Caddy2: Redirect from within caddyauth.Authenticator

Greetings!

I’m having fun during quarantine by writing an OAuth2 module for Caddy 2!

I have the module implementing both caddyauth.Authenticator (which gets the current authenticated user) and caddyhttp.Middleware (which takes care of the OAuth flow, from login page that provides links to OAuth2 providers, to the OAuth2 redirect callback for access token exchange).

However, having a single module implement both doesn’t seem to be currently possible.

The built-in caddyhttp.Authentication module gets executed first, which implements caddyhttp.Middleware. When it calls my module’s Authenticate, I’m happily able to check if the user’s session cookie is set and return the user from that.

However, if the user is not logged in, and I return false, caddyhttp.Authentication kills the chain with 401 Forbidden. If I have my Authenticate return true with an empty User, caddyhttp.Authentication is happy – but my module’s ServeHTTP is never called. I’m guessing that’s because I’m using the http.authentication.providers.oauth2 for my module, and Middleware is only registered under http.handlers.*?

I can’t have my module’s Authenticate perform any redirects/page rendering, unless I want to make the main Caddy ServeHTTP angry with “headers already sent” errors.

So how is an OAuth2 flow possible in Caddy2 while leveraging http.authentication.providers? It’s certainly possible if I go the Middleware-only route.

Welcome, @tserkov!

Pinging @greenpau as he is also doing authentication work with Caddy 2. I want to be sure you two can coordinate your efforts.

That does sound like it, yeah. Your package can additionally register an http.handlers.* module if it needs to.

FWIW, this interface is still experimental, so we can change it, to make sure we can accommodate most of the different auth methods.

I’m also gonna rope @Mohammed90 in on this, since we were discussing this recently.

2 posts were split to a new topic: Using oauth2 directive that comes with non-standard module
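
An added example (not code from this thread or from Caddy) of the split suggested above: the authenticator only reads the session cookie and never writes to the response, while a separate handler ahead of it owns the redirect, so nothing collides with the 401. It uses only net/http; `User`, `Sign`, `Chain`, the `session` cookie format, the `/oauth2/` paths and the GET-only redirect are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"strings"
)

// User is a local stand-in shaped like caddyauth.User so this builds without Caddy.
type User struct{ ID string }

var key = []byte("constructed-demo-key") // constructed sample key
var app = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("protected")) })

// Sign builds the assumed cookie format "id.hex(HMAC-SHA256(id))".
func Sign(id string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(id))
	return id + "." + hex.EncodeToString(m.Sum(nil))
}

// Authenticate has the Authenticator signature but never touches w,
// so the caller stays free to send its own 401 or redirect.
func Authenticate(_ http.ResponseWriter, r *http.Request) (User, bool, error) {
	if c, err := r.Cookie("session"); err == nil {
		id, _, ok := strings.Cut(c.Value, ".")
		if ok && id != "" && hmac.Equal([]byte(Sign(id)), []byte(c.Value)) {
			return User{ID: id}, true, nil
		}
	}
	return User{}, false, nil // missing, malformed or forged cookie
}

// Chain models a login-flow handler placed ahead of the authentication check.
func Chain(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, authed, _ := Authenticate(w, r)
		switch {
		case strings.HasPrefix(r.URL.Path, "/oauth2/"): // flow handler owns these paths
			w.Write([]byte("login page placeholder"))
		case !authed && r.Method == http.MethodGet: // browser navigation without a session
			http.Redirect(w, r, "/oauth2/login", http.StatusFound)
		case !authed: // what the authentication handler does when Authenticate returns false
			http.Error(w, "not authenticated", http.StatusUnauthorized)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

func main() { http.ListenAndServe("127.0.0.1:8080", Chain(app)) }
```

The redirect target is a fixed path rather than anything taken from the request, which keeps the login redirect from becoming an open redirect.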

@tserkov, I think you can implement everything in the Authentication module. There is no need to have a middleware handler.

As soon as you intercept a request with Authenticate, you can write any content, including headers.

Please clarify the challenge here.

I am having a hard time finding docs on whether OAuth redirect flow is still supported in Caddy v2, in particular using Google as authenticator.

Any hints where to look and how to configure?

I’ve the same question.