I got the example config provided over here and modified it as follows:

- I changed the default `http` and `https` ports.
- I removed the `tls_config` section so that Caddy itself requests certificates.
- I commented out `password_recovery_enabled yes` because with that, `authp` gave me this error:

```
INFO using adjacent Caddyfile
Error: adapting config using caddyfile: parsing caddyfile tokens for 'security': unsupported subdirective for security.authentication.portal.ui: password_recovery_enabled, at Caddyfile:31
```

So my Caddyfile is like this (I've changed the domains here, obviously):
```
{
	http_port 80
	https_port 443
	debug
	order authenticate before respond
	order authorize before basicauth
	security {
		local identity store localdb {
			realm local
			path /root/caddy/users.json
		}
		oauth identity provider github {env.GITHUB_CLIENT_ID} {env.GITHUB_CLIENT_SECRET}
		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			enable identity store localdb
			enable identity provider github
			cookie domain example.com
			ui {
				links {
					"My Website" https://test.example.com:443/ icon "las la-star"
					"Guests" https://test.example.com:443/guests icon "las la-star"
					"Users" https://test.example.com:443/users icon "las la-star"
					"Admins" https://test.example.com:443/admins icon "las la-star"
					"My Identity" "/whoami" icon "las la-user"
				}
				# password_recovery_enabled yes
			}
			transform user {
				match origin local
				action add role authp/user
				ui link "Portal Settings" /settings icon "las la-cog"
			}
			transform user {
				match realm github
				match sub github.com/greenpau
				action add role authp/user
			}
		}
		authorization policy guests_policy {
			# disable auth redirect
			set auth url https://auth.example.com:443/
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
			acl rule {
				comment allow guests only
				match role guest authp/guest
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
		authorization policy users_policy {
			set auth url https://auth.example.com:443/
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
		authorization policy admins_policy {
			set auth url https://auth.example.com:443/
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
	}
}

auth.example.com {
	route {
		authenticate with myportal
	}
}

test.example.com {
	route /guests* {
		authorize with guests_policy
		respond * "assetq - guests only" 200
	}
	route /users* {
		authorize with users_policy
		respond * "assetq - users" 200
	}
	route /admins* {
		authorize with admins_policy
		respond * "assetq - admins" 200
	}
	route {
		respond "assetq is running"
	}
}
```
I can access `auth.example.com` and log in with the initial credentials created by Caddy, but even if I sign out, all the routes under `test.example.com` are still accessible and they never get redirected to `auth.example.com` (even with different IPs and browsers without cached cookies).
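One way to confirm the reported symptom from a clean client, as an added example that is not code from the issue author or the project: it requests each protected route without cookies and without following redirects, then reports whether the policy was enforced. The function names `fetch`, `classify` and `audit` are hypothetical, and it assumes enforcement shows up as a 401/403 or a redirect to the auth host.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Host and paths come from the Caddyfile above; all other names are hypothetical.
AUTH_HOST = "auth.example.com"
PROTECTED = ["/guests", "/users", "/admins"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it


def fetch(url, timeout=5):
    """Cookie-less GET; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def classify(status, location, auth_host=AUTH_HOST):
    """Decide whether an anonymous response shows the policy being enforced."""
    if status in (401, 403):
        return "enforced"
    if 300 <= status < 400 and location:
        # Assumption: an enforcing policy redirects to the configured auth host.
        host = urlsplit(location).hostname
        return "enforced" if host == auth_host else "redirect-elsewhere"
    if 200 <= status < 300:
        return "OPEN"  # protected content served to an anonymous client
    return "inconclusive"


def audit(base, paths=PROTECTED, fetcher=fetch):
    """Map each protected path to its verdict for an anonymous client."""
    return {p: classify(*fetcher(base.rstrip("/") + p)) for p in paths}


if __name__ == "__main__":
    for path, verdict in audit("https://test.example.com").items():
        print(f"{verdict:18} {path}")
```

Any path reported as `OPEN` reproduces the behaviour described in the report; run it after each config change to see whether the routes start redirecting.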