greenpau / caddy-security

πŸ” Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. πŸ’Ž Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. πŸ’Ž Authorization with JWT/PASETO tokens. πŸ”
https://authcrunch.com/
Apache License 2.0
1.42k stars, 70 forks

Kinde Support #344

Open andrefmarques opened 3 months ago

andrefmarques commented 3 months ago

Hi! I'm testing Kinde, and I've configured authcrunch and Kinde to successfully login.

However I'm facing 2 issues:

The first one is that the roles are only available on the access token. I've confirmed with their team that this is the case. Is there any way to configure the service to read them from the access token instead of the id token?

The second is that custom fields are not appearing on the /whoami page. The id token retrieved from logs:

{
  "at_hash": "redacted",
  "aud": [
    "redacted"
  ],
  "auth_time": 1717690054,
  "azp": "redacted",
  "email": "redacted",
  "exp": 1717693654,
  "family_name": "Doe",
  "given_name": "John",
  "iat": redacted,
  "iss": "https://redacted.kinde.com",
  "jti": "redacted",
  "name": "John Doe",
  "nonce": "redacted",
  "org_codes": [
    "org_11111111111"
  ],
  "organization_properties": {
    "kp_org_city": {},
    "testpropertyorg": {
      "v": "testpropertyorgval"
    }
  },
  "organizations": [
    {
      "id": "org_11111111111",
      "name": "OrgName"
    }
  ],
  "preferred_username": "john",
  "rat": 1717690054,
  "sub": "kp_22222222222222222222222222222221",
  "updated_at": 1717500946,
  "user_properties": {
    "kp_usr_city": {
      "v": "City"
    },
    "test4": {
      "v": "test4val"
    }
  }
}

The output in /whoami:

{
  "addr": "redacted",
  "authenticated": true,
  "email": "john@redacted.com",
  "exp": 1717682813,
  "expires_at_utc": "Thu Jun  6 14:06:53 UTC 2024",
  "family_name": "Doe",
  "given_name": "John",
  "iat": 1717681913,
  "iss": "https://subdomain.redacted.com/oauth2/kinde/",
  "issued_at_utc": "Thu Jun  6 13:51:53 UTC 2024",
  "jti": "iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii",
  "name": "John Doe",
  "nbf": 1717681853,
  "not_before_utc": "Thu Jun  6 13:50:53 UTC 2024",
  "origin": "kinde",
  "realm": "kinde",
  "roles": [
    "authp/guestkinde",
    "authp/guest"
  ],
  "sub": "kp_22222222222222222222222222222221",
  "userinfo": {
    "email": "john@redacted.com",
    "family_name": "Doe",
    "given_name": "John",
    "id": "kp_22222222222222222222222222222221",
    "name": "John Doe",
    "phone": null,
    "picture": null,
    "preferred_username": "john",
    "sub": "kp_22222222222222222222222222222221",
    "updated_at": 1717500946
  }
}

I was expecting to see the fields org_codes, organization_properties, organizations and user_properties since I'm using extract all from userinfo in the Caddyfile:

{
    debug
    order authenticate before respond
    order authorize before basicauth

    security {
        oauth identity provider kinde {
            realm kinde
            driver generic
            client_id {env.GENERIC_CLIENT_ID}
            client_secret {env.GENERIC_CLIENT_SECRET}
            scopes openid email profile address offline phone
            base_auth_url https://subdomain.redacted.com
            metadata_url https://redacted.kinde.com/.well-known/openid-configuration
            extract all from userinfo
        }

        authentication portal partners {
            crypto key sign-verify {env.SHARED_KEY}
            enable identity provider kinde
            cookie domain subdomain.redacted.com
            ui {
                links {
                    [...]
                }
            }

            transform user {
                match realm kinde
                action add role authp/guestkinde
                ui link "kinde" /whoami icon "las la-star"
            }
        }

        authorization policy partners {
            allow roles any
            crypto key verify {env.SHARED_KEY}
            validate bearer header
            inject headers with claims

        }
    }
}

:8080 {

[...]
}

I'm using ghcr.io/authcrunch/authcrunch:v1.0.11. Let me know if I can provide more information. Thank you!

greenpau commented 3 months ago

@andrefmarques , please confirm that the login flow works.

Have you tried “nested” injections? https://docs.authcrunch.com/docs/authorize/headers#nested-data-source

andrefmarques commented 3 months ago

Yes, I can log in and access the links configured. I haven't tried nested injections since the fields are not appearing in whoami's userinfo.

greenpau commented 3 months ago

I haven't tried nested injections since the fields are not appearing in whoami's userinfo

@andrefmarques , please try configuring the following and see whether it propagates.

inject header "X-Org-Prop-A" from "organization_properties|testpropertyorg|v"
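
The pipe-delimited path in the suggested rule addresses a value nested inside the token claims. The following is an added, self-contained Go example (not caddy-security's own code; the resolver and header-building helpers are my own, written to illustrate the path convention linked above) that walks such a path over the claims. It runs the same rule against a trimmed copy of the id token posted in this issue and against the claims actually present on /whoami, showing that the lookup succeeds on the former and reports the header as missing on the latter, which is what "not propagating" looks like in practice. Sample payloads are constructed from the issue text.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// idTokenJSON is a constructed, trimmed copy of the id token payload from the issue.
const idTokenJSON = `{
  "sub": "kp_22222222222222222222222222222221",
  "org_codes": ["org_11111111111"],
  "organization_properties": {
    "kp_org_city": {},
    "testpropertyorg": {"v": "testpropertyorgval"}
  },
  "user_properties": {
    "kp_usr_city": {"v": "City"},
    "test4": {"v": "test4val"}
  }
}`

// whoamiJSON is a constructed, trimmed copy of what the portal reported on /whoami:
// only the userinfo-derived fields are present, the nested Kinde claims are not.
const whoamiJSON = `{
  "sub": "kp_22222222222222222222222222222221",
  "roles": ["authp/guestkinde", "authp/guest"],
  "userinfo": {"email": "john@redacted.com", "preferred_username": "john"}
}`

// ParseClaims decodes a JSON claims document into a generic map.
func ParseClaims(doc string) (map[string]any, error) {
	var m map[string]any
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return nil, err
	}
	return m, nil
}

// ResolveClaimPath walks a pipe-delimited path ("a|b|c") through nested JSON
// objects; arrays are addressed by a numeric segment ("org_codes|0"). It returns
// ok=false when any segment is absent so the caller can skip the header rather
// than inject an empty value.
func ResolveClaimPath(claims map[string]any, path string) (string, bool) {
	var cur any = claims
	for _, seg := range strings.Split(path, "|") {
		switch node := cur.(type) {
		case map[string]any:
			next, found := node[seg]
			if !found {
				return "", false
			}
			cur = next
		case []any:
			idx, err := strconv.Atoi(seg)
			if err != nil || idx < 0 || idx >= len(node) {
				return "", false
			}
			cur = node[idx]
		default:
			return "", false // reached a scalar before the path was exhausted
		}
	}
	switch leaf := cur.(type) {
	case string:
		return leaf, true
	case float64:
		return strconv.FormatFloat(leaf, 'f', -1, 64), true
	case bool:
		return strconv.FormatBool(leaf), true
	default:
		// Objects and arrays are not header-safe as-is; serialize them compactly.
		b, err := json.Marshal(leaf)
		if err != nil {
			return "", false
		}
		return string(b), true
	}
}

// InjectHeaders applies header-name -> claim-path rules and returns the headers
// whose path resolved, plus the sorted names of the rules that could not be satisfied.
func InjectHeaders(claims map[string]any, rules map[string]string) (map[string]string, []string) {
	headers := map[string]string{}
	var missing []string
	for hdr, path := range rules {
		if v, ok := ResolveClaimPath(claims, path); ok {
			headers[hdr] = v
		} else {
			missing = append(missing, hdr)
		}
	}
	sort.Strings(missing)
	return headers, missing
}

func main() {
	rules := map[string]string{
		"X-Org-Prop-A": "organization_properties|testpropertyorg|v",
		"X-Org-Code":   "org_codes|0",
		"X-User-City":  "user_properties|kp_usr_city|v",
	}
	for _, doc := range []struct{ name, body string }{{"id_token", idTokenJSON}, {"whoami", whoamiJSON}} {
		claims, err := ParseClaims(doc.body)
		if err != nil {
			panic(err)
		}
		got, missing := InjectHeaders(claims, rules)
		fmt.Printf("%s: injected=%v missing=%v\n", doc.name, got, missing)
	}
}
```

Running it against the id token resolves all three rules, while against the /whoami claims every rule is reported missing, since the portal-issued token simply does not carry those nested objects; a header injection rule can only expose claims that survived into the token the authorization policy verifies.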

andrefmarques commented 3 months ago

I've tried with

authorization policy partners {
    allow roles any
    crypto key verify {env.SHARED_KEY}
    validate bearer header
    inject headers with claims
    inject header "X-Org-Prop-A" from "organization_properties|testpropertyorg|v"
}

And it's not propagating.

greenpau commented 3 months ago

@andrefmarques , I suggest you somehow bring these props to userinfo field. Otherwise, it will not work out of the box.

andrefmarques commented 3 months ago

Any tips to find out why fields such as org_codes are not appearing in userinfo?