Closed MrOzean closed 8 months ago
@MrOzean , first, use container from https://github.com/authcrunch/authcrunch/pkgs/container/authcrunch
Next, add enable debug and add trace. See here https://github.com/authcrunch/authcrunch.github.io/blob/8df7a112fbf2f8c34e5a69a1be33bbeb42d4af62/assets/solutions/A00001/Caddyfile#L96
Post the request trace here. It should contain X headers.
Additionally, watch the video related to X-Headers: https://youtu.be/mDRFLX14zTk?si=uC3OZDVJ1quwSzUG
Your goal is to get X headers propagated to your proxied application.
As for the automated redirect, it is done with JS. I will add a video in how to do it.
@MrOzean , the javascript directive that can include JS code that redirects users to their own dashboards can be found here: https://docs.authcrunch.com/docs/authenticate/ui-features#javascript
@MrOzean , review the section again: https://docs.authcrunch.com/docs/authenticate/ui-features#javascript
I added Caddyfile
and custom.js
for your reference. None of it requires X headers. Pure JS solution. You will have to prune JavaScript a bit, because I was trying to be more explicit for code readability purposes.
I will soon publish a video about this use case www.youtube.com/@AuthCrunch
Hello, thanks for fast reply
Link https://github.com/authcrunch/authcrunch/pkgs/container/authcrunch follow 404 error, tried to use ghcr.io/authcrunch/authcrunch:v1.0.7
got authorization error
At current version added trace to route caddyfile part
# dashboards
dash.example.com {
tls /certs/dash.example.com/fullchain.cer /certs/dash.example.com/dash.example.com.key
route {
authenticate with auth_portal
trace tag="tshoot"
respond "{http.request.host}
time: {time.now.common_log}
id: {http.auth.user.id}
roles: {http.auth.user.roles}"
}
@has_andrey_email_header {
header "Remote-Email" "andrey@example.com"
}
rewrite @has_andrey_email_header andrey.dash.example.com
}
andrey.dash.example.com {
route {
authorize with pass_andrey_keksik
trace tag="tshoot"
respond "{http.request.host}
time: {time.now.common_log}
id: {http.auth.user.id}
roles: {http.auth.user.roles}"
}
reverse_proxy /* localhost:7032
}
Navigate to dash.example.com -> push login button -> push whoami button result
{"level":"info","ts":1710303417.3243668,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1710303417.3301847,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1710303417.33275,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1710303417.333198,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000cfb800"}
{"level":"debug","ts":1710303417.3369842,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"9c199cf2-da99-441c-865a-ea37df615dcb","origin":"tls","data":{"sans":["matrixserver.example.com"]}}
{"level":"debug","ts":1710303417.3371625,"logger":"tls.cache","msg":"added certificate to cache","subjects":["matrixserver.example.com"],"expiration":1717395165,"managed":false,"issuer_key":"","hash":"36368a6c045b0c420ad8a2a469ecebfa8207af66c7e7be7ad0e6e4307428fe85","cache_size":1,"cache_capacity":10000}
{"level":"debug","ts":1710303417.337424,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"3bf1df3f-97ee-4b40-8e01-07059c705f8f","origin":"tls","data":{"sans":["streamwatch.example.com"]}}
{"level":"debug","ts":1710303417.3375294,"logger":"tls.cache","msg":"added certificate to cache","subjects":["streamwatch.example.com"],"expiration":1717400762,"managed":false,"issuer_key":"","hash":"0fadaec95186494e5286fb59c465acb9156da02222c82c56ad8724c9e700fe17","cache_size":2,"cache_capacity":10000}
{"level":"debug","ts":1710303417.337739,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"440a87d8-5a29-4686-a370-675823c12423","origin":"tls","data":{"sans":["linkwarden.example.com"]}}
{"level":"debug","ts":1710303417.3378325,"logger":"tls.cache","msg":"added certificate to cache","subjects":["linkwarden.example.com"],"expiration":1717394893,"managed":false,"issuer_key":"","hash":"de2ecfd361f96d1da21fb8f4cd10905172cafadaa52d0b7c98bf7d6a308812cf","cache_size":3,"cache_capacity":10000}
{"level":"debug","ts":1710303417.338038,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"65bedc44-4c9e-454b-bfe6-d45be5f540b3","origin":"tls","data":{"sans":["collabora.example.com"]}}
{"level":"debug","ts":1710303417.338062,"logger":"tls.cache","msg":"added certificate to cache","subjects":["collabora.example.com"],"expiration":1717398248,"managed":false,"issuer_key":"","hash":"e65fd2ba1f1c3b94794ae34ce5443d53077884c211dbe1f9436000cbfb5456af","cache_size":4,"cache_capacity":10000}
{"level":"debug","ts":1710303417.338199,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"a5fc05f1-ccfb-4e6d-92bb-6e3374a9db4d","origin":"tls","data":{"sans":["streamer.example.com"]}}
{"level":"debug","ts":1710303417.3382108,"logger":"tls.cache","msg":"added certificate to cache","subjects":["streamer.example.com"],"expiration":1717403938,"managed":false,"issuer_key":"","hash":"87733a2900b70904abebe10f0ab77c919b1e42174afe5cba9a63bd3903dfdc84","cache_size":5,"cache_capacity":10000}
{"level":"debug","ts":1710303417.3383439,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"7adea089-2df6-44a0-83bd-9da9bf4fb144","origin":"tls","data":{"sans":["dash.example.com","*.dash.example.com"]}}
{"level":"debug","ts":1710303417.3383563,"logger":"tls.cache","msg":"added certificate to cache","subjects":["dash.example.com","*.dash.example.com"],"expiration":1717468977,"managed":false,"issuer_key":"","hash":"6dfd280453a6e86d5552589f75172f4fcb17b474738a18dc3f9e51945d15747d","cache_size":6,"cache_capacity":10000}
