
breakfix: Unable to use env var in `transform user`

Open jackblk opened this issue 2 years ago • 2 comments

Very nice project! Took me a few hours to figure out but it looks great!

Describe the issue

Unable to use an env var in transform user. The admin user receives the role authp/user but not authp/admin. If I use the hardcoded Caddyfile, then it gives me both roles authp/user and authp/admin correctly.

Configuration

I followed this guide: https://authp.github.io/docs/authenticate/oauth/backend-oauth2-0002-google

BTW the redirect URI should be https://localhost:8443/oauth2/google/authorization-code-callback, not https://localhost:8443/auth/oauth2/google/authorization-code-callback.

Paste full Caddyfile below:

{
	http_port 8080
	https_port 8443
	# debug

	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider google {
			realm google
			driver google
			client_id {env.GOOGLE_CLIENT_ID}.apps.googleusercontent.com
			client_secret {env.GOOGLE_CLIENT_SECRET}
			scopes openid email profile
		}

		authentication portal myportal {
			crypto default token lifetime 3600
			enable identity provider google
			cookie domain testsite.com
			ui {
				links {
					"My Identity" "/whoami" icon "las la-user"
				}
			}

			transform user {
				match realm google
				action add role authp/user
				ui link "File Server" https://test.testsite.com/ icon "las la-star"
			}

			transform user {
				match realm google
				match email {env.ADMIN_EMAIL}
				action add role authp/admin
				ui link "Blog" https://blog.testsite.com/ icon "las la-star"
			}
		}

		authorization policy mypolicy {
			set auth url https://auth.testsite.com/oauth2/google
			allow roles authp/admin authp/user
			validate bearer header
			inject headers with claims
		}
	}
}
auth.testsite.com {
	authenticate with myportal
}

test.testsite.com {
	authorize with mypolicy
	root * /testdir
	file_server
}

Version Information

I run this using the Docker image with the latest tag.

Expected behavior

Should be able to load env.ADMIN_EMAIL into the plugin correctly and transform the user to admin role.

Additional context

Here's my docker-compose.yml

version: "3.8"
services:
  caddy:
    image: ghcr.io/authp/authp
    pull_policy: always
    restart: unless-stopped
    container_name: caddy
    ports:
      - 80:8080
      - 443:8443
    env_file:
      - .env
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./data/caddy/data:/data
      - ./data/caddy/config:/config
      - ./testdir:/testdir

.env file:

GOOGLE_CLIENT_ID=client-id
GOOGLE_CLIENT_SECRET=secret
[email protected]

Check env inside docker container:

~/caddy-security$ docker exec -it caddy sh
/srv # echo $ADMIN_EMAIL
[email protected]

jackblk May 01 '23 01:05
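The report above boils down to one question: is the `{env.ADMIN_EMAIL}` placeholder in `match email` expanded before the comparison, or compared as a literal string? The following is an added example, not caddy-security's own code, that models the two `transform user` blocks from the Caddyfile and shows both outcomes side by side, plus a pre-flight check that lists `{env.NAME}` placeholders whose variable is not set (an unset variable in the container produces the same symptom as a placeholder the plugin never expanded). The data structure, the function names (`expand_env`, `assign_roles`, `unresolved_placeholders`), the exact-string match and the rule that an unset variable expands to an empty string are all assumptions of this model; the email address and environment are constructed sample values.

```python
import re

# Regex for Caddy-style environment placeholders such as {env.ADMIN_EMAIL}.
ENV_PLACEHOLDER = re.compile(r"\{env\.([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed model of the two `transform user` blocks in the Caddyfile above
# (hypothetical data structure, not the plugin's own representation).
TRANSFORMS = [
    {"match": {"realm": "google"}, "add_roles": ["authp/user"]},
    {"match": {"realm": "google", "email": "{env.ADMIN_EMAIL}"},
     "add_roles": ["authp/admin"]},
]


def expand_env(value, env):
    """Replace every {env.NAME} in value with env[NAME].

    Assumption: an unset variable expands to an empty string, so the
    match simply never succeeds rather than matching a literal placeholder.
    """
    return ENV_PLACEHOLDER.sub(lambda m: env.get(m.group(1), ""), value)


def assign_roles(user, transforms, env, expand_placeholders):
    """Return the roles a user ends up with after all transforms run.

    Every `match` key must equal the user's attribute (exact string
    comparison, an assumption of this model). With expand_placeholders
    False the placeholder is compared verbatim, which reproduces the
    reported symptom: the email match silently never fires.
    """
    roles = []
    for transform in transforms:
        matched = True
        for key, wanted in transform["match"].items():
            if expand_placeholders:
                wanted = expand_env(wanted, env)
            if user.get(key) != wanted:
                matched = False
                break
        if matched:
            for role in transform["add_roles"]:
                if role not in roles:
                    roles.append(role)
    return roles


def unresolved_placeholders(caddyfile_text, env):
    """Pre-flight check: list {env.NAME} placeholders whose NAME is not set.

    Worth running before blaming the plugin, because an unset variable in
    the container looks identical to a placeholder that was never expanded.
    """
    names = sorted(set(ENV_PLACEHOLDER.findall(caddyfile_text)))
    return [name for name in names if name not in env]


# Constructed sample input: the placeholder-bearing lines of the Caddyfile
# above and an environment shaped like the .env file in the report.
SAMPLE_CADDYFILE = """
client_id {env.GOOGLE_CLIENT_ID}.apps.googleusercontent.com
client_secret {env.GOOGLE_CLIENT_SECRET}
match email {env.ADMIN_EMAIL}
"""
SAMPLE_ENV = {
    "GOOGLE_CLIENT_ID": "client-id",
    "GOOGLE_CLIENT_SECRET": "secret",
    "ADMIN_EMAIL": "admin@example.invalid",
}
ADMIN_USER = {"realm": "google", "email": "admin@example.invalid"}


if __name__ == "__main__":
    print("unset placeholders:", unresolved_placeholders(SAMPLE_CADDYFILE, SAMPLE_ENV))
    print("expanded:  ", assign_roles(ADMIN_USER, TRANSFORMS, SAMPLE_ENV, True))
    print("unexpanded:", assign_roles(ADMIN_USER, TRANSFORMS, SAMPLE_ENV, False))
```

Run it as-is and the "expanded" line shows both roles while the "unexpanded" line shows only authp/user, the exact difference between the hardcoded Caddyfile and the env-var version in the report. To use the pre-flight check against a real container, pass the Caddyfile contents and `os.environ` to `unresolved_placeholders` from inside the container, since the variables visible to `docker exec` are the ones the process sees.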

If there's no way to work with env var, is there any way to load the list of the users dynamically?

jackblk May 05 '23 03:05

If there's no way to work with env var, is there any way to load the list of the users dynamically?

@jackblk, this would be a new feature request.

greenpau May 08 '23 11:05