question: authorization policy with oauth identity provider
I found the following configuration on the documentation page for Auto-Redirect URL, but it did not work:
{
  security {
    oauth identity provider customer {
      realm customerRealm
      driver generic
      client_id <THE CLIENT ID>
      client_secret <THE CLIENT SECRET>
      base_auth_url <THE BASE AUTHENTICATION URL>
      scopes openid profile
    }
    authorization policy mypolicy {
      set auth url /auth/oauth2/customerRealm
      enable additional scopes
    }
  }
}

myapp.com {
  route /protected* {
    authorize with mypolicy
    respond "myapp is running"
  }
}
I have configured my own OIDC identity provider (keycloak), how should I set the set auth url?
I tried set auth url /auth/oauth2/<myRealm> as in this example, but then caddy-security tried to get tokens from https://myapp.com/auth/oauth2/<myRealm>.
When I try the keycloak authorization endpoint set auth url https://<keycloak_hostname>:<port>/realms/<myRealm>/protocol/openid-connect/auth, caddy-security does not send the configured client ID, client secret, ... from the oauth identity provider configuration.
Can you please help me with this? How should this example work?
Also struggling with this. Trying to remove the authentication plugin as it seems to be sending its own JWT token to authorization instead of passing the token directly from my OIDC provider.
@trefzaxSICKAG , @jmadden91 , here is how it is supposed to work with the authorization plugin only.
The authorization plugin does not care about providers. It cares about decryption keys. Say a request came with a token signed by Google. It needs public keys from Google to decrypt, but you don't have the keys configured in the "authorization" plugin. The plugin does not download the keys. It expects you to download the keys, put them into a folder somewhere, and configure the "crypto key" directive. Then things would work.
If you are thinking that oauth provider configuration does this type of download and storage of keys, it does not. Perhaps it should, but it is not implemented.
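The download-and-convert step the reply above leaves to the operator, as an added example: this is not caddy-security's code and not from anyone in this thread. It assumes Keycloak publishes the realm's signing keys as a JWKS at https://<keycloak_hostname>:<port>/realms/<myRealm>/protocol/openid-connect/certs (standard Keycloak behaviour, but not stated in the thread), converts each RSA key to a PEM file named after its kid, and then verifies an RS256 token against those files the way a key-directory setup would once the authorization policy points at it. The JWKS document and the token are constructed inline from a freshly generated key so the whole thing runs offline; in real use you would fetch the certs document with curl and hand its bytes to writeKeyDir.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
)

var b64 = base64.RawURLEncoding

// jwks is the JSON Web Key Set an OIDC provider publishes. Keycloak serves it at
// .../realms/<realm>/protocol/openid-connect/certs (assumed here, not from the thread).
type jwks struct {
	Keys []struct{ Kid, Kty, N, E string } `json:"keys"`
}

// writeKeyDir parses a downloaded JWKS document and stores every RSA key as
// <kid>.pem (PKIX) in dir, the on-disk form a file-based "crypto key" setup wants.
func writeKeyDir(jwksJSON []byte, dir string) error {
	var set jwks
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return err
	}
	for _, k := range set.Keys {
		if k.Kty != "RSA" {
			continue // EC keys would need a different conversion; skipped here
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		// The kid becomes a file name, so reject anything that could escape dir.
		if k.Kid == "" || strings.ContainsAny(k.Kid, `/\`) || errN != nil || errE != nil || len(e) == 0 || len(e) > 4 {
			return fmt.Errorf("kid %q: unusable key entry", k.Kid)
		}
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		der, err := x509.MarshalPKIXPublicKey(pub)
		if err != nil {
			return err
		}
		out := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
		if err := os.WriteFile(filepath.Join(dir, k.Kid+".pem"), out, 0o644); err != nil {
			return err
		}
	}
	return nil
}

// verifyRS256 checks a compact JWT's signature with the key file named by its kid
// header. Only the signature is checked; exp, iss and aud remain the caller's job.
func verifyRS256(token, keyDir string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("not a compact JWS")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return fmt.Errorf("unreadable header")
	}
	// Pin the algorithm so the token cannot select "none" or an HMAC alg.
	if hdr.Alg != "RS256" || hdr.Kid == "" || strings.ContainsAny(hdr.Kid, `/\`) {
		return fmt.Errorf("rejected header alg=%q kid=%q", hdr.Alg, hdr.Kid)
	}
	pemBytes, err := os.ReadFile(filepath.Join(keyDir, hdr.Kid+".pem"))
	if err != nil {
		return fmt.Errorf("no local key for kid %q: re-download the JWKS", hdr.Kid)
	}
	var pub *rsa.PublicKey
	if block, _ := pem.Decode(pemBytes); block != nil {
		parsed, _ := x509.ParsePKIXPublicKey(block.Bytes)
		pub, _ = parsed.(*rsa.PublicKey)
	}
	if pub == nil {
		return fmt.Errorf("key file is not a PEM RSA public key")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return err
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
}

// RoundTrip exercises the flow offline with constructed data: a generated key plays
// the realm key, its JWKS document is converted into keyDir, and a token it signed
// is verified from there. Returns (genuine accepted, forgery rejected, error).
func RoundTrip(keyDir string) (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	const kid = "realm-key-1" // constructed kid; Keycloak uses an opaque string
	doc := fmt.Sprintf(`{"keys":[{"kid":%q,"kty":"RSA","use":"sig","n":%q,"e":%q}]}`,
		kid, b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes()))
	if err := writeKeyDir([]byte(doc), keyDir); err != nil {
		return false, false, err
	}
	hdr := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT","kid":"` + kid + `"}`))
	claims := b64.EncodeToString([]byte(`{"iss":"https://keycloak.example/realms/customerRealm","sub":"alice"}`))
	sum := sha256.Sum256([]byte(hdr + "." + claims))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		return false, false, err
	}
	token := hdr + "." + claims + "." + b64.EncodeToString(sig)
	// Same signature, swapped claims: must fail even though the kid and key match.
	forged := hdr + "." + b64.EncodeToString([]byte(`{"sub":"admin"}`)) + "." + b64.EncodeToString(sig)
	return verifyRS256(token, keyDir) == nil, verifyRS256(forged, keyDir) != nil, nil
}

func main() {
	dir, err := os.MkdirTemp("", "jwks-keys")
	if err != nil {
		panic(err)
	}
	ok, rejected, err := RoundTrip(dir)
	fmt.Println("genuine accepted:", ok, "| forgery rejected:", rejected, "| err:", err, "| keys in:", dir)
}
```

The exact syntax for pointing an authorization policy at the resulting PEM files is whatever the caddy-security documentation gives for the crypto key directive; nothing here guesses it. Because the plugin never fetches keys itself, the directory goes stale when Keycloak rotates the realm key: a token whose kid has no file yields the "no local key" error above, which is the signal to re-download the certs document.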
Ah ok that makes sense. Thank you.