Provide user info in Remote-* headers. Caddy configuration improved.

caddy/Caddyfile

@@ -0,0 +1,30 @@
+localhost {
+	import auth/setup
+	# Only users with myapp:reports and auth admin permissions
+	handle_path /reports {
+		import auth/require perm=myapp:reports&perm=auth:admin
+		respond "Reports area (protected) for {http.request.header.remote-org-name}" 200
+	}
+	# Public paths (no auth)
+	@public path /favicon.ico /.well-known/*
+	handle @public {
+		reverse_proxy :3000
+	}
+	# Respond with user's display name
+	handle_path /hello {
+		import auth/require ""
+		respond "Hello, {http.request.header.remote-name}! Your permissions: {http.request.header.remote-groups}" 200
+	}
+	# Default route, requires authentication but no authorization
+	handle {
+		import auth/require ""
+		reverse_proxy :3000
+	}
+}
+
+localhost:4404 {
+	# Full site protected, /auth/ reserved for auth service
+	import auth/all perm=auth:admin {
+		reverse_proxy :3000
+	}
+}

caddy/auth/all

@@ -0,0 +1,6 @@
+# Enable auth site at /auth (setup) and require authentication on all paths
+import setup
+handle {
+    import require {args[0]}
+    {block}
+}

caddy/auth/require

@@ -0,0 +1,17 @@
+# Permission to use within your endpoints that need authentication/authorization, that
+# is different depending on the route (otherwise use auth/all).
+forward_auth {$AUTH_UPSTREAM:localhost:4401} {
+    uri /auth/api/forward?{args[0]}
+    copy_headers {
+        Remote-User
+        Remote-Name
+        Remote-Groups
+        Remote-Org
+        Remote-Org-Name
+        Remote-Role
+        Remote-Role-Name
+        Remote-Session-Expires
+        Remote-Session-Type
+        Remote-Credential
+    }
+}

caddy/auth/setup

@@ -0,0 +1,6 @@
+# Setup auth service at /auth/ and remove any Remote-* headers sent by client (for security)
+header -Remote-*
+@auth_api path /auth /auth/*
+handle @auth_api {
+    reverse_proxy {$AUTH_UPSTREAM:localhost:4401}
+}