Caddy-security: Portal UI links ignored

1. The problem I’m having:

I am testing a Caddyfile security configuration with Vault OIDC. Judging from the logs, I am authenticated and authorized successfully, but the UI does not reflect the configured links. Regardless of the links set in the Caddyfile, I only receive a dialog confirming that I am logged in as the user, with no other links present.

2. Error messages and/or full log output:

milosh@gianni bin % ./caddy_darwin_arm64_custom run
2025/05/13 11:23:48.459	INFO	maxprocs: Leaving GOMAXPROCS=11: CPU quota undefined
2025/05/13 11:23:48.459	INFO	GOMEMLIMIT is updated	{"package": "github.com/KimMachineGun/automemlimit/memlimit", "GOMEMLIMIT": 17394617548, "previous": 9223372036854775807}
2025/05/13 11:23:48.460	INFO	using adjacent Caddyfile
2025/05/13 11:23:48.460	INFO	adapted config to JSON	{"adapter": "caddyfile"}
2025/05/13 11:23:48.460	WARN	Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies	{"adapter": "caddyfile", "file": "Caddyfile", "line": 3}
2025/05/13 11:23:48.462	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2025/05/13 11:23:48.462	WARN	http.auto_https	server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server	{"server_name": "srv0", "http_port": 8080}
2025/05/13 11:23:48.462	DEBUG	http.auto_https	adjusted config	{"tls": {"automation":{"policies":[{}]}}, "http": {"http_port":8080,"servers":{"srv0":{"listen":[":8080"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"vars","root":"{env.HOME}/www"},{"handler":"authentication","providers":{"authorizer":{"gatekeeper_name":"mypolicy","route_matcher":"*"}}},{"handler":"file_server","hide":["./Caddyfile"]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authenticator","portal_name":"myportal","route_matcher":"*"}]}]}],"match":[{"path":["*"]}]}]}],"terminal":true}],"automatic_https":{"disable":true},"logs":{"logger_names":{"assetq.myfiosgateway.com":["log1"],"auth.myfiosgateway.com":["log0"]}}}}}}
2025/05/13 11:23:48.462	INFO	security	provisioning app instance	{"app": "security"}
2025/05/13 11:23:48.462	INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0x140001b6480"}
2025/05/13 11:23:48.463	DEBUG	security	fetchMetadataURL succeeded	{"identity_provider_name": "laza", "metadata": {"authorization_endpoint":"http://127.0.0.1:8200/ui/vault/identity/oidc/provider/laza/authorize","claims_supported":[],"grant_types_supported":["authorization_code"],"id_token_signing_alg_values_supported":["RS256","RS384","RS512","ES256","ES384","ES512","EdDSA"],"issuer":"http://127.0.0.1:8200/v1/identity/oidc/provider/laza","jwks_uri":"http://127.0.0.1:8200/v1/identity/oidc/provider/laza/.well-known/keys","request_parameter_supported":false,"request_uri_parameter_supported":false,"response_types_supported":["code"],"scopes_supported":["email","groups","user","openid"],"subject_types_supported":["public"],"token_endpoint":"http://127.0.0.1:8200/v1/identity/oidc/provider/laza/token","token_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_post"],"userinfo_endpoint":"http://127.0.0.1:8200/v1/identity/oidc/provider/laza/userinfo"}, "userinfo_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/laza/userinfo"}
2025/05/13 11:23:48.464	INFO	security	successfully configured OAuth 2.0 identity provider	{"provider": "generic", "client_id": "6y63zahYsM1WCw60rei43i8QkO0jKZAy", "server_id": "", "domain_name": "", "metadata": {"authorization_endpoint":"http://127.0.0.1:8200/ui/vault/identity/oidc/provider/laza/authorize","claims_supported":[],"grant_types_supported":["authorization_code"],"id_token_signing_alg_values_supported":["RS256","RS384","RS512","ES256","ES384","ES512","EdDSA"],"issuer":"http://127.0.0.1:8200/v1/identity/oidc/provider/laza","jwks_uri":"http://127.0.0.1:8200/v1/identity/oidc/provider/laza/.well-known/keys","request_parameter_supported":false,"request_uri_parameter_supported":false,"response_types_supported":["code"],"scopes_supported":["email","groups","user","openid"],"subject_types_supported":["public"],"token_endpoint":"http://127.0.0.1:8200/v1/identity/oidc/provider/laza/token","token_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_post"],"userinfo_endpoint":"http://127.0.0.1:8200/v1/identity/oidc/provider/laza/userinfo"}, "jwks_keys": 
