feature: Simplify configuring multiple OAuth clients
matthias-stone opened this issue · 0 comments
matthias-stone commented
A clear and concise description of what you want the system to do.
Set up:
- Single Caddy instance hosting multiple applications with separate authentication portals.
- Some applications share 1 (or more) identity providers (Google, Github, etc.)
- Applications have unique OAuth client credentials (logging in to application1 does not authorize access to application2)
This is possible with the plugin as is, but it requires two awkward steps:
- Specifying a unique realm name for each configured OAuth client credential
- Using that unique realm name in each OAuth client's allowed callback configuration, requiring all OAuth client configurations to be coordinated.
It would be helpful if multiple identity providers could share their realm name, so long as they are not used within the same authentication portal. This requires allowing go-authcrunch to permit registering multiple providers with the same realm.
What are the Caddyfile directives that need to be added.
Example of a Caddyfile that works today; note the `realm google1` and `realm google2`:
```caddyfile
{
	order authenticate before respond
	order authorize before reverse_proxy
	security {
		oauth identity provider googleapp1 {
			realm google1
			driver google
			client_id <client_id_1>
			client_secret <client_secret_1>
			scopes openid email profile
		}
		oauth identity provider googleapp2 {
			realm google2
			driver google
			client_id <client_id_2>
			client_secret <client_secret_2>
			scopes openid email profile
		}
		authentication portal myportal1 {
			enable identity provider googleapp1
			cookie domain auth.site1.com
		}
		authentication portal myportal2 {
			enable identity provider googleapp2
			cookie domain auth.site2.com
		}
	}
}

auth1.internal.bellstone.ca {
	authenticate with myportal1
}

auth2.internal.bellstone.ca {
	authenticate with myportal2
}
```
Desired Caddyfile; all identity providers refer to `realm google`:
```caddyfile
{
	order authenticate before respond
	order authorize before reverse_proxy
	security {
		oauth identity provider googleapp1 {
			realm google
			driver google
			client_id <client_id_1>
			client_secret <client_secret_1>
			scopes openid email profile
		}
		oauth identity provider googleapp2 {
			realm google
			driver google
			client_id <client_id_2>
			client_secret <client_secret_2>
			scopes openid email profile
		}
		authentication portal myportal1 {
			enable identity provider googleapp1
			cookie domain auth.site1.com
		}
		authentication portal myportal2 {
			enable identity provider googleapp2
			cookie domain auth.site2.com
		}
	}
}

auth1.internal.bellstone.ca {
	authenticate with myportal1
}

auth2.internal.bellstone.ca {
	authenticate with myportal2
}
```
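The realm-scoping rule the request describes, as an added illustration written for this page rather than go-authcrunch's own validation code: `CheckGlobalRealms` models today's behaviour (a realm name may appear once across all providers), and `CheckPortalRealms` models the proposed behaviour (a realm may repeat, as long as no single portal enables two providers that share it). The provider and portal names are taken from the desired Caddyfile above; the structs and function names are assumptions for the example.

```go
package main

import "fmt"

// Provider mirrors one "oauth identity provider" block (name + realm).
type Provider struct{ Name, Realm string }

// Portal mirrors one "authentication portal" block and the providers it enables.
type Portal struct {
	Name      string
	Providers []string
}

// CheckGlobalRealms is today's rule: realms must be unique across all
// providers, which is what forces the google1/google2 naming in the issue.
func CheckGlobalRealms(providers []Provider) error {
	seen := map[string]string{} // realm -> provider name
	for _, p := range providers {
		if prev, ok := seen[p.Realm]; ok {
			return fmt.Errorf("realm %q used by both %s and %s", p.Realm, prev, p.Name)
		}
		seen[p.Realm] = p.Name
	}
	return nil
}

// CheckPortalRealms is the proposed rule: a realm may repeat across providers
// as long as no single portal enables two providers that share it.
func CheckPortalRealms(providers []Provider, portals []Portal) error {
	realmOf := map[string]string{}
	for _, p := range providers {
		realmOf[p.Name] = p.Realm
	}
	for _, pt := range portals {
		seen := map[string]string{} // realm -> provider, scoped to this portal
		for _, name := range pt.Providers {
			if prev, ok := seen[realmOf[name]]; ok {
				return fmt.Errorf("portal %s enables %s and %s with realm %q", pt.Name, prev, name, realmOf[name])
			}
			seen[realmOf[name]] = name
		}
	}
	return nil
}

func main() {
	providers := []Provider{{"googleapp1", "google"}, {"googleapp2", "google"}} // constructed from the desired config
	portals := []Portal{{"myportal1", []string{"googleapp1"}}, {"myportal2", []string{"googleapp2"}}}
	fmt.Println("global rule:", CheckGlobalRealms(providers), "| per-portal rule:", CheckPortalRealms(providers, portals))
}
```

Under the global rule the desired config is rejected; under the per-portal rule it passes, while a portal that enabled both `googleapp1` and `googleapp2` would still be rejected.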