feature: Simplify configuring multiple OAuth clients #307

Open
matthias-stone opened this issue Jan 5, 2024 · 0 comments

A clear and concise description of what you want the system to do.

Set up:

  • Single Caddy instance hosting multiple applications with separate authentication portals.
  • Some applications share 1 (or more) identity providers (Google, GitHub, etc.)
  • Applications have unique OAuth client credentials (logging in to application1 does not authorize access to application2)

This is possible with the plugin as is, but it requires two awkward steps:

  • Specifying a unique realm name for each configured OAuth client credential
  • Using that unique realm name in each OAuth client's allowed callback configuration, requiring all OAuth client configurations to be coordinated.

It would be helpful if multiple identity providers could share their realm name, so long as they are not used within the same authentication portal. This requires allowing go-authcrunch to permit registering multiple providers with the same realm.

What are the Caddyfile directives that need to be added?

Example of a Caddyfile that works today; note the realms google1 and google2:

{
    order authenticate before respond
    order authorize before reverse_proxy

    security {
        oauth identity provider googleapp1 {
            realm google1
            driver google
            client_id <client_id_1>
            client_secret <client_secret_1>
            scopes openid email profile
        }

        oauth identity provider googleapp2 {
            realm google2
            driver google
            client_id <client_id_2>
            client_secret <client_secret_2>
            scopes openid email profile
        }

        authentication portal myportal1 {
            enable identity provider googleapp1
            cookie domain auth.site1.com
        }

        authentication portal myportal2 {
            enable identity provider googleapp2
            cookie domain auth.site2.com
        }
    }
}

auth1.internal.bellstone.ca {
    authenticate with myportal1
}
auth2.internal.bellstone.ca {
    authenticate with myportal2
}

Desired Caddyfile; all identity providers refer to realm google:

{
    order authenticate before respond
    order authorize before reverse_proxy

    security {
        oauth identity provider googleapp1 {
            realm google
            driver google
            client_id <client_id_1>
            client_secret <client_secret_1>
            scopes openid email profile
        }

        oauth identity provider googleapp2 {
            realm google
            driver google
            client_id <client_id_2>
            client_secret <client_secret_2>
            scopes openid email profile
        }

        authentication portal myportal1 {
            enable identity provider googleapp1
            cookie domain auth.site1.com
        }

        authentication portal myportal2 {
            enable identity provider googleapp2
            cookie domain auth.site2.com
        }
    }
}

auth1.internal.bellstone.ca {
    authenticate with myportal1
}
auth2.internal.bellstone.ca {
    authenticate with myportal2
}
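As an added illustration of the rule proposed above (this is not go-authcrunch's own code), a small Go check that models it: providers may share a realm across portals, but a single portal must not enable two providers with the same realm, since the realm is part of each client's callback configuration. The names `Provider`, `Portal` and `ValidateRealms` are assumptions; the sample data mirrors the desired Caddyfile.

```go
package main

import "fmt"

// Provider is a hypothetical model of an "oauth identity provider" block.
type Provider struct {
	Name  string
	Realm string
}

// Portal is a hypothetical model of an "authentication portal" block.
type Portal struct {
	Name      string
	Providers []string // names of enabled identity providers
}

// ValidateRealms applies the per-portal uniqueness rule: the same realm may
// appear on several providers globally, but within one portal each realm must
// map to exactly one provider, otherwise the callback for that realm would be
// ambiguous. It returns one message per problem found, in configuration order.
func ValidateRealms(providers []Provider, portals []Portal) []string {
	byName := make(map[string]Provider, len(providers))
	for _, p := range providers {
		byName[p.Name] = p
	}
	var problems []string
	for _, portal := range portals {
		seen := map[string]string{} // realm -> provider that claimed it in this portal
		for _, name := range portal.Providers {
			p, ok := byName[name]
			if !ok {
				problems = append(problems, fmt.Sprintf("portal %s: unknown identity provider %q", portal.Name, name))
				continue
			}
			if prev, dup := seen[p.Realm]; dup {
				problems = append(problems, fmt.Sprintf("portal %s: realm %q used by both %s and %s", portal.Name, p.Realm, prev, p.Name))
				continue
			}
			seen[p.Realm] = p.Name
		}
	}
	return problems
}

func main() {
	// Constructed sample matching the desired Caddyfile: both providers share realm "google".
	providers := []Provider{{"googleapp1", "google"}, {"googleapp2", "google"}}
	portals := []Portal{{"myportal1", []string{"googleapp1"}}, {"myportal2", []string{"googleapp2"}}}
	fmt.Println("problems:", ValidateRealms(providers, portals)) // none: realms are unique per portal
}
```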