Using One OAuth App for Multiple Virtual Hosts with Caddy Security
OAuth applications require an exact match on the callback URL: you can't register auth.example.com with the provider and then have it redirect to app.example.com. Registering a separate OAuth application for every service works, but it is tedious and multiplies the client secrets you have to rotate. Here's how to use a single OAuth application for multiple virtual hosts with Caddy Security.
The Problem
Caddy Security is a plugin for Caddy that handles authentication via OAuth providers like GitHub. When you register an OAuth application, you specify a callback URL — typically https://auth.example.com/oauth2/callback.
The issue: if your auth portal runs on auth.example.com but you want to authenticate users for app1.example.com and app2.example.com, the provider refuses the request, because the redirect URI presented during the flow doesn't match the callback URL registered for the application.
The Solution
Caddy Security supports server-side redirects after successful authentication. It stores the originating URL in a cookie, completes the OAuth flow entirely on the auth domain (so the provider only ever sees the one registered callback), then redirects the user back to where they came from.
This feature is documented under "Miscellaneous" in the Caddy Security docs, which is not where you'd look when searching for multi-vhost OAuth. Here's how to use it:
{
    # Plugin directives are not in Caddy's default handler order; either
    # declare their position here or wrap them in a route {} block.
    order authenticate before respond
    order authorize before basicauth

    security {
        authentication portal myportal

        authorization policy mypolicy1 {
            set auth url https://auth.example.com/login?redirect_url=https://app1.example.com
        }
        authorization policy mypolicy2 {
            set auth url https://auth.example.com/login?redirect_url=https://app2.example.com
        }
    }
}

auth.example.com {
    authenticate with myportal
}

app1.example.com {
    authorize with mypolicy1
    # your upstream handler (reverse_proxy, respond, ...) goes here
}

app2.example.com {
    authorize with mypolicy2
    # your upstream handler (reverse_proxy, respond, ...) goes here
}
The key is the redirect_url parameter in each authorization policy. You need a separate policy per virtual host, because the redirect target is fixed in the policy, and each one has to point back at the host that uses it. The auth portal handles the OAuth flow against the single registered callback, then sends the user back to the service they originally requested.
Two things worth checking before relying on this: make sure every redirect_url is an https URL on a host you actually serve (a copy-paste slip that sends app2 users to app1 is easy to miss), and since the portal accepts redirect_url as a query parameter, test that a request to https://auth.example.com/login?redirect_url=https://attacker.example is not honoured after login, so the portal can't be used as an open redirect.
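As an added example (not code from the post or from Caddy Security), here is a small linter that catches the copy-paste mistake described above. It assumes the simple Caddyfile layout shown on this page: authorization policies with a single `set auth url` line inside the global `security` block, and one `authorize with` directive per site block. It maps each site to its policy, extracts the redirect_url target from the policy's auth URL, and reports any site whose policy redirects somewhere other than the site itself or uses a non-https target. The two Caddyfile samples are constructed here, one correct and one with the slip.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the configuration from the post.
GOOD_CADDYFILE = """
{
    security {
        authentication portal myportal
        authorization policy mypolicy1 {
            set auth url https://auth.example.com/login?redirect_url=https://app1.example.com
        }
        authorization policy mypolicy2 {
            set auth url https://auth.example.com/login?redirect_url=https://app2.example.com
        }
    }
}
auth.example.com {
    authenticate with myportal
}
app1.example.com {
    authorize with mypolicy1
}
app2.example.com {
    authorize with mypolicy2
}
"""

# Constructed sample: mypolicy2 was copied from mypolicy1 and the redirect
# target was never updated, so app2 users land on app1 after login.
BAD_CADDYFILE = GOOD_CADDYFILE.replace(
    "redirect_url=https://app2.example.com", "redirect_url=https://app1.example.com"
)


def parse_policies(text):
    """Map authorization policy name -> redirect_url value (None if absent)."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"authorization policy (\S+) \{$", line)
        if m:
            current = m.group(1)
            policies[current] = None
            continue
        m = re.match(r"set auth url (\S+)$", line)
        if m and current:
            query = parse_qs(urlsplit(m.group(1)).query)
            policies[current] = query.get("redirect_url", [None])[0]
        if line == "}":
            current = None
    return policies


def parse_sites(text):
    """Map site-block host -> policy named by its 'authorize with' directive."""
    sites, current = {}, None
    for raw in text.splitlines():
        # Site blocks start at column 0 as 'host {'; the bare global '{' does not match.
        m = re.match(r"^([A-Za-z0-9.-]+) \{\s*$", raw)
        if m:
            current = m.group(1)
            sites[current] = None
            continue
        m = re.match(r"authorize with (\S+)$", raw.strip())
        if m and current:
            sites[current] = m.group(1)
        if raw.rstrip() == "}":  # only a column-0 brace closes a site block
            current = None
    return sites


def check_config(text):
    """Return a sorted list of findings; an empty list means every policy
    redirects to the https host that uses it."""
    policies, sites = parse_policies(text), parse_sites(text)
    findings = []
    for host, policy in sites.items():
        if policy is None:
            continue  # site without authorization, e.g. the portal itself
        if policy not in policies:
            findings.append(f"{host}: policy {policy} is not defined")
            continue
        target = policies[policy]
        if target is None:
            findings.append(f"{host}: policy {policy} has no redirect_url")
            continue
        parts = urlsplit(target)
        if parts.scheme != "https":
            findings.append(f"{host}: policy {policy} redirects over {parts.scheme}, not https")
        if parts.hostname != host:
            findings.append(
                f"{host}: policy {policy} redirects to {parts.hostname}, expected {host}"
            )
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("good", GOOD_CADDYFILE), ("bad", BAD_CADDYFILE)):
        print(name, check_config(text) or "ok")
```

Run it against your real Caddyfile by reading the file into `check_config`; anything it prints is a policy whose post-login redirect does not lead back to the host that enforces it.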