
breakfix: Environment Substitution does not work for auth url within policy #355

Open
alex3305 opened this issue Aug 5, 2024 · 0 comments


alex3305 commented Aug 5, 2024

Describe the issue

I want to substitute (part of) the auth url within an authorization policy. This way I can have a somewhat 'generic' Caddyfile that I can include and distribute with my custom Docker image without exposing my own domain name. However, substitution doesn't seem to work.

Configuration

Paste full Caddyfile below:

```
{
    order authenticate before respond
    order authorize before basicauth

    security {
        oauth identity provider dex {
            realm generic
            driver generic
            client_id {env.IDP_CLIENT_ID}
            client_secret {env.IDP_CLIENT_SECRET}
            scopes openid email profile
            base_auth_url https://{env.IDP_DOMAIN_NAME}/
            metadata_url https://{env.IDP_DOMAIN_NAME}/.well-known/openid-configuration
        }

        authentication portal pepperportal {
            crypto default token lifetime 3600
            crypto key sign-verify {env.JWT_SHARED_KEY}
            enable identity provider dex
            cookie domain {env.DOMAIN}
        }

        authorization policy pepperpolicy {
            set auth url https://auth.{env.DOMAIN}/oauth2/generic/authorization-code-callback
            crypto key verify {env.JWT_SHARED_KEY}
            allow roles authp/admin authp/user
            validate bearer header
            inject headers with claims
        }
    }
}
```

On other parts of the Caddyfile substitution works perfectly 😄.

Version Information

Provide output of caddy list-modules --versions | grep -E "(auth|security)" below:

```
/srv # caddy list-modules --versions | grep -E "(auth|security)"
http.authentication.hashes.bcrypt v2.8.4
http.authentication.providers.http_basic v2.8.4
http.handlers.authentication v2.8.4
tls.client_auth.verifier.leaf v2.8.4
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29
```

Expected behavior

That the redirection goes to my domain i.e. https://auth.example.com instead of the variable value: https://auth.{env.DOMAIN}.

Additional context

n/a
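The failure mode reported above is an unexpanded `{env.NAME}` placeholder surviving into a redirect target, so the browser is sent to the literal `https://auth.{env.DOMAIN}/...`. In Caddy, `{env.NAME}` is a runtime placeholder that the module handling a given field has to expand, which is why a field that is never passed through the replacer keeps the literal text. A pre-deployment check catches that before a user ever hits the redirect. The script below is an added example, not the reporter's code and not part of caddy-security or Caddy; it expands `{env.NAME}` from a supplied mapping over a reduced, constructed copy of the Caddyfile in this report, lists placeholders that remain unresolved, and verifies that the `set auth url` value ends up as a concrete https URL. The sample config and the sample environment mapping are constructed for the demo; in real use you would read the Caddyfile from disk and pass `os.environ`.

```python
import re
from urllib.parse import urlsplit

# Caddy runtime placeholder of the form {env.NAME}, the pattern used throughout
# the report's Caddyfile (client_id, base_auth_url, cookie domain, auth url).
PLACEHOLDER_RE = re.compile(r"\{env\.([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample, reduced from the Caddyfile in the report (not the reporter's file).
SAMPLE_CADDYFILE = """\
security {
    oauth identity provider dex {
        client_id {env.IDP_CLIENT_ID}
        base_auth_url https://{env.IDP_DOMAIN_NAME}/
    }
    authorization policy pepperpolicy {
        set auth url https://auth.{env.DOMAIN}/oauth2/generic/authorization-code-callback
        crypto key verify {env.JWT_SHARED_KEY}
    }
}
"""

# Constructed environment for the demo; a real check would pass os.environ.
# JWT_SHARED_KEY is deliberately absent so one placeholder stays unresolved.
SAMPLE_ENV = {
    "IDP_CLIENT_ID": "caddy-demo",
    "IDP_DOMAIN_NAME": "idp.example.com",
    "DOMAIN": "example.com",
}


def referenced_env_names(text):
    """Every environment variable name the config references as {env.NAME}, sorted."""
    return sorted(set(PLACEHOLDER_RE.findall(text)))


def substitute_env(text, env):
    """Expand {env.NAME} from `env`; names that are not set are left as literal text."""
    return PLACEHOLDER_RE.sub(lambda m: env.get(m.group(1), m.group(0)), text)


def unresolved_placeholders(text):
    """Placeholders that survive substitution, in order of first appearance."""
    seen = []
    for m in PLACEHOLDER_RE.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def location_is_concrete(url):
    """True if a redirect target (directive value or Location header) is usable:
    no literal placeholder, https scheme and a real host."""
    if PLACEHOLDER_RE.search(url):
        return False
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def auth_url_is_concrete(text):
    """Find the `set auth url` directive and check its value with location_is_concrete.
    Returns False when the directive is missing or malformed."""
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] == ["set", "auth", "url"] and len(tokens) == 4:
            return location_is_concrete(tokens[3])
    return False


def preflight(text, env):
    """Render the config against `env` and report (rendered, unresolved, auth_url_ok)."""
    rendered = substitute_env(text, env)
    return rendered, unresolved_placeholders(rendered), auth_url_is_concrete(rendered)


if __name__ == "__main__":
    rendered, missing, ok = preflight(SAMPLE_CADDYFILE, SAMPLE_ENV)
    print("referenced:", referenced_env_names(SAMPLE_CADDYFILE))
    print("unresolved after substitution:", missing)
    print("auth url usable:", ok)
```

Running the check on the unrendered file reports the auth url as unusable, which is the state the report describes; after substitution with the sample mapping the auth url becomes `https://auth.example.com/...` and only `{env.JWT_SHARED_KEY}` remains unresolved, because the sample mapping leaves it out on purpose.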