{"level":"debug","ts":1710303417.3384943,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"e3162a4d-25e4-48d9-beb4-2b1faf749532","origin":"tls","data":{"sans":["git.example.com"]}}
{"level":"debug","ts":1710303417.3385057,"logger":"tls.cache","msg":"added certificate to cache","subjects":["git.example.com"],"expiration":1717387896,"managed":false,"issuer_key":"","hash":"81076d5dd4c10e65337113512e24d21218c508f43229dc20d6335b2edaf4cdd5","cache_size":7,"cache_capacity":10000}
{"level":"info","ts":1710303417.3386366,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"collabora.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3386455,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"streamer.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.338653,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"git.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3386614,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"keksik-edit.dash.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3386683,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"matrixserver.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3386838,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"andrey.dash.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3386905,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"linkwarden.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3386977,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"andrey-edit.dash.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.338704,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"streamwatch.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3387113,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"keksik.dash.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3387167,"logger":"http.auto_https","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"dash.example.com","server_name":"srv0"}
{"level":"info","ts":1710303417.3387206,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"debug","ts":1710303417.33878,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["andrey-edit.dash.example.com","keksik-edit.dash.example.com","matrixserver.example.com","streamwatch.example.com","andrey.dash.example.com","keksik.dash.example.com","linkwarden.example.com","collabora.example.com","streamer.example.com","dash.example.com","git.example.com"]},{"subjects":["nextcloud.hs.lan"]},{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authentication","providers":{"authorizer":{"gatekeeper_name":"pass_andrey_keksik","route_matcher":"*"}}}]},{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:7031"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authentication","providers":{"authorizer":{"gatekeeper_name":"pass_andrey_keksik","route_matcher":"*"}}}]},{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:7033"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8088"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"file_server","hide":["/etc/caddy/Caddyfile"],"index_names":["index.html"],"precompressed":{"br":{},"gzip":{},"zstd":{}},"precompressed_order":["zstd","br","gzip"],"root":"/srv/streamwatch"}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authentication","providers":{"authorizer":{"gatekeeper_name":"pass_andrey_keksik","route_matcher":"*"}}},{"handler":"trace","tag":"tshoot"},{"body":"{http.request.host}\n\t\ttime: {time.now.common_log}\n\t\tid: {http.auth.user.id}\n\t\troles: {http.auth.user.roles}","handler":"static_response"}]}]}]},{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:7032"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authentication","providers":{"authorizer":{"gatekeeper_name":"pass_andrey_keksik","route_matcher":"*"}}}]},{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:7034"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8016"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:9980"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8023"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8085"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"group":"group12","handle":[{"handler":"rewrite","uri":"andrey.dash.example.com"}],"match":[{"header":{"Remote-Email":["andrey@example.com"]}}]},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authenticator","portal_name":"auth_portal","route_matcher":"*"}]}]}],"match":[{"path":["*"]}]},{"handle":[{"handler":"trace","tag":"tshoot"},{"body":"{http.request.host}\n\t\ttime: {time.now.common_log}\n\t\tid: {http.auth.user.id}\n\t\troles: {http.auth.user.roles}","handler":"static_response"}]}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8087"}]}],"match":[{"path":["/*"]}]}]}],"terminal":true}],"tls_connection_policies":[{"match":{"sni":["matrixserver.example.com"]},"certificate_selection":{"any_tag":["cert2"]}},{"match":{"sni":["streamwatch.example.com"]},"certificate_selection":{"any_tag":["cert4"]}},{"match":{"sni":["linkwarden.example.com"]},"certificate_selection":{"any_tag":["cert1"]}},{"match":{"sni":["collabora.example.com"]},"certificate_selection":{"any_tag":["cert3"]}},{"match":{"sni":["streamer.example.com"]},"certificate_selection":{"any_tag":["cert5"]}},{"match":{"sni":["dash.example.com"]},"certificate_selection":{"any_tag":["cert6"]}},{"match":{"sni":["git.example.com"]},"certificate_selection":{"any_tag":["cert0"]}},{}],"automatic_https":{}}}}}
