🐛 Bug Report: caddy-security Unauthorized "no token found" #395

Closed
opened 2025-10-09 16:44:02 +03:00 by OVERLORD · 0 comments
Owner

Originally created by @jmadden91 on GitHub.

Reproduction steps

Hi, thanks again for the great work on this program. I've been tearing my hair out with this for hours now, I fully suspect the issue is with my caddy config rather than pocket-id, so I'm sorry if that is the case and this is not the right place for this issue.

I have set up caddy security and pocket id, created an OIDC client in pocket-id called caddy, with the callback URL set to: https://*.mydomain.com/auth/oauth2/generic/authorization-code-callback

When I go to the service I am trying to protect (whoami) I am redirected to pocket-id, I can successfully log in, but then I am redirected back to a generic authentication portal page that says Unauthorized.

The error in my caddy logs is {"level":"error","ts":1737419909.9818547,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=192.168.1.15, src_conn_ip=192.168.1.15, reason: no token found"}

Here is my caddyfile:

```
# GLOBAL SETTINGS
{
    dynamic_dns {
        provider cloudflare {env.CLOUDFLARE_API_TOKEN}
        domains {
            {env.DOMAIN} @ *
        }
        check_interval 10m
        versions ipv4
    }
    ########### Configure caddy-security ################
    order authenticate before respond
    security {
        oauth identity provider generic {
            delay_start 3
            realm generic
            driver generic
            client_id 806ef239-c81f-4f56-8810-12882170239f
            client_secret nKLUM2m3xw6V0Mgl1naPBaopcNtHTpEp6BWcsYkxOToofojYfyDgPn7sfYwNEv7o
            scopes openid email profile
            base_auth_url https://pocket-id.{env.DOMAIN}
            metadata_url https://pocket-id.{env.DOMAIN}/.well-known/openid-configuration
        }
        authentication portal myportal {
            crypto default token lifetime 3600 # Seconds until you have to re-authenticate
            enable identity provider generic
            cookie insecure off # Set to "on" if you're not using HTTPS
            transform user {
                match realm generic
                action add role user
            }
        }
        authorization policy mypolicy {
            set auth url /auth/oauth2/generic
            allow roles user
            inject headers with claims
        }
    }
}
# WILDCARD Cert for all sites
*.{env.DOMAIN} {
    encode gzip
    log {
        level INFO
        output file /var/logs/caddy.log {
            roll_size 10MB
            roll_keep 10
        }
    }
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        resolvers 1.1.1.1 8.8.8.8
    }
    # pocket-id #this is my authentication portal
    @pocket-id host pocket-id.{env.DOMAIN}
    handle @pocket-id {
        reverse_proxy pocket-id:80
    }
    # whoami #unprotected
    @whoami-noauth host whoami-noauth.{env.DOMAIN}
    handle @whoami-noauth {
        reverse_proxy whoami:80
    }
    # whoami #service to be protected
    @whoami host whoami.{env.DOMAIN}
    handle @whoami {
        @auth {
            path /auth/oauth2/generic
            path /auth/oauth2/generic/authorization-code-callback
        }
        route @auth {
            authenticate with myportal
        }
        route /* {
            authorize with mypolicy
            reverse_proxy whoami:80
        }
    }
    # Handle unlisted subdomains
    handle {
        respond "This service is not available" 404
        #abort
    }
}
```

Expected behavior

It redirects back to my whoami page.

Actual Behavior

As above
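The authorizer error quoted in the report is a JSON log record whose `error` field packs the source IPs and the failure reason into one string. The following is an added example (not part of the issue or of caddy-security) that splits such lines into structured fields and counts failures per source IP and reason, so that a "no token found" burst can be told apart from other authorization failures; the sample log lines are constructed.

```python
"""Parse caddy-security authorizer failures out of Caddy's JSON log (added example)."""
import json
import re
from collections import Counter
from typing import Optional

# Shape of the "error" field in the report:
# "user authorization failed: src_ip=..., src_conn_ip=..., reason: no token found"
_AUTHZ_RE = re.compile(
    r"user authorization failed: (?P<kv>(?:\w+=\S+?,\s*)*)reason: (?P<reason>.+)$"
)


def parse_authz_failure(line: str) -> Optional[dict]:
    """Return ts/src_ip/src_conn_ip/reason for an authorizer error line, else None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None  # not a JSON record (e.g. console log format); skip it
    if rec.get("logger") != "http.handlers.authentication" or rec.get("provider") != "authorizer":
        return None
    m = _AUTHZ_RE.search(rec.get("error", ""))
    if not m:
        return None
    # Turn "src_ip=1.2.3.4, src_conn_ip=1.2.3.4, " into a dict of key/value pairs.
    fields = dict(re.findall(r"(\w+)=([^,\s]+)", m.group("kv")))
    return {
        "ts": rec.get("ts"),
        "src_ip": fields.get("src_ip"),
        "src_conn_ip": fields.get("src_conn_ip"),
        "reason": m.group("reason").strip(),
    }


def summarize(lines) -> Counter:
    """Count failures per (src_ip, reason). "no token found" means the authorizer saw
    no token in the request at all (cookie or header); check the portal cookie domain
    and the protected host before reading it as anything other than a config problem."""
    counts: Counter = Counter()
    for line in lines:
        hit = parse_authz_failure(line)
        if hit:
            counts[(hit["src_ip"], hit["reason"])] += 1
    return counts


# Constructed sample log: the line from the report plus two lines that must be ignored.
SAMPLE_LOG = [
    '{"level":"error","ts":1737419909.9818547,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=192.168.1.15, src_conn_ip=192.168.1.15, reason: no token found"}',
    '{"level":"info","ts":1737419910.1,"logger":"http.log.access","msg":"handled request"}',
    "not a json line",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(key, n)
```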

OVERLORD added the bug label 2025-10-09 16:44:02 +03:00
Reference: starred/pocket-id-pocket-id-2#395