
question: Using Google provider without portal

Open wimhaanstra opened this issue 11 months ago • 1 comment

A clear and concise description of what you want to accomplish.

I would like to add a Google OAuth login in front of my hosted sites whenever a request is not coming from an internal IP. This is so I can keep authentication between my apps simple. I would like to use the Google OAuth Provider.

I would like to skip the use of the Portal and just immediately get onto the Google sign-in page.

This is my Caddyfile

{
	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider google {
			realm google
			driver google
			client_id <google-client-id>
			client_secret <google-secret>
			scopes openid email profile
		}

		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify <random key>
			enable identity provider google
			cookie domain <my domain>

			transform user {
				match realm google
				action add role authp/user
				action add role authp/admin
			}
		}

		authorization policy mypolicy {
			set auth url https://auth.mydomain.here/auth/oauth2/google
			crypto key <random key>
			allow roles authp/admin authp/user
			validate bearer header
			inject headers with claims
		}
	}
}

auth.mydomain.here {
	authenticate with myportal
}

my.hostname.here {
	authorize with mypolicy
	reverse_proxy http://10.210.1.1:32400
}

I tried looking at the previously asked question about this, but I am not really sure what I should be changing in my config to get this to work. I have a feeling I am missing something, especially the set auth url?

In my Google Auth Platform configuration for this client I have the following authorized redirect URI: https://auth.mydomain.here/auth/oauth2/google/authorization-code-callback, but the Google sign-in page says:

[Image: screenshot of the error shown on the Google sign-in page]

I am sorry, as I am not that well versed in this authentication stuff.

wimhaanstra avatar Feb 09 '25 11:02 wimhaanstra

@wimhaanstra , there are a few options.

  1. use authorize plugin only and get the RSA public keys from Google. You probably don't need anything else. Sync JWKS and create RSA keys
  2. use authorize and authenticate plugins together. Your config above is that option

Based on the error in your screenshot, the issue is that you either don't pass OAuth client id or the ID you pass does not match the configured client. That's your next step in troubleshooting.

> I am sorry, as I am not that well versed in this authentication stuff.

Thank you for asking the question! We are all learners for life. Good question!

greenpau avatar Feb 09 '25 11:02 greenpau
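Option 1 in the answer above (sync Google's JWKS and turn its RSA keys into PEM public keys that the authorize plugin can verify tokens against) as an added example; this is not code from the caddy-security project. The script converts every RSA signing entry of a JWKS document into a SubjectPublicKeyInfo PEM keyed by `kid`, using a constructed JWKS embedded inline instead of fetching https://www.googleapis.com/oauth2/v3/certs, and it assumes you then write each PEM to a file for your authorization policy.

```python
import base64
import json
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode_int(i):
    return base64.urlsafe_b64encode(i.to_bytes((i.bit_length() + 7) // 8, "big")).rstrip(b"=").decode()

def der_len(n):  # DER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(i):  # DER INTEGER; a leading 0x00 keeps a set top bit from reading as negative
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b

def der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body

# AlgorithmIdentifier for rsaEncryption: OID 1.2.840.113549.1.1.1 followed by NULL
RSA_ALG_ID = der_seq(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", b"\x05\x00")

def jwk_to_pem(jwk):
    """Convert an RSA JWK (n, e) into a SubjectPublicKeyInfo PEM block."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    pkcs1 = der_seq(der_int(n), der_int(e))  # RSAPublicKey ::= SEQUENCE { n, e }
    bit_string = b"\x03" + der_len(len(pkcs1) + 1) + b"\x00" + pkcs1  # 0 unused bits
    b64 = base64.b64encode(der_seq(RSA_ALG_ID, bit_string)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def signing_keys_from_jwks(jwks_text):
    """Return {kid: pem} for the RSA signature keys in a JWKS document; other key types are skipped."""
    keys = json.loads(jwks_text)["keys"]
    return {k["kid"]: jwk_to_pem(k) for k in keys
            if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"}

# Constructed JWKS in the shape of the Google certs endpoint; the modulus is a made-up
# 2048-bit number with e = 65537 ("AQAB"), not a real Google key.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "constructed-kid-1",
     "n": b64url_encode_int(2**2047 + 12345), "e": "AQAB"},
    {"kty": "EC", "use": "sig", "crv": "P-256", "kid": "constructed-ec", "x": "AA", "y": "AA"},
]})
```

Google rotates these keys, so re-sync on a schedule and keep the `kid` in the filename so a token's header can be matched to the right key.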