{"level":"info","ts":1710303417.3390932,"logger":"security","msg":"provisioning app instance","app":"security"}
{"level":"debug","ts":1710303418.0699155,"logger":"security","msg":"fetchMetadataURL succeeded","identity_provider_name":"generic","metadata":{"acr_values_supported":["goauthentik.io/providers/oauth2/default"],"authorization_endpoint":"https://sso.example.com/application/o/authorize/","claims_parameter_supported":false,"claims_supported":["sub","iss","aud","exp","iat","auth_time","acr","amr","nonce","email","email_verified","name","given_name","preferred_username","nickname","groups"],"code_challenge_methods_supported":["plain","S256"],"device_authorization_endpoint":"https://sso.example.com/application/o/device/","end_session_endpoint":"https://sso.example.com/application/o/dash/end-session/","grant_types_supported":["authorization_code","refresh_token","implicit","client_credentials","password","urn:ietf:params:oauth:grant-type:device_code"],"id_token_signing_alg_values_supported":["RS256"],"introspection_endpoint":"https://sso.example.com/application/o/introspect/","issuer":"https://sso.example.com/application/o/dash/","jwks_uri":"https://sso.example.com/application/o/dash/jwks/","request_parameter_supported":false,"response_modes_supported":["query","fragment","form_post"],"response_types_supported":["code","id_token","id_token token","code token","code id_token","code id_token token"],"revocation_endpoint":"https://sso.example.com/application/o/revoke/","scopes_supported":["offline_access","openid","email","profile"],"subject_types_supported":["public"],"token_endpoint":"https://sso.example.com/application/o/token/","token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic"],"userinfo_endpoint":"https://sso.example.com/application/o/userinfo/"},"userinfo_endpoint":"https://sso.example.com/application/o/userinfo/"}
{"level":"info","ts":1710303418.7669978,"logger":"security","msg":"successfully configured OAuth 2.0 identity provider","provider":"generic","client_id":"GHpQxIyC6BMlXry4Q7KhFpE2HRBXRG50W1FvigGH","server_id":"","domain_name":"","metadata":{"acr_values_supported":["goauthentik.io/providers/oauth2/default"],"authorization_endpoint":"https://sso.example.com/application/o/authorize/","claims_parameter_supported":false,"claims_supported":["sub","iss","aud","exp","iat","auth_time","acr","amr","nonce","email","email_verified","name","given_name","preferred_username","nickname","groups"],"code_challenge_methods_supported":["plain","S256"],"device_authorization_endpoint":"https://sso.example.com/application/o/device/","end_session_endpoint":"https://sso.example.com/application/o/dash/end-session/","grant_types_supported":["authorization_code","refresh_token","implicit","client_credentials","password","urn:ietf:params:oauth:grant-type:device_code"],"id_token_signing_alg_values_supported":["RS256"],"introspection_endpoint":"https://sso.example.com/application/o/introspect/","issuer":"https://sso.example.com/application/o/dash/","jwks_uri":"https://sso.example.com/application/o/dash/jwks/","request_parameter_supported":false,"response_modes_supported":["query","fragment","form_post"],"response_types_supported":["code","id_token","id_token token","code token","code id_token","code id_token token"],"revocation_endpoint":"https://sso.example.com/application/o/revoke/","scopes_supported":["offline_access","openid","email","profile"],"subject_types_supported":["public"],"token_endpoint":"https://sso.example.com/application/o/token/","token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic"],"userinfo_endpoint":"https://sso.example.com/application/o/userinfo/"},"jwks_keys":{"ab222aa0a4b7125003fbe272c07cc120":{"alg":"RS256","e":"AQAB","kid":"ab222aa0a4b7125003fbe272c07cc120","kty":"RSA","n":"mdiuojVVRujhT6UsOMtw4Oc27lNYd7k5bWUQlUVmfwXWQ_M1jZzTzLXF2Ltk3fa3Q6fNBz6krtnV17mMHvEkxb7GrsOoBnM8aMu1b2B3KGbeAh2wY5stwtWPWAnQsEi12BlJP5vpGKvS9VOrZ6Towi70ZiTD0IuvU4kZyw7KwO6M9THm_8KJkEblR1mCvzrBfvVSo4eFBrblnvldVpL5wEn43cvmA13ajt4hYf81c9pDbK2IjMt_F73yRS1J-U0CjT49x_a6vZYHm-UnotAWGakDAKb-X7DCuGQMwKFHqZu6tGadU7lIkyVlggvv7_VExBs-07guT78LKXUt9Mq64RaQLVq1KBJ1EQpa_cBi9E3NVkGGqNfnSiFR4RfLZycxAxGI7mje2a8PD6W2Pan7hlRW4xWrz6hkstnhQfweu5COLoSwMbrCxhSUE9UYy_nURDB5hFulv-4a3b5stkCSaSdy8minsj-518DPv59u2IabRtBfBkDBJ8-R1HjNhhh07pmE4zZ_CrB_PBzSsEbE21iSA2H0OsgqwJ8x9AEUNXU-3bGuS1keznEFFk7-JN9au8TYDNVy-s0jQUCFoWxP5k3krN-ALn4vCVeBieLE8pMcQtt0lfHfEZ0LBgFe3ZnNms3v2nidmCBytZoxwz9kovvwfGQfTjQeyVPeSHaslBc=","use":"sig"}},"required_token_fields":["access_token","id_token"],"delayed_by":0,"retry_attempts":0,"retry_interval":0,"scopes":["openid","email","profile"],"login_icon":{"class_name":"lab la-codepen la-2x","color":"white","background_color":"#324960","text_color":"#37474f"}}
{"level":"debug","ts":1710303418.7671072,"logger":"security","msg":"Configuring caching","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73"}
{"level":"debug","ts":1710303418.7671359,"logger":"security","msg":"Configuring cookie parameters","portal_name":"auth_portal"}
{"level":"debug","ts":1710303418.7671452,"logger":"security","msg":"Configuring authentication ACL","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73","access_list_configs":[{"conditions":["match roles authp/admin authp/user authp/guest superuser superadmin"],"action":"allow stop"}]}
{"level":"debug","ts":1710303418.783529,"logger":"security","msg":"Configured validator ACL","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73","token_validator_options":{"validate_bearer_header":true},"token_grantor_options":{}}
