question: Generic OAuth 2.0 Provider for Caddy 2
Hello, I'm trying to test OIDC login for my day-job org's IdP.
I have created an app and I have set up the redirect URI to http://localhost:8080/login
Here is the Caddyfile that I am starting with to test the setup:
{
	http_port 8080
	# https_port 8443
	# debug
	order authenticate before respond
	security {
		oauth identity provider generic {
			realm generic
			driver generic
			client_id app-caddy-server
			client_secret caddy-app-server
			scopes openid profile
			base_auth_url https://org.com/
			metadata_url https://org.com/.well-known/openid-configuration
		}
		authentication portal applogin {
			crypto default token lifetime 3600
			crypto key sign-verify shared_secret_key
			enable identity provider generic
			cookie domain localhost
			transform user {
				match realm generic
				action add role app/user
			}
			transform user {
				match realm generic
				match email [email protected]
				action add role app/admin
			}
		}
	}
}

localhost:8080 {
	authenticate with applogin
}
I am able to start the server and on navigating to http://localhost:8080/login, I'm just getting a white screen like so:

How do I specify the redirect URI in the Caddyfile? How do I validate that I am getting the metadata document from https://org.com/.well-known/openid-configuration ? What is the trigger for redirecting to https://org.com/authorization.oauth2 with the client id and client secret?
I'm new to this and all I could find on the documentation here was: When a user browses to login, the user will be redirected to the provider discovered via metadata_url and base_auth_url URLs.
My goal here is to be able to get to the org's SSO login page.
> I am able to start the server and on navigating to http://localhost:8080/login, I'm just getting a white screen like so:
@sprkv5 , please add cookie insecure on to your config and see if you get a different looking screen.
> # debug
Un-comment debug and you will get more info about what is going on.
> How do I specify the redirect URI in the Caddyfile?
You need to specify the redirect URI in your OAuth provider. The plugin knows where to redirect to based on the contents of https://org.com/.well-known/openid-configuration.
Hello @greenpau,
Thank you for suggesting so fast! :)
I still don't see a different screen with cookie insecure on .
I am able to see that the metadata document gets retrieved on server startup though:
2022/05/09 13:45:22.277 DEBUG security fetchMetadataURL succeeded {"identity_provider_name": "generic", "metadata": {"authorization_endpoint":"https://org.com/authorization.oauth2","backchannel_authentication_endpoint": ...
The plugin now knows the authorization endpoint but does not redirect to it. Clicking on the generic link takes me to http://localhost:8080/oauth2/generic
Just to confirm, by redirect URI did you mean 1 or 2 from this pic:

I ask this because the authorization endpoint is indeed specified by the OAuth provider's metadata. But the client I created for my application has a redirect URI which should be sent as a redirect_uri query parameter to the authorization endpoint. How do I specify this?
> I am able to see that the metadata document gets retrieved on server startup though:
@sprkv5, I need to see the entirety of the log you see in the console, i.e. the entire log ... from start of the server to the rejection of the user.
> Just to confirm, by redirect URI did you mean 1 or 2 from this pic:
The 1 is derived automatically ... My hunch is that your OAuth server does not like you using http (non-https).
The 2 is derived based on the metadata it fetches.
So switch to using https.
Can the logs be provided via DM/mail since it does contain sensitive information?
> Can the logs be provided via DM/mail since it does contain sensitive information?
@sprkv5, please email me at greenpau<>outlook.com
@greenpau, I've mailed you the logs. Apologies for the delay.
The redirect URI is specified in the client created for OAuth provider. But it is not fetched in network request as you can see in the logs mailed to you.