{"6df293cd-587a-2e1a-d617-709012e0eed7":{"alg":"RS256","e":"AQAB","kid":"6df293cd-587a-2e1a-d617-709012e0eed7","kty":"RSA","n":"9O-b2uCZ2uCMj4xPTpvPSWMvz2gnyQHgDy9eAwvCpCErOuFFYSwcwGv5zWfvqZXZEyAnqguAjd1-INRaCHNwRlbrBwU9d2pr8vJMdYzQldModKTRpySuUJ4GPsanyqvaxSXzsNR-39TIZmS28eMD_shEx6VprRIpZRXS-2zLEaR1Sn5C4GSwBGzM7nfKsSSBAhrhXRYCLnNK2CbjyVn6G646TiYO_ZRPAwOjntW4eWeSs1EnIWSpclwkqEwc56iHRotwSdo_EzUWIymmUVmnprJlpJkzYi8SG0hmlKPjOYTCnsOVxn8gbB80s2eOmFHqAUEkwpA1tNEC-kfLlRs2ow==","use":"sig"},"8311753b-f52d-9c20-0ddd-38528b014d9c":{"alg":"RS256","e":"AQAB","kid":"8311753b-f52d-9c20-0ddd-38528b014d9c","kty":"RSA","n":"ssoIrGhQiirYEy20kozzcPDGPtyfBbFL6p0SuqJDVXKcF5VEiFDu_oH8YDMFjxiwRQFk8YEs7t6DZMoDcFV6ZxZaWdxuVlbW0urow_cRM6fpPaPsnoZDD3916HNWufe6PUSJyOrq1vIpYjV-1qewabt8QmSQRpWKwTWwYqZ6GJEWJMdItIrE43q1YfeqaUQmzjCeQX17oFPVaxOeIM1EQV-C4Wy_emwEtdYkwsjwpCJlCP09ZV53a8kYqZO-HNq2LDKmn292CNrtUuvEMC4CZykRfNeUMINo3_Wg0W8Hi57grge7qL_yO3jYuaey4hJFZIhDUN9spqRmR4DlCLxNZQ==","use":"sig"},"8b940c48-f4b9-aa96-fb73-35a536e70497":{"alg":"RS256","e":"AQAB","kid":"8b940c48-f4b9-aa96-fb73-35a536e70497","kty":"RSA","n":"wR5Sg2y9EJFEQclg-bKvlj1u0aiE3vDKRFaV6qTIiDBda6HGfuTh96BbPrJwCOAFcZXfyPO4zK0YQchkxbL7iZdfzyemlvO8ApnWGeW8LE0Q_WKQsnc9D6UxIdblPH29_rPq6_tPieOrKUVOFrZJIW_OiMj-GUnPwHyczO3Q_ERDWZfKv3_XxmqGyt9zWUykH71Ay1ItqaTFup4T1Kz_tPyq3IOAeGpMy07AOsn1lYbJrHu0LgXCEwNevnqHkm9BRNlAONX6ErdVAcfSYLl4MlF2U40-mMGVW97YcCnqFFmFuDc0gUCIE4Ru0H7Tew4bhKcNnkl1ZlEvctL93lOctQ==","use":"sig"},"e070aff1-8a55-39d3-2ab1-0f116342a85e":{"alg":"RS256","e":"AQAB","kid":"e070aff1-8a55-39d3-2ab1-0f116342a85e","kty":"RSA","n":"wQGRo18ThQ3n01NrsPEF4VVPBKhmA9xBm32DGLec4cv7hen8FQsdOYIt3GE62E0Nk0U5dgo57zoCuat2gYiM3rkwGPhvcf0zT34eEfOoRuVDLv45Q33r1VpLu_iYn0TPcliRIzY3EA8TlRT0mgWQ3TCjCRMAMwYxzEiDCxxFgFgoYZiFBREivveaKZUaLPFJyRlVLoLoRvYS6LRy-vkKXVwYleT4CBY0TaMUrh3fzpya1H19Wc1CbZSV90K8QjXmKt6qOh48nkGCxg8VXpmHnVnXud8eqUjJ49agVu71djxiLGfN587JXM3OwU89mdcMqWCT9K-tDdwmowcdCvVwmQ==","use":"sig"}}, "required_token_fields": ["access_token", 
"id_token"], "delayed_by": 0, "retry_attempts": 0, "retry_interval": 0, "scopes": ["openid", "email", "user", "groups"], "login_icon": {"class_name":"lab la-codepen la-2x","color":"white","background_color":"#324960","text_color":"#37474f"}}
2025/05/13 11:23:48.464	DEBUG	security	Configuring caching	{"portal_name": "myportal", "portal_id": "991915c4-0099-4702-b6b7-e351c607ccca"}
2025/05/13 11:23:48.464	DEBUG	security	Configuring cookie parameters	{"portal_name": "myportal", "cookie_config": {"domains":{"myfiosgateway.com":{"seq":1,"domain":"myfiosgateway.com"}}}}
2025/05/13 11:23:48.464	DEBUG	security	Configuring default portal user roles	{"portal_name": "myportal", "portal_admin_roles": {"authp/admin":true}, "portal_user_roles": {"authp/user":true}, "portal_guest_roles": {"authp/guest":true}, "portal_admin_role_patterns": [], "portal_user_role_patterns": [], "portal_guest_role_patterns": []}
2025/05/13 11:23:48.464	DEBUG	security	Configuring authentication ACL	{"portal_name": "myportal", "portal_id": "991915c4-0099-4702-b6b7-e351c607ccca", "access_list_configs": [{"comment":"admin role name match","conditions":["match role authp/admin"],"action":"allow stop"},{"comment":"user role name match","conditions":["match role authp/user"],"action":"allow stop"},{"comment":"guest role name match","conditions":["match role authp/guest"],"action":"allow stop"}]}
2025/05/13 11:23:48.464	DEBUG	security	Configured validator ACL	{"portal_name": "myportal", "portal_id": "991915c4-0099-4702-b6b7-e351c607ccca", "token_validator_options": {"validate_bearer_header":true}, "token_grantor_options": {}}
2025/05/13 11:23:48.464	DEBUG	security	Configuring identity provider login options	{"portal_name": "myportal", "portal_id": "991915c4-0099-4702-b6b7-e351c607ccca", "identity_provider_count": 1}
