443/
allow roles authp/admin authp/user
crypto key verify {env.JWT_SHARED_KEY}
acl rule {
comment allow users
match role authp/user
allow stop log info
}
acl rule {
comment default deny
match any
deny log warn
}
}
authorization policy admins_policy {
set auth url https://auth.example.com:443/
allow roles authp/admin authp/user
crypto key verify {env.JWT_SHARED_KEY}
acl rule {
comment allow users
match role authp/user
allow stop log info
}
acl rule {
comment default deny
match any
deny log warn
}
}
}
}
auth.example.com {
route {
authenticate with myportal
}
}
test.example.com {
route /guests* {
authorize with guests_policy
respond * "assetq - guests only" 200
}
route /users* {
authorize with users_policy
respond * "assetq - users" 200
}
route /admins* {
authorize with admins_policy
respond * "assetq - admins" 200
}
route {
respond "assetq is running"
}
}
I can access auth.example.com and login with the initial credentials created by caddy but even if I sign out, all the routes under test.example.com are still accessible and they never get redirected to auth.example.com (even with different IPs and browsers without cached cookies)
I got the the example config provided over here and modified it as following:
http
andhttps
ports.tls_config
section so that caddy itself request for certificates.password_recovery_enabled yes
because with that,authp
gave me this error:So my Caddyfile is like this (I've change the domains here obviously):
I can access
auth.example.com
and login with the initial credentials created by caddy but even if I sign out, all the routes undertest.example.com
are still accessible and they never get redirected toauth.example.com
(even with different IPs and browsers without cached cookies)