Kamal Nasser

Securing Internal Services Behind an OAuth2 Provider with Caddy

In the video above, you can see that secret.int.localtest.me† is secured behind a Google OAuth2 login. Unauthenticated requests are redirected to a login portal, auth.int.localtest.me, which asks the user to log in using Google. With this, we are able to authenticate once for all sites under int.localtest.me.

localtest.me as well as any of its subdomains resolve to 127.0.0.1. This makes testing local services much easier.

🤔 How does this work?

Behind the scenes, authentication is handled using JWT Tokens set as cookies on the int.localtest.me hostname, making them available to all subdomains. The JWT token is checked on every request to authenticated URLs. This is handled by the http.jwt plugin.

The login portal is served using the http.loginsrv plugin, which is a Caddy binding to tarent/loginsrv.

🛠 How do I set this up?

We will assume the following:

  • All internal services are hosted on *.int.domain.tld
  • The login portal will be served on login.int.domain.tld
  • The OAuth2 provider is Google with a list of approved email addresses
  • Caddy is used as the front-facing proxy or webserver for all internal services

🔓 Base unsecured environment

We will start with an internal service, publicly accessible:

Caddyfile

secret.int.domain.tld {
    ...
}

📸 Build the Caddy Docker image

The abiosoft/caddy image doesn't include the http.jwt and http.login plugins, so we will need to build our own image. To do that, run:

docker build -t caddy-jwt-login --build-arg plugins="jwt,login" github.com/abiosoft/caddy-docker.git

Make sure to include any other plugins you might need if you are hosting other sites on the same Caddy instance. Replace caddy-jwt-login with a different tag if it makes sense for you.

This will be the image that we will base our Caddy container on, instead of abiosoft/caddy.

🌟 I've built and published an image that you can use, but I can't promise that it will always be up to date! kamaln7/caddy-jwt-login. As of right now, the latest version is kamaln7/caddy-jwt-login:0.11.0.

🔑 Set up the Google OAuth2 provider

In order to be able to use Google as an OAuth2 provider, we'll need to create a project in the Developers Console and add an OAuth2 service to it. Start by creating a new project here.

Then, browse to the developer console. Make sure your project is selected in the top-left corner. Click on the "Enable APIs and Services" button and enable the Google+ API.

screenshot
screenshot

Now, go to the Credentials page, accessible from the left sidebar. Click on the "Oauth consent screen" tab and fill in "Application name". Under "Scopes for Google APIs", click Add scope and add the "Google+ API email" scope. Scroll down to "Authorized domains" and enter your top-level domain name in the field (domain.tld). Save and return to the Credentials page.

screenshot

In the Credentials tab, click on the blue Create credentials button and select OAuth client ID.

screenshot

The Application type will be Web application. Name it whatever you want, and add https://auth.int.domain.tld/login/google to the Authorized redirect URIs list. Don't click Create right after filling out the field. Click anywhere else on the page to add it to the list (dumb UX, I know) and then click Create.

screenshot

On the following page, you will get a popup with your Client ID and secret. Save those somewhere because we will need them later.

🌐 Create the login portal

Add the following to your Caddy config. Replace YOURCLIENTID with your Client ID and YOURCLIENTSECRET with the secret.

auth.int.domain.tld {
        tls your@email.address
        redir 302 {
                if {path} is /
                / /login
        }

        login {
                google client_id=YOURCLIENTID,client_secret=YOURCLIENTSECRET,scope=https://www.googleapis.com/auth/userinfo.email
                redirect_check_referer false
                redirect_host_file /redirect_hosts.txt
                cookie_domain int.domain.tld
        }
}

This will configure the http.login plugin with the Google OAuth2 provider you just created, set the cookies on int.domain.tld instead of auth.int.domain.tld, and allow rediretion to hosts in the redirect_hosts.txt file. More on redirections below.

✅ Now, when you browse to https://auth.int.domain.tld, you will be able to log in using your Google account. Note that anyone will be able to log in here. We will limit access to specific email addresses in the following section.

🔐 Secure the internal service

All that is left is securing the internal service using the http.jwt plugin. We will extract this config into its own snippet so we can easily re-use it with other services.

Caddyfile

(int-auth) {
        jwt {
                path /
                redirect https://auth.int.domain.tld/login?backTo=https%3A%2F%2F{host}{rewrite_uri_escaped}
                allow sub your@email.address
                allow sub otherpeson@gmail.com
        }
}

This will enable JWT auth on / (every request) and redirect unauthenticated requests to our login portal. The backTo parameter instructs the login portal to redirect back to the internal service on successful login. Repeat the allow sub ... directives for each email address you want to allow access.

💭 Remember we talked about a redirect_hosts.txt file? This is where it comes in. This file will contain a list of hosts that the login portal is allowed to redirect back to. By default, it won't allow any external URLs outside of auth.int.domain.tld. By setting redirect_check_referer false and providing a list of approved hosts, we are able to redirect users back to our internal services.

Create a file with each internal service on a line and add it to your Docker image or wherever Caddy is running. Just make sure to update the path to it in the Caddy config above (the login {} block).

redirect_hosts.txt

secret.int.domain.tld
another-service.int.domain.tld

✨ Finally, import this snippet in the internal service config:

Caddyfile

secret.int.domain.tld {
    import int-auth
    ...
}

What now?

That's it! Your internal service(s) are secured using the login portal.

OPTIONAL ⚡ Session persistance across Caddy restarts

JWT tokens are signed using a secret. This allows the server to validate that the tokens weren't tampered with (by anyone who doesn't have access to the secret). http.login looks for a secret stored in the JWT_SECRET environment variable:

  • if it exists, it uses it
  • otherwise, it uses loginsrv's default secret and updates the environment variable. The default secret is a randomly generated string

When validating requests, http.jwt uses the JWT_SECRET environment variable. This is all fine, because the default secret is randomly generated on startup and not a hard-coded string. However, this means that the secret changes when Caddy restarts, which causes all users to be logged out as their tokens become invalidated.

To make sessions persist across restarts, we need to set our own fixed secret. You can generate two random 16-character-long strings on random.org and put them together as a 32-character-long secret. (You need a paid random.org account to generate strings longer than 20 characters). Set the JWT_SECRET environment variable to this token and make it available to Caddy.

📚 Resources