2025/05/13 11:23:48.464	DEBUG	security	Provisioned login options	{"portal_name": "myportal", "portal_id": "991915c4-0099-4702-b6b7-e351c607ccca", "options": {"authenticators":[{"background_color":"#324960","class_name":"lab la-codepen la-2x","color":"white","endpoint":"oauth2/laza","realm":"laza","text":"LAZA","text_color":"#37474f"}],"authenticators_required":"yes","default_realm":"laza","form_required":"no","hide_contact_support_link":"yes","hide_forgot_username_link":"yes","hide_links":"yes","hide_register_link":"yes","identity_required":"no","realm_dropdown_required":"no"}, "identity_store_count": 0, "identity_provider_count": 1}
2025/05/13 11:23:48.464	DEBUG	security	Configuring user interface	{"portal_name": "myportal", "portal_id": "991915c4-0099-4702-b6b7-e351c607ccca"}
2025/05/13 11:23:48.464	DEBUG	security	Configuring default authentication user interface templates	{"portal_name": "myportal", "template_theme": "basic", "template_name": "whoami"}
2025/05/13 11:23:48.464	DEBUG	security	Configuring default authentication user interface templates	{"portal_name": "myportal", "template_theme": "basic", "template_name": "login"}
2025/05/13 11:23:48.464	DEBUG	security	Configuring default authentication user interface templates	{"portal_name": "myportal", "template_theme": "basic", "template_name": "portal"}
2025/05/13 11:23:48.464	DEBUG	security	Configuring default authentication user interface templates	{"portal_name": "myportal", "template_theme": "basic", "template_name": "register"}
2025/05/13 11:23:48.464	DEBUG	security	Configuring default authentication user interface templates	{"portal_name": "myportal", "template_theme": "basic", "template_name": "generic"}
2025/05/13 11:23:48.464	DEBUG	security	Configuring default authentication user interface templates	{"portal_name": "myportal", "template_theme": "basic", "template_name": "settings"}
2025/05/13 11:23:48.465	DEBUG	security	Configuring default authentication user interface templates	{"portal_name": "myportal", "template_theme": "basic", "template_name": "sandbox"}
2025/05/13 11:23:48.465	DEBUG	security	Configuring default authentication user interface templates	{"portal_name": "myportal", "template_theme": "basic", "template_name": "apps_sso"}
2025/05/13 11:23:48.465	DEBUG	security	Configuring default authentication user interface templates	{"portal_name": "myportal", "template_theme": "basic", "template_name": "apps_mobile_access"}
2025/05/13 11:23:48.465	DEBUG	security	Configured user interface	{"portal_name": "myportal", "portal_id": "991915c4-0099-4702-b6b7-e351c607ccca", "title": "Sign In", "logo_url": "https://caddyserver.com/old/resources/images/caddy-logo.svg", "logo_description": "Caddy", "action_endpoint": "", "private_links": [{"link":"http://assetq.myfiosgateway.com:8888/","title":"File Server","icon_name":"las la-star","icon_enabled":true}], "realms": [], "theme": "basic"}
2025/05/13 11:23:48.465	DEBUG	security	Configuring user transforms	{"portal_name": "myportal", "portal_id": "991915c4-0099-4702-b6b7-e351c607ccca"}
2025/05/13 11:23:48.465	DEBUG	security	Configured user transforms	{"portal_name": "myportal", "portal_id": "991915c4-0099-4702-b6b7-e351c607ccca", "transforms": [{"matchers":["exact match realm laza"],"actions":["action add role authp/user","ui link \"My Identity\" /auth/whoami icon \"las la-id-badge\"","ui link \"My Profile\" /auth/profile/ icon \"las la-use\""]},{"matchers":["exact match realm laza","exact match email vault@hashicorp.com"],"actions":["action add role authp/admin"]}]}
2025/05/13 11:23:48.465	DEBUG	security	Logout redirect URI configuration not present
2025/05/13 11:23:48.465	DEBUG	security	Configured gatekeeper	{"gatekeeper_name": "mypolicy", "gatekeeper_id": "e3a313cc-d8bb-4e41-8f30-bc8697f1d9f9", "auth_url_path": "http://auth.myfiosgateway.com:8080/oauth2/laza", "token_sources": "cookie header query", "token_validator_options": {"validate_bearer_header":true}, "access_list_rules": [{"conditions":["match roles authp/admin authp/user"],"action":"allow log debug"}], "forbidden_path": ""}
2025/05/13 11:23:48.465	INFO	security	provisioned app instance	{"app": "security"}
2025/05/13 11:23:48.465	DEBUG	http	starting server loop	{"address": "[::]:8080", "tls": false, "http3": false}
2025/05/13 11:23:48.465	WARN	http	HTTP/2 skipped because it requires TLS	{"network": "tcp", "addr": ":8080"}
2025/05/13 11:23:48.465	WARN	http	HTTP/3 skipped because it requires TLS	{"network": "tcp", "addr": ":8080"}
