question: How to use Microsoft Authentication?

[qxsch]

How to use Microsoft Authentication?

It seems, that the Microsoft AuthCrunch Guide is incomplete.
Also there is no exmaple for Microsoft at: https://github.com/authcrunch/authcrunch.github.io/tree/main/assets/conf/oauth

Goal

my goal:

• Just show any content to authenticated users
• expose username and group memberships to backend /api/* ( reverse_proxy )

what i have done

i have followed the instructions here:
https://docs.authcrunch.com/docs/authenticate/oauth/backend-oauth2-0006-microsoft

i get the following error message:

{"level":"info","ts":1728988529.621003,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
Error: adapting config using caddyfile: parsing caddyfile tokens for 'security': no portals and gatekeepers found

i have the below docker file:

FROM caddy:2.8-builder AS builder

RUN xcaddy build \
    --with github.com/caddyserver/transform-encoder \
    --with github.com/greenpau/caddy-security

FROM caddy:2.8

COPY Caddyfile /etc/caddy/Caddyfile
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

and the caddy file looks like this:

{
    http_port 80
    https_port 443

    security {
        oauth identity provider azure {
            realm azure
            driver azure
            tenant_id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
            client_id yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
            client_secret zzzzzzzzzzzz
            scopes openid email profile
        }
    }
}

admin.domain.tld {
    header {
        X-Content-Type-Options "nosniff"
        Referrer-Policy "same-origin"
    }
    log {
        format transform `{request>remote_ip} - {user_id} [{ts}] "{request>method} {request>uri} {request>proto}" {status} {size} "{request>headers>Referer>[0]}" "{request>headers>User-Agent>[0]}"` {
            time_format "02/Jan/2006:15:04:05 -0700"
        }
        output file /var/log/caddy/admin.log {
            roll_size 100MiB
            roll_keep 50
            roll_keep_for 2160h
            # roll_uncompressed
        }
    }
    file_server {
        root /srv/admin
        index index.html index.htm
    }
    handle_errors 404 {
        rewrite * /error.html
        file_server {
            root /srv/admin
        }
    }
    handle_path /api/* {
        reverse_proxy {
            to http://admin-a:8000
        }
    }
}

[greenpau]

@qxsch , you can only use authenticator with local auth.

[qxsch]

@greenpau i have a working setup now (using caddy security and Entra ID) :-)

i could share the configuration, that can be used as an example.

[greenpau]

@qxsch , great. Please do share.

[qxsch]

{
    http_port 80
    https_port 443

    security {
        oauth identity provider azure {
            realm azure
            driver azure
                      
            tenant_id tttttttt-tttt-tttt-tttt-tttttttttttt
            client_id cccccccc-cccc-cccc-cccc-cccccccccccc
            client_secret Please-Enter-Your-Client-Secret-Here
            scopes openid email profile
            enable id_token_cookie azure_token
        }

        authentication portal oauthportal {
            # RS512 is better
            crypto key key1 sign from file /etc/caddy/jwt/sign_key1.pem
            crypto key key1 verify from file /etc/caddy/jwt/verify_key1.pem
            crypto default token lifetime 36000
            enable identity provider azure
            cookie lifetime 36000
            cookie path /
            
            transform user {
                match realm azure
                action add role authp/user
            }
        }

        authorization policy oauthpolicy {
            # RS512 is better 
            crypto key key1 sign from file /etc/caddy/jwt/sign_key1.pem
            crypto key key1 verify from file /etc/caddy/jwt/verify_key1.pem
            allow roles authp/user
            validate bearer header
            inject headers with claims
        }

    }

}

www.domain.com {
    header {
        X-Content-Type-Options "nosniff"
        Referrer-Policy "same-origin"
    }

    route {
        authorize with oauthpolicy

        # path ends with html or htm -> cache conflicts with oauth
        @htmFiles {
            path *.html
            path *.htm
            path /
        }
        header @htmFiles {
            -Etag
            -Last-Modified
            -Expires
            Cache-Control: "no-store, no-cache, must-revalidate, max-age=0"
            defer
        }

        file_server {
            root /srv/admin
            index index.html index.htm
            precompressed zstd gzip
            #push /*.html  /css/style.css /js/script.js
        }

    }

    @authportal {
        path /portal
        path /auth
        path /portal/*
        path /auth/*
        path /logout
        path /logout/*
    }
    route @authportal {
        authenticate with oauthportal
    }
    

    handle_errors 404 {
        rewrite * /error.html
        file_server {
            root /srv/admin
        }
    }
    handle_path /api/* {
        reverse_proxy {
            to http://api-a:8000
        }
    }
}

[qxsch]

@greenpau is there any way to put information from the azure jwt into caddy's jwt (f.e. oid field).

i was playing around with transform user, but i could just set a static value to caddy's jwt.
( action add oid "static value" as string )

looking for something like action add oid "{azure_token.oid}" as string