greenpau / caddy-security

πŸ” Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. πŸ’Ž Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. πŸ’Ž Authorization with JWT/PASETO tokens. πŸ”
https://authcrunch.com/
Apache License 2.0

OAuth2 TLS handshake timeout #359

Closed casperdcl closed 2 weeks ago

casperdcl commented 3 weeks ago

When trying to authenticate with GitHub at https://sub.mydomain.com/github:

  1. I'm redirected to https://github.com/login/oauth/authorize?client_id=...&redirect_uri=https%3A%2F%2Fauth.sub.mydomain.com%2Foauth2%2Fgithub%2Fauthorization-code-callback&scope=read%3Auser&state=...
  2. then redirected to https://auth.sub.mydomain.com/oauth2/github/authorization-code-callback?code=...&state=... which says Unauthorized
  3. Caddy logs say:
```json
{"level":"warn","ts":1725395929.6400962,"logger":"security",
 "msg":"Authentication failed","session_id":"...","request_id":"...",
 "error":"failed fetching OAuth 2.0 access token: Post \"https://github.com/login/oauth/access_token\": net/http: TLS handshake timeout"}
```

I've also tried Discord OAuth2:

```json
{"level":"warn","ts":1725432687.607709,"logger":"security",
 "msg":"Authentication failed","session_id":"...","request_id":"...",
 "error":"failed fetching OAuth 2.0 claims: Get \"https://discord.com/api/v10/users/@me\": net/http: TLS handshake timeout"}
```

and

```json
{"level":"warn","ts":1725434688.457133,"logger":"security",
 "msg":"Authentication failed","session_id":"...","request_id":"...",
 "error":"failed fetching OAuth 2.0 access token: Post \"https://discord.com/api/oauth2/token\": net/http: TLS handshake timeout"}
```

Configuration

```caddy
{
  order authenticate before respond
  order authorize before basicauth
  security {
    oauth identity provider github {env.GITHUB_CLIENT_ID} {env.GITHUB_CLIENT_SECRET}
    oauth identity provider discord {
      realm discord
      driver discord
      client_id {env.DISCORD_CLIENT_ID}
      client_secret {env.DISCORD_CLIENT_SECRET}
      scopes identify guilds
      user_group_filters {env.DISCORD_GUILD_ID}
    }
    authentication portal myportal {
      crypto default token lifetime 3600
      crypto key sign-verify {env.JWT_SHARED_KEY}
      cookie domain sub.mydomain.com
      enable identity provider github
      enable identity provider discord
      ui {
        links {
          "My Identity" "/whoami" icon "las la-user"
        }
      }
      transform user {
        match realm github
        action add role authp/user
        ui link "File Server" https://sub.mydomain.com/github icon "las la-star"
      }
      transform user {
        match realm discord
        action add role authp/user
        ui link "File Server" https://sub.mydomain.com/discord icon "las la-star"
      }
      transform user {
        match realm github
        match sub github.com/casperdcl
        action add role authp/admin
      }
      transform user {
        match realm discord
        match role discord.com/{env.DISCORD_GUILD_ID}/members
        action add role authp/admin
      }
    }
    authorization policy githubpolicy {
      set auth url https://auth.sub.mydomain.com/oauth2/github
      crypto key verify {env.JWT_SHARED_KEY}
      allow roles authp/admin authp/user
      validate bearer header
      inject headers with claims
    }
    authorization policy discordpolicy {
      set auth url https://auth.sub.mydomain.com/oauth2/discord
      crypto key verify {env.JWT_SHARED_KEY}
      allow roles authp/admin authp/user
      validate bearer header
      inject headers with claims
    }
  }
}

auth.sub.mydomain.com {
  tls casperdcl@mydomain.com
  authenticate with myportal
}

sub.mydomain.com {
  tls casperdcl@mydomain.com
  handle_path /discord* {
    authorize with discordpolicy
    root * /share/mydomain.com
    file_server browse
  }
  handle_path /github* {
    authorize with githubpolicy
    root * /share/mydomain.com
    file_server browse
  }
  encode zstd gzip
  log {
    output stdout
  }
}
```

Version Information

http.authentication.hashes.bcrypt v2.8.4
http.authentication.providers.http_basic v2.8.4
http.handlers.authentication v2.8.4
tls.client_auth.verifier.leaf v2.8.4
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29

Expected behaviour

https://sub.mydomain.com/{github,discord} should:

  1. redirect to https://github.com/login/oauth/authorize?client_id=...&redirect_uri=https%3A%2F%2Fauth.sub.mydomain.com%2Foauth2%2Fgithub%2Fauthorization-code-callback&scope=read%3Auser&state=... or https://discord.com/oauth2/authorize?client_id=...&redirect_uri=https%3A%2F%2Fauth.sub.mydomain.com%2Foauth2%2Fdiscord%2Fauthorization-code-callback&response_type=code&scope=identify+guilds&state=...
  2. redirect back to https://sub.mydomain.com/{github,discord} and list files
casperdcl commented 2 weeks ago

/CC @0x2b3bfa0 found the fix: https://www.civo.com/learn/fixing-networking-for-docker

`ip a | grep` to find the max MTU:

```yaml
networks:
  default:
    driver: bridge
    driver_opts:
      com.docker.network.driver.mtu: 1450
```

Probably worth documenting somewhere.
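The usual mechanism behind a TLS handshake timeout that only hits outbound calls from inside Docker: the small ClientHello gets out, but the server's Certificate flight arrives in full-size segments sized for the bridge's 1500-byte MTU, the overlay uplink (1450 here) silently drops them, and the Go client waits until its handshake timeout. The fix above pins the bridge MTU to the uplink's. The following script is an added example, not part of the caddy-security project or of this issue's comments: it parses `ip a` output to find the uplink MTU, flags Docker bridges (docker0 and br-* networks) whose MTU is larger, and prints the matching compose stanza. The `ip a` text is constructed for the example; on a real host pipe `ip a` into `mtu_mismatch` instead.

```shell
#!/bin/sh
# Added example: detect a Docker bridge MTU larger than the host uplink MTU,
# the condition that turns into "net/http: TLS handshake timeout" for
# containers calling github.com / discord.com. Not project code.

# Constructed sample of `ip a` output: a cloud VM whose uplink eth0 runs at
# 1450 (VXLAN overlay) while docker0 and a compose network were created at
# Docker's default 1500. Interface names and addresses are made up.
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc fq_codel state UP group default qlen 1000
    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
4: br-3f2a1c9e7d01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-3f2a1c9e7d01'

# uplink_mtu: smallest MTU over interfaces that are neither loopback nor
# Docker-created bridges. Reads `ip a` text on stdin, prints one number.
uplink_mtu() {
  awk '/^[0-9]+: / {
         name = $2; sub(/:$/, "", name)
         if (name == "lo" || name == "docker0" || name ~ /^br-/) next
         for (i = 1; i <= NF; i++)
           if ($i == "mtu") { m = $(i + 1) + 0; if (min == "" || m < min) min = m }
       }
       END { if (min != "") print min; else exit 1 }'
}

# bridge_mtus: "name mtu" for every Docker bridge in the `ip a` text on stdin.
bridge_mtus() {
  awk '/^[0-9]+: (docker0|br-)/ {
         name = $2; sub(/:$/, "", name)
         for (i = 1; i <= NF; i++) if ($i == "mtu") print name, $(i + 1)
       }'
}

# mtu_mismatch: prints "bridge bridge_mtu>uplink_mtu" for each Docker bridge
# whose MTU exceeds the uplink MTU. Exit 1 if any were found, 0 if all fit,
# 2 if no uplink interface could be identified.
mtu_mismatch() {
  mm_text=$(cat)
  mm_up=$(printf '%s\n' "$mm_text" | uplink_mtu) || return 2
  printf '%s\n' "$mm_text" | bridge_mtus |
    awk -v up="$mm_up" '$2 + 0 > up + 0 { print $1, $2 ">" up; bad = 1 }
                        END { exit (bad ? 1 : 0) }'
}

# compose_mtu_snippet: the docker-compose network stanza that pins the
# default bridge of a project to the given MTU.
compose_mtu_snippet() {
  printf 'networks:\n  default:\n    driver: bridge\n    driver_opts:\n      com.docker.network.driver.mtu: %s\n' "$1"
}

# Run against the constructed sample (on a real host: ip a | mtu_mismatch).
host_mtu=$(printf '%s\n' "$SAMPLE_IP_A" | uplink_mtu)
echo "uplink MTU: $host_mtu"
if printf '%s\n' "$SAMPLE_IP_A" | mtu_mismatch; then
  echo "Docker bridge MTUs fit the uplink"
else
  echo "Docker bridge MTU exceeds the uplink; pin it in docker-compose.yml:"
  compose_mtu_snippet "$host_mtu"
fi
```

The check deliberately excludes docker0 and br-* from the uplink search so that a mis-sized bridge cannot mask itself as "the" interface; pick the MTU from the interface the traffic actually leaves through, then recreate the compose network, since an existing bridge keeps the MTU it was created with.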