caddy-security: breakfix: Token used before issued

Describe the issue

This is my first time using Caddy for any project. I am attempting to provide Google authentication to internal websites. I started a few days ago with caddy-auth-portal and today I converted it to caddy-security. However, on both versions, I randomly get the error:

“failed validating OAuth 2.0 access token: OAuth 2.0 failed to parse id_token: Token used before issued”

This results in an “Unauthorized” response from the login portal.

If you sign into the portal, and then click the “logout” button, when you sign in again it will often give you the error the second time.

Some Googling provides this link to a discussion about “clock skew”: https://github.com/dgrijalva/jwt-go/issues/383

Client and server are synchronized and no more than a fraction of a second different so I’m not sure if that is the problem.

Configuration

{
	debug
	order authorize before reverse_proxy
	order authenticate before authorize

	security {
		authentication portal myportal {
			backend google <redacted>.apps.googleusercontent.com <redacted>
			ui {
				links {
					"My Identity" "/auth/whoami" icon "las la-star"
				}
			}
			transform user {
				match origin google
				suffix match email @my.domain
				action add role authp/user
				ui link "Application" "https://app.my.domain/secure"
			}
			transform user {
				# not sure if "exact match" is appropriate here, but was based on examples
				exact match origin google
				exact match email admin@my.domain
				action add role authp/admin
			}
			cookie domain my.domain
		}
		authorization policy mypolicy {
			set auth url /auth/oauth2/google
			allow roles authp/admin authp/user
		}
	}
}

auth.my.domain {
	route /auth* {
		authenticate * with myportal
	}
}

app.my.domain {
	route /secure* {
		authorize with mypolicy
		reverse_proxy https://app.mydomain
	}
	route {
		reverse_proxy https://app.mydomain
	}
}

Version Information

Windows version of Caddy built this morning from the download page with only caddy-security included.

Expected behavior

Should authenticate as normal without error.

Additional context

Caddy is running on Windows.

About this issue

  • State: open
  • Created 2 years ago
  • Comments: 16 (9 by maintainers)

Most upvoted comments

I’ll see if there is anything that can be done to improve clock sync and continue to test.

@cceslick, it looks like it has nothing to do with your clock. It looks like Google provisions its keys ahead of time. If anything, it is I who needs to put a check that would recognize the “early provisioning.” At the moment, it will be in a backlog.
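The check the maintainer describes, written here as an added example that is not code from caddy-security or jwt-go: decode the ID token's iat claim and compare it against the verifier's clock plus a small leeway, so a token stamped a second or two ahead is accepted while one stamped far in the future is still rejected as "used before issued". The function names (issuedAt, checkIssuedAt, makeToken) and the leeway values are illustrative assumptions, and makeToken produces unsigned, constructed sample tokens only.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var ErrUsedBeforeIssued = errors.New("token used before issued") // jwt-go wording from the issue
// issuedAt decodes the iat claim from a compact JWS; signature checks are out of scope here.
func issuedAt(token string) (time.Time, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("not a three-part compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims struct {
		Iat int64 `json:"iat"`
	}
	if err := json.Unmarshal(raw, &claims); err != nil || claims.Iat == 0 {
		return time.Time{}, errors.New("payload lacks a usable iat claim")
	}
	return time.Unix(claims.Iat, 0), nil
}

// checkIssuedAt rejects a token whose iat is more than leeway ahead of now. leeway 0 is the strict
// check that produced the error in the issue; a few seconds absorb an issuer clock running slightly ahead.
func checkIssuedAt(token string, now time.Time, leeway time.Duration) error {
	iat, err := issuedAt(token)
	if err != nil {
		return err
	}
	if iat.After(now.Add(leeway)) {
		return fmt.Errorf("%w: iat %s is %s ahead of now", ErrUsedBeforeIssued, iat.UTC().Format(time.RFC3339), iat.Sub(now))
	}
	return nil
}

// makeToken builds a constructed, unsigned sample token with the given iat (signature is a placeholder).
func makeToken(iat time.Time) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	pl, _ := json.Marshal(map[string]int64{"iat": iat.Unix()})
	return hdr + "." + base64.RawURLEncoding.EncodeToString(pl) + ".sig"
}
```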