{"level":"debug","ts":1710303418.7835689,"logger":"security","msg":"Configuring identity provider login options","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73","identity_provider_count":1}
{"level":"debug","ts":1710303418.7836108,"logger":"security","msg":"Provisioned login options","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73","options":{"authenticators":[{"background_color":"#324960","class_name":"lab la-codepen la-2x","color":"white","endpoint":"oauth2/dash","realm":"dash","text":"DASH","text_color":"#37474f"}],"authenticators_required":"yes","default_realm":"dash","form_required":"no","hide_contact_support_link":"yes","hide_forgot_username_link":"yes","hide_links":"yes","hide_register_link":"yes","identity_required":"no","realm_dropdown_required":"no"},"identity_store_count":0,"identity_provider_count":1}
{"level":"debug","ts":1710303418.7836578,"logger":"security","msg":"Configuring user interface","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73"}
{"level":"debug","ts":1710303418.7836657,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"register"}
{"level":"debug","ts":1710303418.783948,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"generic"}
{"level":"debug","ts":1710303418.7840557,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"apps_sso"}
{"level":"debug","ts":1710303418.7842166,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"apps_mobile_access"}
{"level":"debug","ts":1710303418.7843316,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"login"}
{"level":"debug","ts":1710303418.7846692,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"portal"}
{"level":"debug","ts":1710303418.7848182,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"whoami"}
{"level":"debug","ts":1710303418.7849538,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"settings"}
{"level":"debug","ts":1710303418.786262,"logger":"security","msg":"Configuring default authentication user interface templates","portal_name":"auth_portal","template_theme":"basic","template_name":"sandbox"}
{"level":"debug","ts":1710303418.7868485,"logger":"security","msg":"Configured user interface","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73","title":"Sign In","logo_url":"/assets/images/logo.svg","logo_description":"Authentication Portal","action_endpoint":"","private_links":[{"link":"/whoami","title":"My Identity","icon_name":"las la-user","icon_enabled":true}],"realms":[],"theme":"basic"}
{"level":"debug","ts":1710303418.7868643,"logger":"security","msg":"Configuring user transforms","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73"}
{"level":"debug","ts":1710303418.788027,"logger":"security","msg":"Configured user transforms","portal_name":"auth_portal","portal_id":"2982f558-f551-406b-ab86-6dc775983a73","transforms":[{"matchers":["exact match groups andrey-keksik"],"actions":["action add role authp/andrey_keksik"]},{"matchers":["exact match email andrey@example.com"],"actions":["action add role authp/dash_admin"]}]}
{"level":"debug","ts":1710303418.7936773,"logger":"security","msg":"Configured gatekeeper","gatekeeper_name":"pass_andrey_keksik","gatekeeper_id":"ca54ef9f-21c8-40e4-9aab-12ce9a0d934b","auth_url_path":"https://dash.example.com","token_sources":"cookie header query","token_validator_options":{},"access_list_rules":[{"conditions":["match roles authp/andrey_keksik"],"action":"allow log debug"}],"forbidden_path":""}
{"level":"debug","ts":1710303418.7983153,"logger":"security","msg":"Configured gatekeeper","gatekeeper_name":"pass_dash_admin","gatekeeper_id":"5a26beb9-23c7-4ca8-b913-0358144e1146","auth_url_path":"https://dash.example.com","token_sources":"cookie header query","token_validator_options":{},"access_list_rules":[{"conditions":["match roles authp/admin"],"action":"allow log debug"}],"forbidden_path":""}
{"level":"info","ts":1710303418.7983365,"logger":"security","msg":"provisioned app instance","app":"security"}
{"level":"debug","ts":1710303418.8001373,"logger":"security","msg":"started app instance","app":"security"}
{"level":"info","ts":1710303418.8002813,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1710303418.8003743,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"debug","ts":1710303418.8005111,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
{"level":"info","ts":1710303418.800524,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1710303418.800572,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"info","ts":1710303418.8005793,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1710303418.800585,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["nextcloud.hs.lan"]}
{"level":"warn","ts":1710303418.8010666,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [nextcloud.hs.lan]: no OCSP server specified in certificate","identifiers":["nextcloud.hs.lan"]}
{"level":"debug","ts":1710303418.8010836,"logger":"tls.cache","msg":"added certificate to cache","subjects":["nextcloud.hs.lan"],"expiration":1710323465,"managed":true,"issuer_key":"local","hash":"6114c26d8a7f0dddb22944a6e79aa0867fdd993483e6280832697c71ef90bfd7","cache_size":8,"cache_capacity":10000}
{"level":"debug","ts":1710303418.8011024,"logger":"events","msg":"event","name":"cached_managed_cert","id":"9241435a-4b07-4f9c-9f0c-f725c3fcf418","origin":"tls","data":{"sans":["nextcloud.hs.lan"]}}
