greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

Injected headers not forwarded to underlying application. #346

Open MrChadMWood opened 5 months ago

MrChadMWood commented 5 months ago

Describe the issue

The directive to inject headers does not seem to make the headers appear for the application.

Configuration

{
    order authenticate before respond
    order authorize before basicauth

    security {
        oauth identity provider cognito-idp {
            driver cognito
            realm cognito-idp
            client_id {env.COGNITO_CLIENT_ID}
            client_secret {env.COGNITO_CLIENT_SECRET}
            user_pool_id {env.COGNITO_POOL_ID}
            region us-west-1
            icon "AWS Cognito US" "aws"
        }

        authentication portal cognito-portal {
            crypto default token lifetime 3600
            crypto key sign-verify {env.JWT_SHARED_KEY}
            enable identity provider cognito-idp
            cookie domain mysite.link
            transform user {
                match realm cognito-idp
                action add role authp/user
            }
            transform user {
                match email thisisme@mysite.link
                action add role authp/admin
            }
        }

        authorization policy cognito-auth-user {
            set auth url https://auth.mysite.link
            allow roles authp/admin authp/user
            crypto key verify {env.JWT_SHARED_KEY}
            inject header "X-User-Email" from "userinfo|email"
        }

        authorization policy cognito-auth-admin {
            set auth url https://auth.mysite.link
            allow roles authp/admin
            crypto key verify {env.JWT_SHARED_KEY}
            inject header "X-User-Email" from "userinfo|email"
        }
    }
}

(tls_config) {
    tls {
        dns route53 {
            max_retries 10
        }
    }
}

auth.mysite.link {
    import tls_config
    route {
        authenticate with cognito-portal
    }
}

app.mysite.link {
    import tls_config
    authorize with cognito-auth-admin
    reverse_proxy 10.0.2.209:80
}

Version Information

caddy list-modules --versions | grep -E "(auth|security)" below:

/etc/caddy # caddy list-modules --versions | grep -E "(auth|security)"
http.authentication.hashes.bcrypt v2.7.6
http.authentication.hashes.scrypt v2.7.6
http.authentication.providers.http_basic v2.7.6
http.handlers.authentication v2.7.6
tls.client_auth.leaf v2.7.6
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29

Expected behavior

Perhaps I am misunderstanding, but I expected the header to be propagated down to the application being proxied to.

Authorization policy contains:

inject header "X-User-Email" from "userinfo|email"

app.mysite.link would get this header:

{"X-User-Email": "thisisme@mysite.link"}

Additional context

Possible duplicate of: https://github.com/greenpau/caddy-security/issues/325
I don't know if the solution there will work in my case; it seems to concern redirects. I just want the user email available from a header for the application being proxied to.
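A minimal diagnostic upstream for checking whether the injected header actually reaches the proxied application, as an added example that is not part of this issue or of the caddy-security project. Pointing `reverse_proxy` at it (the `:8080` listen address is an assumption) and requesting app.mysite.link through the portal returns what Caddy forwarded, so the output can be compared with the expected `{"X-User-Email": "thisisme@mysite.link"}`.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
)

// headerName is the header the authorization policy injects via
// `inject header "X-User-Email" from "userinfo|email"`.
const headerName = "X-User-Email"

// forwardedHeaders reports whether the injected header arrived at the upstream.
// A missing header shows up as header_present=false rather than as an empty
// string, so "not forwarded" and "forwarded but empty" are distinguishable.
func forwardedHeaders(r *http.Request) map[string]any {
	values, present := r.Header[http.CanonicalHeaderKey(headerName)]
	out := map[string]any{
		"header_present": present,
	}
	if present && len(values) > 0 {
		out[headerName] = values[0]
	}
	return out
}

// echoHandler writes the result as JSON, mirroring the shape the issue expects.
func echoHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	if err := json.NewEncoder(w).Encode(forwardedHeaders(r)); err != nil {
		log.Printf("encode: %v", err)
	}
}

func main() {
	// Listen address is an assumption; point `reverse_proxy` at it in place of
	// 10.0.2.209:80 while diagnosing.
	log.Fatal(http.ListenAndServe(":8080", http.HandlerFunc(echoHandler)))
}
```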