@francislavoie
Thanks for the answer. Yes, I use caddy-security before Caddy adds forward auth. But there were so many refactorings and changes in caddy-security, where I need to refactor also my configurations, that I was happy just to use forward auth with Authelia.
For my problem/challenge now (to have a perfect homelab), where I now also need saml and unfortunately need to drop Authelia until it supports saml, I remembered caddy-security and spend nearly the whole weekend with caddy-security. But I guess there are some incompatibilities between Zitadel and caddy-security:
âserver initialization failed: failed configuring identity provider: failed to fetch jwt keys for OAuth 2.0 authorization server: invalid jwks key: jwks unsupported key usageâ
Anyway, I have canceled caddy-security. Compared to this many changes in the past, caddy-security feels nowadays if development is a bit stalled.
Then I searched again for a solution and find your question in Hacker News. After the answer from Zitadel I felt struggled in a dead end street:
Zitadel donât want to have forward auth, Caddy donât want to have oauth/oidc.
Then I think again if I really do it the right way and if a reverse proxy is the right place for managing authentication for apps, that donât support oidc or saml (*). There are a lot of apps out there who supports oidc/saml directly and itâs only some old/âlegacyâ apps or apps from small projects, where there is something like a header based auth.
After my brainstorming I decided that the authentication process belongs to the app itself.
Then I have tried another peace of software (oauth2-proxy) and compared to caddy-security, it worked after 20min with Zitadel. So I will either prepend oauth2-proxy in the docker-compose for apps, that donât use Apache or use the oidc module in Apache. OIDC module for Apache need to be tested next days, but development and community looks good.
The only thing what could happen with oauth2-proxy are 2 IP addresses in x-forwarded-for and the app behind shows the âwrongâ IP in their log. Apache shouldnât be a problem.
Thanks for your input, where I find a suitable solution for me.
*) Itâs the same question I had in the past: do I use Caddy (or Apache/Nginx) for the webserver part too for some apps, when this instance of Caddy is just meant to be a reverse proxy or not?
I also decided here that a reverse proxy is a reverse proxy and not the webserver for an app, if an app requires a webserver (eg. LAMP stacks), because if the reverse proxy do the webserver part too, the app is too much âgluedâ to the reverse proxy.