caddy-security
Kinde Support
Hi! I'm testing Kinde, and I've configured authcrunch and Kinde to log in successfully.
However, I'm facing two issues:
The first one is that the roles are only available on the access token. I've confirmed with their team that this is the case. Is there any way to configure the service to read them from the access token instead of the id token?
The second is that custom fields are not appearing on the /whoami page. The id token retrieved from logs:
```json
{
  "at_hash": "redacted",
  "aud": [
    "redacted"
  ],
  "auth_time": 1717690054,
  "azp": "redacted",
  "email": "redacted",
  "exp": 1717693654,
  "family_name": "Doe",
  "given_name": "John",
  "iat": "redacted",
  "iss": "https://redacted.kinde.com",
  "jti": "redacted",
  "name": "John Doe",
  "nonce": "redacted",
  "org_codes": [
    "org_11111111111"
  ],
  "organization_properties": {
    "kp_org_city": {},
    "testpropertyorg": {
      "v": "testpropertyorgval"
    }
  },
  "organizations": [
    {
      "id": "org_11111111111",
      "name": "OrgName"
    }
  ],
  "preferred_username": "john",
  "rat": 1717690054,
  "sub": "kp_22222222222222222222222222222221",
  "updated_at": 1717500946,
  "user_properties": {
    "kp_usr_city": {
      "v": "City"
    },
    "test4": {
      "v": "test4val"
    }
  }
}
```
The output in /whoami:
```json
{
  "addr": "redacted",
  "authenticated": true,
  "email": "[email protected]",
  "exp": 1717682813,
  "expires_at_utc": "Thu Jun 6 14:06:53 UTC 2024",
  "family_name": "Doe",
  "given_name": "John",
  "iat": 1717681913,
  "iss": "https://subdomain.redacted.com/oauth2/kinde/",
  "issued_at_utc": "Thu Jun 6 13:51:53 UTC 2024",
  "jti": "iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii",
  "name": "John Doe",
  "nbf": 1717681853,
  "not_before_utc": "Thu Jun 6 13:50:53 UTC 2024",
  "origin": "kinde",
  "realm": "kinde",
  "roles": [
    "authp/guestkinde",
    "authp/guest"
  ],
  "sub": "kp_22222222222222222222222222222221",
  "userinfo": {
    "email": "[email protected]",
    "family_name": "Doe",
    "given_name": "John",
    "id": "kp_22222222222222222222222222222221",
    "name": "John Doe",
    "phone": null,
    "picture": null,
    "preferred_username": "john",
    "sub": "kp_22222222222222222222222222222221",
    "updated_at": 1717500946
  }
}
```
I was expecting to see the fields `org_codes`, `organization_properties`, `organizations` and `user_properties`, since I'm using `extract all from userinfo` in the Caddyfile:
```
{
  debug
  order authenticate before respond
  order authorize before basicauth
  security {
    oauth identity provider kinde {
      realm kinde
      driver generic
      client_id {env.GENERIC_CLIENT_ID}
      client_secret {env.GENERIC_CLIENT_SECRET}
      scopes openid email profile address offline phone
      base_auth_url https://subdomain.redacted.com
      metadata_url https://redacted.kinde.com/.well-known/openid-configuration
      extract all from userinfo
    }
    authentication portal partners {
      crypto key sign-verify {env.SHARED_KEY}
      enable identity provider kinde
      cookie domain subdomain.redacted.com
      ui {
        links {
          [...]
        }
      }
      transform user {
        match realm kinde
        action add role authp/guestkinde
        ui link "kinde" /whoami icon "las la-star"
      }
    }
    authorization policy partners {
      allow roles any
      crypto key verify {env.SHARED_KEY}
      validate bearer header
      inject headers with claims
    }
  }
}
:8080 {
  [...]
}
```
I'm using ghcr.io/authcrunch/authcrunch:v1.0.11. Let me know if I can provide more information. Thank you!
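As an added diagnostic example (not part of this issue or of the caddy-security project), the script below decodes an ID token payload shaped like the one above, flattens Kinde's `{"v": ...}` property wrappers into plain claim names, and lists which expected claims are present in the token but absent from the `/whoami` view. The sample claims and the unsigned token are constructed; the decoder inspects the payload only and performs no signature verification.

```python
import base64
import json

# Constructed sample ID-token payload mirroring the shape reported in the issue.
# Kinde nests custom properties under a "v" key; kp_org_city is left unset.
SAMPLE_CLAIMS = {
    "sub": "kp_22222222222222222222222222222221",
    "email": "john@example.invalid",
    "org_codes": ["org_11111111111"],
    "organization_properties": {
        "kp_org_city": {},
        "testpropertyorg": {"v": "testpropertyorgval"},
    },
    "organizations": [{"id": "org_11111111111", "name": "OrgName"}],
    "user_properties": {
        "kp_usr_city": {"v": "City"},
        "test4": {"v": "test4val"},
    },
}

EXPECTED = ("org_codes", "organization_properties", "organizations", "user_properties")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload. with an empty signature segment (constructed sample only)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """Decode only the payload segment for inspection; the signature is not checked."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def flatten_kinde_properties(claims: dict) -> dict:
    """Map Kinde's {"v": value} wrappers to flat 'container.name' claims, skipping unset ones."""
    flat = {}
    for container in ("user_properties", "organization_properties"):
        for name, wrapper in claims.get(container, {}).items():
            if isinstance(wrapper, dict) and "v" in wrapper:
                flat[f"{container}.{name}"] = wrapper["v"]
    return flat


def missing_claims(id_claims: dict, whoami: dict, expected: tuple = EXPECTED) -> list:
    """Expected claims carried by the ID token but absent from the /whoami output."""
    return [c for c in expected if c in id_claims and c not in whoami]
```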