greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

Integration with OAuth provider LemonLDAP is not working #331

Closed radokristof closed 5 months ago

radokristof commented 5 months ago

Describe the issue

Integration with OAuth provider LemonLDAP is not working. I tried multiple configuration options, and I always get the same error:

ERR ts=1712268954.276949 logger=docker-proxy msg=Error response from server server=localhost status code=400 body={"error":"loading config: loading new config: loading security app module: provision security: server initialization failed: failed configuring identity provider: failed to fetch jwt keys for OAuth 2.0 authorization server: invalid jwks key: jwks unsupported key algorithm RSA-OAEP-256 for encrypt01"}

Configuration

Paste full Caddyfile below:

{
    order authenticate before respond
    order authorize before reverse_proxy
    acme_dns cloudflare REDACTED_KEY
    email me@company.com
    log access {
        format json
        include http.log.access http.handlers.reverse_proxy
        level DEBUG
        output file /var/log/caddy/access.log {
            roll_keep 5
            roll_keep_for 2160h
            roll_size 1gb
        }
    }
    log default {
        exclude http.log.access
        format json
        level INFO
        output file /var/log/caddy/runtime.log {
            roll_keep 3
            roll_keep_for 720h
            roll_size 500mb
        }
    }
    security {
        oauth identity provider generic {
            realm generic
            driver generic
            client_id caddy
            client_secret SECRET
            scopes openid email profile
            base_auth_url https://sso.company.com/
            metadata_url https://sso.company.com/.well-known/openid-configuration
        }
        authentication portal applogin {
            crypto default token lifetime 3600
            cookie domain auth.company.com
            enable identity provider generic
            transform user {
                action add role app/user
                match realm generic
            }
        }
    }
    servers {
        trusted_proxies cloudflare {
            interval 12h
            timeout 15s
        }
    }
}

Expected behavior

The JWKS key should be accepted and the OAuth provider should work correctly.
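The error above is what a JWKS consumer produces when it treats every key in the provider's key set as a signature key: LemonLDAP publishes an encryption key (kid encrypt01, alg RSA-OAEP-256, a JWE key-wrap algorithm) next to its signing keys. As an added example that is not code from caddy-security or LemonLDAP, the following Go snippet parses a JWKS, keeps only keys usable for signature verification, records the skipped kids, and fails only when no usable key remains. The sample document, the kid sign01 and the algorithm allow-list are constructed assumptions; key material is omitted since only the selection logic is shown.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// JWK holds the RFC 7517 fields needed to decide whether a key can verify signatures.
type JWK struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	Use string `json:"use,omitempty"`
	Alg string `json:"alg,omitempty"`
}

// SampleJWKS is a constructed document mimicking a provider that publishes both a signing
// key and an encryption key (kid "encrypt01", as in the report); key material is omitted.
const SampleJWKS = `{"keys":[
  {"kid":"sign01","kty":"RSA","use":"sig","alg":"RS256"},
  {"kid":"encrypt01","kty":"RSA","use":"enc","alg":"RSA-OAEP-256"}]}`
// supportedSigAlgs is the assumed allow-list of JWS algorithms this example verifies with.
var supportedSigAlgs = map[string]bool{"RS256": true, "RS384": true, "RS512": true, "ES256": true, "ES384": true, "ES512": true}

// SelectVerificationKeys returns the keys usable for ID-token signature verification and
// the kids it skipped. Encryption keys and non-JWS algorithms are skipped, not fatal.
func SelectVerificationKeys(doc []byte) (keep []JWK, skipped []string, err error) {
	var set struct{ Keys []JWK `json:"keys"` }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, nil, fmt.Errorf("invalid jwks: %w", err)
	}
	for _, k := range set.Keys {
		switch {
		case k.Use == "enc":
			skipped = append(skipped, k.Kid) // encryption key, irrelevant to verification
		case k.Alg != "" && !supportedSigAlgs[k.Alg]:
			skipped = append(skipped, k.Kid) // e.g. RSA-OAEP-256 is a JWE alg, not a JWS alg
		default:
			keep = append(keep, k)
		}
	}
	if len(keep) == 0 {
		return nil, skipped, fmt.Errorf("jwks contains no usable signature keys (skipped %v)", skipped)
	}
	return keep, skipped, nil
}

func main() {
	keep, skipped, err := SelectVerificationKeys([]byte(SampleJWKS))
	fmt.Println(keep, skipped, err)
}
```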

greenpau commented 5 months ago

@radokristof, it is impossible to troubleshoot this without having access to a live system. If you do set one up for me, please reach out on LinkedIn and I will help you out.

radokristof commented 5 months ago

@greenpau thank you, message sent.

radokristof commented 5 months ago

Version 1.1.29 now supports LemonLDAP. Thank you @greenpau for your help!