Error: Google SSO broken, adapting config using caddyfile: unrecognized directive: oauth
Describe the issue
Upgrading from v1.0.26 to v1.1.31 breaks every security { … } block in a Caddyfile:
Configuration
Paste full Caddyfile below:
# minimal demo that worked on v1.0.26
{
    email [email protected]
    acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    order authenticate before respond
    order authorize before respond
}

security {
    oauth identity provider google {env.GOOGLE_CLIENT_ID} {env.GOOGLE_CLIENT_SECRET}
    authentication portal myportal {
        cookie domain cdn.xyz.com
        crypto key sign-verify {env.CADDY_SECURITY_SECRET}
        enable identity provider google
    }
    authorization policy mypolicy {
        allow roles authp/user authp/admin
    }
}

cdn.xyz.com {
    handle_path /healthz { respond "OK" 200 }
    route /auth* { authenticate with myportal }
    route { authorize with mypolicy; respond "protected" 200 }
}
Version Information
Provide output of caddy list-modules --versions | grep -E "(auth|security)" below:
http.authentication.providers.authorizer v1.1.31
http.handlers.authenticator v1.1.31
security v1.1.31
# NOTE: caddy.adapters.security is missing in v1.1.31
xcaddy build v2.10.0 \
  --with github.com/greenpau/caddy-security@v1.1.31 \
  --with github.com/caddy-dns/cloudflare@v0.2.1
Expected behavior
caddy validate --config Caddyfile succeeds (as it does on v1.0.26). Running caddy list-modules shows caddy.adapters.security when the plugin is included.
Additional context
Caddyfile syntax oauth identity provider …, authentication portal …, etc. is parsed correctly.
Here is my Dockerfile
######################## 1) build stage ########################
FROM golang:1.24-alpine AS builder

ARG CADDY_VERSION=2.10.0
# or a tag like v1.1.31
ARG SECURITY_REF=main
ARG CF_VERSION=v0.2.1
ARG XCADDY_VERSION=v0.4.4

RUN apk add --no-cache build-base \
 && go install github.com/caddyserver/xcaddy/cmd/xcaddy@${XCADDY_VERSION}

WORKDIR /src

# -- build Caddy: runtime module + Caddyfile adapter + CF DNS
RUN xcaddy build v${CADDY_VERSION} \
    --with github.com/greenpau/caddy-security@${SECURITY_REF} \
    --with github.com/greenpau/caddy-security/pkg/adapters/caddyfile@${SECURITY_REF} \
    --with github.com/caddy-dns/cloudflare@${CF_VERSION}

######################## 2) runtime stage ######################
FROM caddy:2.10.0-alpine AS runtime
COPY --from=builder /src/caddy /usr/bin/caddy

ENTRYPOINT ["caddy"]
CMD ["run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]
docker-compose.yml
services:
  caddy:
    build: .
    image: caddy-oauth:2.10.0
    container_name: caddy
    restart: unless-stopped
    environment:
      CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
      GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID}
      GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET}
      CADDY_SECURITY_SECRET: ${CADDY_SECURITY_SECRET}
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"   # HTTP/3
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./logs:/var/log/caddy
      - /srv/docker/data/caddy/config:/config
      - /srv/docker/data/caddy/data:/data
    healthcheck:
      test: ["CMD-SHELL", "caddy adapt --config /etc/caddy/Caddyfile > /dev/null"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
Caddyfile:

###############################################################################
# 1) GLOBAL OPTIONS - wildcard cert via Cloudflare DNS-01
###############################################################################
{
    email [email protected]
    acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    order authenticate before respond
    order authorize before respond
}

###############################################################################
# 2) SECURITY APP
###############################################################################
security {
    # -- 1) Google OAuth2 identity-provider (one-liner)
    oauth identity provider google {env.GOOGLE_CLIENT_ID} {env.GOOGLE_CLIENT_SECRET}

    # -- 2) SSO portal
    authentication portal myportal {
        cookie domain cdn.xyz.com
        crypto key sign-verify {env.CADDY_SECURITY_SECRET}
        enable identity provider google
    }

    # -- 3) Allow-list policy
    authorization policy mypolicy {
        crypto key sign-verify {env.CADDY_SECURITY_SECRET}
        acl rule {
            match email [email protected] [email protected]
            allow stop
        }
    }
}

###############################################################################
# 3) WILDCARD HOLDER - forces *.xyz.com certificate
###############################################################################
*.xyz.com {
    respond "wildcard holder" 204
}

###############################################################################
# 4) PORTAL HOST - cdn.xyz.com
###############################################################################
cdn.xyz.com {
    # Up-time probe
    handle_path /healthz {
        respond "OK" 200
    }

    # Portal routes
    route /auth* {
        authenticate with myportal
    }

    # All other paths -> SSO -> Dashy
    @protected not path /auth* /healthz
    route @protected {
        authorize with mypolicy
        reverse_proxy dashy:8080
    }

    encode gzip zstd
}
@krouter, what is the error?
per gpt-o3 - Still missing http.authentication.providers.oauth v1.1.31 - the Google OAuth directive will not work. Is it gaslighting me?
docker run --rm --entrypoint "" caddy-oauth:2.10.0 \
  caddy list-modules --versions | grep -E '(auth|security|dns)'
http.authentication.hashes.bcrypt v2.10.0
http.authentication.providers.http_basic v2.10.0
http.handlers.authentication v2.10.0
tls.client_auth.verifier.leaf v2.10.0
tls.ech.publishers.dns v2.10.0
dns.providers.cloudflare v0.2.1
http.authentication.providers.authorizer v1.1.31
http.handlers.authenticator v1.1.31
security v1.1.31
but it looks like Caddyfile verification fails:

docker run --rm --entrypoint "" -v "$PWD/Caddyfile:/etc/caddy/Caddyfile" caddy-oauth:2.10.0 \
  caddy adapt --config /etc/caddy/Caddyfile --adapter caddyfile
Error: /etc/caddy/Caddyfile:19: unrecognized directive: identity_provider or unrecognized directive: oauth
Please see this reference config https://github.com/greenpau/caddy-security/issues/353
Perhaps try compiling from scratch
Can you please share a Dockerfile for Caddy + Cloudflare Let's Encrypt + Google OAuth plugins? I've tried numerous variations and still have the oauth module missing.
GPT thinks: Expected: http.authentication.providers.oauth v1.1.31

docker run --rm --entrypoint "" caddy-oauth:2.10.0 \
  caddy list-modules --versions | grep -E '(auth|security|dns)'
http.authentication.hashes.bcrypt v2.10.0
http.authentication.providers.http_basic v2.10.0
http.handlers.authentication v2.10.0
tls.client_auth.verifier.leaf v2.10.0
tls.ech.publishers.dns v2.10.0
dns.providers.cloudflare v0.2.1
http.authentication.providers.authorizer v1.1.31
http.handlers.authenticator v1.1.31
security v1.1.31
here is my current Dockerfile.
######################## 1) build stage ########################
# Use Go-enabled image, not plain alpine
FROM golang:1.24-alpine AS builder

ARG CADDY_VERSION=2.10.0
# note: no leading 'v'
ARG XCADDY_VERSION=0.4.4

# tools needed by xcaddy and the build
RUN apk add --no-cache build-base git wget tar

WORKDIR /build

# -- download xcaddy binary ----------------------------------------
RUN wget -qO xcaddy.tar.gz \
      "https://github.com/caddyserver/xcaddy/releases/download/v${XCADDY_VERSION}/xcaddy_${XCADDY_VERSION}_linux_amd64.tar.gz" \
 && tar -xzf xcaddy.tar.gz \
 && install -m 0755 xcaddy /usr/local/bin/xcaddy \
 && rm -f xcaddy.tar.gz xcaddy

# -- build custom Caddy with required plugins ----------------------
RUN xcaddy build v${CADDY_VERSION} \
    --with github.com/greenpau/caddy-security@main \
    --with github.com/caddy-dns/cloudflare@v0.2.1

######################## 2) runtime stage ######################
FROM caddy:2.10.0-alpine AS runtime
COPY --from=builder /build/caddy /usr/bin/caddy

ENTRYPOINT ["caddy"]
CMD ["run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]
Can anyone please confirm the bug that's breaking Caddy + OAuth inside a Docker container, or share a working Dockerfile and Caddyfile for a Google Auth example inside Caddy?
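Added example, not from this thread and not the caddy-security project's own code: a POSIX sh script that separates the two things being argued about above, whether the build is missing a module, and whether the Caddyfile adapts. The module IDs it requires are the three the `list-modules` output in this thread attributes to caddy-security; it does not look for an oauth provider module because no such ID appears in that output. The reference Caddyfile it writes follows the layout in the caddy-security documentation, where `security { }` is a global option placed inside the top-level `{ }` block; a `security { }` block that sits after the global block is parsed by the Caddyfile adapter as a site block named `security`, and its first line `oauth …` is then a directive, which would produce exactly `unrecognized directive: oauth`. The thread does not confirm that this is the failure above, so treat it as the first thing to check. The hostnames, e-mail address and environment variable names in the Caddyfile are placeholders; `verify_image` needs Docker and a built image and is a manual step.

```shell
#!/bin/sh
# Added example (not from the issue thread or the caddy-security project):
# post-build checks for a custom Caddy image that carries caddy-security.

# Module IDs that the thread's `caddy list-modules --versions` output shows
# for caddy-security v1.1.31. Assumption: a working build must expose all
# three; there is no oauth provider module in that output to look for.
REQUIRED_MODULES="security http.handlers.authenticator http.authentication.providers.authorizer"

# check_modules: read `caddy list-modules [--versions]` output on stdin.
# Prints "ok" and returns 0, or prints "missing: <ids>" and returns 1.
check_modules() {
    listing=$(cat)
    missing=""
    for id in $REQUIRED_MODULES; do
        # exact match on the first field (the module ID), so a version suffix is fine
        if ! printf '%s\n' "$listing" | awk -v id="$id" '$1 == id { found = 1 } END { exit !found }'; then
            missing="$missing $id"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    printf 'ok\n'
}

# locate_adapt_error: $1 is the stderr text of `caddy adapt`, e.g.
#   Error: /etc/caddy/Caddyfile:19: unrecognized directive: oauth
# and $2 is the local copy of that Caddyfile. Prints "<n>: <line n>" so the
# failing directive can be seen where it sits (inside a site block, or inside
# the global options block). Returns 1 if the text carries no "<path>:<n>:".
locate_adapt_error() {
    lineno=$(printf '%s\n' "$1" | sed -n 's/^Error: .*:\([0-9][0-9]*\): .*/\1/p' | head -n 1)
    [ -n "$lineno" ] || return 1
    printf '%s: %s\n' "$lineno" "$(sed -n "${lineno}p" "$2")"
}

# write_reference_caddyfile: write a minimal Caddyfile to $1 in the layout the
# caddy-security docs use: `security { }` is a GLOBAL OPTION and lives inside
# the top-level `{ }` block, not after it. Hostnames/e-mail are placeholders.
write_reference_caddyfile() {
    cat > "$1" <<'EOF'
{
    email admin@example.com
    acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    order authenticate before respond
    order authorize before respond

    security {
        oauth identity provider google {env.GOOGLE_CLIENT_ID} {env.GOOGLE_CLIENT_SECRET}
        authentication portal myportal {
            cookie domain example.com
            crypto key sign-verify {env.CADDY_SECURITY_SECRET}
            enable identity provider google
        }
        authorization policy mypolicy {
            crypto key sign-verify {env.CADDY_SECURITY_SECRET}
            allow roles authp/user authp/admin
        }
    }
}

portal.example.com {
    route /auth* {
        authenticate with myportal
    }
    route {
        authorize with mypolicy
        respond "protected" 200
    }
}
EOF
}

# verify_image: $1 image tag, $2 Caddyfile path. Needs Docker and the built
# image, so run it by hand:  . ./verify.sh && verify_image caddy-oauth:2.10.0 ./Caddyfile
verify_image() {
    docker run --rm --entrypoint "" "$1" caddy list-modules --versions | check_modules || return 1
    # docker -v needs an absolute host path
    cf=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    err=$(docker run --rm --entrypoint "" -v "$cf:/etc/caddy/Caddyfile:ro" "$1" \
            caddy adapt --config /etc/caddy/Caddyfile --adapter caddyfile 2>&1 >/dev/null) && return 0
    printf '%s\n' "$err"
    locate_adapt_error "$err" "$cf"
    return 1
}
```

Running `check_modules` against the listing pasted in this thread prints `ok`, which is why a missing-module explanation does not fit that output; `locate_adapt_error` then shows which line the adapter tripped on, and the block it is in is what to compare against the reference layout. Note that the compose healthcheck above only re-runs `caddy adapt`; it never talks to the listening server, so it passes as long as the file parses.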