caddy-security: breakfix: Access token set without expiry, still gets 401, and doesn't redirect to provided auth url
Describe the issue
After logging in at https://auth.MYDOMAIN.com, the auth portal sets a cookie without a Max-Age or Expires attribute set, meaning it only lives as long as the session. Example set-cookie header in the response of /oauth2/github/authorization-code-callback?code=OAUTH_CODE... after logging in with GitHub:
set-cookie: access_token=eyJhbGciOiJI....; Domain=MYDOMAIN.com; Path=/; Secure; HttpOnly;
Also, the access token itself doesn’t seem to work at all with my current configuration, and I get a 401 on the example domain of this config https://sonarr.MYDOMAIN.com, with error logs like:
{"level":"debug","ts":1642792571.8178122,"logger":"security","msg":"token validation error","session_id":"cO9Fu3cuNuNg5ufIugXgZphXU5MSzEFhfByBX0ojPb8","request_id":"26a2f6a9-51fb-4be8-92ac-85f40eefbfd5","error":"token validator: invalid token: keystore: failed to parse token"}
{"level":"error","ts":1642792571.8178322,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed"}
and it just redirects to https://sonarr.MYDOMAIN.com/?redirect_url=https%3A%2F%2Fsonarr.MYDOMAIN.com%2F, rather than redirecting to https://auth.MYDOMAIN.com as I’d expect.
My very, very similar config, previously using caddy-authorize and caddy-auth-portal, worked fine; I’ve basically just moved the attributes around to be in line with how the new config format looks, and I used the jumpcloud config as my example.
Configuration
{
	debug
	order authorize before basicauth
	email {$CF_EMAIL}
	auto_https ignore_loaded_certs
	security {
		authentication portal mainportal {
			crypto default token lifetime 2419200
			crypto key sign-verify {$CADDY_AUTH_TOKEN_SECRET}
			cookie domain {$DOMAIN}
			backend local {$CADDY_AUTH_USERS_PATH} local
			backend github {$CADDY_GITHUB_OAUTH_CLIENT_ID} {$CADDY_GITHUB_OAUTH_CLIENT_SECRET}
			transform user {
				exact match sub github.com/johnpyp
				action add role authp/admin
				action add role superadmin
			}
			transform user {
				match email webadmin@localdomain.local
				action add role authp/admin
				action add role superadmin
			}
		}
		authorization policy mainpolicy {
			set auth url https://auth.{$DOMAIN}
			allow roles admin superadmin authp/admin
			crypto key verify {$CADDY_AUTH_TOKEN_SECRET}
		}
	}
}

(cf_tls) {
	tls {
		issuer zerossl {
			resolvers 1.1.1.1
			dns cloudflare {$CF_API_TOKEN}
		}
	}
}

auth.{$DOMAIN} {
	import cf_tls
	route {
		authenticate * with mainportal
	}
}

(protected_route) {
	{args.0}.{$DOMAIN} {
		import cf_tls
		authorize with mainpolicy
		route {
			reverse_proxy {args.1}
		}
	}
}

import protected_route sonarr sonarr:8989
// ...
Version Information
Should be latest everything, just pulled a few minutes ago with this docker image:
FROM caddy:2-builder AS builder
RUN xcaddy build \
    --with github.com/greenpau/caddy-security \
    --with github.com/caddy-dns/cloudflare

FROM caddy:2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
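Added example (not part of this issue and not caddy-security's own code): a small Go diagnostic for the two symptoms reported above. InspectSetCookie parses a Set-Cookie value with net/http's own parser and reports whether Max-Age or Expires is present, so you can see at a glance that a cookie without either is a session cookie regardless of what `crypto default token lifetime` was set to. VerifyHS checks a compact HS256/HS512 JWS against a shared key and its `exp` claim, which is the kind of check a policy's `crypto key verify` has to pass; it shows that a key that differs from the signer's, a tampered segment, or a value that is not a JWT at all is rejected rather than decoded. The shared secret, the claims, the example.test domain and the SignHS helper are constructed for the demonstration; SignHS is only an assumed stand-in for the portal's signer and does not reproduce caddy-security's actual token layout.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"hash"
	"net/http"
	"strings"
	"time"
)

// CookieReport summarises the attributes of one Set-Cookie header that matter
// for a token cookie: persistence, remaining lifetime, Secure and HttpOnly.
type CookieReport struct {
	Name       string
	Persistent bool          // true when Max-Age or Expires is present
	MaxAge     time.Duration // remaining lifetime; zero for a session cookie
	Secure     bool
	HTTPOnly   bool
}

// InspectSetCookie parses a Set-Cookie value using net/http's parser (a
// trailing ";" as in the reported header is tolerated).
func InspectSetCookie(header string, now time.Time) (CookieReport, error) {
	resp := &http.Response{Header: http.Header{"Set-Cookie": []string{header}}}
	cookies := resp.Cookies()
	if len(cookies) == 0 {
		return CookieReport{}, errors.New("no cookie could be parsed from header")
	}
	c := cookies[0]
	r := CookieReport{Name: c.Name, Secure: c.Secure, HTTPOnly: c.HttpOnly}
	switch {
	case c.MaxAge > 0: // Max-Age takes precedence over Expires (RFC 6265)
		r.Persistent, r.MaxAge = true, time.Duration(c.MaxAge)*time.Second
	case !c.Expires.IsZero():
		r.Persistent, r.MaxAge = true, c.Expires.Sub(now)
	}
	return r, nil
}

func hashFor(alg string) (func() hash.Hash, error) {
	switch alg {
	case "HS256":
		return sha256.New, nil
	case "HS512":
		return sha512.New, nil
	}
	return nil, fmt.Errorf("unsupported alg %q", alg)
}

// SignHS builds a compact JWS over claims with an HMAC key (assumed shape of a
// shared-key signer; constructed here only so VerifyHS can be exercised offline).
func SignHS(alg string, claims map[string]interface{}, key []byte) (string, error) {
	newHash, err := hashFor(alg)
	if err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	mac := hmac.New(newHash, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS checks structure, signature and expiry of a compact JWS. A non-JWT
// value, a key other than the signer's, or a tampered segment all return an
// error: the verifier must hold the same key the portal signed with.
func VerifyHS(token string, key []byte, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS: expected three segments")
	}
	enc := base64.RawURLEncoding
	hdrBytes, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	newHash, err := hashFor(hdr.Alg) // alg is taken from the header but limited to HMAC
	if err != nil {
		return nil, err
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	mac := hmac.New(newHash, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return nil, errors.New("signature mismatch: token was not signed with this key")
	}
	body, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	exp, ok := claims["exp"].(float64)
	if !ok {
		return nil, errors.New("missing exp claim")
	}
	if !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	now := time.Now()
	// Constructed header in the shape reported above: no Max-Age and no Expires.
	report, _ := InspectSetCookie("access_token=eyJ; Domain=example.test; Path=/; Secure; HttpOnly;", now)
	fmt.Printf("cookie %s persistent=%v maxage=%v\n", report.Name, report.Persistent, report.MaxAge)
	key := []byte("constructed-shared-secret") // stands in for {$CADDY_AUTH_TOKEN_SECRET}
	tok, _ := SignHS("HS512", map[string]interface{}{"sub": "user", "exp": now.Add(time.Hour).Unix()}, key)
	_, err := VerifyHS(tok, []byte("a-different-secret"), now)
	fmt.Println("verify with mismatched key:", err) // the failure mode a 401 with a validator error points at
}
```

Run it against a real header by pasting the Set-Cookie value from the browser's network tab and the portal's shared secret: a cookie that reports persistent=false is one the browser will discard at the end of the session, and a signature mismatch means the portal and the policy are not using the same key material.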
About this issue
- State: closed
- Created 2 years ago
- Comments: 18 (11 by maintainers)
@johnpyp , confirmed bug with validator. Working on a fix.