2025/05/13 11:23:48.465	INFO	http.log	server running	{"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2025/05/13 11:23:48.465	DEBUG	security	started app instance	{"app": "security"}
2025/05/13 11:23:48.465	DEBUG	events	event	{"name": "started", "id": "e2afa524-83a1-419b-8a26-55cf1aee671f", "origin": "", "data": null}
2025/05/13 11:23:48.465	INFO	autosaved config (load with --resume flag)	{"file": "/Users/milosh/Library/Application Support/Caddy/autosave.json"}
2025/05/13 11:23:48.465	INFO	serving initial configuration
2025/05/13 11:23:48.469	INFO	tls	storage cleaning happened too recently; skipping for now	{"storage": "FileStorage:/Users/milosh/Library/Application Support/Caddy", "instance": "3d61d9ce-8319-4e51-8eb6-98a2c79a151c", "try_again": "2025/05/14 11:23:48.469", "try_again_in": 86399.999999708}
2025/05/13 11:23:48.470	INFO	tls	finished cleaning storage units
2025/05/13 11:24:10.943	DEBUG	security	token validation error	{"session_id": "", "request_id": "7283cfcd-db50-455b-976d-58d3e5f2a0ee", "error": "no token found"}
2025/05/13 11:24:10.943	DEBUG	security	redirecting unauthorized user	{"session_id": "", "request_id": "7283cfcd-db50-455b-976d-58d3e5f2a0ee", "method": "location"}
2025/05/13 11:24:10.943	ERROR	http.handlers.authentication	auth provider returned error	{"provider": "authorizer", "error": "user authorization failed: src_ip=127.0.0.1, src_conn_ip=127.0.0.1, reason: no token found"}
2025/05/13 11:24:10.943	DEBUG	http.log.error.log1	not authenticated	{"request": {"remote_ip": "127.0.0.1", "remote_port": "59589", "client_ip": "127.0.0.1", "proto": "HTTP/1.1", "method": "GET", "host": "assetq.myfiosgateway.com:8080", "uri": "/", "headers": {"Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"], "Accept-Encoding": ["gzip, deflate"], "Accept-Language": ["en-GB,en;q=0.9"], "Connection": ["keep-alive"], "Cache-Control": ["max-age=0"], "Upgrade-Insecure-Requests": ["1"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"]}}, "duration": 0.000303584, "status": 401, "err_id": "n77jxr533", "err_trace": "caddyauth.Authentication.ServeHTTP (caddyauth.go:98)"}
2025/05/13 11:24:13.358	DEBUG	security	redirect recorded	{"session_id": "2Ys98vmSOSbw6Age9nSzqD5apZrLNyOxBghM5", "request_id": "355426f2-c57c-4a36-bd6e-e380e30808ad", "redirect_url": "AUTHP_REDIRECT_URL=http://assetq.myfiosgateway.com:8080/; Domain=myfiosgateway.com; Path=/; Secure; HttpOnly;"}
2025/05/13 11:24:13.358	DEBUG	security	External login requested	{"session_id": "2Ys98vmSOSbw6Age9nSzqD5apZrLNyOxBghM5", "request_id": "355426f2-c57c-4a36-bd6e-e380e30808ad", "base_url": "http://auth.myfiosgateway.com:8080", "base_path": "/", "auth_method": "oauth2", "auth_realm": "laza", "request_path": "/oauth2/laza"}
2025/05/13 11:24:13.358	DEBUG	security	redirecting to OAuth 2.0 endpoint	{"request_id": "355426f2-c57c-4a36-bd6e-e380e30808ad", "redirect_url": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/laza/authorize?client_id=6y63zahYsM1WCw60rei43i8QkO0jKZAy&nonce=1nOg9pq03HFHiAmgi9vUYoQoAsYM34uN&redirect_uri=http%3A%2F%2Fauth.myfiosgateway.com%3A8080%2Foauth2%2Flaza%2Fauthorization-code-callback&response_type=code&scope=openid+email+user+groups&state=a92aa9ed-98e1-4c0b-bf11-123cb805654c"}
2025/05/13 11:24:13.358	DEBUG	security	Redirect to authorization server	{"session_id": "2Ys98vmSOSbw6Age9nSzqD5apZrLNyOxBghM5", "request_id": "355426f2-c57c-4a36-bd6e-e380e30808ad", "url": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/laza/authorize?client_id=6y63zahYsM1WCw60rei43i8QkO0jKZAy&nonce=1nOg9pq03HFHiAmgi9vUYoQoAsYM34uN&redirect_uri=http%3A%2F%2Fauth.myfiosgateway.com%3A8080%2Foauth2%2Flaza%2Fauthorization-code-callback&response_type=code&scope=openid+email+user+groups&state=a92aa9ed-98e1-4c0b-bf11-123cb805654c"}
2025/05/13 11:24:21.231	DEBUG	security	External login requested	{"session_id": "AmyTysEmFCnAkS8OiL0SfQjWKdtDRWiudEKP4AugY", "request_id": "046cef9b-564b-4d69-8be5-9f3ecacdc144", "base_url": "http://auth.myfiosgateway.com:8080", "base_path": "/", "auth_method": "oauth2", "auth_realm": "laza", "request_path": "/oauth2/laza/authorization-code-callback"}
2025/05/13 11:24:21.231	DEBUG	security	received OAuth 2.0 response	{"session_id": "AmyTysEmFCnAkS8OiL0SfQjWKdtDRWiudEKP4AugY", "request_id": "046cef9b-564b-4d69-8be5-9f3ecacdc144", "params": {"code":["hdUPYPHk4feqCnd1XRVMCo2B0C13zr3l"],"state":["a92aa9ed-98e1-4c0b-bf11-123cb805654c"]}}
2025/05/13 11:24:21.231	DEBUG	security	received OAuth 2.0 code and state from the authorization server	{"session_id": "AmyTysEmFCnAkS8OiL0SfQjWKdtDRWiudEKP4AugY", "request_id": "046cef9b-564b-4d69-8be5-9f3ecacdc144", "state": "a92aa9ed-98e1-4c0b-bf11-123cb805654c", "code": "hdUPYPHk4feqCnd1XRVMCo2B0C13zr3l"}
2025/05/13 11:24:21.237	DEBUG	security	OAuth 2.0 access token response received	{"body": "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", "redirect_uri": "http://auth.myfiosgateway.com:8080/oauth2/laza/authorization-code-callback"}
2025/05/13 11:24:21.237	DEBUG	security	OAuth 2.0 access token response decoded	{"body": {"access_token":"hvb.AAAAAQIQ7Y9np0z2cYtWrIqabKX4fPZUQt_JF1q7ptGPUtsqwxw6ld5Bwl5YQPiRvDyaqu8hstYVwg4AYciOG9f7mqhQFHvMBu-Fcu4cMCoJ_HJFKh5BGY7soZwaLhMQ8bgVC5ajIh9rWwxAjJmWBT57bq-EH2Vgczh_EHSEpQymEqNlYcKYj3c0BNAt5DdChgsBnsOunR-us2uOlFQZR-wu_r3BsBagMUuCfWst0yy_ZEwM-BKftB0A48gEXa4S-hH5at4f-Ri5scl3bvWBA-eZ9xIneSdSMiBX8KSPAtdJCemwzoibNU38uLeZ4FPRRBoT7TZRtEvhDovph92GR7ZRPsOjKUDVdu-c2H8swwKoBN69ofGq3hkAb6JlSBi2JhZI3qUlGzACeQm5OtMo-HNoasxGFJ_sBaUjxwZeMtn5NpY5joOjKE13t8E","expires_in":3600,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjgzMTE3NTNiLWY1MmQtOWMyMC0wZGRkLTM4NTI4YjAxNGQ5YyJ9.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.GEXrAXAADmUKTZZCKcQv1UkT4A99LrNbazNY5pgLwhycIR-N9PLgaLS7BdSzj0MVuszw-9qQZSutM36rAvXrEtdli73qKnApy8jpZ3b-iouLrmV-8C00mdX31pR1uitua3Aiz7yjxeiIZ5pIKed9CWdfbp2MnOc2JEbcY3QBcI_p96uln0el8-XepJm4-JBXoYjuM9NAMhGoDO2FqP0MTU9sWTLKA0PdjwcxwpUbAbjmKix5Go5cigYdjtzbt3MygtWjRRzUbEj9MeJH2q5zOWpjrBtQrOjEJ44lBT1b2d0XcG7T5X9QSZC_qY90grN7FI1Lx7rwjuyo5lqpynq2nw","token_type":"Bearer"}}
2025/05/13 11:24:21.237	DEBUG	security	received OAuth 2.0 authorization server access token	{"request_id": "046cef9b-564b-4d69-8be5-9f3ecacdc144", "token": {"access_token":"hvb.AAAAAQIQ7Y9np0z2cYtWrIqabKX4fPZUQt_JF1q7ptGPUtsqwxw6ld5Bwl5YQPiRvDyaqu8hstYVwg4AYciOG9f7mqhQFHvMBu-Fcu4cMCoJ_HJFKh5BGY7soZwaLhMQ8bgVC5ajIh9rWwxAjJmWBT57bq-EH2Vgczh_EHSEpQymEqNlYcKYj3c0BNAt5DdChgsBnsOunR-us2uOlFQZR-wu_r3BsBagMUuCfWst0yy_ZEwM-BKftB0A48gEXa4S-hH5at4f-Ri5scl3bvWBA-eZ9xIneSdSMiBX8KSPAtdJCemwzoibNU38uLeZ4FPRRBoT7TZRtEvhDovph92GR7ZRPsOjKUDVdu-c2H8swwKoBN69ofGq3hkAb6JlSBi2JhZI3qUlGzACeQm5OtMo-HNoasxGFJ_sBaUjxwZeMtn5NpY5joOjKE13t8E","expires_in":3600,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjgzMTE3NTNiLWY1MmQtOWMyMC0wZGRkLTM4NTI4YjAxNGQ5YyJ9.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.GEXrAXAADmUKTZZCKcQv1UkT4A99LrNbazNY5pgLwhycIR-N9PLgaLS7BdSzj0MVuszw-9qQZSutM36rAvXrEtdli73qKnApy8jpZ3b-iouLrmV-8C00mdX31pR1uitua3Aiz7yjxeiIZ5pIKed9CWdfbp2MnOc2JEbcY3QBcI_p96uln0el8-XepJm4-JBXoYjuM9NAMhGoDO2FqP0MTU9sWTLKA0PdjwcxwpUbAbjmKix5Go5cigYdjtzbt3MygtWjRRzUbEj9MeJH2q5zOWpjrBtQrOjEJ44lBT1b2d0XcG7T5X9QSZC_qY90grN7FI1Lx7rwjuyo5lqpynq2nw","token_type":"Bearer"}}
2025/05/13 11:24:21.237	DEBUG	security	decoded claims from OAuth 2.0 authorization server access token	{"request_id": "046cef9b-564b-4d69-8be5-9f3ecacdc144", "claims": {"email":"vault@hashicorp.com","exp":1747137261,"groups":["engineering"],"iat":1747135461,"iss":"http://127.0.0.1:8200/v1/identity/oidc/provider/laza","sub":"706f450a-1190-5580-3f9d-8ae9fafe6ad7"}}
2025/05/13 11:24:21.237	INFO	security	Successful login	{"session_id": "AmyTysEmFCnAkS8OiL0SfQjWKdtDRWiudEKP4AugY", "request_id": "046cef9b-564b-4d69-8be5-9f3ecacdc144", "auth_method": "oauth2", "auth_realm": "laza", "user": {"email":"vault@hashicorp.com","exp":1747137261,"groups":["engineering"],"iat":1747135461,"iss":"http://127.0.0.1:8200/v1/identity/oidc/provider/laza","sub":"706f450a-1190-5580-3f9d-8ae9fafe6ad7"}}
2025/05/13 11:24:21.237	DEBUG	security	user transformation ended	{"session_id": "AmyTysEmFCnAkS8OiL0SfQjWKdtDRWiudEKP4AugY", "request_id": "046cef9b-564b-4d69-8be5-9f3ecacdc144", "user": {"addr":"127.0.0.1","email":"vault@hashicorp.com","exp":1747139061,"frontend_links":["\"My Identity\" /auth/whoami icon \"las la-id-badge\"","\"My Profile\" /auth/profile/ icon \"las la-use\""],"iat":1747135461,"iss":"http://auth.myfiosgateway.com:8080/oauth2/laza/","jti":"AmyTysEmFCnAkS8OiL0SfQjWKdtDRWiudEKP4AugY","nbf":1747135401000,"origin":"laza","realm":"laza","roles":["engineering","authp/user","authp/admin"],"sub":"706f450a-1190-5580-3f9d-8ae9fafe6ad7"}}
