Thank you! This gave me an idea to look for something similar for nginx ... https://github.com/vouch/vouch-proxy
Lots of my issues with authentication for various apps can perhaps be handled now!
Caddy comes with basic auth support because it's still useful for a lot of use cases.
IMO the biggest weakness of basicauth (when deployed over TLS) is the fact that most server configurations store the passwords in plaintext, usually in a config file. Caddy does not allow this, as you have to use a secure hash on the password before adding it to your config: https://caddyserver.com/docs/modules/http.authentication.pro...
Of course, password hashes are slow, so KDF'ing a plaintext string at every HTTP request can grind even powerful servers to a halt. So Caddy can optionally cache hash results in memory (we do expect memory to be safer than a config file -- and Go is a memory-safe language in this regard). And while this can introduce nuanced timing variances (fast if recently hashed), they do not necessarily correspond to correct passwords.
If you think this stuff is interesting and want to help make Caddy's basic auth even better, feel free to contribute or sponsor: https://github.com/caddyserver/caddy
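As an added illustration of the scheme the comment above describes (a hash rather than a plaintext password in the config, a slow KDF per request, and an in-memory cache of verification results), here is a small Go sketch that is not Caddy's code. It assumes one constructed account ("alice" / "hunter2"), substitutes a standard-library PBKDF2-HMAC-SHA256 for Caddy's bcrypt/scrypt modules, and uses an assumed cache design in which only successful verifications are cached, so every wrong guess still pays the full KDF cost.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"strings"
	"sync"
)

// Constructed account: the config holds only a salt and a PBKDF2-HMAC-SHA256 hash of the
// password, never the plaintext. (Caddy's own module uses bcrypt/scrypt; this is not its code.)
const iterations = 100000
var salt = []byte("constructed-salt-value")
var storedHash = pbkdf2(salt, []byte("hunter2"), iterations) // real configs hash offline
var kdfCalls int   // counts slow KDF runs so the cache effect is observable (demo only, not atomic)
var cache sync.Map // sha256(credentials||storedHash) -> true; only successes are cached (assumed design)

// pbkdf2 derives one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018 with dkLen = hLen).
func pbkdf2(salt, password []byte, iter int) []byte {
	kdfCalls++
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t { t[j] ^= u[j] }
	}
	return t
}

func KDFCalls() int { return kdfCalls }

// Authorize checks an "Authorization: Basic ..." header value against the constructed account.
// A wrong password always pays the full KDF cost; a recently verified one is answered from memory.
func Authorize(header string) bool {
	if !strings.HasPrefix(header, "Basic ") { return false }
	dec, err := base64.StdEncoding.DecodeString(header[len("Basic "):])
	if err != nil { return false }
	parts := strings.SplitN(string(dec), ":", 2)
	if len(parts) != 2 || parts[0] != "alice" { return false }
	key := sha256.Sum256(append(dec, storedHash...)) // fast lookup key, not a password store
	if _, hit := cache.Load(key); hit { return true }
	if subtle.ConstantTimeCompare(pbkdf2(salt, []byte(parts[1]), iterations), storedHash) != 1 { return false }
	cache.Store(key, true)
	return true
}
```

The second request with the same valid credentials skips the KDF entirely, which is exactly the "fast if recently hashed" timing difference the comment mentions; a wrong password never enters the cache, so the fast path reveals nothing about which guesses were close.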
Spend an hour to set up an OAuth2 Proxy (https://oauth2-proxy.github.io/oauth2-proxy/). You can use the one proxy for entire subdomains and an unlimited number of apps. No insecure plaintext passwords, scales nicely, uses open source software.
I am very happy with this Caddy extension: https://github.com/greenpau/caddy-auth-portal.
It sorts this precise use case for me: the need for a common login provider, without the banality of basic auth.
I wrote this tiny wrapper, Sauth[1], that has been a real life-saver for delivering minor WIP stuff to clients who are not in the whole cloud ecosystem - just type in the URL and put in your credentials to see the latest files.
1 - https://github.com/Granitosaurus/sauth