
question: issuing custom claims dynamically

Open zhirschtritt opened this issue 3 years ago • 3 comments

To preface, this is probably a feature request and likely a non-trivial one, but I thought I'd figure out if it's actually a reasonable request.

I would like to use the auth plugin to issue roles based on a call to my backend service or some other shared crud-y resource that caddy can read and my app can update. I want to be able to edit authorized users on the fly and apply roles/custom claims without having to edit the Caddyfile.

I'm guessing this is outside of scope for this project, but wondering what your thoughts are on a feature like this.

Edit: On further reading of other issues, I see I'm not the first person to bring this up. I also see https://github.com/greenpau/caddy-security/issues/16 which is related to my request. Here's what I'm imagining an auth flow might look like:

  • User authenticates with some OAuth2 provider
  • caddy-auth sends JWT to endpoint specified
  • Endpoint responds with json listing roles/claims for that user
  • caddy-auth assigns roles/claims to token and forwards downstream

zhirschtritt avatar Mar 07 '22 01:03 zhirschtritt

caddy-auth sends JWT to endpoint specified. Endpoint responds with json listing roles/claims for that user

@zhirschtritt , thank you for the issue! 👍

What would that endpoint be?

My understanding is you want to have a "hook" into an "entitlement" system that would have role (or other) info. Is that correct?

The idea would be that one could have Google, Microsoft, Github, etc. ... however, there will be some other system that would provide the "roles" to the users authenticated with public OAuth services.

greenpau avatar Mar 23 '22 00:03 greenpau

My understanding is you want to have a "hook" into an "entitlement" system that would have role (or other) info. Is that correct?

Right, exactly. This way there can be a dynamic list of roles/claims that can be applied per-user without caddy or this plugin having to expose an api or durable storage mechanism for that.

What would that endpoint be?

Just an https GET endpoint specified in the config that accepts the jwt retrieved for the user (and probably a secret shared-key in the header that the endpoint can validate) that returns json of the roles and/or claims for that user. Like:

{
  "userId": "ddcc63b3-7864-42af-8ecf-9a76d317155e",
  "roles": ["admin"]
}

zhirschtritt avatar Mar 23 '22 18:03 zhirschtritt
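The exchange sketched in the two comments above (portal sends the user's JWT to a configured GET endpoint with a shared secret in a header; the endpoint answers with JSON of userId and roles) written out as an added example in Go. This is not caddy-security's code or an API it exposes; both sides are stand-alone stand-ins. Assumptions: the header name X-Claims-Secret, the Authorization: Bearer carrier for the JWT, the "sub" claim as the user id, an HS256-signed token, and the in-memory role table; the user id from the comment is reused as sample data. The endpoint verifies the JWT signature with the alg pinned to HS256 before trusting "sub", compares the shared secret in constant time, and returns an empty role list (not an error) for a valid user with no entitlements, so the portal can tell "no roles" from "endpoint refused".

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample data (not from caddy-security): the secret shared with
// the entitlement endpoint, the HS256 key the user's JWT is signed with, and
// the user-id -> roles table the backend would normally read from its store.
const sharedSecret = "example-shared-secret"

var jwtKey = []byte("example-hs256-key")

var roleTable = map[string][]string{
	"ddcc63b3-7864-42af-8ecf-9a76d317155e": {"admin"},
}

// ClaimsResponse is the JSON body proposed in the comment.
type ClaimsResponse struct {
	UserID string   `json:"userId"`
	Roles  []string `json:"roles"`
}

var b64 = base64.RawURLEncoding

// SignHS256 builds a compact HS256 JWT; it stands in for the token the
// portal holds for the user after the OAuth2 login.
func SignHS256(claims map[string]any, key []byte) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 checks the signature before any claim is trusted. The alg is
// pinned to HS256 so a caller cannot downgrade the header to "none".
func VerifyHS256(token string, key []byte) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(p[0] + "." + p[1]))
	if sig, err := b64.DecodeString(p[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	return claims, nil
}

// ClaimsHandler is the hypothetical entitlement endpoint: it requires the
// shared secret (constant-time compare) and a validly signed JWT, then
// answers with the roles for the token's "sub" (an assumed claim name).
func ClaimsHandler(w http.ResponseWriter, r *http.Request) {
	if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-Claims-Secret")), []byte(sharedSecret)) != 1 {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	claims, err := VerifyHS256(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), jwtKey)
	sub, _ := claims["sub"].(string)
	if err != nil || sub == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	roles, ok := roleTable[sub]
	if !ok {
		roles = []string{} // valid user with no entitlements: empty list, not an error
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(ClaimsResponse{UserID: sub, Roles: roles})
}

// FetchClaims is the portal side of the exchange: GET the endpoint with the
// user's JWT and the shared secret, and decode the roles it returns.
func FetchClaims(client *http.Client, url, token string) (ClaimsResponse, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return ClaimsResponse{}, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("X-Claims-Secret", sharedSecret)
	resp, err := client.Do(req)
	if err != nil {
		return ClaimsResponse{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return ClaimsResponse{}, fmt.Errorf("claims endpoint returned HTTP %d", resp.StatusCode)
	}
	var out ClaimsResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return ClaimsResponse{}, err
	}
	return out, nil
}
```

To run it, serve ClaimsHandler (for instance behind httptest.NewServer) and call FetchClaims with a token from SignHS256. Two design points worth keeping whatever the final feature looks like: the endpoint must verify the JWT itself rather than trust a bare user id in the request, since the shared secret only proves the caller is the portal, not which user is being asked about; and the portal should treat any non-200 answer as "no roles granted" rather than falling back to a default role.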

Will call this new subsystem ClaimProvider ...

FYI, I am splitting backends into (1) "IdentityStore" and (2) "IdentityProvider"

greenpau avatar Mar 25 '22 13:03 greenpau