greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

Can not create locally hosted minimal instance for debug/test/error reproduction #347

Open MrChadMWood opened 3 weeks ago

MrChadMWood commented 3 weeks ago

Describe the issue

I am having issues creating a basic instance of Caddy that utilizes authentication / authorization via caddy-security locally. With the below configuration, authentication works fine. Authorization fails for an unknown reason, resulting in infinite redirects until the browser stops it.

Configuration

Caddyfile:

{
    order authenticate before respond
    order authorize before basicauth

    security {
        local identity store localdb {
            realm local
            path {$HOME}/.local/caddy/users.json
        }

        authentication portal myportal {
            crypto default token lifetime 3600
            crypto key sign-verify debugtoken54321
            enable identity store localdb
            transform user {
                match origin local
                action add role authp/user
            }
        }

        authorization policy mypolicy {
            set auth url https://auth.localhost/
            allow roles authp/user
            crypto key verify debugtoken54321
            inject header "X-User-Email" from "userinfo|email"
        }
    }
}

auth.localhost {
    route {
        authenticate with myportal
    }
}

caddy.localhost {
    authorize with mypolicy
    respond "Hello World"
}

Version Information

Provide output of caddy list-modules --versions | grep -E "(auth|security)" below:

http.authentication.hashes.bcrypt v2.7.6
http.authentication.hashes.scrypt v2.7.6
http.authentication.providers.http_basic v2.7.6
http.handlers.authentication v2.7.6
tls.client_auth.leaf v2.7.6
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29

Expected behavior

I expected login to work using the default webadmin user's credentials. Authentication does work, but authorization causes infinite redirects. The caddy.localhost response is thus never received.

Additional context

I am using Docker. See my docker.compose.yml:

services:
  caddy:
    build:
      context: .
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./config/:/config
      - ./data/:/data

with Dockerfile:

ARG CADDY_VERSION=2.7.6
FROM caddy:${CADDY_VERSION}-builder AS builder

# Build a caddy binary with the caddy-security plugin compiled in.
# The --with line must be the last line of the RUN instruction: a trailing
# backslash here would continue the instruction into the blank line and the
# following FROM, so it is left off.
RUN xcaddy build \
    --with github.com/greenpau/caddy-security

FROM caddy:${CADDY_VERSION}-alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy
greenpau commented 3 weeks ago

@MrChadMWood , see https://docs.authcrunch.com/docs/authenticate/auth-cookie#intra-domain-cookies

I suspect cookie insecure on is missing.

You might also need cookie domain localhost. You really should not, but people had that issue.

See this issue for config snippets: https://github.com/greenpau/caddy-security/issues/337

If you are still running into issues, feel free to reach out on LinkedIn and we can get on Google Meet to troubleshoot.
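The redirect loop described above comes down to whether the browser will re-send the portal's token cookie to the app host: a cookie issued by auth.localhost without a Domain attribute is host-only and never reaches caddy.localhost, and a Secure cookie is dropped over plain http. As an added example (not code from the issue or from caddy-security), here is a small Python check that applies those cookie scoping rules to a portal's Set-Cookie header; the cookie name "access_token" and the header values are constructed for the example.

```python
"""Check whether an auth-portal Set-Cookie value would reach the protected app.

Models the RFC 6265 domain-match rule and the Secure attribute, which decide
whether the browser re-sends the portal's token cookie to the app host. A
cookie that does not reach the app is what turns a missing `cookie domain`
(or `cookie insecure on` on plain http) into a portal <-> app redirect loop.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name/value plus lowercase attribute keys."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name, "value": value}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flag attrs -> True
    return attrs


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: equal, or host ends with '.' + cookie domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_reaches_app(set_cookie: str, portal_url: str, app_url: str) -> list:
    """Return the reasons the cookie would NOT be sent to app_url (empty = OK)."""
    cookie = parse_set_cookie(set_cookie)
    portal, app = urlsplit(portal_url), urlsplit(app_url)
    problems = []
    # No (or empty) Domain attribute -> host-only cookie, returned only to the
    # portal host that set it.
    domain = cookie.get("domain")
    scope = domain if isinstance(domain, str) else portal.hostname
    if not domain_matches(app.hostname, scope):
        problems.append(f"cookie scoped to {scope!r}, not sent to {app.hostname!r}")
    # Secure cookies are neither stored nor sent over plain http.
    if cookie.get("secure") and app.scheme != "https":
        problems.append("Secure attribute set but app is served over http")
    return problems


# Constructed sample headers in the shape a portal emits (assumed token name).
HOST_ONLY = "access_token=eyJ.example; Path=/; Secure; HttpOnly; SameSite=Lax"
SHARED = "access_token=eyJ.example; Domain=localhost; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for hdr in (HOST_ONLY, SHARED):
        print(cookie_reaches_app(hdr, "https://auth.localhost/", "https://caddy.localhost/") or "ok")
```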