question: Token not found when I try to access /users, /whoami, and policy settings within the portal
This has been a great plug-in for Caddy and so far provides the best solution for my use case. I've been having success implementing local authentication with MFA. I can pull up my web apps upon successful authentication, and they work as intended. I was also able to redirect the URL to the authentication page when apps were accessed directly.
However, when I try to implement /whoami, /users, and policy settings within the portal, I get "token not found". I also plan to implement local auth with registration. The apps are deployed on-premises. Not sure if HTTPS is causing some issues? I appreciate everyone's help in this forum.
{"level":"debug","ts":1749584560.729913,"logger":"security","msg":"token validation error","session_id":"","request_id":"59a4c51b-ff06-46e2-adb4-aed735580e08","error":"no token found"}
{"level":"debug","ts":1749584560.729913,"logger":"security","msg":"redirecting unauthorized user","session_id":"","request_id":"59a4c51b-ff06-46e2-adb4-aed735580e08","method":"location"}
{"level":"error","ts":1749584560.729913,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=10.0.0.1, src_conn_ip=10.0.0.1, reason: no token found"}
Caddyfile:
{
  auto_https disable_redirects
  log {
    output file C:\local\caddy\caddy.log
  }
  http_port 8080
  https_port 8443
  order authenticate before respond
  order authorize before basicauth
  security {
    local identity store localdb {
      realm local
      path /local/users.json
    }
    authentication portal myportal {
      crypto default token lifetime 3600
      enable identity store localdb
      cookie domain 10.0.0.1
      transform user {
        match realm local
        require mfa
      }
      ui {
        links {
          "App1 Website" https://10.0.0.1:4202/ icon "las la-star"
          "App2 Website" https://10.0.0.1:4200/ icon "las la-star"
          "Users" https://10.0.0.1:4203/users icon "las la-star"
          "My Identity" "https://10.0.0.1:4203/whoami" icon "las la-user"
        }
      }
      transform user {
        match origin local
        action add role authp/user
        ui link "Portal Settings" /settings icon "las la-cog"
      }
    }
    authorization policy redirect_policy {
      set auth url https://10.0.0.1:4203/auth
      allow roles authp/admin authp/user
      acl rule {
        comment allow users
        match role authp/user
        allow stop log info
      }
      acl rule {
        comment default deny
        match any
        deny log warn
      }
    }
    authorization policy users_policy {
      set auth url https://10.0.0.1:4203/auth
      allow roles authp/admin authp/user
      acl rule {
        comment allow users
        match role authp/user
        allow stop log info
      }
      acl rule {
        comment default deny
        match any
        deny log warn
      }
    }
  }
}
(tls_config) {
  tls C:\certs\dev.crt C:\certs\dev.key
}
https://10.0.0.1:4203 {
  import tls_config
  route /auth* {
    authenticate with myportal
  }
  route /users* {
    authorize with users_policy
  }
}
https://10.0.0.1:4202 {
  import tls_config
  route * {
    authorize with redirect_policy
  }
  reverse_proxy localhost:3000
  bind 0.0.0.0
}
:4200 {
  import tls_config
  route * {
    authorize with redirect_policy
  }
  bind 0.0.0.0
  reverse_proxy localhost:4201
}
@bnaoe, it is somehow related to your cookies. Also, the URL should be https://10.0.0.1:4203/auth/whoami, not https://10.0.0.1:4203/whoami.
@greenpau Thank you so much. /whoami works now, but I'm still having issues with the cookies. I omitted cookie domain 10.0.0.1 but still have the same issue. I checked the request cookies in the headers and I see the token there; I do not know what else to look at.
What do you see on the page? The "Who am I" page?
Thank you! Here's what's on my "Who am I" page. Not sure if it matters, but early on I changed the password hash in my users.json for the webadmin account using the bcrypt-tool.exe I downloaded from your site, because I couldn't figure out how to get the default secret key after it generates the users.json file.
And 10.0.0.1 is not the actual IP, but if you need the real one let me know. What's in addr: and iss: corresponds to the actual IP I am using.
When I decode the SESSION_TOKEN I got after loading /users, the payload is the same as what I see on my "Who am I" page, excluding authenticated:, expires_at_utc, and not_before_utc. The AUTHP_SESSION_ID is the same as what's in jti:
{
  "addr": "10.0.0.1",
  "authenticated": true,
  "email": "[email protected]",
  "exp": 1749613510,
  "expires_at_utc": "Tue Jun 10 22:45:10 CDT 2025",
  "iat": 1749609910,
  "iss": "https://10.0.0.1:4203/auth/login",
  "issued_at_utc": "Tue Jun 10 21:45:10 CDT 2025",
  "jti": "<jti here>",
  "nbf": 1749609850,
  "not_before_utc": "Tue Jun 10 21:44:10 CDT 2025",
  "origin": "local",
  "realm": "local",
  "roles": [
    "authp/admin",
    "authp/user"
  ],
  "sub": "webadmin"
}
@greenpau I browsed through the issue list and found an alternative, /auth/profile, which opens account authentication management for users, which is great. But I'm still getting "no token found", even on the portal page when not loading anything. The logs just keep warning me about it.
Hoping there's a fix for this. Appreciate the help. Thank you.
Which page are you browsing to? Provide the URL. Also provide a screenshot of what you see, as well as the HAR file from your browser.
@greenpau Thank you. I'm not sure if I can share the HAR file; I realize that it is needed. But if this helps, I'm trying to get to https://10.0.0.1:4203/users, and I'm just getting a blank screen. There's nothing to screenshot; the status code is 200. When I go to /users and look at the headers, I see authp_session_id and access_token under cookies in the request headers. authp_session_id is the same as my jti. The token shows the payload with my user information in auth/whoami.
@bnaoe, please reach out to me on LinkedIn. We'll get on Google Meet and I will try to explain a thing or two to you.
route /users* {
  authorize with users_policy
}
The above authorizes access, but nothing is done after it. You should probably have a reverse_proxy or respond handler:
route /users* {
  authorize with users_policy
  respond "I got to users"
}
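For reference, here is the 10.0.0.1:4203 site block from the Caddyfile above with the two points raised in this thread applied together. This is an added example, not configuration from the original post or from the caddy-security project; the ports, paths and policy names are the ones posted, and the "I got to users" body is a placeholder standing in for whatever reverse_proxy or respond handler the /users application actually needs.

```caddyfile
# Added example: the portal site block with the fixes discussed in the thread.
https://10.0.0.1:4203 {
  import tls_config

  # The portal serves its own pages under this prefix, so whoami and profile
  # are reached as /auth/whoami and /auth/profile, never as /whoami. The
  # portal's "My Identity" link must therefore point at /auth/whoami.
  route /auth* {
    authenticate with myportal
  }

  # "authorize" only validates the token and enforces the policy; with no
  # handler after it, a valid request ends as an empty 200 response. A
  # handler (respond here; reverse_proxy in practice) must follow it.
  route /users* {
    authorize with users_policy
    respond "I got to users"
  }
}
```

A quick check after reloading: a request to /users without a cookie should be redirected to the portal via the policy's set auth url, and the same request with the authp_session_id and access_token cookies should now return the placeholder body instead of a blank page, with the users_policy "allow users" rule logged at info.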
@greenpau ok I'll get in touch. Thank you so much I appreciate your help!