2025/05/13 11:24:21.237	INFO	security	Successful login	{"session_id": "AmyTysEmFCnAkS8OiL0SfQjWKdtDRWiudEKP4AugY", "request_id": "046cef9b-564b-4d69-8be5-9f3ecacdc144", "backend": {"name":"laza","realm":"laza","method":"oauth"}, "user": {"addr":"127.0.0.1","email":"vault@hashicorp.com","exp":1747139061,"frontend_links":["\"My Identity\" /auth/whoami icon \"las la-id-badge\"","\"My Profile\" /auth/profile/ icon \"las la-use\""],"iat":1747135461,"iss":"http://auth.myfiosgateway.com:8080/oauth2/laza/","jti":"AmyTysEmFCnAkS8OiL0SfQjWKdtDRWiudEKP4AugY","nbf":1747135401000,"origin":"laza","realm":"laza","roles":["engineering","authp/user","authp/admin"],"sub":"706f450a-1190-5580-3f9d-8ae9fafe6ad7"}}
2025/05/13 11:24:21.239	DEBUG	security	Redirect served	{"session_id": "PeThcGt6PLwhV4BEzcBQz4WkVl4jR7pXtgyrLISt6Y0gA", "request_id": "a86be8e7-0483-41af-840a-68cb620811b2", "redirect_url": "http://auth.myfiosgateway.com:8080/login", "status_code": 302}
2025/05/13 11:24:21.253	DEBUG	security	static assets	{"session_id": "WfitWgJGWasQH0VgjNNTFmKxhocu8aCIKZSKn3harWg", "request_id": "ef6e0b19-5609-4285-8721-6d204bdb9c4b", "url_path": "/assets/google-webfonts/roboto.css", "request": {"session_id":"WfitWgJGWasQH0VgjNNTFmKxhocu8aCIKZSKn3harWg","base_url":"http://auth.myfiosgateway.com:8080","base_path":"/","content_type":"text/css,*/*;q=0.1"}, "source_address": "127.0.0.1"}
2025/05/13 11:24:21.254	DEBUG	security	static assets	{"session_id": "EdvfB5eCAfFHUGIHdhdGmYisUTGdh9bwXn3FKALuv", "request_id": "e3458a0f-fec5-4e8e-8516-1d7ca754bb59", "url_path": "/assets/css/login.css", "request": {"session_id":"EdvfB5eCAfFHUGIHdhdGmYisUTGdh9bwXn3FKALuv","base_url":"http://auth.myfiosgateway.com:8080","base_path":"/","content_type":"text/css,*/*;q=0.1"}, "source_address": "127.0.0.1"}
2025/05/13 11:24:21.254	DEBUG	security	static assets	{"session_id": "hg5cdCC8UWcGwsGYRa9H6qJefp2gLruLSyhx", "request_id": "a15258df-cdc6-4535-b1d2-670a734d7f63", "url_path": "/assets/js/login.js", "request": {"session_id":"hg5cdCC8UWcGwsGYRa9H6qJefp2gLruLSyhx","base_url":"http://auth.myfiosgateway.com:8080","base_path":"/","content_type":"*/*"}, "source_address": "127.0.0.1"}
2025/05/13 11:24:21.254	DEBUG	security	static assets	{"session_id": "Kgv8dgmW68PYcxV70vXaGnhmfLmwXf8OyES9t8bn", "request_id": "6b271e77-6191-4348-9158-e02a28f7b707", "url_path": "/assets/line-awesome/line-awesome.css", "request": {"session_id":"Kgv8dgmW68PYcxV70vXaGnhmfLmwXf8OyES9t8bn","base_url":"http://auth.myfiosgateway.com:8080","base_path":"/","content_type":"text/css,*/*;q=0.1"}, "source_address": "127.0.0.1"}
2025/05/13 11:24:21.266	DEBUG	security	static assets	{"session_id": "8tDpGYGQ8t8byS76HfxLkGKYf9WJ0Q7GHfgEsWY0", "request_id": "52c1d025-0321-4ce6-bd60-086256d70b76", "url_path": "/assets/line-awesome/fonts/la-solid-900.woff2", "request": {"session_id":"8tDpGYGQ8t8byS76HfxLkGKYf9WJ0Q7GHfgEsWY0","base_url":"http://auth.myfiosgateway.com:8080","base_path":"/","content_type":"*/*"}, "source_address": "127.0.0.1"}
2025/05/13 11:24:21.266	DEBUG	security	static assets	{"session_id": "aJORJfbkVENowWQ5MqqIlxvmZckArEcZVay2J", "request_id": "d4b10273-2d56-42e6-af98-f00f7df118e4", "url_path": "/assets/line-awesome/fonts/la-brands-400.woff2", "request": {"session_id":"aJORJfbkVENowWQ5MqqIlxvmZckArEcZVay2J","base_url":"http://auth.myfiosgateway.com:8080","base_path":"/","content_type":"*/*"}, "source_address": "127.0.0.1"}
2025/05/13 11:24:21.895	DEBUG	security	static assets	{"session_id": "phxdnAEyTIuy0QCkqjo8gqlFWgS7Yf2Jp9Y8makRr", "request_id": "a07d91ad-40fb-4e5c-8d02-4e3aa6fe5627", "url_path": "/assets/images/favicon.png", "request": {"session_id":"phxdnAEyTIuy0QCkqjo8gqlFWgS7Yf2Jp9Y8makRr","base_url":"http://auth.myfiosgateway.com:8080","base_path":"/","content_type":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"}, "source_address": "127.0.0.1"}

3. Caddy version:

v2.10.0 h1:fonubSaQKF1YANl8TXqGcn4IbIRUDdfAkpcsfI/vX5U=

4. How I installed and ran Caddy:

Downloaded the official binary built with the greenpau/caddy-security module
Ran it from the shell with the Caddyfile in the same folder

a. System environment:

macOS arm64, Apple M3 Pro

b. Command:

./caddy_darwin_arm64_custom run

c. Service/unit/compose file:

None

d. My complete Caddy config:

{
	http_port 8080
#    https_port 8443
 #   auto_https disable_redirects
	# NOTE(review): with debug on, the OAuth exchange is logged in full, including the
	# access_token and id_token ("OAuth 2.0 access token response decoded"); treat captured
	# output as sensitive and redact it before sharing.
	debug
	order authenticate before respond
	order authorize before basicauth

	security {
		# OIDC provider backed by the Vault OIDC provider named "laza"
		oauth identity provider laza {
			realm laza
			driver generic
			# client credentials are read from the environment, not written in the Caddyfile
			client_id {env.CLIENT_ID}
			client_secret {env.CLIENT_SECRET}
			scopes openid email user groups
			base_auth_url http://localhost:8200/v1/identity/oidc/provider/laza
			metadata_url http://localhost:8200/v1/identity/oidc/provider/laza/.well-known/openid-configuration
		}

		authentication portal myportal {
			# issued token lifetime in seconds (3600 = one hour)
			crypto default token lifetime 3600
			# shared signing/verification key from the environment; the authorization
			# policy below verifies with the same key
			crypto key sign-verify {env.JWS_SHARED_KEY}
#			enable identity store localdb
            enable identity provider laza
			# NOTE(review): the startup log shows this server listening only on HTTP :8080, yet
			# the redirect cookie is logged with the Secure attribute; a browser may not return a
			# Secure cookie over plain HTTP, so confirm whether the working config's switch to
			# TLS is what actually fixed the missing links.
			cookie domain myfiosgateway.com
			ui {
				logo url "https://caddyserver.com/old/resources/images/caddy-logo.svg"
				logo description "Caddy"
				# portal-wide links; the startup log reports these as "private_links"
				links {
#					"My Identity" "/whoami" icon "las la-user"
					# NOTE(review): this link targets port 8888, but http_port above is 8080 and
					# the assetq site appears on :8080 in the log; confirm the port is intended.
                    "File Server" "http://assetq.myfiosgateway.com:8888/" icon "las la-star"
				}
			}

