🐛 Bug Report: Caddy, caddy-security and Pocket-ID not working? #342

Closed
opened 2025-10-08 00:04:15 +03:00 by OVERLORD · 0 comments
Owner

Originally created by @web-josh on GitHub.

### Reproduction steps

Hey guys,
I tried to protect a docker service pointed to a subdomain with pocket-id, caddy reverse proxy and the caddy-security plugin (`caddy add-package github.com/greenpau/caddy-security`).
Sadly this doesn't seem to work. I know from reddit that there are a couple of open threads that also struggle with this.
The plugin is installed, pocket-id runs correctly (and is already working for other services); this is the Caddyfile:

```
{
	email blub@myDomain.dev
	# Port to listen on
	http_port 443

	# Configure caddy-security.
	order authenticate before respond
	security {
		oauth identity provider generic {
			delay_start 3
			realm generic
			driver generic
			client_id <CLIENT-ID>
			client_secret <CLIENT-SECRET>
			scopes openid email profile
			base_auth_url http://localhost
			metadata_url http://localhost/.well-known/openid-configuration
		}

		authentication portal myportal {
			crypto default token lifetime 3600 # Seconds until you have to re-authenticate
			enable identity provider generic
			cookie insecure off # Set to "on" if you're not using HTTPS

			transform user {
				match realm generic
				action add role user
			}
		}

		authorization policy mypolicy {
			set auth url /caddy-security/oauth2/generic
			allow roles user
			inject headers with claims
		}
	}
}

subdomain.myDomain.dev {
	@auth {
		path /caddy-security/*
	}

	route @auth {
		authenticate with myportal
	}

	route /* {
		authorize with mypolicy
		reverse_proxy myDockerService:3000 # Replace with your own service
	}
}

# Other stuff that doesn't need to be protected by pocket-id
ai.myDomain.dev {
	reverse_proxy open-webui:8080
}

git.myDomain.dev {
	reverse_proxy gitea:3000
}
```

This gives me the following error:
```
docker logs caddy-caddy-1
{"level":"info","ts":1739791363.5531156,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
Error: adapting config using caddyfile: parsing caddyfile tokens for 'order': authenticate is not a registered directive, at /etc/caddy/Caddyfile:7
```

I'm thankful for every help!

### Expected behavior

Subdomain should be protected by pocket-id

### Actual Behavior

Caddy reverse proxy throws error

### Version and Environment

v 0.33

All in Docker compose environments

### Log Output

No response
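Caddy only knows a Caddyfile directive such as `authenticate` if the plugin that registers it was compiled into the binary that is actually running; "X is not a registered directive" is the adapter's way of saying no loaded module claimed that directive. The following POSIX shell snippet is an added example, not code from the issue, from Pocket-ID or from caddy-security: it checks the output of `caddy list-modules` for the plugin's module IDs (the three IDs are assumed from the caddy-security documentation), tells you whether a given Caddyfile depends on them, and validates the Caddyfile with Caddy's own adapter. Run it inside the same container image that serves traffic, since that is the binary whose module list matters.

```shell
#!/bin/sh
# Added example (not part of the issue or of either project).
# Verifies that the running Caddy binary carries the caddy-security plugin
# before trusting directives such as "order authenticate before respond".
#
# Module IDs assumed from the caddy-security documentation:
#   security                     (the app configured by the "security { }" block)
#   http.handlers.authenticator  (registers the "authenticate" directive)
#   http.handlers.authorizer     (registers the "authorize" directive)
SECURITY_MODULE_IDS="security http.handlers.authenticator http.handlers.authorizer"

# check_security_modules reads `caddy list-modules` output on stdin and returns 0
# only if every plugin module is present. Non-standard modules are listed as
# "<id> <version>", so compare the first field only, as an exact string.
check_security_modules() {
    modules=$(cat)
    missing=""
    for id in $SECURITY_MODULE_IDS; do
        printf '%s\n' "$modules" | awk '{print $1}' | grep -qxF "$id" \
            || missing="$missing $id"
    done
    if [ -n "$missing" ]; then
        echo "missing caddy-security modules:$missing" >&2
        return 1
    fi
    return 0
}

# caddyfile_uses_security returns 0 if the Caddyfile at $1 references directives
# that exist only when the plugin is built in (order/authenticate/authorize/security).
caddyfile_uses_security() {
    grep -qE '^[[:space:]]*(order[[:space:]]+authenticate|authenticate[[:space:]]+with|authorize[[:space:]]+with|security[[:space:]]*\{)' "$1"
}

# validate_caddyfile runs Caddy's config adapter on the Caddyfile at $1 and
# returns its exit status, so the same "not a registered directive" error surfaces
# before the container restarts into a crash loop.
validate_caddyfile() {
    caddy validate --config "$1" --adapter caddyfile
}

# preflight ties the checks together: $1 is the Caddyfile path. It returns 1 if
# the Caddyfile needs the plugin but the binary on PATH does not provide it.
preflight() {
    if caddyfile_uses_security "$1"; then
        caddy list-modules | check_security_modules || return 1
    fi
    validate_caddyfile "$1"
}

# Usage, inside the container that serves traffic:
#   preflight /etc/caddy/Caddyfile
```

If `check_security_modules` reports missing modules, the Caddyfile itself is not the problem; the binary that reads it was built without the plugin, which is exactly the situation the adapter error on this page describes.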

OVERLORD added the bug label 2025-10-08 00:04:15 +03:00
Reference: starred/pocket-id-pocket-id-1#342