
Cannot create locally hosted minimal instance for debug/test/error reproduction

Open · MrChadMWood opened this issue 1 year ago · 1 comment

Describe the issue

I am having issues creating a basic instance of Caddy that utilizes authentication / authorization via caddy-security locally. With the below configuration, authentication works fine. Authorization fails for an unknown reason, resulting in infinite redirects until the browser stops it.

Configuration

Caddyfile:

{
	order authenticate before respond
	order authorize before basicauth

	security {
		local identity store localdb {
			realm local
			path {$HOME}/.local/caddy/users.json
		}
		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify debugtoken54321
			enable identity store localdb
			transform user {
				match origin local
				action add role authp/user
			}
		}
		authorization policy mypolicy {
			set auth url https://auth.localhost/
			allow roles authp/user
			crypto key verify debugtoken54321
			inject header "X-User-Email" from "userinfo|email"
		}
	}
}

auth.localhost {
	route {
		authenticate with myportal
	}
}

caddy.localhost {
	authorize with mypolicy
	respond "Hello World"
}

Version Information

Provide output of caddy list-modules --versions | grep -E "(auth|security)" below:

http.authentication.hashes.bcrypt v2.7.6
http.authentication.hashes.scrypt v2.7.6
http.authentication.providers.http_basic v2.7.6
http.handlers.authentication v2.7.6
tls.client_auth.leaf v2.7.6
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29

Expected behavior

I expected login to work using the default webadmin user's credentials. Authentication does work, but authorization causes infinite redirects. The caddy.localhost response is thus never received.

Additional context

I am using Docker. See my docker.compose.yml:

services:
  caddy:
    build:
      context: .
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./config/:/config
      - ./data/:/data

with Dockerfile:

ARG CADDY_VERSION=2.7.6
FROM caddy:${CADDY_VERSION}-builder AS builder

# build caddy with the caddy-security plugin
RUN xcaddy build \
    --with github.com/greenpau/caddy-security

FROM caddy:${CADDY_VERSION}-alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

MrChadMWood avatar Jun 18 '24 00:06 MrChadMWood

@MrChadMWood , see https://docs.authcrunch.com/docs/authenticate/auth-cookie#intra-domain-cookies

I suspect cookie insecure on is missing.

You might also need cookie domain localhost. You really should not, but people had that issue.

See this issue for config snippets: https://github.com/greenpau/caddy-security/issues/337

If you are still running into the issue, feel free to reach out on LinkedIn and we can get on Google Meet to troubleshoot.

greenpau avatar Jun 18 '24 01:06 greenpau
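The two suggestions in the reply (cookie domain localhost, cookie insecure on) both come down to whether the browser will send the portal's cookie back to the protected host: if it will not, authorize never sees a token and bounces the browser to the portal again, which is the loop in the issue. The script below is an added example, not code from this thread or from caddy-security. It applies the RFC 6265 domain-match and Secure-flag rules to constructed Set-Cookie values for the two hosts in the Caddyfile above (auth.localhost sets the cookie, caddy.localhost is the protected site). The cookie name access_token and the assumption that cookie domain localhost adds Domain=localhost and cookie insecure on drops the Secure attribute are mine, not taken from the page; Path is assumed to be / throughout.

```python
"""Cookie-scope check for the caddy-security redirect loop (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CookieAttrs:
    name: str
    domain: Optional[str]  # value of the Domain attribute; None means host-only cookie
    secure: bool


def parse_set_cookie(header_value: str) -> CookieAttrs:
    """Extract name, Domain and Secure from a Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and value.strip():
            # Browsers drop one leading dot and compare case-insensitively.
            domain = value.strip().lstrip(".").lower()
        elif key == "secure":
            secure = True
    return CookieAttrs(name, domain, secure)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals cookie_domain or is a subdomain of it."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_sent(cookie: CookieAttrs, set_by_host: str, request_url: str) -> Tuple[bool, str]:
    """Decide whether a browser would attach `cookie` to a request for request_url."""
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    if cookie.domain is None:
        # No Domain attribute: host-only cookie, returned only to the host that set it.
        if host != set_by_host.lower():
            return False, f"host-only cookie from {set_by_host} is not sent to {host}"
    elif not domain_matches(host, cookie.domain):
        return False, f"{host} does not domain-match Domain={cookie.domain}"
    if cookie.secure and url.scheme != "https":
        return False, "Secure cookie is not sent over plain http"
    return True, "cookie would be sent"


# Hosts from the Caddyfile in the issue.
PORTAL_HOST = "auth.localhost"
APP_URL = "https://caddy.localhost/"

# Constructed Set-Cookie values; cookie name and token value are placeholders.
WITHOUT_DOMAIN = "access_token=TOKEN_PLACEHOLDER; Path=/; Secure; HttpOnly"
WITH_DOMAIN = "access_token=TOKEN_PLACEHOLDER; Path=/; Domain=localhost; Secure; HttpOnly"
INSECURE_WITH_DOMAIN = "access_token=TOKEN_PLACEHOLDER; Path=/; Domain=localhost; HttpOnly"


def diagnose(set_cookie_value: str, set_by_host: str = PORTAL_HOST,
             request_url: str = APP_URL) -> str:
    """One-line verdict: will the protected host ever receive the portal's cookie?"""
    sent, reason = cookie_sent(parse_set_cookie(set_cookie_value), set_by_host, request_url)
    if sent:
        return "OK: " + reason
    return "REDIRECT LOOP LIKELY: " + reason + " (authorize redirects to the portal again)"


if __name__ == "__main__":
    print("no cookie domain      ->", diagnose(WITHOUT_DOMAIN))
    print("cookie domain set     ->", diagnose(WITH_DOMAIN))
    print("Secure over http      ->", diagnose(WITH_DOMAIN, request_url="http://caddy.localhost/"))
    print("insecure on, over http->", diagnose(INSECURE_WITH_DOMAIN, request_url="http://caddy.localhost/"))
```

Run it as-is to see the four verdicts; to check a real deployment, paste the Set-Cookie value the portal returns after login into diagnose() together with the URL the browser actually uses for the protected site (scheme included).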