Open bakabaka0613 opened 2 months ago
I believe I am experiencing this issue and have documented my approach to setting app_metadata.authorization.roles
in this Auth0 thread.
I think the next step for me to confirm the condition is to find a way to access the portal's /whoami
page so I can inspect the token received by Caddy Security. Presently, I am always redirected to /login
when I visit that page, even when I'm already authenticated.
EDIT: I found the tokens in the log
    authentication portal authn {
        crypto default token lifetime 3600
        crypto key sign-verify {env.JWT_SHARED_KEY}
        enable identity provider auth0
        cookie domain {$ZROK_DNS_ZONE}
        ui {
            links {
                "Homepage" "https://www.example.com" icon "las la-home"
                "My Account Info" "/whoami" icon "las la-user"
            }
        }
    }

    authorization policy authz {
        set auth url https://auth.example.com/oauth2/generic
        crypto key verify {env.JWT_SHARED_KEY}
        allow roles user
        validate bearer header
        inject headers with claims
    }
Although I cannot access the portal's account info page when the provider is enabled (link to open issue describing the same symptom), only when local store is enabled, I do see the debug logs that include the id token and access token from the provider.
Strangely, the access token has no claims. Only the header and signature are defined. The OAuth 2.0 server access token from Auth0, which is a JWT, looks like this: asdklfjhasdkljh..lkjhasdlkjhasdlkjhsadlkjhasdflkjhasdf
(zero bytes in the claimset between header and signature).
Then Caddy Security does something unexpected:
    DEBUG: decoded claims from OAuth 2.0 authorization server access token
The claims shown next are from the OIDC id token, not the OAuth access token. Maybe Caddy Security has confused the two?
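The two symptoms in this report (an access token whose middle segment is empty, and role data that lives only in the id token) can be checked directly against the tokens copied out of the debug log. The script below is an added example for that purpose; it is not code from caddy-security or go-authcrunch. It decodes both JWT segments without verifying the signature (diagnostic use only), labels an empty claimset, applies a heuristic to tell an OIDC id token from an OAuth access token, and looks for roles at dotted claim paths. The path app_metadata.authorization.roles is the one the poster configured in Auth0; the other paths, the sample header values and the sample tokens are constructed for illustration.

```python
import base64
import json
from typing import Optional

# Dotted claim paths searched for roles. "app_metadata.authorization.roles"
# is the path set up in Auth0 in this issue; "roles" and "groups" are assumed
# for illustration, not taken from the project's documentation.
ROLE_PATHS = ("roles", "groups", "app_metadata.authorization.roles")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(header: dict, claims: Optional[dict]) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed sample only)."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = "" if claims is None else _b64url_encode(
        json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}.c2lnbmF0dXJl"  # base64url("signature"); not a real MAC


def decode_jwt(token: str):
    """Split and decode header and claimset WITHOUT verifying the signature.

    Diagnostic only; never use these claims for an authorization decision.
    An empty middle segment, as in the issue's access token, decodes to None.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1])) if parts[1] else None
    return header, claims


def classify(claims: Optional[dict]) -> str:
    """Heuristic label: which token do these claims look like?"""
    if claims is None:
        return "empty claimset"
    # nonce / at_hash are defined for OIDC id tokens; scope / azp are typical
    # of OAuth 2.0 access tokens.
    if "nonce" in claims or "at_hash" in claims:
        return "id_token"
    if "scope" in claims or "azp" in claims:
        return "access_token"
    return "unknown"


def find_roles(claims: Optional[dict], paths=ROLE_PATHS) -> list:
    """Return the roles found at the first matching dotted path, as a list."""
    if claims is None:
        return []
    for path in paths:
        node = claims
        for key in path.split("."):
            if not isinstance(node, dict) or key not in node:
                node = None
                break
            node = node[key]
        if isinstance(node, str):
            return [node]
        if isinstance(node, list) and all(isinstance(r, str) for r in node):
            return list(node)
    return []


def diagnose(token: str) -> dict:
    header, claims = decode_jwt(token)
    return {"alg": header.get("alg"), "kind": classify(claims),
            "roles": find_roles(claims)}


# Constructed sample tokens modelled on what the issue describes; the header
# values, issuer, subject and audience are placeholders.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
SAMPLE_ID_TOKEN = make_unsigned_jwt(SAMPLE_HEADER, {
    "iss": "https://example.auth0.com/",
    "sub": "auth0|123",
    "aud": "client-id",
    "nonce": "abc",
    "email": "user@example.com",
    "app_metadata": {"authorization": {"roles": ["user"]}},
})
SAMPLE_ACCESS_TOKEN = make_unsigned_jwt(SAMPLE_HEADER, None)  # header..signature

if __name__ == "__main__":
    for name, tok in (("id_token", SAMPLE_ID_TOKEN),
                      ("access_token", SAMPLE_ACCESS_TOKEN)):
        print(name, diagnose(tok))
```

Run it with the real id token and access token pasted in place of the samples. If the access token reports "empty claimset" while the id token carries the roles, the roles the authorization policy needs are only ever present in the id token, which matches what the log excerpt above shows.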
@qrkourier, see the source code references below. https://github.com/search?q=repo%3Agreenpau%2Fgo-authcrunch%20id_token&type=code
Happy to jump on google meet to troubleshoot. Feel free to reach me on LinkedIn.
Describe the issue
RBAC can't access:
Expected behavior
According to the documentation, by default the plugin should find role information in the following token fields: