Caddy-security "Password authentication failed."

1. Output of caddy version:

./caddy-hetzner version
v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

I have built caddy with this command.

~/Downloads/xcaddy/xcaddy_0.3.0/xcaddy build \
--with github.com/greenpau/caddy-security \
--with github.com/kirsch33/realip \
--with github.com/caddy-dns/hetzner

# rename
cp caddy caddy-hetzner

2. How I run Caddy:

YOUR_HETZNER_AUTH_API_TOKEN=<TOKEN> JWT_SHARED_KEY=lal01 \
./caddy-hetzner run -adapter caddyfile -config security-Caddyfile

a. System environment:

lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.7 LTS
Release:	16.04
Codename:	xenial

b. Command:

YOUR_HETZNER_AUTH_API_TOKEN=<TOKEN> JWT_SHARED_KEY=lal01 \
./caddy-hetzner run -adapter caddyfile -config security-Caddyfile

c. Service/unit/compose file:

I call it via the CLI.

d. My complete Caddy config:

Because the forum does not allow posting “test<without_blank>.com”, I have to separate the domain with a “blank”.

{
	http_port 8081
	https_port 8443
	debug

	order authenticate before respond
	order authorize before basicauth

	security {
		credentials root@localhost {
			username root
			password foobar
		}

		messaging file provider my-file {
			rootdir {$HOME}/.local/caddy/myfile.json
		}

		messaging email provider localhost-smtp-server {
			address smtp.none.at:25
			protocol smtp
			passwordless
			sender al-caddysec@none.at "My Auth Portal"
			# credentials root@localhost
			#bcc greenpau@localhost
		}

		local identity store localdb {
			realm local
			path {$HOME}/.local/caddy/users.json
		}

		oauth identity provider github {env.GITHUB_CLIENT_ID} {env.GITHUB_CLIENT_SECRET}

		user registration localdbRegistry {
			dropbox {$HOME}/.local/caddy/registrations.json
			title "User Registration"
			code "NY2020"
			require accept terms
			require domain mx
			admin email al-admin@none.at
			email provider localhost-smtp-server
			identity store localdb
		}

		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			cookie domain nis2-test .com
			enable identity store localdb
			#enable identity provider github
			ui {
				links {
					"My Website" https://assetq.nis2-test .com:8443/ icon "las la-star"
					"Guests" https://assetq.nis2-test .com:8443/guests icon "las la-star"
					"Users" https://assetq.nis2-test .com:8443/users icon "las la-star"
					"Admins" https://assetq.nis2-test .com:8443/admins icon "las la-star"
					"My Identity" "/whoami" icon "las la-user"
				}
				# password_recovery_enabled yes
			}
			transform user {
				match origin local
				action add role authp/user
				ui link "Portal Settings" /settings icon "las la-cog"
			}
			transform user {
				match realm github
				match sub github.com/greenpau
				action add role authp/user
			}
		}

		authorization policy guests_policy {
			# disable auth redirect
			set auth url https://auth.nis2-test .com:8443/
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
			acl rule {
				comment allow guests only
				match role guest authp/guest
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}

		authorization policy users_policy {
			set auth url https://auth.nis2-test .com:8443/
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}

		authorization policy admins_policy {
			set auth url https://auth.nis2-test .com:8443/
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
	}
}

(tls_config) {
	#tls {$HOME}/.local/caddy/server.crt {$HOME}/.local/caddy/server.key
	tls {
		dns hetzner {env.YOUR_HETZNER_AUTH_API_TOKEN}
	}
}

auth.nis2-test .com {
	import tls_config
	route {
		authenticate with myportal
	}
}

assetq.nis2-test .com {
	import tls_config
	route /guests* {
		authorize with guests_policy
		respond * "assetq - guests only" 200
	}

	route /users* {
		authorize with users_policy
		respond * "assetq - users" 200
	}

	route /admins* {
		authorize with admins_policy
		respond * "assetq - admins" 200
	}

	route {
		respond "assetq is running"
	}
}

3. The problem I’m having:

I’m able to register a user via the register url https://auth.nis2-test .com:8443/register/local and the user is written in the local json file {$HOME}/.local/caddy/registrations.json.
After the successful confirmation of my registration I tried to log in, but I always get “Password authentication failed”.

I’m not sure where my mistake is, please point me in the right direction.

4. Error messages and/or full log output:

2022/08/17 09:52:00.504	DEBUG	security	Redirect served	{"session_id": "Hfud5lZvAEdDw1UK0DSRwJtAAXO7Cnb3uzUBBbTrARtC", "request_id": "0564dc15-5581-4a3f-96ea-f4f043fca4a4", "redirect_url": "https://auth.nis2-test .com:8443/login", "status_code": 302}
2022/08/17 09:52:04.618	DEBUG	security	user transformation ended	{"session_id": "Hfud5lZvAEdDw1UK0DSRwJtAAXO7Cnb3uzUBBbTrARtC", "request_id": "919ffde7-4653-43ef-8895-2f091d1c04ea", "user": {"addr":"IP","email":"nobody@localhost","exp":1660729929,"frontend_links":["\"Portal Settings\" /settings icon \"las la-cog\""],"iat":1660729924,"iss":"https://auth.nis2-test .com:8443/login","jti":"Hfud5lZvAEdDw1UK0DSRwJtAAXO7Cnb3uzUBBbTrARtC","nbf":1660729864,"origin":"local","realm":"local","roles":["authp/user"],"sub":"nobody"}}
2022/08/17 09:52:04.649	DEBUG	security	user authorization sandbox	{"sandbox_id": "Y5kVlwcakPJQoDJtJ7oI9kdEBBQsegiaHfAxJsNEYLRO0", "sandbox_secret": "5id9Ah4L1XBWQZbrEduaIXg4At5cwCkdqdGz", "sandbox_partition": "", "checkpoints": [{"name":"Authenticate with password","type":"password"}]}
2022/08/17 09:52:04.649	DEBUG	security	next user authorization checkpoint	{"session_id": "Hfud5lZvAEdDw1UK0DSRwJtAAXO7Cnb3uzUBBbTrARtC", "request_id": "f9c0536e-57c1-418d-b598-736ea25bb1b8", "data": {"action":"auth","title":"Authentication","view":"password_auth"}}
2022/08/17 09:52:19.135	DEBUG	security	user authorization sandbox	{"sandbox_id": "Y5kVlwcakPJQoDJtJ7oI9kdEBBQsegiaHfAxJsNEYLRO0", "sandbox_secret": "5id9Ah4L1XBWQZbrEduaIXg4At5cwCkdqdGz", "sandbox_partition": "password-auth", "checkpoints": [{"name":"Authenticate with password","type":"password"}]}
2022/08/17 09:52:19.254	WARN	security	password authentication failed	{"session_id": "Hfud5lZvAEdDw1UK0DSRwJtAAXO7Cnb3uzUBBbTrARtC", "request_id": "3c3a0529-46b6-4049-bc74-c64c834559d9", "checkpoint_id": 0, "src_ip": "IP", "src_conn_ip": "IP", "checkpoint_name": "Authenticate with password", "checkpoint_type": "password"}
2022/08/17 09:52:19.254	WARN	security	user authorization checkpoint failed	{"session_id": "Hfud5lZvAEdDw1UK0DSRwJtAAXO7Cnb3uzUBBbTrARtC", "request_id": "3c3a0529-46b6-4049-bc74-c64c834559d9", "error": "Password authentication failed. Please retry"}

5. What I already tried:

I have taken a look into the {$HOME}/.local/caddy/registrations.json file to see if the users are there, and they are there.

6. Links to relevant resources:

FYI @greenpau

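An added log-triage example, not code from the post or from caddy-security: it parses lines in the tab-separated format of the output above, drops the sandbox_secret that debug logging writes in clear, correlates events by session_id and reports which checkpoint failed for which source address. The sample lines are constructed for this example (RFC 5737 addresses, made-up session ids) and only mirror the shape of the post's log.

```python
import json
from collections import defaultdict

# Constructed sample, modelled on the post's debug output: timestamp, level,
# logger, message and a JSON field set, separated by tabs. Not the post's lines.
SAMPLE_LOG = "\n".join([
    '2022/08/17 09:52:00.504\tDEBUG\tsecurity\tRedirect served\t{"session_id": "S1", "request_id": "r1", "redirect_url": "https://auth.example.test:8443/login", "status_code": 302}',
    '2022/08/17 09:52:04.649\tDEBUG\tsecurity\tuser authorization sandbox\t{"sandbox_id": "SB1", "sandbox_secret": "topsecret", "sandbox_partition": "", "checkpoints": [{"name":"Authenticate with password","type":"password"}]}',
    '2022/08/17 09:52:04.649\tDEBUG\tsecurity\tnext user authorization checkpoint\t{"session_id": "S1", "request_id": "r2", "data": {"action":"auth","title":"Authentication","view":"password_auth"}}',
    '2022/08/17 09:52:19.254\tWARN\tsecurity\tpassword authentication failed\t{"session_id": "S1", "request_id": "r3", "checkpoint_id": 0, "src_ip": "203.0.113.5", "src_conn_ip": "203.0.113.5", "checkpoint_name": "Authenticate with password", "checkpoint_type": "password"}',
    '2022/08/17 09:52:19.254\tWARN\tsecurity\tuser authorization checkpoint failed\t{"session_id": "S1", "request_id": "r3", "error": "Password authentication failed. Please retry"}',
    '2022/08/17 09:53:01.000\tDEBUG\tsecurity\tnext user authorization checkpoint\t{"session_id": "S2", "request_id": "r4", "data": {"action":"auth","view":"password_auth"}}',
])

SECRET_KEYS = {"sandbox_secret"}  # fields that must never leave the box in a report


def parse_line(line):
    """Split one log line into its five tab-separated parts; None if malformed."""
    parts = line.split("\t", 4)
    if len(parts) != 5:
        return None
    ts, level, logger, msg, raw = parts
    try:
        fields = json.loads(raw)
    except json.JSONDecodeError:
        return None
    for key in SECRET_KEYS:  # debug logs carry the sandbox secret in clear
        fields.pop(key, None)
    return {"ts": ts, "level": level, "logger": logger, "msg": msg, **fields}


def summarize_sessions(text):
    """Group events by session_id and record, per session, any failed checkpoint."""
    sessions = defaultdict(lambda: {"events": [], "failed_checkpoint": None,
                                    "src_ip": None, "error": None})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or "session_id" not in ev:
            continue  # sandbox lines only carry sandbox_id, so they cannot be tied to a session
        s = sessions[ev["session_id"]]
        s["events"].append(ev["msg"])
        if ev["msg"].endswith("authentication failed"):  # e.g. "password authentication failed"
            s["failed_checkpoint"] = ev.get("checkpoint_type")
            s["src_ip"] = ev.get("src_ip")
        if ev["msg"] == "user authorization checkpoint failed":
            s["error"] = ev.get("error")
    return dict(sessions)


def failed_logins(text):
    """Sessions that ended in a failed checkpoint, as (session_id, checkpoint_type, src_ip)."""
    return [(sid, s["failed_checkpoint"], s["src_ip"])
            for sid, s in summarize_sessions(text).items() if s["failed_checkpoint"]]
```

Running it over a real debug log shows at a glance which session, checkpoint type and source address each failure belongs to, without copying the sandbox secret into the summary.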

Please open an issue in caddy-security.


I have now created it: breakfix: password-authentication-failed · Issue #149 · greenpau/caddy-security · GitHub

