I have Caddy (a Docker container) handling multiple subdomains and use caddy-security to protect a number of them. E.g. when I want to view test.domain.com, I get redirected to auth.domain.com, I put my credentials there, and finally I get redirected back to test.domain.com with a valid access_token cookie set.
After some time has passed, e.g. 15 minutes or more, I can still view test.domain.com and other subdomains, unless the cookie/token has expired (I use a 24-hour period as both the cookie and the token lifetime). However, if I navigate to auth.domain.com/portal, or just auth.domain.com, my cookie is invalidated, and I get redirected to auth.domain.com/login.
What’s also important, it doesn’t happen every time. And I can’t track what it may be caused by. But when it does happen, it’s quite annoying to type credentials every time it asks, even though I have already logged in a few minutes/hours before.
Configuration
Paste full Caddyfile below:
{
	order authenticate before respond
	order authorize before basicauth
	security {
		local identity store users {
			realm local
			path /data/caddy/users.json
		}
		authorization policy authpolicy {
			allow roles authp/admin authp/user
			crypto key verify [secret_value]
			set auth url https://auth.domain.com/
			validate source address
		}
		authentication portal authportal {
			cookie domain domain.com
			cookie lifetime 86400
			crypto default token lifetime 86400
			crypto key sign-verify [secret_value]
			enable identity store users
			enable source ip tracking
		}
	}
}

domain.com, *.domain.com {
	import [tls_encoding_headers_etc]
	@auth host auth.domain.com
	handle @auth {
		authenticate with authportal
	}
	handle {
		authorize with authpolicy
		import [reverse_proxy_etc]
	}
}
Version Information
Provide output of caddy list-modules --versions | grep -E "(auth|security)" below:
caddy v2.7.6
security v1.1.23
Expected behavior
I don't expect a cookie/token to be invalidated until it expires or unless the user logs out.
Additional context
Can't say exactly how many minutes should pass before caddy-security demonstrates such behaviour. It seems to occur both if I restart Caddy within this time frame or just leave it running.