greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

decouple the internal and external URLs #59

Open lbreitk opened 2 years ago

lbreitk commented 2 years ago

Describe the issue

When you start caddy with the module, it connects to the URL of the provider. The issue, at least with oauth, is that the end-user has to connect directly to the oauth provider. But the caddy service also connects to the provider to get the settings, etc. This causes an issue as the external URL is not internally accessible, meaning that to get everything to play nicely, I have to enable NAT reflection, or configure reverse policy zones, etc. so that the external URL resolves to an internal IP address internally for caddy, so it can connect to the oauth server. It would be nice if I could just specify the URL to serve to external clients, and the one to use internally.

Version Information

v2.4.6
http.authentication.providers.authorizer v1.0.16
http.handlers.authenticator v1.0.16
http.handlers.teapot v0.0.2
security v1.0.16

Expected behavior

Out of the box compatibility with internally hosted services, rather than making assumptions that services are all external or hosted in a "cloud" somewhere
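As an added illustration of the split the issue asks for (example code written here, not code from caddy-security or from either commenter), the function below takes OpenID Provider metadata that was fetched through an internal base URL, hands the browser the advertised external authorization endpoint, and rebases only the back-channel endpoints (token, jwks) onto the internal address. The function and type names are hypothetical, the internal base is assumed to be scheme and host only, and the sample metadata is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// SampleMetadata is a constructed discovery document (not from a real provider).
const SampleMetadata = `{"issuer":"https://sso.example.com","authorization_endpoint":"https://sso.example.com/oauth2/authorize","token_endpoint":"https://sso.example.com/oauth2/token","jwks_uri":"https://sso.example.com/oauth2/keys","response_types_supported":["code"]}`
type Endpoints struct {
	BrowserAuthorize, ServerToken, ServerJWKS string
}

// SplitEndpoints takes metadata fetched through internalBase, keeps the browser-facing
// authorization endpoint as advertised and rebases the back-channel endpoints onto
// internalBase. The advertised issuer must equal externalIssuer (tokens' iss is checked against it).
func SplitEndpoints(raw []byte, internalBase, externalIssuer string) (Endpoints, error) {
	var meta map[string]interface{}
	if err := json.Unmarshal(raw, &meta); err != nil {
		return Endpoints{}, err
	}
	field := func(k string) string { s, _ := meta[k].(string); return s }
	if field("issuer") != externalIssuer {
		return Endpoints{}, fmt.Errorf("issuer %q does not match expected %q", field("issuer"), externalIssuer)
	}
	iss, err1 := url.Parse(externalIssuer)
	ib, err2 := url.Parse(internalBase)
	if err1 != nil || err2 != nil {
		return Endpoints{}, fmt.Errorf("bad base URL: %v %v", err1, err2)
	}
	// rebase keeps the advertised path but swaps in the internal scheme and host;
	// an endpoint on a host other than the issuer's is rejected, not rewritten.
	rebase := func(endpoint string) (string, error) {
		u, err := url.Parse(endpoint)
		if err != nil || u.Host != iss.Host {
			return "", fmt.Errorf("%q is not a URL on issuer host %s", endpoint, iss.Host)
		}
		u.Scheme, u.Host = ib.Scheme, ib.Host
		return u.String(), nil
	}
	token, err := rebase(field("token_endpoint"))
	if err != nil {
		return Endpoints{}, err
	}
	jwks, err := rebase(field("jwks_uri"))
	if err != nil {
		return Endpoints{}, err
	}
	return Endpoints{BrowserAuthorize: field("authorization_endpoint"), ServerToken: token, ServerJWKS: jwks}, nil
}
```

The issuer comparison is the part worth keeping even once the URLs are decoupled: the external issuer is what every token's iss claim is validated against, so only the hosts of the back-channel endpoints change, never the issuer itself.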

greenpau commented 2 years ago

This causes an issue as the external URL is not internally accessible

@lbreitk , thank you for the issue! 👍 Please provide a configuration snippet for this. Additionally, please provide a Caddyfile config snippet for that future state (I want to see the logic from the Caddyfile perspective) where internal and external URLs are separate.

greenpau commented 2 years ago

Please provide a configuration snippet for this

@lbreitk , please respond.

lbreitk commented 2 years ago

@greenpau Thanks for the follow-up. I apologize that I haven't responded; I'll try to make time to reply soon. My work priorities get shuffled around a lot.

greenpau commented 2 years ago

My work priorities get shuffled around a lot.

@lbreitk , same here. I was MIA for the last 3-4 weeks.

greenpau commented 2 years ago

@lbreitk , in the coming release, there will be an option to specify trusted public keys inside caddy security config. This way, there will be no need for external comms. Would that help your use case?

greenpau commented 2 years ago

@lbreitk, bump.