# caddy-security's handlers have no default position in Caddy's handler chain;
# without this `order` line the `authenticate` directive cannot be used in
# site blocks. It must run before any `respond` that would serve content.
order authenticate before respond
# `authorize` must run before `reverse_proxy`: only then is every request that
# reaches the upstream checked against the authorization policy and given the
# injected identity headers. If this ordering is wrong the upstream is exposed.
order authorize before reverse_proxy
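security {
	# Local user database (fallback realm). users.json holds credential hashes
	# and is the only store not backed by the IdP, so restrict its permissions
	# to the Caddy process user.
	local identity store localdb {
		realm local
		path /data/caddy/users.json
	}

	# OIDC login against Authentik. Discovery metadata is fetched from
	# metadata_url at start-up; delay_start / retry_* below cover the case where
	# Authentik is not yet up when Caddy starts.
	oauth identity provider generic {
		realm remote
		driver generic
		client_id {$OAUTH_CLIENT_ID}
		client_secret {$OAUTH_CLIENT_SECRET}
		# NOTE(review): "joh" is not a standard OIDC scope and looks like a
		# stray token; confirm it is a scope actually defined in Authentik,
		# otherwise the authorization request may be rejected.
		scopes openid email profile seafile joh

		enable logout

		# extract all from userinfo
		# Only the claim forwarded to the upstream is pulled from userinfo.
		extract seafile_email from userinfo

		delay_start 5
		retry_attempts 3
		retry_interval 10

		base_auth_url https://authentik.{$DOMAIN}
		metadata_url https://authentik.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration
	}

	authentication portal myportal {
		enable identity store localdb
		enable identity provider generic

		# The session cookie is scoped to the apex domain, so every host under
		# {$DOMAIN} receives it. Only keep this if all of those hosts are
		# trusted: a compromised sibling subdomain can otherwise read the token.
		cookie domain {$DOMAIN}

		ui {
			links {
				"My Identity" "/whoami" icon "las la-user"
			}
		}

		# Role mapping: every user who completes a login in either realm gets
		# authp/user. Together with `allow roles` in the policy below this means
		# access control is delegated entirely to who Authentik lets log in to
		# the "caddy" application and to who is present in users.json.
		transform user {
			match realm remote
			action add role authp/user
		}

		transform user {
			match origin local
			action add role authp/user
		}
	}

	authorization policy mypolicy {
		# Redirect target for unauthenticated requests. Note it is under
		# {$SUBDOMAIN}.{$DOMAIN} while the cookie above is scoped to {$DOMAIN};
		# confirm this is the host the portal is actually served on.
		set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic

		allow roles authp/admin authp/user

		# Also accept a bearer token from the Authorization header (API clients).
		validate bearer header

		# NOTE(review): the provider above extracts seafile_email, not
		# seafile_id; confirm this field name is valid for `set user identity`
		# and matches a claim present in the token/userinfo.
		set user identity seafile_id

		# Identity is passed to the upstream as request headers. The upstream
		# may trust them only because this proxy is its sole entry point: every
		# route that reaches the reverse_proxy must go through this policy, and
		# the upstream must not be reachable directly, otherwise a client can
		# supply X-Seafile-Email itself.
		inject headers with claims
		inject header "X-Seafile-Email" from "userinfo|seafile_email"
	}
}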