{"componentChunkName":"component---src-templates-blog-post-js","path":"/blog/securing-internal-services-behind-oauth2-with-caddy","result":{"data":{"allGhostPost":{"edges":[{"node":{"title":"Securing Internal Services Behind an OAuth2 Provider with Caddy","html":"
Last updated on Mar. 1, 2019
\nIn the video above, you can see that secret.int.localtest.me
β is secured behind a Google OAuth2 login. Unauthenticated requests are redirected to a login portal, auth.int.localtest.me
, which asks the user to log in using Google. With this, we are able to authenticate once for all sites under int.localtest.me
.
β localtest.me
as well as any of its subdomains resolve to 127.0.0.1
. This makes testing local services much easier.
β Note: This post applies to Caddy 1 which was discontinued around mid-2020. Do not follow this if you are using Caddy 2.
\nBehind the scenes, authentication is handled using JWT Tokens set as cookies on the int.localtest.me
hostname, making them available to all subdomains. The JWT token is checked on every request to authenticated URLs. This is handled by the http.jwt
plugin.
The login portal is served using the http.loginsrv
plugin, which is a Caddy binding to tarent/loginsrv.
βΉοΈ UPDATE Mar. 1, 2019 Due to Google+ being deprecated, it's no longer necesary to enable its API and OAuth scopes. I've removed the sections relating to that below.
\nWe will assume the following:
\n*.int.domain.tld
login.int.domain.tld
We will start with an internal service, publicly accessible:
\nCaddyfile
secret.int.domain.tld {\n ...\n}\n
\nππΌ I prefer to run Caddy inside a Docker container. But, you don't have to! You can skip this section, but make sure that your Caddy binary has the http.jwt
and http.login
plugins compiled. You can either compile the binary yourself or download a pre-built binary from Caddy's website making sure to include the plugins I mentioned.
The abiosoft/caddy
image doesn't include the http.jwt
and http.login
plugins, so we will need to build our own image. To do that, run:
docker build -t caddy-jwt-login --build-arg plugins="jwt,login" github.com/abiosoft/caddy-docker.git\n
\nMake sure to include any other plugins you might need if you are hosting other sites on the same Caddy instance. Replace caddy-jwt-login
with a different tag if it makes sense for you.
This will be the image that we will base our Caddy container on, instead of abiosoft/caddy
.
π I've built and published an image that you can use, but I can't promise that it will always be up to date! kamaln7/caddy-jwt-login
. As of right now, the latest version is kamaln7/caddy-jwt-login:0.11.0
.
In order to be able to use Google as an OAuth2 provider, we'll need to create a project in the Developers Console and add an OAuth2 service to it. Start by creating a new project here.
\nThen, browse to the developer console. Make sure your project is selected in the top-left corner.
\nGo to the Credentials page, accessible from the left sidebar. Click on the "Oauth consent screen" tab and fill in "Application name".
\nScroll down to "Authorized domains" and enter your top-level domain name in the field (domain.tld
). Save and return to the Credentials page.
In the Credentials tab, click on the blue Create credentials button and select OAuth client ID.
\n\nThe Application type will be Web application. Name it whatever you want, and add https://auth.int.domain.tld/login/google
to the Authorized redirect URIs list. Don't click Create right after filling out the field. Click anywhere else on the page to add it to the list and then click Create. Dumb UX, I know. But it's necessary.
On the following page, you will get a popup with your Client ID and secret. Save those somewhere because we will need them later.
\nAdd the following to your Caddy config. Replace YOURCLIENTID
with your Client ID and YOURCLIENTSECRET
with the secret.
auth.int.domain.tld {\n tls your@email.address\n redir 302 {\n if {path} is /\n / /login\n }\n\n login {\n google client_id=YOURCLIENTID,client_secret=YOURCLIENTSECRET\n redirect_check_referer false\n redirect_host_file /redirect_hosts.txt\n cookie_domain int.domain.tld\n }\n}\n
\nThis will configure the http.login
plugin with the Google OAuth2 provider you just created, set the cookies on int.domain.tld
instead of auth.int.domain.tld
, and allow rediretion to hosts in the redirect_hosts.txt
file. More on redirections below.
β
Now, when you browse to https://auth.int.domain.tld
, you will be able to log in using your Google account. Note that anyone will be able to log in here, but not everyone will have access to the protected services. We will limit service access to specific email addresses in the following section.
All that is left is securing the internal service using the http.jwt
plugin. We will extract this config into its own snippet so we can easily re-use it with other services.
Caddyfile
(int-auth) {\n jwt {\n path /\n redirect https://auth.int.domain.tld/login?backTo=https%3A%2F%2F{host}{rewrite_uri_escaped}\n allow sub your@email.address\n allow sub otherpeson@gmail.com\n }\n}\n
\nThis will enable JWT auth on /
(every request) and redirect unauthenticated requests to our login portal. The backTo
parameter instructs the login portal to redirect back to the internal service on successful login. Repeat the allow sub ...
directives for each email address you want to allow access.
π Remember we talked about a redirect_hosts.txt
file? This is where it comes in. This file will contain a list of hosts that the login portal is allowed to redirect back to. By default, it won't allow any external URLs outside of auth.int.domain.tld
. By setting redirect_check_referer false
and providing a list of approved hosts, we are able to redirect users back to our internal services.
Create a file with each internal service on a line and add it to your Docker image or wherever Caddy is running. Just make sure to update the path to it in the Caddy config above (the login {}
block).
redirect_hosts.txt
secret.int.domain.tld\nanother-service.int.domain.tld\n
\n⨠Finally, import this snippet in the internal service config:
\nCaddyfile
secret.int.domain.tld {\n import int-auth\n ...\n}\n
\nThat's it! Your internal service(s) are secured using the login portal.
\nJWT tokens are signed using a secret. This allows the server to validate that the tokens weren't tampered with (by anyone who doesn't have access to the secret). http.login
looks for a secret stored in the JWT_SECRET
environment variable:
loginsrv
's default secret and updates the environment variable. The default secret is a randomly generated stringWhen validating requests, http.jwt
uses the JWT_SECRET
environment variable. This is all fine, because the default secret is randomly generated on startup and not a hard-coded string. However, this means that the secret changes when Caddy restarts, which causes all users to be logged out as their tokens become invalidated.
To make sessions persist across restarts, we need to set our own fixed secret. You can generate two random 16-character-long strings on random.org and put them together as a 32-character-long secret. (You need a paid random.org account to generate strings longer than 20 characters). Set the JWT_SECRET
environment variable to this token and make it available to Caddy.