Greetings!
I’m having fun during quarantine by writing an OAuth2 module for Caddy 2!
I have the module implementing both caddyauth.Authenticator (which gets the current authenticated user) and caddyhttp.Middleware (which takes care of the OAuth flow, from the login page that provides links to OAuth2 providers, to the OAuth2 redirect callback for the access token exchange).
However, having a single module implement both doesn’t seem to be currently possible.
The built-in caddyhttp.Authentication module gets executed first, which implements caddyhttp.Middleware. When it calls my module’s Authenticate, I’m happily able to check if the user’s session cookie is set and return the user from that.
However, if the user is not logged in and I return false, caddyhttp.Authentication kills the chain with 401 Forbidden. If I have my Authenticate return true with an empty User, caddyhttp.Authentication is happy – but my module’s ServeHTTP is never called. I’m guessing that’s because I’m using the http.authentication.providers.oauth2 namespace for my module, and Middleware is only registered under http.handlers.*?
I can’t have my module’s Authenticate perform any redirects/page rendering, unless I want to make the main Caddy ServeHTTP angry with “headers already sent” errors.
So how is an OAuth2 flow possible in Caddy2 while leveraging http.authentication.providers? It’s certainly possible if I go the Middleware-only route.