question: Caddy is oauth proxy for grafana oauth identity forwarding #310

Open · moritz31 opened this issue Jan 18, 2024 · 1 comment
Labels: need triage, question (Further information is requested)

Comments

@moritz31

We currently use Caddy together with basic auth to protect some of our Prometheus datasources.
Grafana has a feature called Forward OAuth Identity, where the server requests the datasource by proxying the Authorization header from your OAuth2 session.
Would it be possible for caddy-security to authorize these calls?
Tried it with the following config but get an unauthorized from Caddy:

```
authorization policy mypolicy {
    set auth url http://localhost:8080/oaut2/okta
    validate bearer header
    disable auth redirect
    acl rule {
        comment Test
        match email xxx
        allow log debug
    }
}
```

Request from Grafana looks like this (Caddy access log):

```json
{
  "level": "error",
  "ts": 1705567522.9418292,
  "logger": "http.log.access",
  "msg": "handled request",
  "request": {
    "remote_ip": "",
    "remote_port": "37956",
    "client_ip": "",
    "proto": "HTTP/1.1",
    "method": "GET",
    "host": "caddy:8080",
    "uri": "/api/v1/status/buildinfo",
    "headers": {
      "X-Id-Token": ["TOKEN"],
      "Accept-Encoding": ["gzip"],
      "User-Agent": ["Grafana/10.2.3"],
      "Authorization": ["Bearer TOKEN"],
      "X-Datasource-Uid": ["faac24e5-b2c5-4723-87c8-28aaefff61a7"],
      "X-Grafana-Org-Id": ["1"]
    }
  },
  "bytes_read": 0,
  "user_id": "",
  "duration": 0.000051834,
  "size": 0,
  "status": 401,
  "resp_headers": {"Server": ["Caddy"]}
}
```

If this would work, there could be a second issue: to verify the signature of the JWT, Caddy has to go against the introspect endpoint and not against the JWKS endpoint as by default.
https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token?language=en_US

Could this work? Or can this maybe be easily implemented?

Regards
Moritz

@moritz31 moritz31 added need triage question Further information is requested labels Jan 18, 2024
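The two things the issue body asks about, as an added example that is not caddy-security's, Grafana's or Okta's code: how a proxy in Caddy's position would handle the `Authorization: Bearer` header that Grafana forwards (verify the JWS signature against a key set fetched from the JWKS endpoint, then match the email claim the way the `acl rule` above does), and why the linked Okta article matters: a token that is not a JWS at all, or whose `kid` the JWKS does not publish, cannot be verified locally and has to be sent to the introspection endpoint instead. Written in Go because Caddy is. The RSA keys, `kid` values, claims and the opaque token string are constructed inline; `keySet`, `Authorize` and `RunDemo` are names chosen for this example, and the key set is modelled as a kid-to-public-key map, which is what a parsed JWKS reduces to.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// keySet is what a fetched JWKS reduces to after parsing: kid -> RSA public key.
type keySet map[string]*rsa.PublicKey

var b64 = base64.RawURLEncoding

// ErrNeedsIntrospection: the token is not a JWS, or its kid is not published in the
// JWKS, so the only remaining check is the provider's introspection endpoint.
var ErrNeedsIntrospection = errors.New("token not locally verifiable: use introspection endpoint")

// verifyRS256 validates a compact JWS against the key set and returns its claims.
// iss/aud/exp checks are left to the caller so the signature path stays visible.
func verifyRS256(token string, set keySet) (map[string]any, error) {
	segs := strings.Split(token, ".")
	if len(segs) != 3 {
		return nil, ErrNeedsIntrospection // opaque token: nothing to verify locally
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(segs[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, ErrNeedsIntrospection
	}
	if hdr.Alg != "RS256" { // never let the token choose "none" or an HMAC alg
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, ok := set[hdr.Kid]
	if !ok {
		return nil, ErrNeedsIntrospection // kid unknown: rotated key, or token from another AS
	}
	sig, err := b64.DecodeString(segs[2])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(segs[0] + "." + segs[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(segs[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("malformed payload")
	}
	return claims, nil
}

// Authorize is the gate a proxy applies to Grafana's forwarded request: a valid
// signature and an email claim to match the ACL against, otherwise reject.
func Authorize(authorization string, set keySet) (string, error) {
	if !strings.HasPrefix(authorization, "Bearer ") { // scheme is case-insensitive per RFC 6750; kept simple here
		return "", errors.New("not a bearer authorization header")
	}
	claims, err := verifyRS256(strings.TrimPrefix(authorization, "Bearer "), set)
	if err != nil {
		return "", err
	}
	if email, _ := claims["email"].(string); email != "" {
		return email, nil
	}
	return "", errors.New("no email claim to match the ACL against")
}

// signRS256 stands in for the identity provider (constructed here, not Okta's issuer).
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// RunDemo: one token under the published kid, one under an unpublished kid, one opaque.
func RunDemo() (email string, knownErr, unknownErr, opaqueErr error) {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	set := keySet{"kid-2024-01": &idpKey.PublicKey}                      // constructed JWKS
	claims := map[string]any{"sub": "00u1", "email": "xxx@example.com"} // constructed claims
	email, knownErr = Authorize("Bearer "+signRS256(idpKey, "kid-2024-01", claims), set)
	_, unknownErr = Authorize("Bearer "+signRS256(otherKey, "kid-unpublished", claims), set)
	_, opaqueErr = Authorize("Bearer AQoPolicyStyleOpaqueAccessToken0123456789", set)
	return
}

func main() {
	email, k, u, o := RunDemo()
	fmt.Println("published kid:", email, k, "| unpublished kid:", u, "| opaque:", o)
}
```

The point for the config above: `validate bearer header` can only succeed when the forwarded token is a JWS whose `kid` the configured key source knows; an Okta org-authorization-server access token is not, so the check has to fall through to introspection rather than fail closed with a 401.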
@greenpau (Owner)

@moritz31, this is a nuanced question. This plugin supports Grafana, but it looks like things have changed at Grafana Labs and some new auth features were added. Here is what I can offer: connect with me on LinkedIn and we will set up a Google Meet to look at your setup together.
