greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

Use OIDC/SAML backwards to pass valid JWT token/roles/user to other OAuth/SAML compatible apps protected by Caddy reverse proxy #323

Open TedSheckler2021 opened 6 months ago

TedSheckler2021 commented 6 months ago

Hi there

I know you can do OIDC/SAML as a forward auth provider, but I was wondering if caddy-security can pass a session backwards via OIDC/SAML.

I'm trying to avoid multiple logins and just use the fantastic Caddy/Caddy Security login once (I know that's a Keycloak thing). I just like Caddy because it's one-stop shopping.

It might be possible; I've successfully passed custom headers from the JWT token to automatically log in to certain compatible tools like CloudBeaver:

https://github.com/dbeaver/cloudbeaver/wiki/Reverse-proxy-header-authentication

But most apps support OIDC/SAML, and you can't just pass headers like that for SSO-ish behaviour without OIDC/SAML inbound as a forward_auth.

Example apps: Superset, pgAdmin, etc.

I usually just disable the app accounts and have users share one account, but ideally I'd like to segregate them by caddy-security role, without the overhead of an external Identity Provider (IdP) like Okta or Auth0.

Thanks in advance
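The header-passing setup the post describes (portal login once, then claims from the JWT forwarded to a header-auth-capable backend such as CloudBeaver), written out as an added example that is not part of the issue or the project's own documentation. The hostnames, the user-store path, the backend port and the shared key variable are assumptions; the directives follow my reading of the caddy-security Caddyfile syntax, and the CloudBeaver side must be configured to trust the injected header names per the wiki page linked above.

```caddyfile
{
  order authenticate before respond
  order authorize before basicauth
  security {
    # Constructed local user store; the file path is an assumption.
    local identity store localdb {
      realm local
      path /etc/caddy/users.json
    }
    authentication portal myportal {
      crypto default token lifetime 3600
      # Same key must be used by every policy that verifies the token.
      crypto key sign-verify {env.JWT_SHARED_KEY}
      enable identity store localdb
      cookie domain example.com
      # Every locally authenticated user gets the authp/user role.
      transform user {
        match origin local
        action add role authp/user
      }
    }
    authorization policy cloudbeaver_policy {
      set auth url https://auth.example.com/
      crypto key verify {env.JWT_SHARED_KEY}
      # Role-based segregation: only these roles reach the backend.
      allow roles authp/admin authp/user
      # Forward identity claims (user, email, roles) as X-Token-* headers.
      inject headers with claims
    }
  }
}

auth.example.com {
  authenticate with myportal
}

cloudbeaver.example.com {
  authorize with cloudbeaver_policy
  # Assumed backend address; it must be reachable only through this proxy.
  reverse_proxy 127.0.0.1:8978
}
```

The backend has to be unreachable except via Caddy, since it trusts whatever identity headers arrive; a direct connection would let a client supply its own.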

greenpau commented 6 months ago

@TedSheckler2021 , please reach out to me on LinkedIn and let's have Google Meet to discuss it.