Gitlab OAuth provider

1. Caddy version (caddy version):

docker image caddy:2.3.0

2. How I run Caddy:

docker-compose.yml


  caddy:
    image: caddy:2.3.0
    container_name: caddy
    ports:
      - "80:80"
      - "443:443"
      - "3000:3000"
      - "9090:9090"
      - "9093:9093"
      - "9091:9091"
    volumes:
      - ./caddy:/etc/caddy
      - caddy_data:/data
    env_file:
      ./.env
    environment:
      - ADMIN_USER=${ADMIN_USER:-admin}
      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-admin}
      - ADMIN_PASSWORD_HASH=${ADMIN_PASSWORD_HASH:-JDJhJDE0JE91S1FrN0Z0VEsyWmhrQVpON1VzdHVLSDkyWHdsN0xNbEZYdnNIZm1pb2d1blg4Y09mL0ZP}
    restart: unless-stopped
    networks:
      - monitor-net
    labels:
      org.label-schema.group: "monitoring"

a. System environment:

$ docker-compose --version
docker-compose version 1.25.5, build unknown
$ uname -a
Linux <mydomain>.com 4.15.0-143-generic #147-Ubuntu SMP Wed Apr 14 16:10:11 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

b. Command:

sudo docker restart caddy

c. Service/unit/compose file:

  caddy:
    image: caddy:2.3.0
    container_name: caddy
    ports:
      - "80:80"
      - "443:443"
      - "3000:3000"
      - "9090:9090"
      - "9093:9093"
      - "9091:9091"
    volumes:
      - ./caddy:/etc/caddy
      - caddy_data:/data
    env_file:
      ./.env
    environment:
      - ADMIN_USER=${ADMIN_USER:-admin}
      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-admin}
      - ADMIN_PASSWORD_HASH=${ADMIN_PASSWORD_HASH:-JDJhJDE0JE91S1FrN0Z0VEsyWmhrQVpON1VzdHVLSDkyWHdsN0xNbEZYdnNIZm1pb2d1blg4Y09mL0ZP}
    restart: unless-stopped
    networks:
      - monitor-net
    labels:
      org.label-schema.group: "monitoring"

  prometheus:
    image: prom/prometheus:v2.26.0
    container_name: prometheus
    volumes:
      - ./prometheus:/etc/prometheus
      - prometheus_data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
      - '--web.console.libraries=/etc/prometheus/console_libraries'
      - '--web.console.templates=/etc/prometheus/consoles'
      - '--storage.tsdb.retention.time=200h'
      - '--web.enable-lifecycle'
      - '--web.external-url=http://<mydomain>:9090/'
    restart: unless-stopped
    expose:
      - 9090
    networks:
      - monitor-net
    labels:
      org.label-schema.group: "monitoring"

d. My complete Caddyfile or JSON config:

current:

{
    # email to use on Let's Encrypt
    email email@domain.com

    # Uncomment for debug
    #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    #debug
}

(basic-auth) {
    basicauth {
        {$ADMIN_USER} {$ADMIN_PASSWORD_HASH}
    }
}

prometheus.jump.<domain>.com {
    import basic-auth
    reverse_proxy prometheus:9090
}

alertmanager.jump.<domain>.com {
    import basic-auth
    reverse_proxy alertmanager:9093
}

pushgateway.jump.<domain>.com {
    import basic-auth
    reverse_proxy pushgateway:9091
}

grafana.jump.<domain>.com {
    reverse_proxy grafana:3000
}

jump.<domain>.com

3. The problem I’m having:

Gitlab provides me with the following information when I set up an “application” to provide OAuth parameters, in order to use them in external applications:

  • Application ID: generated by gitlab
  • Secret: generated by gitlab
  • Callback URL: https://grafana.jump.<domain>.com/login/gitlab

For instance, I configured this in grafana by adding the following environment variables:

      - GF_AUTH_GITLAB_ENABLED=true
      - GF_AUTH_GITLAB_ALLOW_SIGNUP=true
      - GF_AUTH_GITLAB_CLIENT_ID=<redacted>
      - GF_AUTH_GITLAB_CLIENT_SECRET=<redacted>
      - GF_AUTH_GITLAB_SCOPES=read_user,read_api
      - GF_AUTH_GITLAB_ALLOWED_GROUPS=<redacted>

I am trying to understand how to modify my Caddyfile in order to make use of the HTTP.Login provider published as supporting Gitlab OAuth here: Http.login v1.3.0: adds Gitlab OAuth provider, updates Google OAuth Endpoints

but I can’t even find the documentation of this http.login plugin.

I stumbled upon GitHub - greenpau/caddy-auth-jwt: JWT Authorization Plugin for Caddy v2 too, but I can’t make sense of how the few parameters gitlab provides me match what is required with this plugin.
I found Docker Caddy v2 and Google oAuth - #9 by francislavoie (btw, it would be useful in a general documentation on how to use plugins), but the OAuth part is even more blurry with this other plugin.

Any help or pointers would be appreciated!

Thanks in advance!

4. Error messages and/or full log output:

N/A

5. What I already tried:

N/A

6. Links to relevant resources:

/cc @greenpau


Hello @francislavoie , and thanks for pinging @greenpau. I had a look at Paul’s devs but couldn’t figure out my solution from the public repos unfortunately.

In summary, I could reformulate my questions like this…

  • Question 1: where is the http.login documentation for gitlab OAuth?
  • Question 2: can I use the same OAuth “gitlab application” (at the group level) to configure OAuth at prometheus, alertmanager and pushgateway as the one I already configured for grafana (this one works properly, but this is handled directly at the application level, not at the webserver level), or should I create 1 per subdomain? (i.e. 1 OAuth provider per subdomain: prometheus.jump.<domain>.com, another for alertmanager.jump.<domain>.com, etc.)
  • Question 3: how should I modify the Caddyfile to make use of the Application ID, Secret and Callback URL generated by gitlab.com for authentication applications?

Any help or pointers would be appreciated!

Thanks in advance!

@copolycube, see the following 2 examples:

General config: GitHub - greenpau/caddy-auth-portal: Authentication Plugin for Caddy v2 implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication
OAuth config: GitHub - greenpau/caddy-auth-portal: Authentication Plugin for Caddy v2 implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication


Hello @greenpau, if I understand your examples, does that mean that I should perform the following steps:

127.0.0.1, localhost {
  route /auth* {
    authp {
      backends {
        generic_oauth2_backend {
          method oauth2
          realm generic
          provider generic
          client_id <gitlab application ID>
          client_secret <gitlab application secret>
          scopes openid email profile
        }
      }
    }
  }
  route /sso/oauth2/generic* {
    jwt {
      auth_url /auth/oauth2/generic
    }
    respond * "generic oauth2 sso" 200
  }
}
  • Step 4: modify my endpoints like this:

prometheus.jump.<domain>.com {
    jwt {
        primary yes
        trusted_tokens {
            static_secret {
                token_name access_token
                token_secret <????>
            }
        }
        auth_url /auth
        allow roles anonymous guest admin
        allow roles superadmin
    }
    reverse_proxy prometheus:9090
}

alertmanager.jump.<domain>.com {
    jwt
    reverse_proxy alertmanager:9093
}

=> What value should I use for the token_secret?
=> Where should I specify which gitlab groups I am accepting to log in? (I remember some kind of parameter like this when implementing grafana OAuth.)

I feel like I’m missing something… :-/

Thanks in advance for your help !
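The two open questions above (what `token_secret` is, and where the GitLab group restriction lives) are easier to reason about once the token flow is separated from the plugin syntax. The following is an added example, not code from this thread and not from caddy-auth-portal or caddy-auth-jwt; it assumes, as those plugins' READMEs describe, that the portal signs an HS256 JWT after the OAuth2 login and each protected site validates that token with the same shared secret. The secret is therefore a random value you generate and configure identically on the issuing and validating sides, not something GitLab hands out. The `gitlab/<group>` role naming, `roles_from_gitlab_groups`, and the sample user data are hypothetical and constructed for the example; the code uses only the Python standard library.

```python
"""Added example (not from the thread or from greenpau's plugins): a minimal
HS256 JWT issue/verify round trip modelling an auth portal in front of
several sites. `token_secret` is a shared HMAC key: the portal signs with it,
every site validating the cookie checks with it. Group-based access is decided
when roles are written into the token and enforced by a per-site allow-list."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class TokenError(Exception):
    """Raised for any token that must be rejected."""


def new_token_secret(nbytes: int = 32) -> str:
    """Generate a fresh shared secret; configure the same value on issuer and validators."""
    return secrets.token_hex(nbytes)


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def roles_from_gitlab_groups(groups, allowed_groups):
    """Hypothetical mapping applied when minting the token: each permitted
    GitLab group becomes a role; membership in no permitted group yields none."""
    return [f"gitlab/{g}" for g in groups if g in allowed_groups]


def issue_token(secret, claims, ttl=3600, now=None):
    """Sign claims as an HS256 JWT (what the portal does after a successful login)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(secret, token, now=None):
    """Validate the way a per-site check must: pin the algorithm, compare the
    MAC in constant time, then enforce expiry. Returns the claims on success."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict):
            raise ValueError("header is not an object")
        signature = b64url_decode(s)
    except (ValueError, TypeError) as exc:
        raise TokenError("malformed token") from exc
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")  # rejects alg=none and algorithm confusion
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")  # wrong secret, or tampered header/payload
    try:
        claims = json.loads(b64url_decode(p))
    except ValueError as exc:
        raise TokenError("malformed payload") from exc
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("expired")
    return claims


def verification_fails(secret, token, now=None):
    """True when verify_token rejects the token; used for the negative cases."""
    try:
        verify_token(secret, token, now)
    except TokenError:
        return True
    return False


def is_allowed(claims, allowed_roles):
    """Site-level check, the equivalent of an `allow roles ...` line."""
    roles = claims.get("roles", [])
    if isinstance(roles, str):
        roles = [roles]
    return bool(set(roles) & set(allowed_roles))


if __name__ == "__main__":
    secret = new_token_secret()  # same value goes to the portal and to every site
    # Constructed user data standing in for what the GitLab userinfo call returns.
    roles = roles_from_gitlab_groups(["monitoring", "unrelated"], {"monitoring"})
    token = issue_token(secret, {"sub": "alice", "roles": roles}, ttl=900)
    claims = verify_token(secret, token)
    print("prometheus site admits alice:", is_allowed(claims, {"gitlab/monitoring"}))
    print("wrong secret rejected:", verification_fails(new_token_secret(), token))
```

Read against the Caddyfile in the question: `token_secret` on each site must equal the secret the portal signs with, and the group restriction is applied once, where the portal turns GitLab group membership into roles, so each site only needs its own `allow roles` list.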