{"level":"info","ts":1710303418.8011463,"logger":"pki.ca.local","msg":"root certificate is already trusted by system","path":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1710303418.8012555,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1710303418.8012936,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1710303418.8014657,"msg":"serving initial configuration"}
{"level":"info","ts":1710303418.8027291,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"debug","ts":1710303425.951998,"logger":"events","msg":"event","name":"tls_get_certificate","id":"63024391-e1cc-4dff-a449-d4c123dab065","origin":"tls","data":{"client_hello":{"CipherSuites":[23130,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"dash.example.com","SupportedCurves":[6682,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[27242,772,771],"Conn":{}}}}
{"level":"debug","ts":1710303425.9521568,"logger":"tls.handshake","msg":"choosing certificate","identifier":"dash.example.com","num_choices":1}
{"level":"debug","ts":1710303425.9521744,"logger":"tls.handshake","msg":"custom certificate selection results","identifier":"dash.example.com","subjects":["dash.example.com","*.dash.example.com"],"managed":false,"issuer_key":"","hash":"6dfd280453a6e86d5552589f75172f4fcb17b474738a18dc3f9e51945d15747d"}
{"level":"debug","ts":1710303425.9521823,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.101.1","remote_port":"59994","subjects":["dash.example.com","*.dash.example.com"],"managed":false,"expiration":1717468977,"hash":"6dfd280453a6e86d5552589f75172f4fcb17b474738a18dc3f9e51945d15747d"}
{"level":"debug","ts":1710303429.386395,"logger":"security","msg":"External login requested","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"dd5cffc0-0869-4737-af75-cda4ffc060c6","base_url":"https://dash.example.com","base_path":"/","auth_method":"oauth2","auth_realm":"dash","request_path":"/oauth2/dash"}
{"level":"debug","ts":1710303429.386442,"logger":"security","msg":"redirecting to OAuth 2.0 endpoint","request_id":"dd5cffc0-0869-4737-af75-cda4ffc060c6","redirect_url":"https://sso.example.com/application/o/authorize/?client_id=GHpQxIyC6BMlXry4Q7KhFpE2HRBXRG50W1FvigGH&nonce=AYRhIJvogfGcroiM8f5ibxRg1X5IDtFb&redirect_uri=https%3A%2F%2Fdash.example.com%2Foauth2%2Fdash%2Fauthorization-code-callback&response_type=code&scope=openid+email+profile&state=9025553f-91f4-41aa-a266-59316884d554"}
{"level":"debug","ts":1710303429.3864496,"logger":"security","msg":"Redirect to authorization server","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"dd5cffc0-0869-4737-af75-cda4ffc060c6","url":"https://sso.example.com/application/o/authorize/?client_id=GHpQxIyC6BMlXry4Q7KhFpE2HRBXRG50W1FvigGH&nonce=AYRhIJvogfGcroiM8f5ibxRg1X5IDtFb&redirect_uri=https%3A%2F%2Fdash.example.com%2Foauth2%2Fdash%2Fauthorization-code-callback&response_type=code&scope=openid+email+profile&state=9025553f-91f4-41aa-a266-59316884d554"}
{"level":"debug","ts":1710303430.175213,"logger":"security","msg":"External login requested","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","base_url":"https://dash.example.com","base_path":"/","auth_method":"oauth2","auth_realm":"dash","request_path":"/oauth2/dash/authorization-code-callback"}
{"level":"debug","ts":1710303430.1752443,"logger":"security","msg":"received OAuth 2.0 response","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","params":{"code":["23ee5898bcac4bc8b291f8386ccf4fb3"],"state":["9025553f-91f4-41aa-a266-59316884d554"]}}
{"level":"debug","ts":1710303430.1752715,"logger":"security","msg":"received OAuth 2.0 code and state from the authorization server","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","state":"9025553f-91f4-41aa-a266-59316884d554","code":"23ee5898bcac4bc8b291f8386ccf4fb3"}
{"level":"debug","ts":1710303431.043035,"logger":"security","msg":"OAuth 2.0 access token response received","body":"eyJhY2Nlc3NfdG9rZW4iOiAiZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNkltRmlNakl5WVdFd1lUUmlOekV5TlRBd00yWmlaVEkzTW1Nd04yTmpNVEl3SWl3aWRIbHdJam9pU2xkVUluMC5leUpwYzNNaU9pSm9kSFJ3Y3pvdkwzTnpieTR3ZW1WaExtTnZiUzloY0hCc2FXTmhkR2x2Ymk5dkwyUmhjMmd2SWl3aWMzVmlJam9pWVRnMU5UQTNZV1UxWXpBMk1HUm1PVFkwWmpBMVpqY3laalUwWmpBd09XUXlZemRoWmpkbU5qQm1NbUkzTXprNVptSmlPRFE1TURFNVl6QmpORFUyWVNJc0ltRjFaQ0k2SWtkSWNGRjRTWGxETmtKTmJGaHllVFJSTjB0b1JuQkZNa2hTUWxoU1J6VXdWekZHZG1sblIwZ2lMQ0psZUhBaU9qRTNNVEF6TURNM016QXNJbWxoZENJNk1UY3hNRE13TXpRek1Dd2lZWFYwYUY5MGFXMWxJam94TnpFd01qazNPREl3TENKaFkzSWlPaUpuYjJGMWRHaGxiblJwYXk1cGJ5OXdjbTkyYVdSbGNuTXZiMkYxZEdneUwyUmxabUYxYkhRaUxDSnViMjVqWlNJNklrRlpVbWhKU25adloyWkhZM0p2YVUwNFpqVnBZbmhTWnpGWU5VbEVkRVppSWl3aVpXMWhhV3dpT2lKaGJtUnlaWGxBTUhwbFlTNWpiMjBpTENKbGJXRnBiRjkyWlhKcFptbGxaQ0k2ZEhKMVpTd2libUZ0WlNJNklseDFNRFF4TUZ4MU1EUXpaRngxTURRek5GeDFNRFEwTUZ4MU1EUXpOVngxTURRek9TSXNJbWRwZG1WdVgyNWhiV1VpT2lKY2RUQTBNVEJjZFRBME0yUmNkVEEwTXpSY2RUQTBOREJjZFRBME16VmNkVEEwTXpraUxDSndjbVZtWlhKeVpXUmZkWE5sY201aGJXVWlPaUpoYm1SeVpYa2lMQ0p1YVdOcmJtRnRaU0k2SW1GdVpISmxlU0lzSW1keWIzVndjeUk2V3lKb2IyMWxMWFJ2Y25KbGJuUWlMQ0p3Y205dFpYUm9aWFZ6TFhWelpYSWlMQ0poYm1SeVpYa3RjM2x1WTNSb2FXNW5JaXdpWVc1a2NtVjVMV3RsYTNOcGF5SmRMQ0poZW5BaU9pSkhTSEJSZUVsNVF6WkNUV3hZY25rMFVUZExhRVp3UlRKSVVrSllVa2MxTUZjeFJuWnBaMGRJSWl3aWRXbGtJam9pTjNKQlJuSmxTbGhRY0ZwSVVtTmlRVkl6VFhWWlZVa3lhekZrTWxGM01XUmxTbmd5VFRJek55SjkuZjNKREpqa2lyV1M0TV9OYjRtSk51cVJnQVFSZl96VTRBTjVmUE5VQzQ3cmxmV25tanpKQ0xfSzhaeUFDaXRnTDR4X3NWR3JSTllMZEl3MzMwWll0VGttYWpRNmJ2Vkh3UnB6UHVCQTVCMGc5ZTlMVXRfal9ZYXpYNVhfN2ZMSE1kUnpodUZwYnVqdVE0SFFIeEpMNHNlN3luc00waDhBYVM4WGNLcFFGNXNNWkFqaHVUdHRzbEFzRnBpSVpZTTJPOXAta2VLOHZEU0tEdWpOT1VnZTVNbmIzdzdodURPVml2cjhSa3kxdmNzRkd4YVUwcnVRX2R5UE9Pb2ZBVDl0NlgzMEtzV1ZOMEJpcENjQWVPQTVsTWhHY1FlRDVzS3BmSVM3TDU5dm10cDBuX0J1RHphSDNqb1hBczJ1VVVLWHNIS09RZS03SlVHREFrN1lxQ1g2dWZzOGRSSUVOODBXWld4eVVwbm9hNF9UUlk5czc5T3AxVG5tQUdqWVdEbXlXN0xyWXRMemN4ZUFlT0dpdjQ2T0V5QnNJVjFSa3JTbWtLaW9ERFlqY2Z2eHB0b0lWVDlGSnlmRHpRcWFRaVRVc3E2RjBlajZ2ZGVTQ0EwYnRaazl1RHlGNkdZSGJCWjVlUElvY0lWYm9XaWh5SWVkRGFvdzNOSDNKZHVQMk95NUlLSDlJZnVlakVkZHIxU1dPRFVNYWJ0cHRnaXptenkzTGpQa2Rqd3RfR2cxQXZKT283NFRWRFNXbkNVNk03TlA4OHdOSjBzdVZKMktBazg3TENZbVRlbVEwUDRRTmlYaHc2LS1ibWhGRmVyYlVKQlYxQUtJMDQyTE5SVTBXdlhVcF9yd0lBdENhbVkyeVBJcWE3aFZ3djFMQU8xWlNBTlk5RERWTFRpOGFjaG8iLCAidG9rZW5fdHlwZSI6ICJCZWFyZXIiLCAiZXhwaXJlc19pbiI6IDMwMCwgImlkX3Rva2VuIjogImV5SmhiR2NpT2lKU1V6STFOaUlzSW10cFpDSTZJbUZpTWpJeVlXRXdZVFJpTnpFeU5UQXdNMlppWlRJM01tTXdOMk5qTVRJd0lpd2lkSGx3SWpvaVNsZFVJbjAuZXlKcGMzTWlPaUpvZEhSd2N6b3ZMM056Ynk0d2VtVmhMbU52YlM5aGNIQnNhV05oZEdsdmJpOXZMMlJoYzJndklpd2ljM1ZpSWpvaVlUZzFOVEEzWVdVMVl6QTJNR1JtT1RZMFpqQTFaamN5WmpVMFpqQXdPV1F5WXpkaFpqZG1OakJtTW1JM016azVabUppT0RRNU1ERTVZekJqTkRVMllTSXNJbUYxWkNJNklrZEljRkY0U1hsRE5rSk5iRmh5ZVRSUk4wdG9SbkJGTWtoU1FsaFNSelV3VnpGR2RtbG5SMGdpTENKbGVIQWlPakUzTVRBek1ETTNNekFzSW1saGRDSTZNVGN4TURNd016UXpNQ3dpWVhWMGFGOTBhVzFsSWpveE56RXdNamszT0RJd0xDSmhZM0lpT2lKbmIyRjFkR2hsYm5ScGF5NXBieTl3Y205MmFXUmxjbk12YjJGMWRHZ3lMMlJsWm1GMWJIUWlMQ0p1YjI1alpTSTZJa0ZaVW1oSlNuWnZaMlpIWTNKdmFVMDRaalZwWW5oU1p6RllOVWxFZEVaaUlpd2laVzFoYVd3aU9pSmhibVJ5WlhsQU1IcGxZUzVqYjIwaUxDSmxiV0ZwYkY5MlpYSnBabWxsWkNJNmRISjFaU3dpYm1GdFpTSTZJbHgxTURReE1GeDFNRFF6WkZ4MU1EUXpORngxTURRME1GeDFNRFF6TlZ4MU1EUXpPU0lzSW1kcGRtVnVYMjVoYldVaU9pSmNkVEEwTVRCY2RUQTBNMlJjZFRBME16UmNkVEEwTkRCY2RUQTBNelZjZFRBME16a2lMQ0p3Y21WbVpYSnlaV1JmZFhObGNtNWhiV1VpT2lKaGJtUnlaWGtpTENKdWFXTnJibUZ0WlNJNkltRnVaSEpsZVNJc0ltZHliM1Z3Y3lJNld5Sm9iMjFsTFhSdmNuSmxiblFpTENKd2NtOXRaWFJvWlhWekxYVnpaWElpTENKaGJtUnlaWGt0YzNsdVkzUm9hVzVuSWl3aVlXNWtjbVY1TFd0bGEzTnBheUpkZlEuWTRHRko2endlMGFQdzl1RnpKQzctdkpkektkcC1PS0pNZFhVd0Y1RnNwSlR1OXI5Z1FGbWFUNmpjZ1BuTU9DdWNjR3V4U3BXMmp5SnF4cW5TR091UWFfdTFzUXVmQS1yYTg1NkExV003bkRoT3hocjUtWmlqdEp3dG1SV1ZldllpX3RHWjFVSHBYN2hwY3Z6WXREdUdFd1dPYWV3MVhjNTZnWFY5SmtzbVZ6bHQ0TnhJU25KalR3OWdwbjluM1VIb1c3TDJWQjB3c3A4Sy0wa0RxbGZWT3psTUc3ZjdHU0xzUzdGTkxwYXRWTFdrNVJ3cXB6Y2lfNy1fOE1CVGM3RmxTbmlXRFppeW9PcUdHUmoxWDdURU5HcnhpQ3VNMEstUEQ1b0loS3d4cGFJZ09DOWJfODNzVWFncHVoZEhnaUNmOVFMYkpZVXIwMmt3UzRZcUNNZFB1bTRzODZPQ2VPcjk5aEtobjJ2akxPNDl1WkpaTWF5R21WcDdic3NoYTlUbDZZaXMwTTdQM0RpbFlwQmNXRFUzcGhwWlFKTHlybUNrNW5xTy1fT2RDRDNoUktIa3dGckNCQjlGS3ptY01nS3A4N1o5UjZpaFVfUVlaTXhoWVN6SjZlOUNRRG5fTjlpUVcwdmhETnFNbFY4Rnh6WEx2TjJZdVZnM01pcUlkaFVidXVvR3pfZ0pnTmNMT042UGw0RUhhNldHTzlHYmRHNWVlQ2NyNzJ4T19aSjFtNi1jRFlTU1pGOGFoWm9fNkEtNkg4TkFfSVBjRENzano2MURyNTZQY1EtSFhsSXlveFpEdHhudHJkZ2x6bmx4WkNxR2J3X1l3akRzTzNmRjVjTWp3WXlfMFhhQ2puLWRIMVkxdFM0Ry1kckN6VXZRbDk3VlR3RUEtWGd3clkifQ==","redirect_uri":"https://dash.example.com/oauth2/dash/authorization-code-callback"}
{"level":"debug","ts":1710303431.0431418,"logger":"security","msg":"OAuth 2.0 access token response decoded","body":{"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMjIyYWEwYTRiNzEyNTAwM2ZiZTI3MmMwN2NjMTIwIiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL3Nzby4wemVhLmNvbS9hcHBsaWNhdGlvbi9vL2Rhc2gvIiwic3ViIjoiYTg1NTA3YWU1YzA2MGRmOTY0ZjA1ZjcyZjU0ZjAwOWQyYzdhZjdmNjBmMmI3Mzk5ZmJiODQ5MDE5YzBjNDU2YSIsImF1ZCI6IkdIcFF4SXlDNkJNbFhyeTRRN0toRnBFMkhSQlhSRzUwVzFGdmlnR0giLCJleHAiOjE3MTAzMDM3MzAsImlhdCI6MTcxMDMwMzQzMCwiYXV0aF90aW1lIjoxNzEwMjk3ODIwLCJhY3IiOiJnb2F1dGhlbnRpay5pby9wcm92aWRlcnMvb2F1dGgyL2RlZmF1bHQiLCJub25jZSI6IkFZUmhJSnZvZ2ZHY3JvaU04ZjVpYnhSZzFYNUlEdEZiIiwiZW1haWwiOiJhbmRyZXlAMHplYS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6Ilx1MDQxMFx1MDQzZFx1MDQzNFx1MDQ0MFx1MDQzNVx1MDQzOSIsImdpdmVuX25hbWUiOiJcdTA0MTBcdTA0M2RcdTA0MzRcdTA0NDBcdTA0MzVcdTA0MzkiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhbmRyZXkiLCJuaWNrbmFtZSI6ImFuZHJleSIsImdyb3VwcyI6WyJob21lLXRvcnJlbnQiLCJwcm9tZXRoZXVzLXVzZXIiLCJhbmRyZXktc3luY3RoaW5nIiwiYW5kcmV5LWtla3NpayJdLCJhenAiOiJHSHBReEl5QzZCTWxYcnk0UTdLaEZwRTJIUkJYUkc1MFcxRnZpZ0dIIiwidWlkIjoiN3JBRnJlSlhQcFpIUmNiQVIzTXVZVUkyazFkMlF3MWRlSngyTTIzNyJ9.f3JDJjkirWS4M_Nb4mJNuqRgAQRf_zU4AN5fPNUC47rlfWnmjzJCL_K8ZyACitgL4x_sVGrRNYLdIw330ZYtTkmajQ6bvVHwRpzPuBA5B0g9e9LUt_j_YazX5X_7fLHMdRzhuFpbujuQ4HQHxJL4se7ynsM0h8AaS8XcKpQF5sMZAjhuTttslAsFpiIZYM2O9p-keK8vDSKDujNOUge5Mnb3w7huDOVivr8Rky1vcsFGxaU0ruQ_dyPOOofAT9t6X30KsWVN0BipCcAeOA5lMhGcQeD5sKpfIS7L59vmtp0n_BuDzaH3joXAs2uUUKXsHKOQe-7JUGDAk7YqCX6ufs8dRIEN80WZWxyUpnoa4_TRY9s79Op1TnmAGjYWDmyW7LrYtLzcxeAeOGiv46OEyBsIV1RkrSmkKioDDYjcfvxptoIVT9FJyfDzQqaQiTUsq6F0ej6vdeSCA0btZk9uDyF6GYHbBZ5ePIocIVboWihyIedDaow3NH3JduP2Oy5IKH9IfuejEddr1SWODUMabtptgizmzy3LjPkdjwt_Gg1AvJOo74TVDSWnCU6M7NP88wNJ0suVJ2KAk87LCYmTemQ0P4QNiXhw6--bmhFFerbUJBV1AKI042LNRU0WvXUp_rwIAtCamY2yPIqa7hVwv1LAO1ZSANY9DDVLTi8acho","expires_in":300,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMjIyYWEwYTRiNzEyNTAwM2ZiZTI3MmMwN2NjMTIwIiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL3Nzby4wemVhLmNvbS9hcHBsaWNhdGlvbi9vL2Rhc2gvIiwic3ViIjoiYTg1NTA3YWU1YzA2MGRmOTY0ZjA1ZjcyZjU0ZjAwOWQyYzdhZjdmNjBmMmI3Mzk5ZmJiODQ5MDE5YzBjNDU2YSIsImF1ZCI6IkdIcFF4SXlDNkJNbFhyeTRRN0toRnBFMkhSQlhSRzUwVzFGdmlnR0giLCJleHAiOjE3MTAzMDM3MzAsImlhdCI6MTcxMDMwMzQzMCwiYXV0aF90aW1lIjoxNzEwMjk3ODIwLCJhY3IiOiJnb2F1dGhlbnRpay5pby9wcm92aWRlcnMvb2F1dGgyL2RlZmF1bHQiLCJub25jZSI6IkFZUmhJSnZvZ2ZHY3JvaU04ZjVpYnhSZzFYNUlEdEZiIiwiZW1haWwiOiJhbmRyZXlAMHplYS