pass oauth claim as header
@@ -1,21 +1,30 @@
|
|||||||
order authenticate before respond
|
order authenticate before respond
|
||||||
order authorize before reverse_proxy
|
order authorize before reverse_proxy
|
||||||
security {
|
security {
|
||||||
|
local identity store localdb {
|
||||||
|
realm local
|
||||||
|
path /data/caddy/users.json
|
||||||
|
}
|
||||||
oauth identity provider generic {
|
oauth identity provider generic {
|
||||||
realm mine
|
realm remote
|
||||||
driver generic
|
driver generic
|
||||||
client_id {$OAUTH_CLIENT_ID}
|
client_id {$OAUTH_CLIENT_ID}
|
||||||
client_secret {$OAUTH_CLIENT_SECRET}
|
client_secret {$OAUTH_CLIENT_SECRET}
|
||||||
scopes openid email profile
|
scopes openid email profile seafile joh
|
||||||
|
|
||||||
|
enable logout
|
||||||
|
# extract all from userinfo
|
||||||
|
extract seafile_email from userinfo
|
||||||
|
|
||||||
delay_start 5
|
delay_start 5
|
||||||
retry_attempts 3
|
retry_attempts 3
|
||||||
retry_interval 10
|
retry_interval 10
|
||||||
|
|
||||||
base_auth_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}
|
base_auth_url https://authentik.{$DOMAIN}
|
||||||
metadata_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration
|
metadata_url https://authentik.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration
|
||||||
}
|
}
|
||||||
authentication portal myportal {
|
authentication portal myportal {
|
||||||
|
enable identity store localdb
|
||||||
enable identity provider generic
|
enable identity provider generic
|
||||||
cookie domain {$DOMAIN}
|
cookie domain {$DOMAIN}
|
||||||
ui {
|
ui {
|
||||||
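Review bot: The new `base_auth_url` and `metadata_url` drop the `{$SUBDOMAIN}.` label (`https://authentik.{$DOMAIN}`) while every other host in this config still carries it — the UI links and `set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic` in the next hunk, and the `test.{$SUBDOMAIN}.{$DOMAIN}` site in the last one — so if that is unintentional, OIDC discovery is fetched from a different host than the one users are sent to, and `delay_start 5` / `retry_attempts 3` would only mask the failure rather than fix it. The comment `# extract all from userinfo` no longer matches the single `extract seafile_email from userinfo` line beneath it; `# pull the seafile_email claim from the userinfo response` would describe what is configured. The trailing `joh` in `scopes openid email profile seafile joh` looks like a leftover; scopes the provider does not recognise are usually ignored silently, so it is worth confirming it is intended. Adding the `localdb` store at `/data/caddy/users.json` makes that file an authentication source in its own right — via the `match origin local` transform in the next hunk every account in it gets `authp/user` and passes `mypolicy` — so its filesystem permissions should be limited to the Caddy process.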
@@ -24,24 +33,27 @@ security {
|
|||||||
"Jellyfin" https://jellyfin.{$SUBDOMAIN}.{$DOMAIN} icon "las la-play"
|
"Jellyfin" https://jellyfin.{$SUBDOMAIN}.{$DOMAIN} icon "las la-play"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
transform user {
|
transform user {
|
||||||
match realm mine
|
match realm remote
|
||||||
action add role authp/user
|
action add role authp/user
|
||||||
|
action add iets "Zo iets!" as string
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
transform user {
|
transform user {
|
||||||
match realm mine
|
match origin local
|
||||||
|
action add role authp/user
|
||||||
# Give this account admin role in the auth portal
|
|
||||||
match email rik.veenboer@gmail.com
|
|
||||||
action add role authp/admin
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
authorization policy mypolicy {
|
authorization policy mypolicy {
|
||||||
set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic
|
set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic
|
||||||
allow roles authp/admin authp/user
|
allow roles authp/admin authp/user
|
||||||
validate bearer header
|
validate bearer header
|
||||||
|
|
||||||
|
set user identity seafile_id
|
||||||
|
|
||||||
inject headers with claims
|
inject headers with claims
|
||||||
|
inject header "X-Seafile-Email" from "user|email"
|
||||||
|
inject header "X-Test" from "userinfo|seafile_email"
|
||||||
|
inject header "X-Onzin" from "realm"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
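Review bot: Two of the three claim headers added to `mypolicy` look like debugging leftovers that are now forwarded to the upstream on every request: `inject header "X-Test" from "userinfo|seafile_email"` and `inject header "X-Onzin" from "realm"`, matching the `action add iets "Zo iets!" as string` transform above. If the `seafile_email` claim is the value the upstream is meant to authenticate on, `X-Seafile-Email` appears to be sourced from the wrong claim (`user|email`) and the lines should become `inject header "X-Seafile-Email" from "userinfo|seafile_email"` with `X-Test`, `X-Onzin` and the `iets` action removed. Since the upstream presumably treats `X-Seafile-Email` as an already-authenticated identity, it should be reachable only through the site blocks that apply `mypolicy` (such as the one in the last hunk) so that the header can only ever be set by this proxy; that cannot be verified from the config shown. Note also that `match origin local` plus `allow roles authp/admin authp/user` makes a local-store account fully equivalent to a federated one for everything behind this policy.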
@@ -4,7 +4,7 @@ test.{$SUBDOMAIN}.{$DOMAIN} {
|
|||||||
}
|
}
|
||||||
|
|
||||||
authorize with mypolicy
|
authorize with mypolicy
|
||||||
reverse_proxy host:15000
|
reverse_proxy host:12345
|
||||||
}
|
}
|
||||||
|
|
||||||
auth.{$SUBDOMAIN}.{$DOMAIN} {
|
auth.{$SUBDOMAIN}.{$DOMAIN} {
|
||||||
|
|||||||