The following Caddyfile solved the issue:
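{
	# Global options. `debug` turns on verbose logging for every module,
	# the security plugin included; debug output can carry request details
	# you would not want persisted, so drop it once troubleshooting is done.
	debug
	# Non-default ports: the site blocks below are reached on 8080/8443,
	# which is why the URLs further down carry the :8443 suffix.
	http_port 8080
	https_port 8443
	# order authenticate before respond
	# order authorize before basicauth
	security {
		# Local username/password store. The JSON file holds credential
		# records, so it should be readable only by the account Caddy runs as.
		local identity store localdb {
			realm local
			path {$HOME}/.local/caddy/users.json
		}
		# OIDC login against Vault's identity provider ("laza") through the
		# generic driver. Both URLs are plain HTTP on loopback: the client
		# secret and the tokens cross that link in cleartext, which is only
		# acceptable while Vault and Caddy share the host.
		oauth identity provider laza {
			realm laza
			driver generic
			client_id {env.CLIENT_ID}
			client_secret {env.CLIENT_SECRET}
			scopes openid email user groups
			base_auth_url http://localhost:8200/v1/identity/oidc/provider/laza
			metadata_url http://localhost:8200/v1/identity/oidc/provider/laza/.well-known/openid-configuration
		}
		authentication portal myportal {
			#value is in seconds. This value is 3 months
			# NOTE(review): a token stays valid for its whole lifetime; nothing
			# in this file revokes one earlier.
			crypto default token lifetime 7884000
			# Symmetric signing key. The authorization policy below verifies
			# with the same JWS_SHARED_KEY, so both must see the same value and
			# anyone holding the key can mint tokens the policy accepts.
			crypto key sign-verify {env.JWS_SHARED_KEY}
			# enable identity store localdb
			enable identity provider laza
			# NOTE(review): the portal is served from auth.contoso.com while the
			# cookie is scoped to app.contoso.com — confirm the browser accepts
			# it; scoping to the shared parent domain is the usual shape.
			cookie domain app.contoso.com
			# If you want session only (ie when browser closes they are gone), comment out the line below.
			# Keep cookie around for 3 months
			cookie lifetime 7884000
			ui {
				logo url "https://caddyserver.com/old/resources/images/caddy-logo.svg"
				logo description "Caddy"
				links {
					"My Identity" "/whoami" icon "las la-user"
					"File Server" "https://app.contoso.com:8443/" icon "las la-star"
				}
			}
			# Every user who authenticates in realm laza receives authp/user,
			# which the policy below allows, so any account that can complete
			# the Vault OIDC login gets access; no group filter is applied here.
			transform user {
				# match origin local
				match realm laza
				action add role authp/user
				# icon name aligned with the "My Identity" link above (was "las la-use")
				ui link "My Profile" "/auth/profile/" icon "las la-user"
			}
			# transform user {
			# match origin local
			# match email vault@hashicorp.com
			# action add role authp/admin
			# }
		}
		authorization policy users_policy {
			#Allow basic and api key auth
			# with basic auth portal myportal realm local
			# with api key auth portal myportal realm local
			#This url is set below. This is where Authcrunch will be
			# Portal that requests without a valid token are sent to.
			set auth url https://auth.contoso.com:8443/
			allow roles authp/admin authp/user
			# Must match the portal's sign-verify key above.
			crypto key verify {env.JWS_SHARED_KEY}
			# Explicit rules: authp/user is allowed, everything else is denied
			# and logged at warn. NOTE(review): authp/admin appears only in
			# `allow roles` above — confirm how `allow roles` combines with
			# these acl rules in the installed version.
			acl rule {
				comment allow users
				match role authp/user
				allow stop log info
			}
			acl rule {
				comment default deny
				match any
				deny log warn
			}
		}
	}
}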
auth.contoso.com {
	# Locally trusted certificate issued by Caddy's internal CA.
	tls internal
	route {
		# Serves the login portal defined in the global security block.
		authenticate with myportal
	}
}
app.contoso.com {
	# Locally trusted certificate issued by Caddy's internal CA.
	tls internal
	route {
		# Directives inside a route run in the order written, so the policy
		# check gates the file server that follows it.
		authorize with users_policy
		root * {env.HOME}/www
		file_server
	}
	log {
		# Relative path: resolved against Caddy's working directory.
		output file assets.log
	}
}