Gitlab OAuth provider

1. Caddy version (caddy version):

docker image caddy:2.3.0

2. How I run Caddy:

docker-compose.yml


  caddy:
    image: caddy:2.3.0
    container_name: caddy
    ports:
      - "80:80"
      - "443:443"
      - "3000:3000"
      - "9090:9090"
      - "9093:9093"
      - "9091:9091"
    volumes:
      - ./caddy:/etc/caddy
      - caddy_data:/data
    env_file:
      ./.env
    environment:
      - ADMIN_USER=${ADMIN_USER:-admin}
      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-admin}
      - ADMIN_PASSWORD_HASH=${ADMIN_PASSWORD_HASH:-JDJhJDE0JE91S1FrN0Z0VEsyWmhrQVpON1VzdHVLSDkyWHdsN0xNbEZYdnNIZm1pb2d1blg4Y09mL0ZP}
    restart: unless-stopped
    networks:
      - monitor-net
    labels:
      org.label-schema.group: "monitoring"

a. System environment:

$ docker-compose --version
docker-compose version 1.25.5, build unknown
$ uname -a
Linux <mydomain>.com 4.15.0-143-generic #147-Ubuntu SMP Wed Apr 14 16:10:11 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

b. Command:

sudo docker restart caddy

c. Service/unit/compose file:

  caddy:
    image: caddy:2.3.0
    container_name: caddy
    ports:
      - "80:80"
      - "443:443"
      - "3000:3000"
      - "9090:9090"
      - "9093:9093"
      - "9091:9091"
    volumes:
      - ./caddy:/etc/caddy
      - caddy_data:/data
    env_file:
      ./.env
    environment:
      - ADMIN_USER=${ADMIN_USER:-admin}
      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-admin}
      - ADMIN_PASSWORD_HASH=${ADMIN_PASSWORD_HASH:-JDJhJDE0JE91S1FrN0Z0VEsyWmhrQVpON1VzdHVLSDkyWHdsN0xNbEZYdnNIZm1pb2d1blg4Y09mL0ZP}
    restart: unless-stopped
    networks:
      - monitor-net
    labels:
      org.label-schema.group: "monitoring"

  prometheus:
    image: prom/prometheus:v2.26.0
    container_name: prometheus
    volumes:
      - ./prometheus:/etc/prometheus
      - prometheus_data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
      - '--web.console.libraries=/etc/prometheus/console_libraries'
      - '--web.console.templates=/etc/prometheus/consoles'
      - '--storage.tsdb.retention.time=200h'
      - '--web.enable-lifecycle'
      - '--web.external-url=http://<mydomain>:9090/'
    restart: unless-stopped
    expose:
      - 9090
    networks:
      - monitor-net
    labels:
      org.label-schema.group: "monitoring"

d. My complete Caddyfile or JSON config:

current:

{
    # email to use on Let's Encrypt
    email email@domain.com

    # Uncomment for debug
    #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    #debug
}

(basic-auth) {
    basicauth {
        {$ADMIN_USER} {$ADMIN_PASSWORD_HASH}
    }
}

prometheus.jump.<domain>.com {
    import basic-auth
    reverse_proxy prometheus:9090
}

alertmanager.jump.<domain>.com {
    import basic-auth
    reverse_proxy alertmanager:9093
}

pushgateway.jump.<domain>.com {
    import basic-auth
    reverse_proxy pushgateway:9091
}

grafana.jump.<domain>.com {
    reverse_proxy grafana:3000
}

jump.<domain>.com

3. The problem I’m having:

Gitlab provides me with the following information when I set up an “application” to provide OAuth parameters, in order to use them in external applications:

  • Application ID: generated by gitlab
  • Secret: generated by gitlab
  • Callback URL: https://grafana.jump.<domain>.com/login/gitlab

For instance, I configured this in grafana by adding the following environment variables:

      - GF_AUTH_GITLAB_ENABLED=true
      - GF_AUTH_GITLAB_ALLOW_SIGNUP=true
      - GF_AUTH_GITLAB_CLIENT_ID=<redacted>
      - GF_AUTH_GITLAB_CLIENT_SECRET=<redacted>
      - GF_AUTH_GITLAB_SCOPES=read_user,read_api
      - GF_AUTH_GITLAB_ALLOWED_GROUPS=<redacted>

I am trying to understand how to modify my Caddyfile in order to make use of the HTTP.Login provider published as supporting Gitlab OAuth here : Http.login v1.3.0: adds Gitlab OAuth provider, updates Google OAuth Endpoints

but I can’t even find the documentation of this http.login plugin.

I stumbled upon GitHub - greenpau/caddy-authorize: Authorization Plugin for Caddy v2 (JWT/PASETO) too, but I can’t make sense of how the few parameters gitlab provides me match what is required with this plugin.
I found Docker Caddy v2 and Google oAuth - #9 by francislavoie (btw, would be useful in a general documentation on how to use plugins), but the OAuth part is even more blurry with this other plugin.

Any help or pointers would be appreciated !

Thanks in advance !

4. Error messages and/or full log output:

N/A

5. What I already tried:

N/A

6. Links to relevant resources:

/cc @greenpau

1 Like

Hello @francislavoie , and thanks for pinging @greenpau. I had a look at Paul’s devs but couldn’t figure out my solution from the public repos unfortunately.

In summary, I could reformulate my questions like this…

  • Question 1: where is the http.login documentation for gitlab OAuth?
  • Question 2: can I use the same OAuth “gitlab application” (at the group level) to configure OAuth for prometheus, alertmanager and pushgateway as the one I already configured for grafana (this one works properly, but it is handled directly at the application level, not at the webserver level), or should I create 1 per subdomain? (i.e. 1 OAuth provider per subdomain: one for prometheus.jump.<domain>.com, another for alertmanager.jump.<domain>.com, etc.)
  • Question 3: how should I modify the Caddyfile to make use of the Application ID, Secret and Callback URL generated by gitlab.com for authentication applications?

Any help or pointers would be appreciated !

Thanks in advance !

@copolycube , see the following 2 examples:

General config: GitHub - greenpau/caddy-auth-portal: Authentication Plugin for Caddy v2 implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA with App Authenticators and Yubico.
OAuth config: GitHub - greenpau/caddy-auth-portal: Authentication Plugin for Caddy v2 implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA with App Authenticators and Yubico.

1 Like

Hello @greenpau , if I understand your examples, does that mean that I should perform the following steps:

127.0.0.1, localhost {
  route /auth* {
    authp {
      backends {
        generic_oauth2_backend {
          method oauth2
          realm generic
          provider generic
          client_id <gitlab application ID>
          client_secret <gitlab application secret>
          scopes openid email profile
        }
      }
    }
  }
  route /sso/oauth2/generic* {
    jwt {
      auth_url /auth/oauth2/generic
    }
    respond * "generic oauth2 sso" 200
  }
}
  • Step 4: modify my endpoints like this:

prometheus.jump.<domain>.com {
    jwt {
        primary yes
        trusted_tokens {
            static_secret {
                token_name access_token
                token_secret <????>
            }
        }
        auth_url /auth
        allow roles anonymous guest admin
        allow roles superadmin
    }
    reverse_proxy prometheus:9090
}

alertmanager.jump.<domain>.com {
    jwt
    reverse_proxy alertmanager:9093
}

=> What value should I use for the token_secret?
=> Where should I specify which gitlab groups I am accepting to log in? (I remember some kind of parameter like this when implementing grafana OAuth.)

I feel like I’m missing something… :-/

Thanks in advance for your help !

Hello @greenpau , could you confirm that I am following the correct logic and what the token_secret parameter should correspond to?

Thanks in advance for your help

Hello @greenpau / @francislavoie,

as I understand, token_secret must be generated from the generated certificate, but from what I understood the certificate is automatically handled by Caddy & Let’s Encrypt. I didn’t find in the suggested docs how to proceed with this, would you have some suggestions?

Thanks in advance

The certificate for validating JWTs is not the same as your TLS certificate. Those have totally different concerns.

I can’t really offer support for caddy-auth-jwt, I don’t use that plugin. You’ll need to wait until Paul has time to answer.
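To make the distinction in the reply above concrete (and to answer the earlier "what value should I use for the token_secret?" question in general terms), here is an added example that is not part of this thread and not caddy-auth-jwt's or caddy-auth-portal's code. It assumes that a static token secret works the way an HMAC-signed JWT normally does: the issuer (the auth portal, after a successful OAuth login) signs the token with a shared secret, and the validator (the jwt directive in front of prometheus, alertmanager, etc.) recomputes the HMAC with the same secret. The TLS certificate from Let's Encrypt plays no part in it. The secret, claims and role list are constructed for the example; the exact claim names the plugin uses are not taken from this page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set

# Constructed shared secret, standing in for whatever would be configured as
# token_secret on both the issuing and the validating side. Not a real value.
SHARED_SECRET = b"example-shared-secret-not-a-real-one"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: Dict, secret: bytes) -> str:
    """Issuer side: sign base64url(header).base64url(claims) with HMAC-SHA256
    under the shared secret. This is the step the auth portal performs once the
    OAuth provider (GitLab here) has authenticated the user."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[Dict]:
    """Validator side: recompute the HMAC with the same shared secret, compare
    in constant time, then check algorithm and expiry. Returns the claims on
    success and None on any failure, so the caller never sees unverified claims."""
    try:
        h, p, s = token.split(".")
        presented_sig = _b64url_decode(s)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented_sig):
        return None
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    exp = claims.get("exp")
    current = now if now is not None else time.time()
    if not isinstance(exp, (int, float)) or current >= exp:
        return None
    return claims


def role_allowed(claims: Dict, allowed_roles: Set[str]) -> bool:
    """Mirror of an 'allow roles ...' line: access is granted only when at least
    one role carried in the verified token is in the allowed set."""
    roles = claims.get("roles", [])
    if isinstance(roles, str):
        roles = [roles]
    return any(r in allowed_roles for r in roles)


def demo() -> Dict[str, bool]:
    """The cases a practitioner wants to see: the same secret validates, a
    different secret does not, a tampered payload does not, an expired token
    does not, and roles gate access after validation."""
    claims = {"sub": "gitlab-user", "roles": ["admin"], "exp": 2_000_000_000}
    token = issue_token(claims, SHARED_SECRET)
    t = 1_900_000_000  # fixed "now" so the example is deterministic
    ok = verify_token(token, SHARED_SECRET, now=t)
    wrong_secret = verify_token(token, b"some-other-secret", now=t)
    # Tampering attempt: swap the payload for one claiming superadmin while
    # keeping the original signature; the HMAC check must reject it.
    h, _, s = token.split(".")
    forged = _b64url(json.dumps({**claims, "roles": ["superadmin"]}).encode())
    tampered = verify_token(f"{h}.{forged}.{s}", SHARED_SECRET, now=t)
    expired = verify_token(token, SHARED_SECRET, now=2_000_000_001)
    return {
        "valid": ok is not None and role_allowed(ok, {"admin", "superadmin"}),
        "wrong_secret_rejected": wrong_secret is None,
        "tampered_rejected": tampered is None,
        "expired_rejected": expired is None,
        "guest_denied": not role_allowed({"roles": ["guest"]}, {"admin"}),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the Caddyfile in the thread: every site block that validates tokens (prometheus, alertmanager, pushgateway) must be given the same secret the portal signs with, and that secret is independent of the certificates Caddy obtains for TLS.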

Hello @francislavoie,
I tried using the Dockerfile provided

  • Dockerfile (full):
ARG image_ref
FROM $image_ref-builder AS builder

RUN xcaddy build \
    --with github.com/greenpau/caddy-auth-jwt \
    --with github.com/greenpau/caddy-auth-portal \
    --with github.com/greenpau/caddy-trace

FROM $image_ref

COPY --from=builder /usr/bin/caddy /usr/bin/caddy
  • docker-compose.yml (extract, initially adapted from dockprom docker-compose):
  caddy:
    build:
        context: ./caddy
        dockerfile: Dockerfile
        args:
            image_ref: caddy:2.3.0
    container_name: caddy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./caddy:/etc/caddy
      - caddy_data:/data
    env_file:
      ./.env
    environment:
      - ADMIN_USER=${ADMIN_USER:-admin}
      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-admin}
      - ADMIN_PASSWORD_HASH=${ADMIN_PASSWORD_HASH:-JDJhJDE0JE91S1FrN0Z0VEsyWmhrQVpON1VzdHVLSDkyWHdsN0xNbEZYdnNIZm1pb2d1blg4Y09mL0ZP}
    restart: unless-stopped
    networks:
      - monitor-net
    labels:
      org.label-schema.group: "monitoring"

But this results in an error:
github.com/greenpau/caddy-auth-jwt/pkg/claims: module github.com/greenpau/caddy-auth-jwt@latest found (v1.3.3), but does not contain package github.com/greenpau/caddy-auth-jwt/pkg/claims

$ sudo docker-compose build caddy
Building caddy
Step 1/5 : ARG image_ref
Step 2/5 : FROM $image_ref-builder AS builder
2.3.0-builder: Pulling from library/caddy
339de151aab4: Already exists
c22b54d2d434: Pull complete
a5898d3d0f1f: Pull complete
45645685a6b6: Pull complete
a26c0b7800df: Pull complete
e85f4d0dd62a: Pull complete
7033ff0a1e20: Pull complete
01ab79ec2ca7: Pull complete
Digest: sha256:cbe481eb0b302982196883be4696f9199487fbc6946ad492527a9d16959a726d
Status: Downloaded newer image for caddy:2.3.0-builder
 ---> 9a0815f636be
Step 3/5 : RUN xcaddy build     --with github.com/greenpau/caddy-auth-jwt     --with github.com/greenpau/caddy-auth-portal     --with github.com/greenpau/caddy-trace
[...]
caddy imports
	github.com/greenpau/caddy-auth-portal imports
	github.com/greenpau/caddy-auth-jwt/pkg/config: module github.com/greenpau/caddy-auth-jwt@latest found (v1.3.3), but does not contain package github.com/greenpau/caddy-auth-jwt/pkg/config
caddy imports
	github.com/greenpau/caddy-auth-portal imports
	github.com/greenpau/caddy-auth-portal/pkg/core imports
	github.com/greenpau/caddy-auth-jwt/pkg/claims: module github.com/greenpau/caddy-auth-jwt@latest found (v1.3.3), but does not contain package github.com/greenpau/caddy-auth-jwt/pkg/claims
2021/06/22 23:39:14 [INFO] Skipping cleanup as requested; leaving folder intact: /tmp/buildenv_2021-06-22-2338.595800206
2021/06/22 23:39:14 [FATAL] exit status 1
ERROR: Service 'caddy' failed to build: The command '/bin/sh -c xcaddy build     --with github.com/greenpau/caddy-auth-jwt     --with github.com/greenpau/caddy-auth-portal     --with github.com/greenpau/caddy-trace' returned a non-zero code: 1

@copolycube , please open an issue in github.com/greenpau/caddy-auth-portal and I will guide you through the setup. I am going to release a new version that has breaking changes from the current syntax.

Will promise to get you to the “end zone,” provided you are available to test things.

2 Likes

Hello @greenpau, thanks !

Do you want me to file the issue with all the details provided here?

This is not an urgent matter, but I will totally be able and willing to test things (not next week though…) since this will really help the adoption of the monitoring platform I’m setting up :slight_smile:

==> https://github.com/greenpau/caddy-auth-portal/issues/140
