greenpau / caddy-security

πŸ” Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. πŸ’Ž Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. πŸ’Ž Authorization with JWT/PASETO tokens. πŸ”
https://authcrunch.com/
Apache License 2.0

question: Oauth2 with Ory stack and Caddy-security #75

Closed jpbaril closed 2 years ago

jpbaril commented 2 years ago

Goal in short: I want to have self-hosted Oauth2 authentication service to be used for SSO done by Caddy-security.

Now for the long non-concise explanation: (First, sorry to bother you with my question because I'm just a hobbyist trying to have unnecessary SSO for self-hosted apps on his homelab.)

I have been playing with Caddy-security for the last two months and even though I was able to configure it to use Github authentication, I would rather prefer to have the Oauth2 part also self-hosted, for the fun (I thought, but yet not much for now). Keycloak seems to be the open source reference, but it is overkill and consumes too many resources for a few-users use case. At the opposite, the Ory stack seems lightweight as it's written in Go. https://www.ory.sh/docs/

In addition to not finding a lot of ready-to-use examples online because of its lesser popularity, and because of its modular architecture, integrating the necessary Ory parts for achieving Oauth2 is very confusing, especially when, like me, you are not a dev. And I want to say that I spent my whole week's free time researching that before writing here.

At first I thought that as Caddy-Security provided login and registration, then I only needed the Ory Hydra part and that I would link to it from Caddy-Security as a generic oauth2/OIDC provider. But then I understood that Ory Hydra did not store users. So I thought that I maybe also needed Ory Kratos to store users, even though it also provided user login and registration that Caddy-Security was already providing. But that made some sense since I indeed had to register to Github at some point and I do get redirected to Github login when I choose that option in the Caddy-Security portal.

But then I thought: the apps that I want to protect and use SSO for, if they were to point in their oauth2 config to Ory Hydra, then could it be, and would it make sense, that Hydra would then redirect users to the Caddy-Security portal for login, where users would in the end be in the local backend instead of being in the oauth2 backend?

As you can see I'm really confused, I don't really understand oauth2, and I'm not a native English speaker. ;-)

Yet, my goal remains: to not use Github/Microsoft/whatever external oauth2 provider.

Do you have some idea on what stack piece I would need and how each piece should connect together?

Thanks a lot for your help and Caddy-Security, and sorry for my "newbie" idiot question.

greenpau commented 2 years ago

Yet, my goal remains: to not use Github/Microsoft/whatever external oauth2 provider.

@jpbaril , thank you for the question! 👍

This is what I understood you are looking for this project to do:

Am I correct in reading your ask?

jpbaril commented 2 years ago

To be honest, I'm not exactly sure. For me the uncertainty is how to make apps work with Oauth2 login and have SSO backed by oauth2.

As I tried to explain, at first the idea was just to use a generic oauth2 provider so as to have a "Log in with [generic oauth2 provider]" button in Caddy-Security. The simplest/slimmest self-hosted option for that seemed to be the Ory Hydra oauth2 provider. But to achieve that I now seem to understand that I would also need the Ory Kratos service for user storage. And even then I'm not sure how I would configure each app to use that oauth2 provider. Would that even be the case since the oauth provider would be "behind" Caddy-Security?

That's why I then thought -- but again maybe I mix things up and I don't understand -- that each app that can use Oauth2/OpenID authentication could point directly to the Ory Hydra Oauth2 service, which would redirect to the Caddy-Security service for the login/user storage instead of the Ory Kratos service that a typical Ory stack deployment would use. And I say this because from my understanding Caddy-Security can do everything the whole Ory stack does except for the Oauth2 provider, effectively replacing Ory Kratos, Ory Keto and Ory Oathkeeper.

What you describe in your message seems to be my second idea, which I explained both here and in my original message. Is it really what I want? Honestly I don't have a preference or constraint leaning me towards one or the other. All I really want is the simplest solution to have SSO based on Oauth2 when possible.

Could one or the other be achieved right now with the current state of Caddy-Security (with the help of Ory Hydra Oauth2 service)?

Thank you, and sorry again for the long, vague, not-good-English, capricious-executive-style explanation/request. ;-)

greenpau commented 2 years ago

Unfortunately, I have no resources/time to dive deep into Ory stack integration.