question: Redirect to login page
Hi all,
I am looking for a way to configure my Caddyfile for a very specific need of mine. I will start off by saying that I have two user groups in my OAuth Identity Provider (Pocket ID) and two OIDC clients (admin-user and regular-user): a group and an OIDC client for "regular" users, and a group and an OIDC client for "admin" users.
Some of my subdomains get authorised with a policy that allows both regular and admin users and other subdomains with a policy that allows only admin users.
My admin users can log in to "regular" subdomains and then have access to "admin" ones as well. On the other hand, the regular users are denied if they try to log in to an "admin" subdomain, but, and here's my issue, if my regulars first log in to "regular" subdomains and then try to access "admin" ones, then a blank page with a small "Forbidden" text is slapped on the screen.
Isn't there a way so my regular users would be redirected to a login page for the admin subdomain?
Redacted Caddyfile:
{
	acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}

	# Configure caddy-security.
	order authenticate before respond

	security {
		# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #
		# Admin User Provider                   #
		# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #
		oauth identity provider admin-user {
			# Delay start, otherwise it sometimes fails
			delay_start 1
			# Set realm (used by the "match realm" directive)
			realm realm-admin-user
			# Generic driver
			driver generic
			# Client ID and Client Secret from Pocket-ID
			client_id XXX
			client_secret YYY
			base_auth_url https://auth.{$DOMAIN}
			metadata_url https://auth.{$DOMAIN}/.well-known/openid-configuration
			scopes openid email groups
		}

		# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #
		# Regular User Provider                 #
		# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #
		oauth identity provider regular-user {
			# Delay start, otherwise it sometimes fails
			delay_start 1
			# Set realm (used by the "match realm" directive)
			realm realm-regular-user
			# Generic driver
			driver generic
			# Client ID and Client Secret from Pocket-ID
			client_id AAA
			client_secret BBB
			base_auth_url https://auth.{$DOMAIN}
			metadata_url https://auth.{$DOMAIN}/.well-known/openid-configuration
			scopes openid email groups
		}

		# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #
		# My Portal.                            #
		# Auth portal for all users             #
		# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #
		authentication portal myportal {
			# Crypto settings - can also be a JWT token from env
			crypto default token lifetime 3600 # Seconds until you have to re-authenticate
			# Source IP tracking, so force re-auth if it's different
			enable source ip tracking
			# Disallow insecure cookies
			cookie insecure off # Set to "on" if you're not using HTTPS
			# Enable the identity providers we configured before
			enable identity provider admin-user
			enable identity provider regular-user
		}

		# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #
		# Authorization Policy for Admin Users  #
		# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #
		authorization policy admin-user-policy {
			# Set the auth url
			set auth url /oauth2/realm-admin-user
			# We enabled source IP tracking in the portal, so we now enable validation of the source IP address
			validate source address
			# Allow admin users
			allow roles admin
			# Add headers
			inject headers with claims
		}

		# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #
		# Authorization Policy for Regular User #
		# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #
		authorization policy regular-user-policy {
			# Set the auth url
			set auth url /oauth2/realm-regular-user
			# We enabled source IP tracking in the portal, so we now enable validation of the source IP address
			validate source address
			# Allow both admin and regular users
			allow roles admin regular
			# Add headers
			inject headers with claims
		}
	}
}

auth.{$DOMAIN} {
	reverse_proxy pocket-id:5050
}

regular-one.{$DOMAIN} {
	@caddy-security {
		path /oauth2/*
	}
	route @caddy-security {
		authenticate with myportal
	}
	route /* {
		authorize with regular-user-policy
		reverse_proxy service_one:1234
	}
}

regular-two.{$DOMAIN} {
	@caddy-security {
		path /oauth2/*
	}
	route @caddy-security {
		authenticate with myportal
	}
	route /* {
		authorize with regular-user-policy
		reverse_proxy service_two:4567
	}
}

admin-one.{$DOMAIN} {
	@caddy-security {
		path /oauth2/*
	}
	route @caddy-security {
		authenticate with myportal
	}
	route /* {
		authorize with admin-user-policy
		reverse_proxy service_three:8901
	}
}

admin-two.{$DOMAIN} {
	@caddy-security {
		path /oauth2/*
	}
	route @caddy-security {
		authenticate with myportal
	}
	route /* {
		authorize with admin-user-policy
		reverse_proxy service_four:2345
	}
}
@denisgabriel5, the short answer is yes. Search the issues for a pattern where I explain how to inject custom JavaScript. There is an issue with a code sample.
@denisgabriel5, see https://github.com/greenpau/caddy-security/issues/325#issuecomment-1994170624
And watch the video https://github.com/greenpau/caddy-security/issues/325#issuecomment-2022898132
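A server-side alternative to the JavaScript injection the maintainer points to, added here as an example and not taken from the thread or from the caddy-security project: send the 403 from the admin policy to a small static page on the admin host that explains the denial and links to the admin-realm login. The root cause the question describes is that a regular user already holds a valid portal session, so the authorizer has nothing to redirect for; it denies with its built-in Forbidden text instead of starting a new login. This fragment assumes the `set forbidden url` directive of a caddy-security authorization policy (check the directive name against the caddy-security docs for the version you run), Caddy's heredoc `respond` syntax (Caddy 2.6 or later), and reuses the hostnames, policy name, realm path and upstream `service_three:8901` from the Caddyfile above. The providers, portal and the other hosts stay exactly as posted.

```caddyfile
{
	acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}
	order authenticate before respond

	security {
		# ... oauth identity providers and the myportal portal as in the Caddyfile above ...

		authorization policy admin-user-policy {
			set auth url /oauth2/realm-admin-user
			# Assumed directive: where to send a request that carries a valid
			# session but fails the role check, instead of the default
			# blank "Forbidden" response.
			set forbidden url /forbidden
			validate source address
			# The role check itself is unchanged: only admins get through.
			allow roles admin
			inject headers with claims
		}
	}
}

admin-one.{$DOMAIN} {
	@caddy-security {
		path /oauth2/*
	}
	route @caddy-security {
		authenticate with myportal
	}

	# Static denial page for the admin host. It sits OUTSIDE the
	# authorize route on purpose: if it were inside, the same policy
	# would deny the denial page and the browser would loop.
	route /forbidden {
		header Content-Type "text/html; charset=utf-8"
		respond <<HTML
			<!doctype html>
			<html lang="en">
			<head><title>Admin access required</title></head>
			<body>
			<h1>Admin access required</h1>
			<p>Your current session does not carry the admin role.</p>
			<p><a href="/oauth2/realm-admin-user">Sign in with an admin account</a></p>
			</body>
			</html>
			HTML 403
	}

	# Everything else is protected exactly as before.
	route /* {
		authorize with admin-user-policy
		reverse_proxy service_three:8901
	}
}
```

What this changes and what it does not: a regular user who is already logged in on a regular subdomain and opens admin-one now lands on `/forbidden` with a link that starts the admin-user OIDC client flow at `/oauth2/realm-admin-user`; Pocket ID then decides on group membership, so a user outside the admin group is refused by the identity provider rather than by a blank page. No access is widened: the policy still has only `allow roles admin`, and the denial page is static and carries no claims. To check it, log in on a regular host in a browser, then request `https://admin-one.<domain>/` and confirm you are sent to `/forbidden` with status 403 and that `https://admin-one.<domain>/forbidden` renders without any authorize redirect; if the browser loops between the two, the `/forbidden` route was placed after, or inside, the `route /*` block.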