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6Ilx1MDQxMFx1MDQzZFx1MDQzNFx1MDQ0MFx1MDQzNVx1MDQzOSIsImdpdmVuX25hbWUiOiJcdTA0MTBcdTA0M2RcdTA0MzRcdTA0NDBcdTA0MzVcdTA0MzkiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhbmRyZXkiLCJuaWNrbmFtZSI6ImFuZHJleSIsImdyb3VwcyI6WyJob21lLXRvcnJlbnQiLCJwcm9tZXRoZXVzLXVzZXIiLCJhbmRyZXktc3luY3RoaW5nIiwiYW5kcmV5LWtla3NpayJdfQ.Y4GFJ6zwe0aPw9uFzJC7-vJdzKdp-OKJMdXUwF5FspJTu9r9gQFmaT6jcgPnMOCuccGuxSpW2jyJqxqnSGOuQa_u1sQufA-ra856A1WM7nDhOxhr5-ZijtJwtmRWVevYi_tGZ1UHpX7hpcvzYtDuGEwWOaew1Xc56gXV9JksmVzlt4NxISnJjTw9gpn9n3UHoW7L2VB0wsp8K-0kDqlfVOzlMG7f7GSLsS7FNLpatVLWk5Rwqpzci_7-_8MBTc7FlSniWDZiyoOqGGRj1X7TENGrxiCuM0K-PD5oIhKwxpaIgOC9b_83sUagpuhdHgiCf9QLbJYUr02kwS4YqCMdPum4s86OCeOr99hKhn2vjLO49uZJZMayGmVp7bssha9Tl6Yis0M7P3DilYpBcWDU3phpZQJLyrmCk5nqO-_OdCD3hRKHkwFrCBB9FKzmcMgKp87Z9R6ihU_QYZMxhYSzJ6e9CQDn_N9iQW0vhDNqMlV8FxzXLvN2YuVg3MiqIdhUbuuoGz_gJgNcLON6Pl4EHa6WGO9GbdG5eeCcr72xO_ZJ1m6-cDYSSZF8ahZo_6A-6H8NA_IPcDCsjz61Dr56PcQ-HXlIyoxZDtxntrdglznlxZCqGbw_YwjDsO3fF5cMjwYy_0XaCjn-dH1Y1tS4G-drCzUvQl97VTwEA-XgwrY","token_type":"Bearer"}}
{"level":"debug","ts":1710303431.0431826,"logger":"security","msg":"received OAuth 2.0 authorization server access token","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","token":{"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMjIyYWEwYTRiNzEyNTAwM2ZiZTI3MmMwN2NjMTIwIiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL3Nzby4wemVhLmNvbS9hcHBsaWNhdGlvbi9vL2Rhc2gvIiwic3ViIjoiYTg1NTA3YWU1YzA2MGRmOTY0ZjA1ZjcyZjU0ZjAwOWQyYzdhZjdmNjBmMmI3Mzk5ZmJiODQ5MDE5YzBjNDU2YSIsImF1ZCI6IkdIcFF4SXlDNkJNbFhyeTRRN0toRnBFMkhSQlhSRzUwVzFGdmlnR0giLCJleHAiOjE3MTAzMDM3MzAsImlhdCI6MTcxMDMwMzQzMCwiYXV0aF90aW1lIjoxNzEwMjk3ODIwLCJhY3IiOiJnb2F1dGhlbnRpay5pby9wcm92aWRlcnMvb2F1dGgyL2RlZmF1bHQiLCJub25jZSI6IkFZUmhJSnZvZ2ZHY3JvaU04ZjVpYnhSZzFYNUlEdEZiIiwiZW1haWwiOiJhbmRyZXlAMHplYS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6Ilx1MDQxMFx1MDQzZFx1MDQzNFx1MDQ0MFx1MDQzNVx1MDQzOSIsImdpdmVuX25hbWUiOiJcdTA0MTBcdTA0M2RcdTA0MzRcdTA0NDBcdTA0MzVcdTA0MzkiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhbmRyZXkiLCJuaWNrbmFtZSI6ImFuZHJleSIsImdyb3VwcyI6WyJob21lLXRvcnJlbnQiLCJwcm9tZXRoZXVzLXVzZXIiLCJhbmRyZXktc3luY3RoaW5nIiwiYW5kcmV5LWtla3NpayJdLCJhenAiOiJHSHBReEl5QzZCTWxYcnk0UTdLaEZwRTJIUkJYUkc1MFcxRnZpZ0dIIiwidWlkIjoiN3JBRnJlSlhQcFpIUmNiQVIzTXVZVUkyazFkMlF3MWRlSngyTTIzNyJ9.f3JDJjkirWS4M_Nb4mJNuqRgAQRf_zU4AN5fPNUC47rlfWnmjzJCL_K8ZyACitgL4x_sVGrRNYLdIw330ZYtTkmajQ6bvVHwRpzPuBA5B0g9e9LUt_j_YazX5X_7fLHMdRzhuFpbujuQ4HQHxJL4se7ynsM0h8AaS8XcKpQF5sMZAjhuTttslAsFpiIZYM2O9p-keK8vDSKDujNOUge5Mnb3w7huDOVivr8Rky1vcsFGxaU0ruQ_dyPOOofAT9t6X30KsWVN0BipCcAeOA5lMhGcQeD5sKpfIS7L59vmtp0n_BuDzaH3joXAs2uUUKXsHKOQe-7JUGDAk7YqCX6ufs8dRIEN80WZWxyUpnoa4_TRY9s79Op1TnmAGjYWDmyW7LrYtLzcxeAeOGiv46OEyBsIV1RkrSmkKioDDYjcfvxptoIVT9FJyfDzQqaQiTUsq6F0ej6vdeSCA0btZk9uDyF6GYHbBZ5ePIocIVboWihyIedDaow3NH3JduP2Oy5IKH9IfuejEddr1SWODUMabtptgizmzy3LjPkdjwt_Gg1AvJOo74TVDSWnCU6M7NP88wNJ0suVJ2KAk87LCYmTemQ0P4QNiXhw6--bmhFFerbUJBV1AKI042LNRU0WvXUp_rwIAtCamY2yPIqa7hVwv1LAO1ZSANY9DDVLTi8acho","expires_in":300,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMjIyYWEwYTRiNzEyNTAwM2ZiZTI3MmMwN2NjMTIwIiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL3Nzby4wemVhLmNvbS9hcHBsaWNhdGlvbi9vL2Rhc2gvIiwic3ViIjoiYTg1NTA3YWU1YzA2MGRmOTY0ZjA1ZjcyZjU0ZjAwOWQyYzdhZjdmNjBmMmI3Mzk5ZmJiODQ5MDE5YzBjNDU2YSIsImF1ZCI6IkdIcFF4SXlDNkJNbFhyeTRRN0toRnBFMkhSQlhSRzUwVzFGdmlnR0giLCJleHAiOjE3MTAzMDM3MzAsImlhdCI6MTcxMDMwMzQzMCwiYXV0aF90aW1lIjoxNzEwMjk3ODIwLCJhY3IiOiJnb2F1dGhlbnRpay5pby9wcm92aWRlcnMvb2F1dGgyL2RlZmF1bHQiLCJub25jZSI6IkFZUmhJSnZvZ2ZHY3JvaU04ZjVpYnhSZzFYNUlEdEZiIiwiZW1haWwiOiJhbmRyZXlAMHplYS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6Ilx1MDQxMFx1MDQzZFx1MDQzNFx1MDQ0MFx1MDQzNVx1MDQzOSIsImdpdmVuX25hbWUiOiJcdTA0MTBcdTA0M2RcdTA0MzRcdTA0NDBcdTA0MzVcdTA0MzkiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhbmRyZXkiLCJuaWNrbmFtZSI6ImFuZHJleSIsImdyb3VwcyI6WyJob21lLXRvcnJlbnQiLCJwcm9tZXRoZXVzLXVzZXIiLCJhbmRyZXktc3luY3RoaW5nIiwiYW5kcmV5LWtla3NpayJdfQ.Y4GFJ6zwe0aPw9uFzJC7-vJdzKdp-OKJMdXUwF5FspJTu9r9gQFmaT6jcgPnMOCuccGuxSpW2jyJqxqnSGOuQa_u1sQufA-ra856A1WM7nDhOxhr5-ZijtJwtmRWVevYi_tGZ1UHpX7hpcvzYtDuGEwWOaew1Xc56gXV9JksmVzlt4NxISnJjTw9gpn9n3UHoW7L2VB0wsp8K-0kDqlfVOzlMG7f7GSLsS7FNLpatVLWk5Rwqpzci_7-_8MBTc7FlSniWDZiyoOqGGRj1X7TENGrxiCuM0K-PD5oIhKwxpaIgOC9b_83sUagpuhdHgiCf9QLbJYUr02kwS4YqCMdPum4s86OCeOr99hKhn2vjLO49uZJZMayGmVp7bssha9Tl6Yis0M7P3DilYpBcWDU3phpZQJLyrmCk5nqO-_OdCD3hRKHkwFrCBB9FKzmcMgKp87Z9R6ihU_QYZMxhYSzJ6e9CQDn_N9iQW0vhDNqMlV8FxzXLvN2YuVg3MiqIdhUbuuoGz_gJgNcLON6Pl4EHa6WGO9GbdG5eeCcr72xO_ZJ1m6-cDYSSZF8ahZo_6A-6H8NA_IPcDCsjz61Dr56PcQ-HXlIyoxZDtxntrdglznlxZCqGbw_YwjDsO3fF5cMjwYy_0XaCjn-dH1Y1tS4G-drCzUvQl97VTwEA-XgwrY","token_type":"Bearer"}}
{"level":"debug","ts":1710303431.045312,"logger":"security","msg":"decoded claims from OAuth 2.0 authorization server access token","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","claims":{"email":"andrey@example.com","exp":1710303730,"given_name":"Андрей","groups":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik"],"iat":1710303430,"iss":"https://sso.example.com/application/o/dash/","name":"Андрей","sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
{"level":"info","ts":1710303431.0453367,"logger":"security","msg":"Successful login","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","auth_method":"oauth2","auth_realm":"dash","user":{"email":"andrey@example.com","exp":1710303730,"given_name":"Андрей","groups":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik"],"iat":1710303430,"iss":"https://sso.example.com/application/o/dash/","name":"Андрей","sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
