I’m having fun during quarantine by writing an OAuth2 module for Caddy 2!
I have the module implementing both caddyauth.Authenticator (which gets the current authenticated user) and caddyhttp.Middleware (which takes care of the OAuth flow, from the login page that provides links to OAuth2 providers, to the OAuth2 redirect callback for access token exchange).
However, having a single module implement both doesn’t seem to be currently possible.
The caddyhttp.Authentication module gets executed first, which implements caddyhttp.Middleware. When it calls my module’s Authenticate, I’m happily able to check if the user’s session cookie is set and return the user from that.
However, if the user is not logged in, and I return
caddyhttp.Authentication kills the chain with 401 Forbidden. If I have my
true with an empty User,
caddyhttp.Authentication is happy – but my module’s ServeHTTP is never called. I’m guessing that’s because I’m using the
http.authentication.providers.oauth2 for my module, and Middleware is only registered under
I can’t have my module’s Authenticate perform any redirects/page rendering, unless I want to make the main Caddy ServeHTTP angry with “headers already sent” errors.
So how is an OAuth2 flow possible in Caddy2 while leveraging http.authentication.providers? It’s certainly possible if I go the Middleware-only route.
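
The Middleware-only route mentioned in the post, as an added example that is not part of the original post and is not Caddy's or the module's own code. It uses only Go's net/http; the "user.hexmac" session cookie format, the X-Auth-User header, the /oauth2/ paths and the demo key are assumptions, and the provider redirect and token exchange are out of scope.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"net/url"
	"strings"
)

// key is a constructed demo secret; load a real one from configuration.
var key = []byte("constructed-demo-key")

func sign(user string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(user))
	return user + "." + hex.EncodeToString(m.Sum(nil)) // "user.hexmac"
}

// userFromCookie plays the Authenticate role: it only reads the request.
func userFromCookie(r *http.Request) (string, bool) {
	c, err := r.Cookie("session")
	if err != nil {
		return "", false
	}
	i := strings.LastIndex(c.Value, ".")
	if i < 1 || !hmac.Equal([]byte(sign(c.Value[:i])), []byte(c.Value)) {
		return "", false
	}
	return c.Value[:i], true
}

// Gate may write the response: anonymous requests get a redirect, not a 401.
func Gate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, ok := userFromCookie(r)
		r.Header.Del("X-Auth-User") // never trust a client-sent identity header
		if ok {
			r.Header.Set("X-Auth-User", user)
		} else if !strings.HasPrefix(r.URL.Path, "/oauth2/") {
			dest := "/oauth2/login?next=" + url.QueryEscape(r.URL.RequestURI())
			http.Redirect(w, r, dest, http.StatusFound)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { http.ListenAndServe("127.0.0.1:8080", Gate(http.NotFoundHandler())) }
```

Whatever serves /oauth2/login must treat the next parameter as untrusted and accept only a local path before redirecting back to it.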