54 lines
1.1 KiB
Caddyfile
54 lines
1.1 KiB
Caddyfile
{
|
|
# Port to listen on
|
|
http_port 80
|
|
|
|
# Configure caddy-security.
|
|
order authenticate before respond
|
|
security {
|
|
oauth identity provider generic {
|
|
delay_start 3
|
|
realm generic
|
|
driver generic
|
|
client_id {env.OAUTH_CLIENT_ID} # Replace with your own client ID
|
|
client_secret {env.OAUTH_CLIENT_SECRET} # Replace with your own client secret
|
|
scopes openid email profile
|
|
base_auth_url http://pocket-id
|
|
metadata_url http://pocket-id/.well-known/openid-configuration
|
|
}
|
|
|
|
authentication portal myportal {
|
|
crypto default token lifetime 3600 # Seconds until you have to re-authenticate
|
|
enable identity provider generic
|
|
cookie insecure off # Set to "on" if you're not using HTTPS
|
|
|
|
transform user {
|
|
match realm generic
|
|
action add role user
|
|
}
|
|
}
|
|
|
|
authorization policy mypolicy {
|
|
set auth url /caddy-security/oauth2/generic
|
|
allow roles user
|
|
inject headers with claims
|
|
}
|
|
}
|
|
}
|
|
|
|
http://localhost {
|
|
@auth {
|
|
path /caddy-security/*
|
|
}
|
|
|
|
route @auth {
|
|
authenticate with myportal
|
|
}
|
|
|
|
route /* {
|
|
authorize with mypolicy
|
|
root * /app
|
|
file_server
|
|
}
|
|
}
|
|
|