go-authcrunch
redirect_url for logout
I'm using caddy-security to provide auth to a few webapps that are behind reverse_proxy. Some of these custom apps are basic static files that want to have a simple logout url. After logout they want to redirect to their own custom logout page.
If I'm not missing something perhaps a feature like this would be nice:
https://caddy-security-portal.hostname/logout?redirect_url=<custom>
@s8weber-uw , added the feature to https://github.com/greenpau/go-authcrunch/releases/tag/v1.0.49 and will be adding directives to caddy-security shortly.
@s8weber-uw , this is not available with https://github.com/greenpau/caddy-security/releases/tag/v1.1.26
The documentation for the feature is here: https://docs.authcrunch.com/docs/authenticate/misc#logout
Please test.
I'm not having much luck. Perhaps something simple I'm overlooking.

```dockerfile
FROM caddy:2.7-builder AS builder
RUN xcaddy build --with github.com/greenpau/[email protected]
FROM caddy:2.7
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
```

Caddyfile:

```
{
	security {
		oauth identity provider generic {
			realm generic
			driver generic
			client_id {env.CLIENT_ID}
			client_secret {env.CLIENT_SECRET}
			base_auth_url {env.BASE_AUTH_URL}
			metadata_url {env.METADATA_URL}
			# CALLBACK=/oauth2/generic/authorization-code-callback
			enable logout
		}
		authentication portal portal1 {
			enable identity provider generic
			crypto default token lifetime 3600
			#crypto key sign-verify {env.JWT_SHARED_KEY}
			transform user {
				match realm generic
				action add role authp/generic-user
			}
			trust logout redirect uri domain regex ".*" path regex ".*"
			trust logout redirect uri domain localhost path prefix "/"
		}
		authorization policy policy-generic-user {
			# change from the portal auth select screen directly to an auth provider
			set auth url http://localhost:80/oauth2/generic
			enable js redirect
			#crypto key verify {env.JWT_SHARED_KEY}
			validate bearer header
			allow roles authp/generic-user
		}
	}
}

# this is the auth portal
http://localhost:80 {
	route {
		authenticate with portal1
	}
}

# this is a website
http://localhost:8000 {
	route {
		respond /endsession "please close your browser"
		authorize with policy-generic-user
		header Content-Type text/html
		respond / <<EOF
			<html>
			<a href="http://localhost:80/logout?redirect_uri=http://localhost:8000/endsession">auth/logout | </a>
			<a href="http://localhost:80/oauth2/generic/logout?redirect_uri=http://localhost:8000/endsession">auth/oauth2/generic/logout |</a>
			</html>
			EOF 200
	}
}
```
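The two `trust logout redirect uri` lines in the Caddyfile above decide which `redirect_uri` values the portal may follow after logout. As an added example (not go-authcrunch's own code), this Go sketch models such an allowlist check and shows that a `.*` domain rule trusts every destination, while the `localhost` rule does not. The `TrustRule` type, the function names and the exact matching semantics are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// TrustRule is a hypothetical model of one "trust logout redirect uri" line.
type TrustRule struct {
	DomainKind, Domain string // kind: "exact" or "regex"
	PathKind, Path     string // kind: "prefix" or "regex"
}

func match(kind, pattern, value string) bool {
	switch kind {
	case "exact":
		return value == pattern
	case "prefix":
		return strings.HasPrefix(value, pattern)
	case "regex":
		// Anchor the pattern so "localhost" cannot match "localhost.other.example".
		re, err := regexp.Compile("^(?:" + pattern + ")$")
		return err == nil && re.MatchString(value)
	}
	return false
}

// IsTrustedRedirect accepts only absolute http(s) URLs whose host and path satisfy a rule.
func IsTrustedRedirect(rawURI string, rules []TrustRule) bool {
	u, err := url.Parse(rawURI)
	if err != nil || u.Hostname() == "" || u.User != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false
	}
	for _, r := range rules {
		if match(r.DomainKind, r.Domain, u.Hostname()) && match(r.PathKind, r.Path, u.Path) {
			return true
		}
	}
	return false
}

func main() {
	strict := []TrustRule{{"exact", "localhost", "prefix", "/"}} // rules and URIs are constructed samples
	open := []TrustRule{{"regex", ".*", "regex", ".*"}}
	for _, uri := range []string{"http://localhost:8000/endsession", "https://unrelated.example/landing"} {
		fmt.Println(uri, IsTrustedRedirect(uri, strict), IsTrustedRedirect(uri, open))
	}
}
```

With the catch-all rule present, the narrower `localhost` rule adds nothing, so dropping the `.*` line is what restricts post-logout redirects to the intended host.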
@steverweber , I think this is because this feature works with the non-OAuth 2.0 endpoint.
I did not see the config before. Now, I get it. My misunderstanding.
Here, you want to redirect a user from the OAuth logout endpoint /oauth2/generic/logout to some other URL.
Let me do some magic and it will be available in the next release.
@steverweber , please test with https://github.com/greenpau/caddy-security/releases/tag/v1.1.27
I tested and it should work. Added extra clarification here: https://docs.authcrunch.com/docs/authenticate/misc#external-endpoint-logout
Note: updated the above example Caddyfile a little...
Using 1.1.27:
http://localhost:80/oauth2/generic/logout?redirect_uri=... seems to do a redirect, so that's neat; however, it did not remove the auth cookie.
http://localhost:80/logout?redirect_uri=https://localhost:8000/endsession seems to ignore the redirect_uri.
I'll take another look at this next week. Nevertheless, THANKS!