{"level":"debug","ts":1710303431.0453792,"logger":"security","msg":"user transformation ended","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","user":{"addr":"192.168.101.1","email":"andrey@example.com","exp":1710307031,"given_name":"Андрей","iat":1710303431,"iss":"https://dash.example.com/oauth2/dash/","jti":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","name":"Андрей","nbf":1710303371000,"origin":"dash","realm":"dash","roles":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik","authp/andrey_keksik","authp/dash_admin"],"sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
{"level":"info","ts":1710303431.046944,"logger":"security","msg":"Successful login","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","backend":{"name":"generic","realm":"dash","method":"oauth"},"user":{"addr":"192.168.101.1","email":"andrey@example.com","exp":1710307031,"given_name":"Андрей","iat":1710303431,"iss":"https://dash.example.com/oauth2/dash/","jti":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","name":"Андрей","nbf":1710303371000,"origin":"dash","realm":"dash","roles":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik","authp/andrey_keksik","authp/dash_admin","authp/guest"],"sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
@MrOzean , where is the log when tou try going to a dashboard?
Also, something strange. There are no traces in the log.
remove rewrite directive and the has conditional.
@MrOzean , please reach out on whatsup (12123807343), I will try to explain over the phone.
First I think need to update container. As I say, link https://github.com/authcrunch/authcrunch/pkgs/container/authcrunch follow 404 error, tried to use ghcr.io/authcrunch/authcrunch:v1.0.7 got authorization error
About phone call, not good idea. My English speaking far from perfect + 12 hours time difference + this conversation can help anyone else
JS redirect works perfectly, thanks. Working solution
caddyfile
{
order authenticate before respond
order authorize before basicauth
security {
oauth identity provider generic {
realm dash
driver generic
client_id <CLIENT_ID>
client_secret <SECRET>
scopes openid email profile
base_auth_url https://sso.example.com/
metadata_url https://sso.example.com/application/o/dash/.well-known/openid-configuration
}
authentication portal auth_portal {
crypto default token lifetime 3600
enable identity provider generic
ui {
links {
"My Identity" "/whoami" icon "las la-user"
}
custom js path /js/redirect_to_dashboard_by_email.js
}
cookie domain example.com
transform user {
match groups andrey-keksik
action add role authp/andrey_keksik
}
transform user {
match email andrey@example.com
action add role authp/dash_admin
}
}
authorization policy pass_andrey_keksik {
set auth url https://dash.example.com
allow roles authp/andrey_keksik
}
authorization policy pass_dash_admin {
set auth url https://dash.example.com
allow roles authp/admin
}
}
}
# dashboards
dash.example.com {
tls /certs/dash.example.com/fullchain.cer /certs/dash.example.com/dash.example.com.key
authenticate with auth_portal
}
andrey.dash.example.com {
authorize with pass_andrey_keksik
reverse_proxy /* localhost:7032
}
...
js file
(async () => {
console.log("Injected JS Found");
const whoamiEndpoint = "/whoami";
const portalEndpoint = "/portal";
const dashboardBaseUrl = "https://dash.example.com";
async function fetchUserData(path) {
try {
const response = await fetch(path, {
method: "GET",
headers: {
"Content-Type": "application/json",
Accept: "application/json",
},
});
if (response.ok) {
const data = await response.json();
return data;
} else {
console.log(path, 'fetch returns not success status', response.statusText)
}
} catch (error) {
console.log("encountered error while fetching user data", error);
}
return null;
}
try {
if (typeof window !== "undefined") {
const currentURL = new URL(window.location.href);
if (currentURL.href === dashboardBaseUrl + portalEndpoint) {
console.log(currentURL);
const userData = await fetchUserData(dashboardBaseUrl + whoamiEndpoint);
if (userData && "email" in userData) {
const email = userData['email'];
const userId = email.substring(0, email.indexOf('@'))
console.log(
`Redirecting user ${userId} to ${dashboardBaseUrl}/${userId}`
);
const redirectUrl = 'https://' + userId + '.' + (new URL(dashboardBaseUrl)).hostname;
window.location.href = redirectUrl;
} else {
console.log("No email found in user data", userData);
}
}
}
} catch (error) {
console.log("encountered error", error);
}
})();
About phone call, not good idea. My English speaking far from perfect + 12 hours time difference + this conversation can help anyone else
I can speak Russian.
@MrOzean , glad this is resolved!
Thanks for help!
I recorded a video about this one: https://youtu.be/DAzfxtqxD5s
Hello, I have a bunch of dashboard and want to make auto redirect based on user email
My setup is Authentik 2024.2.2 as "Generic OIDC provider" at "sso.example.com" Caddy in docker from ghcr.io/authp/authp:v1.0.5 Auth portal at "dash.example.com" Users dashboards at "USER_NICKNAME.dash.example.com" baked by reverse_proxy directive
My caddyfile
Login works correctly, but no one headers from JWT was provided
caddy log
/whoami ouput
Chrome devtools also has not show extra headers