			# per-user transform for the laza realm; the "ui link" actions appear on the
			# logged-in user as "frontend_links" in the "Successful login" log line
			transform user {
				match realm laza
				action add role authp/user
                ui link "My Identity" "/auth/whoami" icon "las la-id-badge"
				# NOTE(review): icon class "las la-use" looks truncated; the commented-out link
				# above uses "las la-user" - verify the class name.
                ui link "My Profile" "/auth/profile/" icon "las la-use"
			}

			# grants admin only to the single matching email within the laza realm
			transform user {
				match realm laza
				match email vault@hashicorp.com
				action add role authp/admin
			}
		}

		# policy enforced by the assetq site below
		authorization policy mypolicy {
			# where requests without a valid token are redirected (the portal's OAuth2 endpoint)
			set auth url http://auth.myfiosgateway.com:8080/oauth2/laza
			crypto key verify {env.JWS_SHARED_KEY}
			allow roles authp/admin authp/user
			validate bearer header
			inject headers with claims
		}
	}
}

#(tls_config) {
#	tls {$HOME}/.local/caddy/server.crt {$HOME}/.local/caddy/server.key
#}

http://auth.myfiosgateway.com {
	# portal site served over plain HTTP (http:// scheme, TLS lines commented out);
	# the log warns that no automatic HTTPS is applied for this reason
	#import tls_config
    #tls internal
	authenticate with myportal
	log {
		output file auth.log
	}
}

http://assetq.myfiosgateway.com {
    #import tls_config
    #tls internal
    # every request is checked against mypolicy before file_server runs
    # (see the adapted route in the debug log: authentication handler, then file_server)
    authorize with mypolicy
	root * {env.HOME}/www
	file_server
	log {
		output file assets.log
	}
}                    

5. Links to relevant resources:

The following Caddyfile resolved the issue:

{
	# NOTE(review): debug logging prints the full OAuth access_token and id_token;
	# treat captured output as sensitive and redact it before sharing.
	debug

	http_port 8080
    https_port 8443

#	order authenticate before respond
#	order authorize before basicauth

	security {
		# local user database file; defined here, but the portal below has
		# "enable identity store localdb" commented out, so it is not active
		local identity store localdb {
			realm local
			path {$HOME}/.local/caddy/users.json
		}

		# OIDC provider backed by the Vault OIDC provider named "laza"
		oauth identity provider laza {
			realm laza
			driver generic
			# client credentials are read from the environment, not written in the Caddyfile
			client_id {env.CLIENT_ID}
			client_secret {env.CLIENT_SECRET}
			scopes openid email user groups
			base_auth_url http://localhost:8200/v1/identity/oidc/provider/laza
			metadata_url http://localhost:8200/v1/identity/oidc/provider/laza/.well-known/openid-configuration
		}

		authentication portal myportal {
			# value is in seconds; 7884000 is roughly 3 months
			# NOTE(review): this is far longer than the 3600 used in the original config; a token
			# or cookie copied from a browser stays valid for the whole period, so prefer the
			# shortest lifetime the workflow tolerates.
			crypto default token lifetime 7884000
			crypto key sign-verify {env.JWS_SHARED_KEY}
#			enable identity store localdb
			enable identity provider laza
			# NOTE(review): cookie domain is the app host itself rather than a parent domain
			# shared with auth.contoso.com (the original config used the shared parent
			# myfiosgateway.com); confirm the session cookie is scoped the way you intend.
			cookie domain app.contoso.com
			# For session-only cookies (gone when the browser closes), comment out the line below.
			# Otherwise the cookie is kept for 3 months (value in seconds).
			cookie lifetime 7884000

			ui {
				logo url "https://caddyserver.com/old/resources/images/caddy-logo.svg"
				logo description "Caddy"
				# portal-wide links shown to every authenticated user
				links {
					"My Identity" "/whoami" icon "las la-user"
                    "File Server" "https://app.contoso.com:8443/" icon "las la-star"
				}
			}

			# per-user transform for the laza realm; "ui link" adds a per-user link
			transform user {
#				match origin local
				match realm laza
				action add role authp/user
				# NOTE(review): icon class "las la-use" looks truncated; the portal link above
				# uses "las la-user" - verify the class name.
                ui link "My Profile" "/auth/profile/" icon "las la-use"
			}

#			transform user {
#				match origin local
#				match email vault@hashicorp.com
#				action add role authp/admin
#			}
		}

		authorization policy users_policy {
			# Allow basic and API key auth (disabled)
#			with basic auth portal myportal realm local
#			with api key auth portal myportal realm local

			# Portal site defined below; requests without a valid token are sent here
			set auth url https://auth.contoso.com:8443/
			allow roles authp/admin authp/user
			crypto key verify {env.JWS_SHARED_KEY}
			# NOTE(review): the acl rules only match authp/user; an identity holding only
			# authp/admin appears to fall through to the default deny despite the allow roles
			# line above - confirm that is intended.
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			# explicit default deny, evaluated after the allow rule above
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}

	}
}

auth.contoso.com {
	# portal site served over HTTPS with a certificate from Caddy's internal CA
	tls internal

	route {
		authenticate with myportal
	}
}

app.contoso.com {
	# protected file server over HTTPS with a certificate from Caddy's internal CA
	tls internal

	route {
		# users_policy runs first in the route; root and file_server only serve after it
		authorize with users_policy
		root * {env.HOME}/www
		file_server
	}

	log {
		output file assets.log
	}		
}