caddy-security
question: Are there any way to configure Caddy security to return JSON response for errors?
I am using Caddy-security with OAuth 2.0 Idp of Keycloak, which is working pretty well. The only issue is that when I make a request to API, it returns 302 responses to redirect to the login page. It's pretty good for browser users but for the API client, better to return a JSON error response of "Forbidden". Is there any way to configure Caddy-security for this?
@alirf81, you can have a custom authorization policy with "disable auth redirect". More on the subject: https://authp.github.io/docs/authorize/auto-redirect-url#http-redirect
Yes, it's working well, just it disables all redirects but I need to disable it for API requests only. Is there any way to disable redirect only if the 'Accept' header is 'application/json'?
@alirf81, create a separate authorization policy and apply it conditionally based on Caddy's (not this plugin's) match directives, see handle in the Caddy docs.
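A Caddyfile sketch of the approach described above, added here as an illustration and not taken from the thread or from the project's docs. It assumes the existing authentication portal and Keycloak identity provider block stay as they are; the hostnames, upstream address, policy names and the JWT_SHARED_KEY environment variable are placeholders. Only "disable auth redirect" comes from the thread; the remaining directives are standard caddy-security and Caddy syntax as assumed here.

```caddyfile
{
	order authenticate before respond
	order authorize before basicauth

	security {
		# The portal and the Keycloak OAuth 2.0 provider from the existing
		# setup are assumed to be defined here and are not repeated.

		# Browser policy: an unauthenticated request is redirected (302)
		# to the portal, which is the behaviour the asker wants to keep
		# for interactive users.
		authorization policy browser_policy {
			set auth url https://auth.example.com/oauth2/keycloak
			crypto key verify {env.JWT_SHARED_KEY}
			allow roles authp/admin authp/user
			validate bearer header
		}

		# API policy: identical token checks, but no redirect to the login
		# page, so a missing or invalid bearer token yields an error status
		# instead of a 302.
		authorization policy api_policy {
			crypto key verify {env.JWT_SHARED_KEY}
			allow roles authp/admin authp/user
			validate bearer header
			disable auth redirect
		}
	}
}

app.example.com {
	# Caddy's own header matcher (not the plugin) decides which policy
	# applies. The wildcards let "application/json" appear anywhere in a
	# multi-valued Accept header; a browser sending "*/*" does not match.
	@api header Accept *application/json*

	handle @api {
		authorize with api_policy
		reverse_proxy localhost:8080
	}

	# Everything else keeps the redirecting policy.
	handle {
		authorize with browser_policy
		reverse_proxy localhost:8080
	}
}
```

Disabling the redirect changes the status code, not the body; shaping the error into a JSON "Forbidden" document is a separate step that Caddy's handle_errors directive can take care of.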
@greenpau I've found another issue.
When I remove the Authorization header in API request, the server returns 500 Internal Server Error.
The caddy log says:
{"level":"error","ts":1662539546.8188977,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=10.23.5.107, src_conn_ip=10.23.5.107, reason: no token found"}
If there is no token found, can we return something like "Access Forbidden"?