greenpau/caddy-security

question: How to initiate proxy pass after successful auth?

icsy7867 opened this issue · 2 comments

I am testing out an application with Caddy embedded. There are a lot of variables at play, so I will do my best to strip out the unrelated parts. Ultimately, I am missing something, probably from my lack of understanding of the tool, but I would love some assistance!

So I have OAuth working! Woo! I get my company's ADFS login, and it successfully goes through. The token has the correct information and everything seems happy, but after I access the page I get this screen:

[screenshot]

And then after successfully authenticating I see this:

[screenshot]

```caddyfile
{
    order authenticate before respond
    order authorize before reverse_proxy
    security {
        oauth identity provider generic {
            realm generic
            driver generic
            client_id oauth-client-id
            client_secret oauth-client-secret
            scopes openid email profile
            base_auth_url https://my.company.org/adfs
            metadata_url https://my.company.org/adfs/.well-known/openid-configuration
        }

        authentication portal myportal {
            crypto default token lifetime 3600
            enable identity provider generic
            cookie domain subdomain.my.company.org

            transform user {
                match realm generic
                action add role authp/user
            }
        }

        authorization policy mypolicy {
            set auth url https://{{ .ZrokBindAddress }}/oauth2/generic
            inject headers with claims
            allow roles authp/admin authp/user
        }

    }
}
http:// {
    # Bind to the zrok share
    bind {{ .ZrokBindAddress }}
    authenticate with myportal

    # All other traffic goes to localhost:8080
    authorize with mypolicy
    reverse_proxy /* localhost:8080 {
        header_up Host localhost:8080
        header_up X-Real-IP {http.request.header.x-forwarded-for}
    }
}
```

I should note that with just this portion, it works fine:

```caddyfile
http:// {
    # Bind to the zrok share
    bind {{ .ZrokBindAddress }}

    reverse_proxy /* localhost:8080 {
        header_up Host localhost:8080
        header_up X-Real-IP {http.request.header.x-forwarded-for}
    }
}
```

> ...but after I access the page I get this screen

@icsy7867 , what you see here is the "portal" screen. You should add links there. See https://docs.authcrunch.com/docs/authenticate/user-transforms#add-ui-links

Additionally, see this video to introduce conditional logic "on login." It is a bit advanced for first timers. Try UI links first.

Please ask clarification questions.

Ohhh thanks! I will give this a whirl. I think, after diving into some Caddy docs, I have it working! But I think I can do this better; I will definitely give your video a look. Thanks!

```caddyfile
{
    order authenticate before respond
    # order authorize before reverse_proxy
    security {
        oauth identity provider generic {
            realm generic
            driver generic
            client_id client-id
            client_secret client-secret
            scopes openid email profile
            base_auth_url https://my.company.org/adfs
            metadata_url https://my.company.org/adfs/.well-known/openid-configuration
        }

        authentication portal myportal {
            crypto default token lifetime 3600
            enable identity provider generic
            cookie domain zrok.my.company.org
            ui {
                links {
                    "My Identity" "/whoami" icon "las la-user"
                    "app" "/app/" icon "las la-user"
                }
            }
            transform user {
                match realm generic
                action add role authp/user
            }
        }

        authorization policy mypolicy {
            set auth url /auth
            inject headers with claims
            allow roles authp/admin authp/user
        }

    }
}
http:// {
    # Bind to the zrok share
    bind {{ .ZrokBindAddress }}
    route /auth* {
        authenticate with myportal
    }
    authenticate with myportal

    # All other traffic goes to localhost:8080
    # authorize with mypolicy
    route /* {
        authorize with mypolicy
        reverse_proxy localhost:8080 {
            header_up Host localhost:8080
            header_up X-Real-IP {http.request.header.x-forwarded-for}
        }
    }
}
```