
question: inject headers not presented #325

Closed MrOzean closed 8 months ago

MrOzean commented 8 months ago

Hello, I have a bunch of dashboards and want to make an automatic redirect based on the user's email.

My setup: Authentik 2024.2.2 as a "Generic OIDC provider" at "sso.example.com"; Caddy in Docker from ghcr.io/authp/authp:v1.0.5; the auth portal at "dash.example.com"; user dashboards at "USER_NICKNAME.dash.example.com", backed by the reverse_proxy directive.

My caddyfile

# Global options: handler ordering for the security plugin, then the `security` app
# (one OAuth/OIDC provider, one authentication portal, two authorization policies).
{
  order authenticate before respond
  order authorize before basicauth

  security {
    # Upstream IdP (Authentik, per the report), discovered through its OIDC metadata document.
    oauth identity provider generic {
      realm dash
      driver generic
      client_id <ID>
      client_secret <secret> # redacted placeholder in this report
      scopes openid email profile
      base_auth_url https://sso.example.com/
      metadata_url https://sso.example.com/application/o/dash/.well-known/openid-configuration
    }

    # Portal attached to the dash.example.com site block below.
    authentication portal auth_portal {
      crypto default token lifetime 3600
      enable identity provider generic

      ui {
        links {
          "My Identity" "/whoami" icon "las la-user"
        }
      }

      # Parent-domain cookie so the *.dash.example.com site blocks receive the same session.
      cookie domain example.com

      # Group/email -> role mapping applied at login; the resulting roles are what the
      # authorization policies below match on.
       transform user {
        match groups andrey-keksik
        action add role authp/andrey_keksik
      }

      transform user {
        match email andrey@example.com
        action add role authp/dash_admin
      }
    }

    # Gatekeeper for the per-user dashboards. Its directives act on requests that pass through
    # `authorize with pass_andrey_keksik`; the dash.example.com site block never applies it.
    authorization policy pass_andrey_keksik {
      set auth url https://dash.example.com
      # NOTE(review): per the maintainer's reply, injected headers are meant for the proxied
      # application; they are not expected to show up in browser devtools - confirm with a trace.
      inject header "Remote-Email" from email # no header was provided
      inject headers with claims # no header was provided
      allow roles authp/andrey_keksik
    }

    authorization policy pass_dash_admin {
      set auth url https://dash.example.com
      inject header "Remote-Email" from email # no header was provided
      inject headers with claims # no header was provided
      # NOTE(review): the email transform above grants authp/dash_admin, not authp/admin, and the
      # login log shows no authp/admin role; as written this rule would not match that user.
      allow roles authp/admin
    }
  }
}

# Portal host. Only `authenticate` runs here; no `authorize with ...` policy is applied, so the
# `inject header` directives of the policies above never act on requests to this host.
dash.example.com {
  tls /certs/dash.example.com/fullchain.cer  /certs/dash.example.com/dash.example.com.key
  authenticate with auth_portal

  # `header` is a request matcher: it tests the header as sent by the client. Nothing in this
  # site block sets Remote-Email, and a client-supplied value would satisfy the matcher just as
  # well, so a match does not establish the user's identity.
  @has_andrey_email_header { # not work, header empty
     header "Remote-Email" "andrey@example.com"
  }

  # `rewrite` changes the request URI internally and never sends the browser a redirect; the
  # argument is treated as a URI (the adjusted config in the log shows it as "uri"), not a host.
  # The maintainer's reply points to a JS-based redirect from the portal UI instead.
  rewrite @has_andrey_email_header andrey.dash.example.com  # no redirect
}

# Per-user dashboard: gated by pass_andrey_keksik (requires role authp/andrey_keksik), then
# proxied to the local backend. Per the maintainer's reply, this is presumably where the
# policy's injected headers would reach the upstream request - confirm with a trace.
andrey.dash.example.com {
  authorize with pass_andrey_keksik
  reverse_proxy /* localhost:7032 
}
# Second dashboard for the same user: same gatekeeper policy, different local backend.
andrey-edit.dash.example.com {
  authorize with pass_andrey_keksik
  reverse_proxy /* localhost:7031
}

username.dash.example.com {
  ...
}

...

Login works correctly, but none of the headers from the JWT were provided.

caddy log

{"level":"info","ts":1710233469.6411192,"logger":"security","msg":"Successful login","session_id":"uSklJaMPGLBZ0rhEX1yR53ILZXp7yWfknGqc","request_id":"6444ff37-757c-4cad-b75e-8f5cf6e953ac","auth_method":"oauth2","auth_realm":"dash","user":{"email":"andrey@example.com","exp":1710233768,"given_name":"Андрей","groups":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik"],"iat":1710233468,"iss":"https://sso.example.com/application/o/dash/","name":"Андрей","sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
{"level":"info","ts":1710233469.6427104,"logger":"security","msg":"Successful login","session_id":"uSklJaMPGLBZ0rhEX1yR53ILZXp7yWfknGqc","request_id":"6444ff37-757c-4cad-b75e-8f5cf6e953ac","backend":{"name":"generic","realm":"dash","method":"oauth"},"user":{"addr":"192.168.101.1","email":"andrey@example.com","exp":1710237069,"given_name":"Андрей","iat":1710233469,"iss":"https://dash.example.com/oauth2/dash/","jti":"uSklJaMPGLBZ0rhEX1yR53ILZXp7yWfknGqc","name":"Андрей","nbf":1710233409000,"origin":"dash","realm":"dash","roles":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik","authp/andrey_keksik","authp/dash_admin","authp/guest"],"sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}

/whoami output

{
  "addr": "192.168.101.1",
  "authenticated": true,
  "email": "andrey@example.com",
  "exp": 1710237069,
  "expires_at_utc": "Tue Mar 12 09:51:09 UTC 2024",
  "given_name": "Андрей",
  "iat": 1710233469,
  "iss": "https://dash.example.com/oauth2/dash/",
  "issued_at_utc": "Tue Mar 12 08:51:09 UTC 2024",
  "jti": "uSklJaMPGLBZ0rhEX1yR53ILZXp7yWfknGqc",
  "name": "Андрей",
  "nbf": 1710233409,
  "not_before_utc": "Tue Mar 12 08:50:09 UTC 2024",
  "origin": "dash",
  "realm": "dash",
  "roles": [
    "home-torrent",
    "prometheus-user",
    "andrey-syncthing",
    "andrey-keksik",
    "authp/andrey_keksik",
    "authp/dash_admin",
    "authp/guest"
  ],
  "sub": "a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"
}

Chrome devtools also does not show any extra headers.

greenpau commented 8 months ago

@MrOzean , first, use container from https://github.com/authcrunch/authcrunch/pkgs/container/authcrunch

Next, add enable debug and add trace. See here https://github.com/authcrunch/authcrunch.github.io/blob/8df7a112fbf2f8c34e5a69a1be33bbeb42d4af62/assets/solutions/A00001/Caddyfile#L96

Post the request trace here. It should contain X headers.

Additionally, watch the video related to X-Headers: https://youtu.be/mDRFLX14zTk?si=uC3OZDVJ1quwSzUG

Your goal is to get X headers propagated to your proxied application.

As for the automated redirect, it is done with JS. I will add a video in how to do it.

greenpau commented 8 months ago

@MrOzean , the javascript directive that can include JS code that redirects users to their own dashboards can be found here: https://docs.authcrunch.com/docs/authenticate/ui-features#javascript

greenpau commented 8 months ago

@MrOzean , review the section again: https://docs.authcrunch.com/docs/authenticate/ui-features#javascript

I added a Caddyfile and a custom.js for your reference. None of it requires X headers; it is a pure JS solution. You will have to prune the JavaScript a bit, because I was trying to be more explicit for readability.

I will soon publish a video about this use case www.youtube.com/@AuthCrunch

MrOzean commented 8 months ago

Hello, thanks for the fast reply. The link https://github.com/authcrunch/authcrunch/pkgs/container/authcrunch returns a 404 error; I tried to use ghcr.io/authcrunch/authcrunch:v1.0.7 and got an authorization error.

MrOzean commented 8 months ago

In the current version I added trace to the route part of the Caddyfile:

# dashboards
dash.example.com {
  tls /certs/dash.example.com/fullchain.cer /certs/dash.example.com/dash.example.com.key

  # Troubleshooting route: authenticate, log the request via `trace`, then answer with the
  # auth placeholders instead of proxying. Remove `trace` once the issue is resolved; it writes
  # request details (presumably including session material) to the log.
  route {
    authenticate with auth_portal
    trace tag="tshoot"
    respond "{http.request.host}
        time: {time.now.common_log}
        id: {http.auth.user.id}
        roles: {http.auth.user.roles}"
  }

  # Request-header matcher. In the adjusted config in the log, the rewrite is ordered ahead of
  # the subroute that holds the authenticator, so it is evaluated before any auth handler runs
  # and only ever sees the header as the client sent it.
  @has_andrey_email_header {
    header "Remote-Email" "andrey@example.com"
  }

  # Internal URI rewrite, not an HTTP redirect.
  rewrite @has_andrey_email_header andrey.dash.example.com
}

andrey.dash.example.com {
  # Same troubleshooting shape as the portal host, but gated by the authorization policy (the
  # one carrying `inject header`). `respond` writes the response itself, so the reverse_proxy
  # below should not be reached while this route is in place; the adjusted config in the log
  # lists the static_response handler ahead of the reverse_proxy route.
  route {
    authorize with pass_andrey_keksik
    trace tag="tshoot"
    respond "{http.request.host}
        time: {time.now.common_log}
        id: {http.auth.user.id}
        roles: {http.auth.user.roles}"
  }

  reverse_proxy /* localhost:7032
}

Result of: navigate to dash.example.com -> press the login button -> press the whoami button:

{"level":"info","ts":1710303417.3243668,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1710303417.3301847,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1710303417.33275,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1710303417.333198,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000cfb800"}
{"level":"debug","ts":1710303417.3369842,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"9c199cf2-da99-441c-865a-ea37df615dcb","origin":"tls","data":{"sans":["matrixserver.example.com"]}}
{"level":"debug","ts":1710303417.3371625,"logger":"tls.cache","msg":"added certificate to cache","subjects":["matrixserver.example.com"],"expiration":1717395165,"managed":false,"issuer_key":"","hash":"36368a6c045b0c420ad8a2a469ecebfa8207af66c7e7be7ad0e6e4307428fe85","cache_size":1,"cache_capacity":10000}
{"level":"debug","ts":1710303417.337424,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"3bf1df3f-97ee-4b40-8e01-07059c705f8f","origin":"tls","data":{"sans":["streamwatch.example.com"]}}
{"level":"debug","ts":1710303417.3375294,"logger":"tls.cache","msg":"added certificate to cache","subjects":["streamwatch.example.com"],"expiration":1717400762,"managed":false,"issuer_key":"","hash":"0fadaec95186494e5286fb59c465acb9156da02222c82c56ad8724c9e700fe17","cache_size":2,"cache_capacity":10000}
{"level":"debug","ts":1710303417.337739,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"440a87d8-5a29-4686-a370-675823c12423","origin":"tls","data":{"sans":["linkwarden.example.com"]}}
{"level":"debug","ts":1710303417.3378325,"logger":"tls.cache","msg":"added certificate to cache","subjects":["linkwarden.example.com"],"expiration":1717394893,"managed":false,"issuer_key":"","hash":"de2ecfd361f96d1da21fb8f4cd10905172cafadaa52d0b7c98bf7d6a308812cf","cache_size":3,"cache_capacity":10000}
{"level":"debug","ts":1710303417.338038,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"65bedc44-4c9e-454b-bfe6-d45be5f540b3","origin":"tls","data":{"sans":["collabora.example.com"]}}
{"level":"debug","ts":1710303417.338062,"logger":"tls.cache","msg":"added certificate to cache","subjects":["collabora.example.com"],"expiration":1717398248,"managed":false,"issuer_key":"","hash":"e65fd2ba1f1c3b94794ae34ce5443d53077884c211dbe1f9436000cbfb5456af","cache_size":4,"cache_capacity":10000}
{"level":"debug","ts":1710303417.338199,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"a5fc05f1-ccfb-4e6d-92bb-6e3374a9db4d","origin":"tls","data":{"sans":["streamer.example.com"]}}
{"level":"debug","ts":1710303417.3382108,"logger":"tls.cache","msg":"added certificate to cache","subjects":["streamer.example.com"],"expiration":1717403938,"managed":false,"issuer_key":"","hash":"87733a2900b70904abebe10f0ab77c919b1e42174afe5cba9a63bd3903dfdc84","cache_size":5,"cache_capacity":10000}
{"level":"debug","ts":1710303417.3383439,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"7adea089-2df6-44a0-83bd-9da9bf4fb144","origin":"tls","data":{"sans":["dash.example.com","*.dash.example.com"]}}
{"level":"debug","ts":1710303417.3383563,"logger":"tls.cache","msg":"added certificate to cache","subjects":["dash.example.com","*.dash.example.com"],"expiration":1717468977,"managed":false,"issuer_key":"","hash":"6dfd280453a6e86d5552589f75172f4fcb17b474738a18dc3f9e51945d15747d","cache_size":6,"cache_capacity":10000}
{"level":"debug","ts":1710303417.3384943,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"e3162a4d-25e4-48d9-beb4-2b1faf749532","origin":"tls","data":{"sans":["git.example.com"]}}
{"level":"debug","ts":1710303417.3385057,"logger":"tls.cache","msg":"added certificate to cache","subjects":["git.example.com"],"expiration":1717387896,"managed":false,"issuer_key":"","hash":"81076d5dd4c10e65337113512e24d21218c508f43229dc20d6335b2edaf4cdd5","cache_size":7,"cache_capacity":10000}
{"level":"info","ts":1710303417.3386366,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"collabora.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3386455,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"streamer.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.338653,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"git.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3386614,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"keksik-edit.dash.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3386683,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"matrixserver.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3386838,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"andrey.dash.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3386905,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"linkwarden.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3386977,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"andrey-edit.dash.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.338704,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"streamwatch.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3387113,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"keksik.dash.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3387167,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"dash.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3387206,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"debug","ts":1710303417.33878,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["andrey-edit.dash.example.com","keksik-edit.dash.example.com","matrixserver.example.com","streamwatch.example.com","andrey.dash.example.com","keksik.dash.example.com","linkwarden.example.com","collabora.example.com","streamer.example.com","dash.example.com","git.example.com"]},{"subjects":["nextcloud.hs.lan"]},{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authentication","providers":{"authorizer":{"gatekeeper_name":"pass_andrey_keksik","route_matcher":"*"}}}]},{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:7031"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authentication","providers":{"authorizer":{"gatekeeper_name":"pass_andrey_keksik","route_matcher":"*"}}}]},{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:7033"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8088"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"file_server","hide":["/etc/caddy/Caddyfile"],"index_names":["index.html"],"precompressed":{"br":{},"gzip":{},"zstd":{}},"precompressed_order":["zstd","br","gzip"],"root":"/srv/streamwatch"}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authentication","providers":{"authorizer":{"gatekeeper_name":"pass_andrey_keksik","route_matcher":"*"}}},{"handler":"trace","tag":"tshoot"},{"body":"{http.request.host}\n\t\ttime: {time.now.common_log}\n\t\tid: {http.auth.user.id}\n\t\troles: 
{http.auth.user.roles}","handler":"static_response"}]}]}]},{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:7032"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authentication","providers":{"authorizer":{"gatekeeper_name":"pass_andrey_keksik","route_matcher":"*"}}}]},{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:7034"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8016"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:9980"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8023"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8085"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"group":"group12","handle":[{"handler":"rewrite","uri":"andrey.dash.example.com"}],"match":[{"header":{"Remote-Email":["andrey@example.com"]}}]},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authenticator","portal_name":"auth_portal","route_matcher":"*"}]}]}],"match":[{"path":["*"]}]},{"handle":[{"handler":"trace","tag":"tshoot"},{"body":"{http.request.host}\n\t\ttime: {time.now.common_log}\n\t\tid: {http.auth.user.id}\n\t\troles: 
{http.auth.user.roles}","handler":"static_response"}]}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8087"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true}],"tls_connection_policies":[{"match":{"sni":["matrixserver.example.com"]},"certificate_selection":{"any_tag":["cert2"]}},{"match":{"sni":["streamwatch.example.com"]},"certificate_selection":{"any_tag":["cert4"]}},{"match":{"sni":["linkwarden.example.com"]},"certificate_selection":{"any_tag":["cert1"]}},{"match":{"sni":["collabora.example.com"]},"certificate_selection":{"any_tag":["cert3"]}},{"match":{"sni":["streamer.example.com"]},"certificate_selection":{"any_tag":["cert5"]}},{"match":{"sni":["dash.example.com"]},"certificate_selection":{"any_tag":["cert6"]}},{"match":{"sni":["git.example.com"]},"certificate_selection":{"any_tag":["cert0"]}},{}],"automatic_https":{}}}}}
{"level":"info","ts":1710303417.3390932,"logger":"security","msg":"provisioning app instance","app":"security"}
{"level":"debug","ts":1710303418.0699155,"logger":"security","msg":"fetchMetadataURL succeeded","identity_provider_name":"generic","metadata":{"acr_values_supported":["goauthentik.io/providers/oauth2/default"],"authorization_endpoint":"https://sso.example.com/application/o/authorize/","claims_parameter_supported":false,"claims_supported":["sub","iss","aud","exp","iat","auth_time","acr","amr","nonce","email","email_verified","name","given_name","preferred_username","nickname","groups"],"code_challenge_methods_supported":["plain","S256"],"device_authorization_endpoint":"https://sso.example.com/application/o/device/","end_session_endpoint":"https://sso.example.com/application/o/dash/end-session/","grant_types_supported":["authorization_code","refresh_token","implicit","client_credentials","password","urn:ietf:params:oauth:grant-type:device_code"],"id_token_signing_alg_values_supported":["RS256"],"introspection_endpoint":"https://sso.example.com/application/o/introspect/","issuer":"https://sso.example.com/application/o/dash/","jwks_uri":"https://sso.example.com/application/o/dash/jwks/","request_parameter_supported":false,"response_modes_supported":["query","fragment","form_post"],"response_types_supported":["code","id_token","id_token token","code token","code id_token","code id_token token"],"revocation_endpoint":"https://sso.example.com/application/o/revoke/","scopes_supported":["offline_access","openid","email","profile"],"subject_types_supported":["public"],"token_endpoint":"https://sso.example.com/application/o/token/","token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic"],"userinfo_endpoint":"https://sso.example.com/application/o/userinfo/"},"userinfo_endpoint":"https://sso.example.com/application/o/userinfo/"}
{"level":"info","ts":1710303418.7669978,"logger":"security","msg":"successfully configured OAuth 2.0 identity provider","provider":"generic","client_id":"GHpQxIyC6BMlXry4Q7KhFpE2HRBXRG50W1FvigGH","server_id":"","domain_name":"","metadata":{"acr_values_supported":["goauthentik.io/providers/oauth2/default"],"authorization_endpoint":"https://sso.example.com/application/o/authorize/","claims_parameter_supported":false,"claims_supported":["sub","iss","aud","exp","iat","auth_time","acr","amr","nonce","email","email_verified","name","given_name","preferred_username","nickname","groups"],"code_challenge_methods_supported":["plain","S256"],"device_authorization_endpoint":"https://sso.example.com/application/o/device/","end_session_endpoint":"https://sso.example.com/application/o/dash/end-session/","grant_types_supported":["authorization_code","refresh_token","implicit","client_credentials","password","urn:ietf:params:oauth:grant-type:device_code"],"id_token_signing_alg_values_supported":["RS256"],"introspection_endpoint":"https://sso.example.com/application/o/introspect/","issuer":"https://sso.example.com/application/o/dash/","jwks_uri":"https://sso.example.com/application/o/dash/jwks/","request_parameter_supported":false,"response_modes_supported":["query","fragment","form_post"],"response_types_supported":["code","id_token","id_token token","code token","code id_token","code id_token 
token"],"revocation_endpoint":"https://sso.example.com/application/o/revoke/","scopes_supported":["offline_access","openid","email","profile"],"subject_types_supported":["public"],"token_endpoint":"https://sso.example.com/application/o/token/","token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic"],"userinfo_endpoint":"https://sso.example.com/application/o/userinfo/"},"jwks_keys":{"ab222aa0a4b7125003fbe272c07cc120":{"alg":"RS256","e":"AQAB","kid":"ab222aa0a4b7125003fbe272c07cc120","kty":"RSA","n":"mdiuojVVRujhT6UsOMtw4Oc27lNYd7k5bWUQlUVmfwXWQ_M1jZzTzLXF2Ltk3fa3Q6fNBz6krtnV17mMHvEkxb7GrsOoBnM8aMu1b2B3KGbeAh2wY5stwtWPWAnQsEi12BlJP5vpGKvS9VOrZ6Towi70ZiTD0IuvU4kZyw7KwO6M9THm_8KJkEblR1mCvzrBfvVSo4eFBrblnvldVpL5wEn43cvmA13ajt4hYf81c9pDbK2IjMt_F73yRS1J-U0CjT49x_a6vZYHm-UnotAWGakDAKb-X7DCuGQMwKFHqZu6tGadU7lIkyVlggvv7_VExBs-07guT78LKXUt9Mq64RaQLVq1KBJ1EQpa_cBi9E3NVkGGqNfnSiFR4RfLZycxAxGI7mje2a8PD6W2Pan7hlRW4xWrz6hkstnhQfweu5COLoSwMbrCxhSUE9UYy_nURDB5hFulv-4a3b5stkCSaSdy8minsj-518DPv59u2IabRtBfBkDBJ8-R1HjNhhh07pmE4zZ_CrB_PBzSsEbE21iSA2H0OsgqwJ8x9AEUNXU-3bGuS1keznEFFk7-JN9au8TYDNVy-s0jQUCFoWxP5k3krN-ALn4vCVeBieLE8pMcQtt0lfHfEZ0LBgFe3ZnNms3v2nidmCBytZoxwz9kovvwfGQfTjQeyVPeSHaslBc=","use":"sig"}},"required_token_fields":["access_token","id_token"],"delayed_by":0,"retry_attempts":0,"retry_interval":0,"scopes":["openid","email","profile"],"login_icon":{"class_name":"lab la-codepen la-2x","color":"white","background_color":"#324960","text_color":"#37474f"}}
{"level":"debug","ts":1710303418.7671072,"logger":"security","msg":"Configuring caching","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73"}
{"level":"debug","ts":1710303418.7671359,"logger":"security","msg":"Configuring cookie parameters","portal_name":"auth_portal"}
{"level":"debug","ts":1710303418.7671452,"logger":"security","msg":"Configuring authentication ACL","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73","access_list_configs":[{"conditions":["match roles authp/admin authp/user authp/guest superuser superadmin"],"action":"allow stop"}]}
{"level":"debug","ts":1710303418.783529,"logger":"security","msg":"Configured validator ACL","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73","token_validator_options":{"validate_bearer_header":true},"token_grantor_options":{}}
{"level":"debug","ts":1710303418.7835689,"logger":"security","msg":"Configuring identity provider login options","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73","identity_provider_count":1}
{"level":"debug","ts":1710303418.7836108,"logger":"security","msg":"Provisioned login options","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73","options":{"authenticators":[{"background_color":"#324960","class_name":"lab la-codepen la-2x","color":"white","endpoint":"oauth2/dash","realm":"dash","text":"DASH","text_color":"#37474f"}],"authenticators_required":"yes","default_realm":"dash","form_required":"no","hide_contact_support_link":"yes","hide_forgot_username_link":"yes","hide_links":"yes","hide_register_link":"yes","identity_required":"no","realm_dropdown_required":"no"},"identity_store_count":0,"identity_provider_count":1}
{"level":"debug","ts":1710303418.7836578,"logger":"security","msg":"Configuring user interface","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73"}
{"level":"debug","ts":1710303418.7836657,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"register"}
{"level":"debug","ts":1710303418.783948,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"generic"}
{"level":"debug","ts":1710303418.7840557,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"apps_sso"}
{"level":"debug","ts":1710303418.7842166,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"apps_mobile_access"}
{"level":"debug","ts":1710303418.7843316,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"login"}
{"level":"debug","ts":1710303418.7846692,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"portal"}
{"level":"debug","ts":1710303418.7848182,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"whoami"}
{"level":"debug","ts":1710303418.7849538,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"settings"}
{"level":"debug","ts":1710303418.786262,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"sandbox"}
{"level":"debug","ts":1710303418.7868485,"logger":"security","msg":"Configured user interface","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73","title":"Sign In","logo_url":"/assets/images/logo.svg","logo_description":"Authentication Portal","action_endpoint":"","private_links":[{"link":"/whoami","title":"My Identity","icon_name":"las la-user","icon_enabled":true}],"realms":[],"theme":"basic"}
{"level":"debug","ts":1710303418.7868643,"logger":"security","msg":"Configuring user transforms","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73"}
{"level":"debug","ts":1710303418.788027,"logger":"security","msg":"Configured user transforms","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73","transforms":[{"matchers":["exact match groups andrey-keksik"],"actions":["action add role authp/andrey_keksik"]},{"matchers":["exact match email andrey@example.com"],"actions":["action add role authp/dash_admin"]}]}
{"level":"debug","ts":1710303418.7936773,"logger":"security","msg":"Configured gatekeeper","gatekeeper_name":"pass_andrey_keksik","gatekeeper_id":"ca54ef9f-21c8-40e4-9aab-12ce9a0d934b","auth_url_path":"https://dash.example.com","token_sources":"cookie header query","token_validator_options":{},"access_list_rules":[{"conditions":["match roles authp/andrey_keksik"],"action":"allow log debug"}],"forbidden_path":""}
{"level":"debug","ts":1710303418.7983153,"logger":"security","msg":"Configured gatekeeper","gatekeeper_name":"pass_dash_admin","gatekeeper_id":"5a26beb9-23c7-4ca8-b913-0358144e1146","auth_url_path":"https://dash.example.com","token_sources":"cookie header query","token_validator_options":{},"access_list_rules":[{"conditions":["match roles authp/admin"],"action":"allow log debug"}],"forbidden_path":""}
{"level":"info","ts":1710303418.7983365,"logger":"security","msg":"provisioned app instance","app":"security"}
{"level":"debug","ts":1710303418.8001373,"logger":"security","msg":"started app instance","app":"security"}
{"level":"info","ts":1710303418.8002813,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1710303418.8003743,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"debug","ts":1710303418.8005111,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
{"level":"info","ts":1710303418.800524,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1710303418.800572,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"info","ts":1710303418.8005793,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1710303418.800585,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["nextcloud.hs.lan"]}
{"level":"warn","ts":1710303418.8010666,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [nextcloud.hs.lan]: no OCSP server specified in certificate","identifiers":["nextcloud.hs.lan"]}
{"level":"debug","ts":1710303418.8010836,"logger":"tls.cache","msg":"added certificate to cache","subjects":["nextcloud.hs.lan"],"expiration":1710323465,"managed":true,"issuer_key":"local","hash":"6114c26d8a7f0dddb22944a6e79aa0867fdd993483e6280832697c71ef90bfd7","cache_size":8,"cache_capacity":10000}
{"level":"debug","ts":1710303418.8011024,"logger":"events","msg":"event","name":"cached_managed_cert","id":"9241435a-4b07-4f9c-9f0c-f725c3fcf418","origin":"tls","data":{"sans":["nextcloud.hs.lan"]}}
{"level":"info","ts":1710303418.8011463,"logger":"pki.ca.local","msg":"root certificate is already trusted by system","path":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1710303418.8012555,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1710303418.8012936,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1710303418.8014657,"msg":"serving initial configuration"}
{"level":"info","ts":1710303418.8027291,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"debug","ts":1710303425.951998,"logger":"events","msg":"event","name":"tls_get_certificate","id":"63024391-e1cc-4dff-a449-d4c123dab065","origin":"tls","data":{"client_hello":{"CipherSuites":[23130,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"dash.example.com","SupportedCurves":[6682,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[27242,772,771],"Conn":{}}}}
{"level":"debug","ts":1710303425.9521568,"logger":"tls.handshake","msg":"choosing certificate","identifier":"dash.example.com","num_choices":1}
{"level":"debug","ts":1710303425.9521744,"logger":"tls.handshake","msg":"custom certificate selection results","identifier":"dash.example.com","subjects":["dash.example.com","*.dash.example.com"],"managed":false,"issuer_key":"","hash":"6dfd280453a6e86d5552589f75172f4fcb17b474738a18dc3f9e51945d15747d"}
{"level":"debug","ts":1710303425.9521823,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.101.1","remote_port":"59994","subjects":["dash.example.com","*.dash.example.com"],"managed":false,"expiration":1717468977,"hash":"6dfd280453a6e86d5552589f75172f4fcb17b474738a18dc3f9e51945d15747d"}
{"level":"debug","ts":1710303429.386395,"logger":"security","msg":"External login requested","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"dd5cffc0-0869-4737-af75-cda4ffc060c6","base_url":"https://dash.example.com","base_path":"/","auth_method":"oauth2","auth_realm":"dash","request_path":"/oauth2/dash"}
{"level":"debug","ts":1710303429.386442,"logger":"security","msg":"redirecting to OAuth 2.0 endpoint","request_id":"dd5cffc0-0869-4737-af75-cda4ffc060c6","redirect_url":"https://sso.example.com/application/o/authorize/?client_id=GHpQxIyC6BMlXry4Q7KhFpE2HRBXRG50W1FvigGH&nonce=AYRhIJvogfGcroiM8f5ibxRg1X5IDtFb&redirect_uri=https%3A%2F%2Fdash.example.com%2Foauth2%2Fdash%2Fauthorization-code-callback&response_type=code&scope=openid+email+profile&state=9025553f-91f4-41aa-a266-59316884d554"}
{"level":"debug","ts":1710303429.3864496,"logger":"security","msg":"Redirect to authorization server","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"dd5cffc0-0869-4737-af75-cda4ffc060c6","url":"https://sso.example.com/application/o/authorize/?client_id=GHpQxIyC6BMlXry4Q7KhFpE2HRBXRG50W1FvigGH&nonce=AYRhIJvogfGcroiM8f5ibxRg1X5IDtFb&redirect_uri=https%3A%2F%2Fdash.example.com%2Foauth2%2Fdash%2Fauthorization-code-callback&response_type=code&scope=openid+email+profile&state=9025553f-91f4-41aa-a266-59316884d554"}
{"level":"debug","ts":1710303430.175213,"logger":"security","msg":"External login requested","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","base_url":"https://dash.example.com","base_path":"/","auth_method":"oauth2","auth_realm":"dash","request_path":"/oauth2/dash/authorization-code-callback"}
{"level":"debug","ts":1710303430.1752443,"logger":"security","msg":"received OAuth 2.0 response","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","params":{"code":["23ee5898bcac4bc8b291f8386ccf4fb3"],"state":["9025553f-91f4-41aa-a266-59316884d554"]}}
{"level":"debug","ts":1710303430.1752715,"logger":"security","msg":"received OAuth 2.0 code and state from the authorization server","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","state":"9025553f-91f4-41aa-a266-59316884d554","code":"23ee5898bcac4bc8b291f8386ccf4fb3"}
{"level":"debug","ts":1710303431.043035,"logger":"security","msg":"OAuth 2.0 access token response received","body":"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","redirect_uri":"https://dash.example.com/oauth2/dash/authorization-code-callback"}
{"level":"debug","ts":1710303431.0431418,"logger":"security","msg":"OAuth 2.0 access token response decoded","body":{"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMjIyYWEwYTRiNzEyNTAwM2ZiZTI3MmMwN2NjMTIwIiwidHlwIjoiSldUIn0.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.f3JDJjkirWS4M_Nb4mJNuqRgAQRf_zU4AN5fPNUC47rlfWnmjzJCL_K8ZyACitgL4x_sVGrRNYLdIw330ZYtTkmajQ6bvVHwRpzPuBA5B0g9e9LUt_j_YazX5X_7fLHMdRzhuFpbujuQ4HQHxJL4se7ynsM0h8AaS8XcKpQF5sMZAjhuTttslAsFpiIZYM2O9p-keK8vDSKDujNOUge5Mnb3w7huDOVivr8Rky1vcsFGxaU0ruQ_dyPOOofAT9t6X30KsWVN0BipCcAeOA5lMhGcQeD5sKpfIS7L59vmtp0n_BuDzaH3joXAs2uUUKXsHKOQe-7JUGDAk7YqCX6ufs8dRIEN80WZWxyUpnoa4_TRY9s79Op1TnmAGjYWDmyW7LrYtLzcxeAeOGiv46OEyBsIV1RkrSmkKioDDYjcfvxptoIVT9FJyfDzQqaQiTUsq6F0ej6vdeSCA0btZk9uDyF6GYHbBZ5ePIocIVboWihyIedDaow3NH3JduP2Oy5IKH9IfuejEddr1SWODUMabtptgizmzy3LjPkdjwt_Gg1AvJOo74TVDSWnCU6M7NP88wNJ0suVJ2KAk87LCYmTemQ0P4QNiXhw6--bmhFFerbUJBV1AKI042LNRU0WvXUp_rwIAtCamY2yPIqa7hVwv1LAO1ZSANY9DDVLTi8acho","expires_in":300,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMjIyYWEwYTRiNzEyNTAwM2ZiZTI3MmMwN2NjMTIwIiwidHlwIjoiSldUIn0.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.Y4GFJ6zwe0aPw9uFzJC7-vJdzKdp-OKJMdXUwF5FspJTu9r9gQFmaT6jcgPnMOCuccGuxSpW2jyJqxqnSGOuQa_u1sQufA-ra856A1WM7nDhOxhr5-ZijtJwtmRWVevYi_tGZ1UHpX7hpcvzYtDuGEwWOaew1Xc56gXV9JksmVzlt4NxISnJjTw9gpn9n3UHoW7L2VB0wsp8K-0kDqlfVOzlMG7f7GSLsS7FNLpatVLWk5Rwqpzci_7-_8MBTc7FlSniWDZiyoOqGGRj1X7TENGrxiCuM0K-PD5oIhKwxpaIgOC9b_83sUagpuhdHgiCf9QLbJYUr02kwS4YqCMdPum4s86OCeOr99hKhn2vjLO49uZJZMayGmVp7bssha9Tl6Yis0M7P3DilYpBcWDU3phpZQJLyrmCk5nqO-_OdCD3hRKHkwFrCBB9FKzmcMgKp87Z9R6ihU_QYZMxhYSzJ6e9CQDn_N9iQW0vhDNqMlV8FxzXLvN2YuVg3MiqIdhUbuuoGz_gJgNcLON6Pl4EHa6WGO9GbdG5eeCcr72xO_ZJ1m6-cDYSSZF8ahZo_6A-6H8NA_IPcDCsjz61Dr56PcQ-HXlIyoxZDtxntrdglznlxZCqGbw_YwjDsO3fF5cMjwYy_0XaCjn-dH1Y1tS4G-drCzUvQl97VTwEA-XgwrY","token_type":"Bearer"}}
{"level":"debug","ts":1710303431.0431826,"logger":"security","msg":"received OAuth 2.0 authorization server access token","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","token":{"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMjIyYWEwYTRiNzEyNTAwM2ZiZTI3MmMwN2NjMTIwIiwidHlwIjoiSldUIn0.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.f3JDJjkirWS4M_Nb4mJNuqRgAQRf_zU4AN5fPNUC47rlfWnmjzJCL_K8ZyACitgL4x_sVGrRNYLdIw330ZYtTkmajQ6bvVHwRpzPuBA5B0g9e9LUt_j_YazX5X_7fLHMdRzhuFpbujuQ4HQHxJL4se7ynsM0h8AaS8XcKpQF5sMZAjhuTttslAsFpiIZYM2O9p-keK8vDSKDujNOUge5Mnb3w7huDOVivr8Rky1vcsFGxaU0ruQ_dyPOOofAT9t6X30KsWVN0BipCcAeOA5lMhGcQeD5sKpfIS7L59vmtp0n_BuDzaH3joXAs2uUUKXsHKOQe-7JUGDAk7YqCX6ufs8dRIEN80WZWxyUpnoa4_TRY9s79Op1TnmAGjYWDmyW7LrYtLzcxeAeOGiv46OEyBsIV1RkrSmkKioDDYjcfvxptoIVT9FJyfDzQqaQiTUsq6F0ej6vdeSCA0btZk9uDyF6GYHbBZ5ePIocIVboWihyIedDaow3NH3JduP2Oy5IKH9IfuejEddr1SWODUMabtptgizmzy3LjPkdjwt_Gg1AvJOo74TVDSWnCU6M7NP88wNJ0suVJ2KAk87LCYmTemQ0P4QNiXhw6--bmhFFerbUJBV1AKI042LNRU0WvXUp_rwIAtCamY2yPIqa7hVwv1LAO1ZSANY9DDVLTi8acho","expires_in":300,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMjIyYWEwYTRiNzEyNTAwM2ZiZTI3MmMwN2NjMTIwIiwidHlwIjoiSldUIn0.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.Y4GFJ6zwe0aPw9uFzJC7-vJdzKdp-OKJMdXUwF5FspJTu9r9gQFmaT6jcgPnMOCuccGuxSpW2jyJqxqnSGOuQa_u1sQufA-ra856A1WM7nDhOxhr5-ZijtJwtmRWVevYi_tGZ1UHpX7hpcvzYtDuGEwWOaew1Xc56gXV9JksmVzlt4NxISnJjTw9gpn9n3UHoW7L2VB0wsp8K-0kDqlfVOzlMG7f7GSLsS7FNLpatVLWk5Rwqpzci_7-_8MBTc7FlSniWDZiyoOqGGRj1X7TENGrxiCuM0K-PD5oIhKwxpaIgOC9b_83sUagpuhdHgiCf9QLbJYUr02kwS4YqCMdPum4s86OCeOr99hKhn2vjLO49uZJZMayGmVp7bssha9Tl6Yis0M7P3DilYpBcWDU3phpZQJLyrmCk5nqO-_OdCD3hRKHkwFrCBB9FKzmcMgKp87Z9R6ihU_QYZMxhYSzJ6e9CQDn_N9iQW0vhDNqMlV8FxzXLvN2YuVg3MiqIdhUbuuoGz_gJgNcLON6Pl4EHa6WGO9GbdG5eeCcr72xO_ZJ1m6-cDYSSZF8ahZo_6A-6H8NA_IPcDCsjz61Dr56PcQ-HXlIyoxZDtxntrdglznlxZCqGbw_YwjDsO3fF5cMjwYy_0XaCjn-dH1Y1tS4G-drCzUvQl97VTwEA-XgwrY","token_type":"Bearer"}}
{"level":"debug","ts":1710303431.045312,"logger":"security","msg":"decoded claims from OAuth 2.0 authorization server access token","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","claims":{"email":"andrey@example.com","exp":1710303730,"given_name":"Андрей","groups":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik"],"iat":1710303430,"iss":"https://sso.example.com/application/o/dash/","name":"Андрей","sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
{"level":"info","ts":1710303431.0453367,"logger":"security","msg":"Successful login","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","auth_method":"oauth2","auth_realm":"dash","user":{"email":"andrey@example.com","exp":1710303730,"given_name":"Андрей","groups":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik"],"iat":1710303430,"iss":"https://sso.example.com/application/o/dash/","name":"Андрей","sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
{"level":"debug","ts":1710303431.0453792,"logger":"security","msg":"user transformation ended","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","user":{"addr":"192.168.101.1","email":"andrey@example.com","exp":1710307031,"given_name":"Андрей","iat":1710303431,"iss":"https://dash.example.com/oauth2/dash/","jti":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","name":"Андрей","nbf":1710303371000,"origin":"dash","realm":"dash","roles":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik","authp/andrey_keksik","authp/dash_admin"],"sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
{"level":"info","ts":1710303431.046944,"logger":"security","msg":"Successful login","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","backend":{"name":"generic","realm":"dash","method":"oauth"},"user":{"addr":"192.168.101.1","email":"andrey@example.com","exp":1710307031,"given_name":"Андрей","iat":1710303431,"iss":"https://dash.example.com/oauth2/dash/","jti":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","name":"Андрей","nbf":1710303371000,"origin":"dash","realm":"dash","roles":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik","authp/andrey_keksik","authp/dash_admin","authp/guest"],"sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
greenpau commented 8 months ago

@MrOzean , where is the log from when you try going to a dashboard?

greenpau commented 8 months ago

Also, something strange: there are no traces of the dashboard request in the log.

Remove the `rewrite` directive and the `has` conditional, then try again.

greenpau commented 8 months ago

@MrOzean , please reach out on WhatsApp (12123807343), I will try to explain over the phone.

MrOzean commented 8 months ago

First, I think the container needs updating. As I said, the link https://github.com/authcrunch/authcrunch/pkgs/container/authcrunch returns a 404, and trying to pull ghcr.io/authcrunch/authcrunch:v1.0.7 gives an authorization error.

MrOzean commented 8 months ago

A phone call is not a good idea: my spoken English is far from perfect, there is a 12-hour time difference, and keeping this conversation here can help others.

MrOzean commented 8 months ago

The JS redirect works perfectly, thanks. Working solution below. Note that the redirect is only a client-side convenience: access to each `<user>.dash.example.com` site is still enforced server-side by the `authorize with` policy in that site block, so a user who skips or tampers with the script gains nothing.

caddyfile

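{
    order authenticate before respond
    order authorize before basicauth

    security {
        # Generic OIDC provider (Authentik); the portal sends users here to log in.
        oauth identity provider generic {
            realm dash
            driver generic
            client_id <CLIENT_ID>
            client_secret <SECRET>
            scopes openid email profile
            base_auth_url https://sso.example.com/
            metadata_url https://sso.example.com/application/o/dash/.well-known/openid-configuration
        }

        authentication portal auth_portal {
            # Lifetime, in seconds, of the session token the portal issues.
            crypto default token lifetime 3600
            enable identity provider generic

            ui {
                links {
                    "My Identity" "/whoami" icon "las la-user"
                }

                # Client-side convenience only: after login the script sends the
                # browser to <email-local-part>.dash.example.com. Access to each
                # dashboard is still decided server-side by the `authorize with`
                # policy in that site's block below.
                custom js path /js/redirect_to_dashboard_by_email.js
            }

            # The session cookie must reach dash.example.com and *.dash.example.com.
            # Scoping it to the apex also sends it to every other example.com host
            # (sso.example.com included). If no other example.com sites need it,
            # `cookie domain dash.example.com` should be the narrowest scope that
            # still covers the portal and the per-user subdomains.
            cookie domain example.com

            transform user {
                match groups andrey-keksik
                action add role authp/andrey_keksik
            }

            transform user {
                match email andrey@example.com
                action add role authp/dash_admin
            }
        }

        authorization policy pass_andrey_keksik {
            set auth url https://dash.example.com
            allow roles authp/andrey_keksik
        }

        authorization policy pass_dash_admin {
            set auth url https://dash.example.com
            # Must name the role the transform above actually grants
            # (authp/dash_admin). The original listing allowed authp/admin, which
            # no transform assigns, so this policy would have denied the admin user
            # (it fails closed, but it never worked as intended).
            allow roles authp/dash_admin
        }
    }
}

# dashboards
dash.example.com {
    tls /certs/dash.example.com/fullchain.cer /certs/dash.example.com/dash.example.com.key
    authenticate with auth_portal
}

andrey.dash.example.com {
    authorize with pass_andrey_keksik
    reverse_proxy /* localhost:7032
}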
...

js file

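/**
 * Portal-side redirect helper, loaded through caddy-security's `custom js`
 * UI option.
 *
 * After a successful login the portal lands on `/portal`. This script asks the
 * portal's own `/whoami` endpoint for the signed-in user's claims and sends the
 * browser to `https://<label>.dash.example.com`, where `<label>` is the local
 * part of the user's email (`andrey@example.com` -> `andrey`).
 *
 * This is a convenience redirect only. It runs in the user's browser and can be
 * skipped or altered by the user, so per-dashboard access must still be
 * enforced server-side (the `authorize with ...` directive on each
 * `<label>.dash.example.com` site block).
 */

/**
 * Derive the dashboard subdomain label from an email address.
 *
 * The local part comes from the identity provider rather than from user input,
 * but it is still data from outside this script and it is spliced into a URL
 * the browser navigates to. RFC 5321 permits characters such as `/`, `?`, `#`
 * and (in quoted form) `@` in a local part; naively concatenated into
 * `https://<label>.<host>` those would change the target host or path. Only a
 * single plain DNS label is accepted here; anything else yields `null` and no
 * redirect happens. Dotted local parts (`a.b@...`) are rejected too, since they
 * would not map to a single subdomain — relax the pattern if such users exist.
 *
 * @param {unknown} email  value of the `email` claim returned by `/whoami`
 * @returns {string|null}  a lowercase DNS label, or null if unusable
 */
function dashboardLabelFromEmail(email) {
  if (typeof email !== "string") return null;
  const at = email.indexOf("@");
  if (at <= 0) return null; // no "@" at all, or an empty local part
  // Hostnames are case-insensitive; browsers lowercase them anyway.
  const label = email.slice(0, at).toLowerCase();
  // Exactly one DNS label: 1-63 chars of [a-z0-9-], no leading/trailing hyphen.
  return /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label) ? label : null;
}

(async () => {
  console.log("Injected JS Found");

  const whoamiEndpoint = "/whoami";
  const portalEndpoint = "/portal";
  const dashboardBaseUrl = "https://dash.example.com";

  /**
   * GET a JSON document from the portal.
   *
   * The request is same-origin, so the portal session cookie is attached by
   * fetch's default `credentials: "same-origin"`. GET carries no body, so no
   * Content-Type header is sent.
   *
   * @param {string} path  absolute URL on the portal origin
   * @returns {Promise<unknown|null>} parsed JSON body, or null on any failure
   */
  async function fetchUserData(path) {
    try {
      const response = await fetch(path, {
        method: "GET",
        headers: { Accept: "application/json" },
      });
      if (response.ok) {
        return await response.json();
      }
      console.log(path, "fetch returns not success status", response.statusText);
    } catch (error) {
      console.log("encountered error while fetching user data", error);
    }
    return null;
  }

  try {
    // Not running in a browser (e.g. a test harness): nothing to do.
    if (typeof window === "undefined") return;

    const currentURL = new URL(window.location.href);
    const portalOrigin = new URL(dashboardBaseUrl).origin;
    // Compare origin and path rather than the full href so a query string or
    // fragment appended to /portal does not silently disable the redirect.
    if (currentURL.origin !== portalOrigin || currentURL.pathname !== portalEndpoint) {
      return;
    }
    console.log(currentURL.href);

    const userData = await fetchUserData(dashboardBaseUrl + whoamiEndpoint);
    const email =
      userData !== null && typeof userData === "object" ? userData.email : undefined;
    const label = dashboardLabelFromEmail(email);
    if (label === null) {
      console.log("No usable email found in user data", userData);
      return;
    }

    // Build the target with the URL API so the host is exactly
    // "<label>.<portal host>"; nothing from the claim can alter scheme or path.
    const target = new URL(dashboardBaseUrl);
    target.hostname = `${label}.${target.hostname}`;
    console.log(`Redirecting user ${label} to ${target.href}`);
    window.location.href = target.href;
  } catch (error) {
    console.log("encountered error", error);
  }
})();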
greenpau commented 8 months ago

About phone call, not good idea. My English speaking far from perfect + 12 hours time difference + this conversation can help anyone else

I can speak Russian.

greenpau commented 8 months ago

@MrOzean , glad this is resolved!

MrOzean commented 8 months ago

Thanks for help!

greenpau commented 7 months ago

I recorded a video about this one: https://youtu.be/DAzfxtqxD5s