question: Having a hard time with authentication through Argo Tunnel #106

Closed
TtheBC01 opened this issue May 17, 2022 · 15 comments
Labels: need triage, question (Further information is requested)


TtheBC01 commented May 17, 2022

Hi!

I'm trying to use the caddy security plugin to provide authentication for a browser-based IDE (Theia Framework) I'm setting up for remote development (full code available here: https://github.com/TtheBC01/browser-ide).

When I access the application locally, the auth plugin works great, but when I throw an argo tunnel in front of it and try to access remotely, after I give the username, I get an unauthorized page (401).

This setup used to work great for me with the previous auth plugin, caddy-auth-jwt, so I'm just trying to figure out what I'm missing in trying to upgrade my setup to caddy-security. Thank you for any help you might offer.

@TtheBC01 TtheBC01 added need triage question Further information is requested labels May 17, 2022
@greenpau
Owner

@TtheBC01 , what is the config? Please output /whoami contents.

@TtheBC01
Author

OK, if I go to /whoami after authenticating locally I get

{
  "addr": "172.31.0.1",
  "authenticated": true,
  "email": "admin@outlook.com",
  "exp": 1652814189,
  "expires_at_utc": "Tue May 17 19:03:09 UTC 2022",
  "iat": 1652810589,
  "iss": "http://localhost:8888/login",
  "issued_at_utc": "Tue May 17 18:03:09 UTC 2022",
  "jti": "BaTbQAfI76SzRaTCh4wQvMD4Lv6zv8Zr86X8UxzN6fCf",
  "nbf": 1652810529,
  "not_before_utc": "Tue May 17 18:02:09 UTC 2022",
  "origin": "local",
  "roles": [
    "authp/admin"
  ],
  "sub": "admin"
}

@greenpau
Owner

@TtheBC01 , config?

@TtheBC01
Author

@TtheBC01
Author

Sorry, is config different than Caddyfile?

@greenpau
Owner

@TtheBC01 , try adding cookie insecure on. I don't see your HTTPS config, so I am assuming it is related to the cookies.

@TtheBC01
Author

TtheBC01 commented May 17, 2022

Hmmm, that was a good idea, but still same problem. I guess I may have to live with the fact that anonymous tunnels won't work and I'll have to have a certificate configured for a specific domain? I also enabled the trace plugin to see if the logs gave anything interesting, but nothing super helpful:

2022/05/17 19:02:29.678 ERROR   http.log.access handled request {"request": {"remote_ip": "192.168.48.2", "remote_port": "56738", "proto": "HTTP/1.1", "method": "GET", "host": "tribute-moments-will-mixed.trycloudflare.com", "uri": "/sandbox/KAV5HTl22T7qskghIsHwFgbUlsear2n7n6uUEU", "headers": {"Sec-Ch-Ua": ["\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"101\", \"Google Chrome\";v=\"101\""], "Sec-Ch-Ua-Mobile": ["?0"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Accept-Encoding": ["gzip"], "Cf-Connecting-Ip": ["99.31.208.210"], "Cf-Visitor": ["{\"scheme\":\"https\"}"], "Connection": ["keep-alive"], "Referer": ["https://tribute-moments-will-mixed.trycloudflare.com/login"], "Sec-Fetch-Mode": ["navigate"], "Sec-Fetch-User": ["?1"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36"], "Cache-Control": ["max-age=0"], "Cookie": [], "X-Forwarded-Proto": ["https"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"], "Cdn-Loop": ["cloudflare"], "Cf-Warp-Tag-Id": ["717b0897-277e-4c06-b31e-d2b8602521dc"], "Sec-Fetch-Dest": ["document"], "X-Forwarded-For": ["99.31.208.210"], "Upgrade-Insecure-Requests": ["1"], "Accept-Language": ["en-US,en;q=0.9"], "Cf-Ipcountry": ["US"], "Cf-Ray": ["70ce9b96ca59943e-SJC"], "Sec-Fetch-Site": ["same-origin"]}}, "user_id": "", "duration": 0.0001135, "size": 2097, "status": 401, "resp_headers": {"Server": ["Caddy"], "Set-Cookie": [], "Cache-Control": ["no-store"], "Pragma": ["no-cache"], "Content-Type": ["text/html"]}}
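An added triage helper for access-log lines like the one above (not code from this thread or from the caddy-security project): it extracts the fields that matter for a cookie-based login behind a tunnel and flags credential headers whose values are hidden. Caddy releases of that period log `Cookie`, `Set-Cookie`, `Authorization` and `Proxy-Authorization` with emptied values unless the `log_credentials` server option is enabled, so `"Cookie": []` means the header was present, not that the browser sent nothing. The function names and the sample line are constructed for illustration.

```python
import json

# Assumption: log_credentials is off, so Caddy logs these headers with emptied values.
CREDENTIAL_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

def _first(headers, name):
    """Case-insensitive lookup; returns None when the header was not logged at all."""
    for key, values in headers.items():
        if key.lower() == name.lower():
            return values[0] if values else ""
    return None

def triage(line):
    """Summarise the auth-relevant fields of one Caddy access-log line."""
    # The console encoder prefixes the JSON with time, level, logger and message.
    entry = json.loads(line[line.index("{"):])
    req = entry["request"]
    req_h, resp_h = req.get("headers", {}), entry.get("resp_headers", {})
    hidden = sorted(
        f"{side}:{key}"
        for side, hdrs in (("request", req_h), ("response", resp_h))
        for key, values in hdrs.items()
        if key.lower() in CREDENTIAL_HEADERS and not values
    )
    return {
        "status": entry["status"],
        "host": req["host"],
        "uri": req["uri"],
        "forwarded_proto": _first(req_h, "X-Forwarded-Proto"),
        "client_ip": _first(req_h, "Cf-Connecting-Ip") or req.get("remote_ip"),
        "cookie_header_sent": _first(req_h, "Cookie") is not None,
        "set_cookie_in_response": _first(resp_h, "Set-Cookie") is not None,
        "values_hidden": hidden,
    }

# Constructed sample in the same shape as the log line above (not the thread's data).
SAMPLE = ('2022/05/17 19:02:29.678 ERROR   http.log.access handled request '
          '{"request": {"remote_ip": "192.0.2.10", "proto": "HTTP/1.1", "method": "GET", '
          '"host": "tunnel.example.com", "uri": "/sandbox/abc", "headers": {"Cookie": [], '
          '"X-Forwarded-Proto": ["https"], "Cf-Connecting-Ip": ["198.51.100.7"]}}, '
          '"user_id": "", "status": 401, "resp_headers": {"Set-Cookie": [], "Server": ["Caddy"]}}')

if __name__ == "__main__":
    for field, value in triage(SAMPLE).items():
        print(f"{field}: {value}")
```

With `log_credentials` enabled on a test instance, the same fields show the actual cookie names and attributes, which is what distinguishes a rejected token from a cookie the browser did not return.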

@greenpau
Owner

> Hmmm, that was a good idea, but still same problem

@TtheBC01 , how about we get on the Google Meet at 5:30 EST today and I will take a look at your setup? It is hard to troubleshoot something like this in an issue.

@TtheBC01
Author

Absolutely!

@greenpau
Owner

> Absolutely!

Please send me an invite to greenpau|outlook.com

@TtheBC01
Author

Done

@TtheBC01
Author

TtheBC01 commented May 18, 2022

Just wanted to come back to this thread and say that if you use Argo Tunnel authenticated against your Cloudflare account (instead of using an anonymous tunnel), then this issue does not arise. I was able to get everything working properly by specifying a tunnel token with no changes to the Caddyfile.

@greenpau
Owner

@TtheBC01 , good stuff! I am still adding the ability to strip domain from the token. Currently, working on UI changes. Then, I will jump to this one.

@greenpau
Owner

@TtheBC01, I am looking to add testimonial sections to https://authcrunch.com. Could you please write one and send it to me at greenpau@outlook.com?

@TtheBC01
Author

done
