caddy-security
breakfix: RBAC can't access [realm_access-roles]
Describe the issue
RBAC can't access:
- realm_access - roles
- app_metadata - authorization - roles
Expected behavior: According to the documentation, by default the plugin should find role information in the following token fields:
- roles
- role
- group
- groups
- app_metadata - authorization - roles
- realm_access - roles
I believe I am experiencing this issue and have documented my approach to setting app_metadata.authorization.roles in this Auth0 thread.
~~I think the next step for me to confirm the condition is to find a way to access the portal's /whoami page so I can inspect the token received by Caddy Security. Presently, I am always redirected to /login when I visit that page, even when I'm already authenticated.~~
EDIT: I found the tokens in the log
authentication portal authn {
  crypto default token lifetime 3600
  crypto key sign-verify {env.JWT_SHARED_KEY}
  enable identity provider auth0
  cookie domain {$ZROK_DNS_ZONE}
  ui {
    links {
      "Homepage" "https://www.example.com" icon "las la-home"
      "My Account Info" "/whoami" icon "las la-user"
    }
  }
}
authorization policy authz {
  set auth url https://auth.example.com/oauth2/generic
  crypto key verify {env.JWT_SHARED_KEY}
  allow roles user
  validate bearer header
  inject headers with claims
}
Although I cannot access the portal's account info page when the provider is enabled (link to open issue describing the same symptom), only when the local store is enabled, I do see the debug logs that include the id token and access token from the provider.
Strangely, the access token has no claims. Only the header and signature are defined. The OAuth 2.0 server access token from Auth0, which is a JWT, looks like this asdklfjhasdkljh..lkjhasdlkjhasdlkjhsadlkjhasdflkjhasdf (zero bytes in the claimset between header and signature).
Then Caddy Security does something unexpected.
DEBUG: decoded claims from OAuth 2.0 authorization server access token
The claims shown next are from the OIDC id token, not the OAuth access token. Maybe Caddy Security has confused the two?
@qrkourier , see the below source code references. https://github.com/search?q=repo%3Agreenpau%2Fgo-authcrunch%20id_token&type=code
Happy to jump on google meet to troubleshoot. Feel free to reach me on LinkedIn.
I believe I am hitting this now as well with Keycloak 26. My access token from KC after login has the correct structure according to the docs.
KEYCLOAK ACCESS TOKEN SNIPPET
"realm_access": {
  "roles": [
    "authp/user",
    "offline_access",
    "default-roles-caddytest",
    "uma_authorization"
  ]
},
My caddy authorization policy has the proper roles defined for access:
authorization policy mypolicy {
  set auth url https://auth.acme.org:8443/
  allow roles authp/admin authp/user
  crypto key verify {env.JWT_SHARED_KEY}
}
After successfully logging in to the Portal, my Identity seems to only have me as a Guest even though my access token has the proper roles, but when I try to hit the protected resource below, I get 403 Forbidden (401 Unauthorized):
wiki.acme.org {
  import tls_config
  authorize with mypolicy
  respond "assetq is running"
}
My IDENTITY seems to ignore/not pass the KC realm roles and put me in GUEST?
....
  "not_before_utc": "Mon Jun 9 14:41:37 EDT 2025",
  "origin": "CaddyTest",
  "roles": [
    "authp/guest"
  ],
  "sub": "8239eec4-03ac-4976-97d9-f9793b7f1b87"
UPDATE: Reading this doc, it seems we need to create and map "Groups" to our clients? https://docs.authcrunch.com/docs/authenticate/oauth/backend-oauth2-0011-keycloak#realm
Once I did that, my configuration worked. But can it work directly with Realm roles assigned to the user directly, without having to go through a mapper?
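To make the two reports above easier to reproduce, here is an added example (not code from caddy-security or go-authcrunch, and not a participant's code) that inspects a token the way a defender debugging this would: it decodes the claims segment of a compact JWT without verifying the signature, walks the documented role paths listed in the original post (including the nested realm_access.roles and app_metadata.authorization.roles), and reports whether any roles were found. The sample tokens are constructed in the code; the Keycloak one mirrors the realm_access snippet quoted above, the Auth0 one assumes a single role "user" under app_metadata.authorization.roles, and the third reproduces the "header..signature" access token with an empty claimset from the first post. A plain-string roles claim is treated as one role here, which is an assumption of this example, not documented plugin behaviour.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// RoleClaimPaths mirrors the token fields the documentation lists as
// role sources. Nested paths are written as dot-separated keys.
var RoleClaimPaths = []string{
	"roles",
	"role",
	"group",
	"groups",
	"app_metadata.authorization.roles",
	"realm_access.roles",
}

// DecodePayload returns the claims of a compact JWT. It does not verify the
// signature, so it is only suitable for inspecting which token carries roles,
// never for making an authorization decision.
func DecodePayload(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	if parts[1] == "" {
		// The "header..signature" shape seen in the original post.
		return nil, fmt.Errorf("empty claimset between header and signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("claimset is not base64url: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("claimset is not a JSON object: %w", err)
	}
	return claims, nil
}

// lookupPath walks nested JSON objects along a dot-separated key path.
func lookupPath(claims map[string]interface{}, path string) (interface{}, bool) {
	var cur interface{} = claims
	for _, key := range strings.Split(path, ".") {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false
		}
		if cur, ok = m[key]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// ExtractRoles collects distinct role names from every documented path.
// An array of strings contributes each element; a plain string is treated
// as a single role (assumption of this example).
func ExtractRoles(claims map[string]interface{}) []string {
	seen := map[string]bool{}
	var roles []string
	add := func(r string) {
		if r != "" && !seen[r] {
			seen[r] = true
			roles = append(roles, r)
		}
	}
	for _, path := range RoleClaimPaths {
		v, ok := lookupPath(claims, path)
		if !ok {
			continue
		}
		switch t := v.(type) {
		case string:
			add(t)
		case []interface{}:
			for _, e := range t {
				if s, ok := e.(string); ok {
					add(s)
				}
			}
		}
	}
	return roles
}

// RolesFromToken decodes a token and extracts its roles. No roles (or a
// decode error) is the situation that ends in a "guest" identity.
func RolesFromToken(token string) ([]string, error) {
	claims, err := DecodePayload(token)
	if err != nil {
		return nil, err
	}
	return ExtractRoles(claims), nil
}

// constructedToken builds an unsigned-for-demo compact JWT; "c2ln" stands in
// for the signature segment. Constructed sample, not a real token.
func constructedToken(claims map[string]interface{}) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(claims)
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".c2ln"
}

// ConstructedKeycloakToken mirrors the realm_access snippet quoted in the thread.
func ConstructedKeycloakToken() string {
	return constructedToken(map[string]interface{}{
		"sub": "constructed-subject",
		"realm_access": map[string]interface{}{
			"roles": []interface{}{"authp/user", "offline_access", "default-roles-caddytest", "uma_authorization"},
		},
	})
}

// ConstructedAuth0Token assumes a single role under app_metadata.authorization.roles.
func ConstructedAuth0Token() string {
	return constructedToken(map[string]interface{}{
		"sub": "constructed-subject",
		"app_metadata": map[string]interface{}{
			"authorization": map[string]interface{}{"roles": []interface{}{"user"}},
		},
	})
}

// ConstructedEmptyClaimsetToken reproduces the "header..signature" access token.
func ConstructedEmptyClaimsetToken() string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	return header + "..c2ln"
}

func main() {
	for name, tok := range map[string]string{
		"keycloak": ConstructedKeycloakToken(),
		"auth0":    ConstructedAuth0Token(),
		"empty":    ConstructedEmptyClaimsetToken(),
	} {
		roles, err := RolesFromToken(tok)
		if err != nil {
			fmt.Printf("%-8s no usable claims (%v) -> would fall back to guest\n", name, err)
			continue
		}
		fmt.Printf("%-8s roles=%v\n", name, roles)
	}
}
```

Run it against the real id token and access token copied from the debug log: if the access token decodes to no roles while the id token does, that confirms which token the roles live in, which is the distinction the first post raises about the "decoded claims from OAuth 2.0 authorization server access token" log line.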