question: inject headers not presented #325

Closed
MrOzean opened this issue Mar 12, 2024 · 15 comments
Labels: javascript, question (Further information is requested), redirects

Comments


MrOzean commented Mar 12, 2024

Hello, I have a bunch of dashboards and want to make an auto redirect based on the user's email.

My setup is
Authentik 2024.2.2 as "Generic OIDC provider" at "sso.example.com"
Caddy in docker from ghcr.io/authp/authp:v1.0.5
Auth portal at "dash.example.com"
User dashboards at "USER_NICKNAME.dash.example.com" backed by the reverse_proxy directive

My Caddyfile:

{
  order authenticate before respond
  order authorize before basicauth

  security {
    oauth identity provider generic {
      realm dash
      driver generic
      client_id <ID>
      client_secret <secret>
      scopes openid email profile
      base_auth_url https://sso.example.com/
      metadata_url https://sso.example.com/application/o/dash/.well-known/openid-configuration
    }

    authentication portal auth_portal {
      crypto default token lifetime 3600
      enable identity provider generic
    
      ui {
        links {
          "My Identity" "/whoami" icon "las la-user"
        }
      }

      cookie domain example.com
      
      transform user {
        match groups andrey-keksik
        action add role authp/andrey_keksik
      }

      transform user {
        match email andrey@example.com
        action add role authp/dash_admin
      }
    }

    authorization policy pass_andrey_keksik {
      set auth url https://dash.example.com
      inject header "Remote-Email" from email # no header was provided
      inject headers with claims # no header was provided
      allow roles authp/andrey_keksik
    }

    authorization policy pass_dash_admin {
      set auth url https://dash.example.com
      inject header "Remote-Email" from email # no header was provided
      inject headers with claims # no header was provided
      allow roles authp/admin
    }
  }
}

dash.example.com {
  tls /certs/dash.example.com/fullchain.cer  /certs/dash.example.com/dash.example.com.key
  authenticate with auth_portal

  @has_andrey_email_header { # does not work, header is empty
     header "Remote-Email" "andrey@example.com"
  }

  rewrite @has_andrey_email_header andrey.dash.example.com  # no redirect
}

andrey.dash.example.com {
  authorize with pass_andrey_keksik
  reverse_proxy /* localhost:7032 
}
andrey-edit.dash.example.com {
  authorize with pass_andrey_keksik
  reverse_proxy /* localhost:7031
}

username.dash.example.com {
  ...
}

...

Login works correctly, but none of the headers from the JWT were provided.

Caddy log:

{"level":"info","ts":1710233469.6411192,"logger":"security","msg":"Successful login","session_id":"uSklJaMPGLBZ0rhEX1yR53ILZXp7yWfknGqc","request_id":"6444ff37-757c-4cad-b75e-8f5cf6e953ac","auth_method":"oauth2","auth_realm":"dash","user":{"email":"andrey@example.com","exp":1710233768,"given_name":"Андрей","groups":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik"],"iat":1710233468,"iss":"https://sso.example.com/application/o/dash/","name":"Андрей","sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
{"level":"info","ts":1710233469.6427104,"logger":"security","msg":"Successful login","session_id":"uSklJaMPGLBZ0rhEX1yR53ILZXp7yWfknGqc","request_id":"6444ff37-757c-4cad-b75e-8f5cf6e953ac","backend":{"name":"generic","realm":"dash","method":"oauth"},"user":{"addr":"192.168.101.1","email":"andrey@example.com","exp":1710237069,"given_name":"Андрей","iat":1710233469,"iss":"https://dash.example.com/oauth2/dash/","jti":"uSklJaMPGLBZ0rhEX1yR53ILZXp7yWfknGqc","name":"Андрей","nbf":1710233409000,"origin":"dash","realm":"dash","roles":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik","authp/andrey_keksik","authp/dash_admin","authp/guest"],"sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}

/whoami output:

{
  "addr": "192.168.101.1",
  "authenticated": true,
  "email": "andrey@example.com",
  "exp": 1710237069,
  "expires_at_utc": "Tue Mar 12 09:51:09 UTC 2024",
  "given_name": "Андрей",
  "iat": 1710233469,
  "iss": "https://dash.example.com/oauth2/dash/",
  "issued_at_utc": "Tue Mar 12 08:51:09 UTC 2024",
  "jti": "uSklJaMPGLBZ0rhEX1yR53ILZXp7yWfknGqc",
  "name": "Андрей",
  "nbf": 1710233409,
  "not_before_utc": "Tue Mar 12 08:50:09 UTC 2024",
  "origin": "dash",
  "realm": "dash",
  "roles": [
    "home-torrent",
    "prometheus-user",
    "andrey-syncthing",
    "andrey-keksik",
    "authp/andrey_keksik",
    "authp/dash_admin",
    "authp/guest"
  ],
  "sub": "a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"
}

Chrome devtools also does not show any extra headers.

greenpau (Owner) commented

@MrOzean , first, use container from https://github.com/authcrunch/authcrunch/pkgs/container/authcrunch

Next, add enable debug and add trace. See here https://github.com/authcrunch/authcrunch.github.io/blob/8df7a112fbf2f8c34e5a69a1be33bbeb42d4af62/assets/solutions/A00001/Caddyfile#L96

Post the request trace here. It should contain X headers.

Additionally, watch the video related to X-Headers: https://youtu.be/mDRFLX14zTk?si=uC3OZDVJ1quwSzUG

Your goal is to get X headers propagated to your proxied application.

As for the automated redirect, it is done with JS. I will add a video on how to do it.

greenpau (Owner) commented

@MrOzean , the javascript directive that can include JS code that redirects users to their own dashboards can be found here:
https://docs.authcrunch.com/docs/authenticate/ui-features#javascript

greenpau (Owner) commented

@MrOzean , review the section again: https://docs.authcrunch.com/docs/authenticate/ui-features#javascript

I added Caddyfile and custom.js for your reference. None of it requires X headers. Pure JS solution. You will have to prune JavaScript a bit, because I was trying to be more explicit for code readability purposes.

I will soon publish a video about this use case: www.youtube.com/@AuthCrunch
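A client-side redirect along the lines the owner describes, written here as an added example and not the custom.js from the AuthCrunch docs. It assumes the portal page can fetch its own /whoami as JSON in the shape shown earlier in this issue, uses the issue's role and host names (the admin host is constructed), and keys the choice on the roles the portal set server-side rather than on the email local part, with an allowlist so it can never become an open redirect.

```javascript
// Added example for this issue; not the AuthCrunch project's custom.js.
// Assumption: the portal page can fetch /whoami as JSON (the issue shows that
// output), and the "transform user" blocks have already assigned the roles.

// Allowlist: which portal role unlocks which dashboard host. Roles are
// assigned server-side from the token, so they are the trustworthy signal;
// deriving the host from the email local part would let any address name an
// arbitrary subdomain. First matching entry wins.
const DASHBOARDS = [
  { role: "authp/andrey_keksik", host: "andrey.dash.example.com" },
  { role: "authp/dash_admin", host: "admin.dash.example.com" }, // constructed host
];

// Constructed claims object mirroring the /whoami output posted in the issue.
const SAMPLE_WHOAMI = {
  authenticated: true,
  email: "andrey@example.com",
  roles: [
    "home-torrent", "prometheus-user", "andrey-syncthing", "andrey-keksik",
    "authp/andrey_keksik", "authp/dash_admin", "authp/guest",
  ],
};

// Returns the first allowlisted host whose role the user holds, or null.
function pickDashboardHost(claims, dashboards = DASHBOARDS) {
  if (!claims || claims.authenticated !== true || !Array.isArray(claims.roles)) {
    return null;
  }
  const roles = new Set(claims.roles);
  const entry = dashboards.find((d) => roles.has(d.role));
  return entry ? entry.host : null;
}

// Builds the target URL only for allowlisted hosts, so a tampered claims
// object or a typo in the mapping can never turn this into an open redirect.
function buildRedirectUrl(host, dashboards = DASHBOARDS) {
  if (host === null || !dashboards.some((d) => d.host === host)) {
    return null;
  }
  return `https://${host}/`;
}

// Avoids a redirect loop: the per-user vhost is protected by "authorize with"
// and its pages must not bounce the user back to the portal again.
function shouldRedirect(currentHost, targetHost) {
  return targetHost !== null && currentHost !== targetHost;
}

// Browser entry point. Any failure leaves the user on the portal; the
// server-side authorization policies still gate each dashboard, so this is
// convenience only, never an access-control decision.
async function redirectToDashboard(whoamiPath = "/whoami") {
  try {
    const resp = await fetch(whoamiPath, {
      credentials: "same-origin",
      headers: { Accept: "application/json" },
    });
    if (!resp.ok) return false;
    const claims = await resp.json();
    const host = pickDashboardHost(claims);
    const target = buildRedirectUrl(host);
    if (!target || !shouldRedirect(window.location.host, host)) return false;
    window.location.replace(target);
    return true;
  } catch (err) {
    console.error("dashboard redirect skipped:", err);
    return false;
  }
}

// Only wire up the redirect when running inside a browser page.
if (typeof window !== "undefined" && typeof window.fetch === "function") {
  window.addEventListener("DOMContentLoaded", () => { redirectToDashboard(); });
}
```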


MrOzean commented Mar 13, 2024

Hello, thanks for the fast reply.
The link https://github.com/authcrunch/authcrunch/pkgs/container/authcrunch returns a 404 error; I tried to use ghcr.io/authcrunch/authcrunch:v1.0.7 and got an authorization error.


MrOzean commented Mar 13, 2024

On the current version I added trace to the route.
Caddyfile part:

# dashboards
dash.example.com {
  tls /certs/dash.example.com/fullchain.cer /certs/dash.example.com/dash.example.com.key

  route {
    authenticate with auth_portal
    trace tag="tshoot"
    respond "{http.request.host}
		time: {time.now.common_log}
		id: {http.auth.user.id}
		roles: {http.auth.user.roles}"
  }

  @has_andrey_email_header {
    header "Remote-Email" "andrey@example.com"
  }

  rewrite @has_andrey_email_header andrey.dash.example.com
}

andrey.dash.example.com {
  route {
    authorize with pass_andrey_keksik
    trace tag="tshoot"
    respond "{http.request.host}
		time: {time.now.common_log}
		id: {http.auth.user.id}
		roles: {http.auth.user.roles}"
  }
  
  reverse_proxy /* localhost:7032
}

Navigate to dash.example.com -> push the login button -> push the whoami button.
Result:

{"level":"debug","ts":1710303429.3864496,"logger":"security","msg":"Redirect to authorization server","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"dd5cffc0-0869-4737-af75-cda4ffc060c6","url":"https://sso.example.com/application/o/authorize/?client_id=GHpQxIyC6BMlXry4Q7KhFpE2HRBXRG50W1FvigGH&nonce=AYRhIJvogfGcroiM8f5ibxRg1X5IDtFb&redirect_uri=https%3A%2F%2Fdash.example.com%2Foauth2%2Fdash%2Fauthorization-code-callback&response_type=code&scope=openid+email+profile&state=9025553f-91f4-41aa-a266-59316884d554"}
{"level":"debug","ts":1710303430.175213,"logger":"security","msg":"External login requested","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","base_url":"https://dash.example.com","base_path":"/","auth_method":"oauth2","auth_realm":"dash","request_path":"/oauth2/dash/authorization-code-callback"}
{"level":"debug","ts":1710303430.1752443,"logger":"security","msg":"received OAuth 2.0 response","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","params":{"code":["23ee5898bcac4bc8b291f8386ccf4fb3"],"state":["9025553f-91f4-41aa-a266-59316884d554"]}}
{"level":"debug","ts":1710303430.1752715,"logger":"security","msg":"received OAuth 2.0 code and state from the authorization server","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","state":"9025553f-91f4-41aa-a266-59316884d554","code":"23ee5898bcac4bc8b291f8386ccf4fb3"}
{"level":"debug","ts":1710303431.043035,"logger":"security","msg":"OAuth 2.0 access token response received","body":"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","redirect_uri":"https://dash.example.com/oauth2/dash/authorization-code-callback"}
{"level":"debug","ts":1710303431.0431418,"logger":"security","msg":"OAuth 2.0 access token response decoded","body":{"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMjIyYWEwYTRiNzEyNTAwM2ZiZTI3MmMwN2NjMTIwIiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL3Nzby4wemVhLmNvbS9hcHBsaWNhdGlvbi9vL2Rhc2gvIiwic3ViIjoiYTg1NTA3YWU1YzA2MGRmOTY0ZjA1ZjcyZjU0ZjAwOWQyYzdhZjdmNjBmMmI3Mzk5ZmJiODQ5MDE5YzBjNDU2YSIsImF1ZCI6IkdIcFF4SXlDNkJNbFhyeTRRN0toRnBFMkhSQlhSRzUwVzFGdmlnR0giLCJleHAiOjE3MTAzMDM3MzAsImlhdCI6MTcxMDMwMzQzMCwiYXV0aF90aW1lIjoxNzEwMjk3ODIwLCJhY3IiOiJnb2F1dGhlbnRpay5pby9wcm92aWRlcnMvb2F1dGgyL2RlZmF1bHQiLCJub25jZSI6IkFZUmhJSnZvZ2ZHY3JvaU04ZjVpYnhSZzFYNUlEdEZiIiwiZW1haWwiOiJhbmRyZXlAMHplYS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6Ilx1MDQxMFx1MDQzZFx1MDQzNFx1MDQ0MFx1MDQzNVx1MDQzOSIsImdpdmVuX25hbWUiOiJcdTA0MTBcdTA0M2RcdTA0MzRcdTA0NDBcdTA0MzVcdTA0MzkiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhbmRyZXkiLCJuaWNrbmFtZSI6ImFuZHJleSIsImdyb3VwcyI6WyJob21lLXRvcnJlbnQiLCJwcm9tZXRoZXVzLXVzZXIiLCJhbmRyZXktc3luY3RoaW5nIiwiYW5kcmV5LWtla3NpayJdLCJhenAiOiJHSHBReEl5QzZCTWxYcnk0UTdLaEZwRTJIUkJYUkc1MFcxRnZpZ0dIIiwidWlkIjoiN3JBRnJlSlhQcFpIUmNiQVIzTXVZVUkyazFkMlF3MWRlSngyTTIzNyJ9.f3JDJjkirWS4M_Nb4mJNuqRgAQRf_zU4AN5fPNUC47rlfWnmjzJCL_K8ZyACitgL4x_sVGrRNYLdIw330ZYtTkmajQ6bvVHwRpzPuBA5B0g9e9LUt_j_YazX5X_7fLHMdRzhuFpbujuQ4HQHxJL4se7ynsM0h8AaS8XcKpQF5sMZAjhuTttslAsFpiIZYM2O9p-keK8vDSKDujNOUge5Mnb3w7huDOVivr8Rky1vcsFGxaU0ruQ_dyPOOofAT9t6X30KsWVN0BipCcAeOA5lMhGcQeD5sKpfIS7L59vmtp0n_BuDzaH3joXAs2uUUKXsHKOQe-7JUGDAk7YqCX6ufs8dRIEN80WZWxyUpnoa4_TRY9s79Op1TnmAGjYWDmyW7LrYtLzcxeAeOGiv46OEyBsIV1RkrSmkKioDDYjcfvxptoIVT9FJyfDzQqaQiTUsq6F0ej6vdeSCA0btZk9uDyF6GYHbBZ5ePIocIVboWihyIedDaow3NH3JduP2Oy5IKH9IfuejEddr1SWODUMabtptgizmzy3LjPkdjwt_Gg1AvJOo74TVDSWnCU6M7NP88wNJ0suVJ2KAk87LCYmTemQ0P4QNiXhw6--bmhFFerbUJBV1AKI042LNRU0WvXUp_rwIAtCamY2yPIqa7hVwv1LAO1ZSANY9DDVLTi8acho","expires_in":300,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMjIyYWEwYTRiNzEyNTAwM2ZiZTI3MmMwN2NjMTIwIiwidHlwIjoiSldUIn0.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.Y4GFJ6zwe0aPw9uFzJC7-vJdzKdp-OKJMdXUwF5FspJTu9r9gQFmaT6jcgPnMOCuccGuxSpW2jyJqxqnSGOuQa_u1sQufA-ra856A1WM7nDhOxhr5-ZijtJwtmRWVevYi_tGZ1UHpX7hpcvzYtDuGEwWOaew1Xc56gXV9JksmVzlt4NxISnJjTw9gpn9n3UHoW7L2VB0wsp8K-0kDqlfVOzlMG7f7GSLsS7FNLpatVLWk5Rwqpzci_7-_8MBTc7FlSniWDZiyoOqGGRj1X7TENGrxiCuM0K-PD5oIhKwxpaIgOC9b_83sUagpuhdHgiCf9QLbJYUr02kwS4YqCMdPum4s86OCeOr99hKhn2vjLO49uZJZMayGmVp7bssha9Tl6Yis0M7P3DilYpBcWDU3phpZQJLyrmCk5nqO-_OdCD3hRKHkwFrCBB9FKzmcMgKp87Z9R6ihU_QYZMxhYSzJ6e9CQDn_N9iQW0vhDNqMlV8FxzXLvN2YuVg3MiqIdhUbuuoGz_gJgNcLON6Pl4EHa6WGO9GbdG5eeCcr72xO_ZJ1m6-cDYSSZF8ahZo_6A-6H8NA_IPcDCsjz61Dr56PcQ-HXlIyoxZDtxntrdglznlxZCqGbw_YwjDsO3fF5cMjwYy_0XaCjn-dH1Y1tS4G-drCzUvQl97VTwEA-XgwrY","token_type":"Bearer"}}
{"level":"debug","ts":1710303431.0431826,"logger":"security","msg":"received OAuth 2.0 authorization server access token","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","token":{"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMjIyYWEwYTRiNzEyNTAwM2ZiZTI3MmMwN2NjMTIwIiwidHlwIjoiSldUIn0.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.f3JDJjkirWS4M_Nb4mJNuqRgAQRf_zU4AN5fPNUC47rlfWnmjzJCL_K8ZyACitgL4x_sVGrRNYLdIw330ZYtTkmajQ6bvVHwRpzPuBA5B0g9e9LUt_j_YazX5X_7fLHMdRzhuFpbujuQ4HQHxJL4se7ynsM0h8AaS8XcKpQF5sMZAjhuTttslAsFpiIZYM2O9p-keK8vDSKDujNOUge5Mnb3w7huDOVivr8Rky1vcsFGxaU0ruQ_dyPOOofAT9t6X30KsWVN0BipCcAeOA5lMhGcQeD5sKpfIS7L59vmtp0n_BuDzaH3joXAs2uUUKXsHKOQe-7JUGDAk7YqCX6ufs8dRIEN80WZWxyUpnoa4_TRY9s79Op1TnmAGjYWDmyW7LrYtLzcxeAeOGiv46OEyBsIV1RkrSmkKioDDYjcfvxptoIVT9FJyfDzQqaQiTUsq6F0ej6vdeSCA0btZk9uDyF6GYHbBZ5ePIocIVboWihyIedDaow3NH3JduP2Oy5IKH9IfuejEddr1SWODUMabtptgizmzy3LjPkdjwt_Gg1AvJOo74TVDSWnCU6M7NP88wNJ0suVJ2KAk87LCYmTemQ0P4QNiXhw6--bmhFFerbUJBV1AKI042LNRU0WvXUp_rwIAtCamY2yPIqa7hVwv1LAO1ZSANY9DDVLTi8acho","expires_in":300,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMjIyYWEwYTRiNzEyNTAwM2ZiZTI3MmMwN2NjMTIwIiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL3Nzby4wemVhLmNvbS9hcHBsaWNhdGlvbi9vL2Rhc2gvIiwic3ViIjoiYTg1NTA3YWU1YzA2MGRmOTY0ZjA1ZjcyZjU0ZjAwOWQyYzdhZjdmNjBmMmI3Mzk5ZmJiODQ5MDE5YzBjNDU2YSIsImF1ZCI6IkdIcFF4SXlDNkJNbFhyeTRRN0toRnBFMkhSQlhSRzUwVzFGdmlnR0giLCJleHAiOjE3MTAzMDM3MzAsImlhdCI6MTcxMDMwMzQzMCwiYXV0aF90aW1lIjoxNzEwMjk3ODIwLCJhY3IiOiJnb2F1dGhlbnRpay5pby9wcm92aWRlcnMvb2F1dGgyL2RlZmF1bHQiLCJub25jZSI6IkFZUmhJSnZvZ2ZHY3JvaU04ZjVpYnhSZzFYNUlEdEZiIiwiZW1haWwiOiJhbmRyZXlAMHplYS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6Ilx1MDQxMFx1MDQzZFx1MDQzNFx1MDQ0MFx1MDQzNVx1MDQzOSIsImdpdmVuX25hbWUiOiJcdTA0MTBcdTA0M2RcdTA0MzRcdTA0NDBcdTA0MzVcdTA0MzkiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhbmRyZXkiLCJuaWNrbmFtZSI6ImFuZHJleSIsImdyb3VwcyI6WyJob21lLXRvcnJlbnQiLCJwcm9tZXRoZXVzLXVzZXIiLCJhbmRyZXktc3luY3RoaW5nIiwiYW5kcmV5LWtla3NpayJdfQ.Y4GFJ6zwe0aPw9uFzJC7-vJdzKdp-OKJMdXUwF5FspJTu9r9gQFmaT6jcgPnMOCuccGuxSpW2jyJqxqnSGOuQa_u1sQufA-ra856A1WM7nDhOxhr5-ZijtJwtmRWVevYi_tGZ1UHpX7hpcvzYtDuGEwWOaew1Xc56gXV9JksmVzlt4NxISnJjTw9gpn9n3UHoW7L2VB0wsp8K-0kDqlfVOzlMG7f7GSLsS7FNLpatVLWk5Rwqpzci_7-_8MBTc7FlSniWDZiyoOqGGRj1X7TENGrxiCuM0K-PD5oIhKwxpaIgOC9b_83sUagpuhdHgiCf9QLbJYUr02kwS4YqCMdPum4s86OCeOr99hKhn2vjLO49uZJZMayGmVp7bssha9Tl6Yis0M7P3DilYpBcWDU3phpZQJLyrmCk5nqO-_OdCD3hRKHkwFrCBB9FKzmcMgKp87Z9R6ihU_QYZMxhYSzJ6e9CQDn_N9iQW0vhDNqMlV8FxzXLvN2YuVg3MiqIdhUbuuoGz_gJgNcLON6Pl4EHa6WGO9GbdG5eeCcr72xO_ZJ1m6-cDYSSZF8ahZo_6A-6H8NA_IPcDCsjz61Dr56PcQ-HXlIyoxZDtxntrdglznlxZCqGbw_YwjDsO3fF5cMjwYy_0XaCjn-dH1Y1tS4G-drCzUvQl97VTwEA-XgwrY","token_type":"Bearer"}}
{"level":"debug","ts":1710303431.045312,"logger":"security","msg":"decoded claims from OAuth 2.0 authorization server access token","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","claims":{"email":"andrey@example.com","exp":1710303730,"given_name":"Андрей","groups":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik"],"iat":1710303430,"iss":"https://sso.example.com/application/o/dash/","name":"Андрей","sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
{"level":"info","ts":1710303431.0453367,"logger":"security","msg":"Successful login","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","auth_method":"oauth2","auth_realm":"dash","user":{"email":"andrey@example.com","exp":1710303730,"given_name":"Андрей","groups":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik"],"iat":1710303430,"iss":"https://sso.example.com/application/o/dash/","name":"Андрей","sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
{"level":"debug","ts":1710303431.0453792,"logger":"security","msg":"user transformation ended","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","user":{"addr":"192.168.101.1","email":"andrey@example.com","exp":1710307031,"given_name":"Андрей","iat":1710303431,"iss":"https://dash.example.com/oauth2/dash/","jti":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","name":"Андрей","nbf":1710303371000,"origin":"dash","realm":"dash","roles":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik","authp/andrey_keksik","authp/dash_admin"],"sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
{"level":"info","ts":1710303431.046944,"logger":"security","msg":"Successful login","session_id":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","request_id":"5e0a997d-fe18-4c88-bc14-0889427adcb5","backend":{"name":"generic","realm":"dash","method":"oauth"},"user":{"addr":"192.168.101.1","email":"andrey@example.com","exp":1710307031,"given_name":"Андрей","iat":1710303431,"iss":"https://dash.example.com/oauth2/dash/","jti":"mmEAk2RYV3Gs3TH9sNFVdWjAL2ggIwQ97Mz7fdXOJJ4","name":"Андрей","nbf":1710303371000,"origin":"dash","realm":"dash","roles":["home-torrent","prometheus-user","andrey-syncthing","andrey-keksik","authp/andrey_keksik","authp/dash_admin","authp/guest"],"sub":"a85507ae5c060df964f05f72f54f009d2c7af7f60f2b7399fbb849019c0c456a"}}
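
The `security` logger lines above show the full authorization-code round trip: the portal records the `state` it sends to the IdP in the "Redirect to authorization server" event and, a second later, the `state` it gets back in the callback. An added example (my code, not part of the issue and not authp code) that checks that correlation and the `redirect_uri` from the same log format; the sample lines are constructed in the shape of the ones above with placeholder identifiers, and the allow-listed callback URL is an assumption taken from the issue's setup.

```javascript
// Added example, not authp code or the issue author's: verify the OAuth 2.0
// authorization-code round trip from Caddy "security" logger JSON lines.
// SAMPLE_LOG is constructed in the shape of the issue's log with placeholder ids.

const SAMPLE_LOG = [
  '{"level":"info","ts":1710303418.8,"msg":"serving initial configuration"}',
  JSON.stringify({
    level: "debug", ts: 1710303429.38, logger: "security",
    msg: "Redirect to authorization server", session_id: "sess-1", request_id: "req-1",
    url: "https://sso.example.com/application/o/authorize/?client_id=CLIENT_ID&nonce=NONCE-1"
       + "&redirect_uri=https%3A%2F%2Fdash.example.com%2Foauth2%2Fdash%2Fauthorization-code-callback"
       + "&response_type=code&scope=openid+email+profile&state=STATE-1",
  }),
  JSON.stringify({
    level: "debug", ts: 1710303430.17, logger: "security",
    msg: "received OAuth 2.0 code and state from the authorization server",
    session_id: "sess-1", request_id: "req-2", state: "STATE-1", code: "CODE-1",
  }),
  JSON.stringify({
    level: "info", ts: 1710303431.04, logger: "security", msg: "Successful login",
    session_id: "sess-1", request_id: "req-2", user: { email: "andrey@example.com" },
  }),
].join("\n");

// Assumed allow-list of callback URLs the portal may hand to the IdP.
const ALLOWED_REDIRECT_URIS = new Set([
  "https://dash.example.com/oauth2/dash/authorization-code-callback",
]);

// Keep only well-formed JSON lines that come from the "security" logger.
function parseSecurityEvents(text) {
  const events = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    let ev;
    try { ev = JSON.parse(line); } catch (_) { continue; } // skip non-JSON noise
    if (ev && ev.logger === "security") events.push(ev);
  }
  return events;
}

// Query parameters of the authorize URL the portal redirected to, or null.
function authorizeParams(url) {
  try { return new URL(url).searchParams; } catch (_) { return null; }
}

// For every callback event, compare the returned state with the one sent
// earlier in the same session, and check the redirect_uri that was sent.
// A callback with no matching redirect in the log is flagged as well.
function checkAuthCodeFlow(events) {
  const sent = new Map(); // session_id -> { state, redirectUri }
  const findings = [];
  for (const ev of events) {
    if (ev.msg === "Redirect to authorization server" && ev.session_id) {
      const p = authorizeParams(ev.url);
      sent.set(ev.session_id, {
        state: p ? p.get("state") : null,
        redirectUri: p ? p.get("redirect_uri") : null,
      });
    } else if (ev.msg === "received OAuth 2.0 code and state from the authorization server") {
      const s = sent.get(ev.session_id);
      findings.push({
        session_id: ev.session_id,
        stateMatches: Boolean(s) && s.state !== null && s.state === ev.state,
        redirectUriAllowed: Boolean(s) && ALLOWED_REDIRECT_URIS.has(s.redirectUri),
      });
    }
  }
  return findings;
}

function run(text) {
  return checkAuthCodeFlow(parseSecurityEvents(text));
}

console.log(run(SAMPLE_LOG));
```

Feed it the raw debug log (`docker logs caddy | node check.js`-style piping is left out to keep the block self-contained); a callback whose `state` was never issued in that session, or whose `redirect_uri` is not on the list, is what you would want an alert on.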

@greenpau
Owner

@MrOzean , where is the log when you try going to a dashboard?

@greenpau
Owner

Also, something strange: there are no traces in the log.

Remove the rewrite directive and the has conditional.

@greenpau
Owner

@MrOzean , please reach out on WhatsApp (12123807343), I will try to explain over the phone.

@MrOzean
Author

MrOzean commented Mar 13, 2024

First, I think I need to update the container. As I said, the link https://github.com/authcrunch/authcrunch/pkgs/container/authcrunch leads to a 404 error, and trying to use ghcr.io/authcrunch/authcrunch:v1.0.7 gave an authorization error.

@MrOzean
Author

MrOzean commented Mar 13, 2024

About the phone call: not a good idea. My spoken English is far from perfect, plus there is a 12-hour time difference, plus this conversation can help anyone else.

@MrOzean
Author

MrOzean commented Mar 13, 2024

The JS redirect works perfectly, thanks. Working solution:

Caddyfile:

{
	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider generic {
			realm dash
			driver generic
			client_id <CLIENT_ID>
			client_secret <SECRET>
			scopes openid email profile
			base_auth_url https://sso.example.com/
			metadata_url https://sso.example.com/application/o/dash/.well-known/openid-configuration
		}

		authentication portal auth_portal {
			crypto default token lifetime 3600
			enable identity provider generic

			ui {
				links {
					"My Identity" "/whoami" icon "las la-user"
				}

				custom js path /js/redirect_to_dashboard_by_email.js
			}

			cookie domain example.com

			transform user {
				match groups andrey-keksik
				action add role authp/andrey_keksik
			}

			transform user {
				match email andrey@example.com
				action add role authp/dash_admin
			}
		}

		authorization policy pass_andrey_keksik {
			set auth url https://dash.example.com
			allow roles authp/andrey_keksik
		}

		authorization policy pass_dash_admin {
			set auth url https://dash.example.com
			# the role added by the email transform above
			allow roles authp/dash_admin
		}
	}
}

# dashboards
dash.example.com {
	tls /certs/dash.example.com/fullchain.cer /certs/dash.example.com/dash.example.com.key
	authenticate with auth_portal
}

andrey.dash.example.com {
	authorize with pass_andrey_keksik
	reverse_proxy /* localhost:7032
}
...

JS file:

(async () => {
  console.log("Injected JS Found");

  const whoamiEndpoint = "/whoami";
  const portalEndpoint = "/portal";
  const dashboardBaseUrl = "https://dash.example.com";
  // A user's subdomain must be a single DNS label; anything else in the
  // email's local part (dots, slashes, '?', '#') is refused so the redirect
  // can only ever point under the dashboard domain.
  const dnsLabel = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

  // GET the portal's /whoami endpoint; the session cookie is sent automatically.
  async function fetchUserData(path) {
    try {
      const response = await fetch(path, {
        method: "GET",
        headers: { Accept: "application/json" },
      });
      if (response.ok) {
        return await response.json();
      }
      console.log(path, "fetch returned a non-success status", response.status, response.statusText);
    } catch (error) {
      console.log("encountered error while fetching user data", error);
    }
    return null;
  }

  try {
    if (typeof window !== "undefined") {
      const currentURL = new URL(window.location.href);

      // Only act on the portal landing page itself.
      if (currentURL.href === dashboardBaseUrl + portalEndpoint) {
        console.log(currentURL);
        const userData = await fetchUserData(dashboardBaseUrl + whoamiEndpoint);

        if (userData && typeof userData.email === "string" && userData.email.includes("@")) {
          const email = userData.email;
          const userId = email.substring(0, email.indexOf("@")).toLowerCase();
          if (!dnsLabel.test(userId)) {
            console.log("email local part is not a valid subdomain label, not redirecting", userId);
            return;
          }
          const redirectUrl = "https://" + userId + "." + new URL(dashboardBaseUrl).hostname;
          console.log(`Redirecting user ${userId} to ${redirectUrl}`);
          window.location.href = redirectUrl;
        } else {
          console.log("No email found in user data", userData);
        }
      }
    }
  } catch (error) {
    console.log("encountered error", error);
  }
})();
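
The script above turns the local part of the `/whoami` email straight into a hostname. Because an email local part may legally contain dots, slashes and query characters, the string concatenation decides where the browser ends up. An added example (my code, not the issue author's script and not authp code) of the same derivation with the local part validated as a single DNS label first, next to the naive concatenation for contrast; `DASHBOARD_HOST` is assumed from the issue's setup and the email inputs are constructed.

```javascript
// Added example (not the issue author's script, not authp code): derive the
// per-user dashboard URL from an email, accepting only a local part that is a
// valid single DNS label so the result always sits directly under the
// dashboard domain. Inputs are constructed for illustration.

const DASHBOARD_HOST = "dash.example.com"; // assumed base hostname, as in the issue
const DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Local part of an address, or null when there is no '@', no local part or
// no domain part.
function localPartOf(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(0, at);
}

// Returns "https://<label>.<baseHost>/" or null when the email cannot be
// mapped safely (dots, slashes, '?', '#' and similar are all refused).
function dashboardUrlForEmail(email, baseHost = DASHBOARD_HOST) {
  const local = localPartOf(email);
  if (local === null) return null;
  const label = local.toLowerCase();
  if (!DNS_LABEL.test(label)) return null;
  const url = new URL(`https://${label}.${baseHost}/`);
  // Belt and braces: the parsed hostname must be exactly label.baseHost.
  if (url.hostname !== `${label}.${baseHost}`) return null;
  return url.href;
}

// The unvalidated concatenation from the injected script, kept for contrast.
function naiveRedirect(email, baseHost = DASHBOARD_HOST) {
  const userId = email.substring(0, email.indexOf("@"));
  return "https://" + userId + "." + baseHost;
}

console.log(dashboardUrlForEmail("andrey@example.com"));   // https://andrey.dash.example.com/
console.log(dashboardUrlForEmail("first.last@example.com")); // null
console.log(naiveRedirect("andrey/x@example.com"));         // hostname is no longer under dash.example.com
```

A rejected address should fall through to the portal page rather than to any redirect; since the browser only sees what the portal's `/whoami` returns for the signed-in user, the check is cheap insurance against an IdP attribute that was never meant to be a hostname.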

@greenpau
Owner

> About the phone call: not a good idea. My spoken English is far from perfect, plus there is a 12-hour time difference, plus this conversation can help anyone else.

I can speak Russian.

@greenpau
Owner

@MrOzean , glad this is resolved!

@MrOzean
Author

MrOzean commented Mar 14, 2024

Thanks for help!

@greenpau
Owner

I recorded a video about this one: https://youtu.be/DAzfxtqxD5s
