
breakfix: jwt "token not found" #490

@axi92

Description

Describe the issue

I upgraded Caddy including the security plugin; I did not realize it right away, but the API calls are not working anymore.
I am sure I am doing something wrong, but I can't figure out what.
At the bottom I added the logs, in which the token is visible for both the query-string request and the header request.

My curl calls look like this:

# Reproduction: the same token sent two ways, first as a request header,
# then as a query-string parameter.
echo "header:"
# -L follows redirects: the debug log shows the 401 redirect to /auth being
# followed on the same connection with the api_token header still attached,
# so the token is re-sent to the redirect target (same host here).
curl -L -X 'GET' \
  'https://api.domain.com/api2/users' \
  -H 'accept: */*' \
  -H "api_token: ${TOKEN}"

echo "
query:"
# Query-string variant: the URL itself now carries the secret, so it appears
# wherever URLs are recorded (the server's request log shows it in the uri field).
curl -X 'GET' \
  "https://api.domain.com/api2/users?api_token=${TOKEN}" \
  -H 'accept: */*'
echo ""

Configuration

Paste full Caddyfile below:

{
	# Global options.
	email [email protected]
	debug

	# Directive ordering is fixed here; as far as I can tell the position of
	# "authorize with ..." inside a site block does not change when it runs.
	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider keycloak {
			driver generic
			realm keycloak
			client_id {env.KEYCLOAK_CLIENT_ID}
			client_secret {env.KEYCLOAK_CLIENT_SECRET}
			scopes openid email profile
			metadata_url https://keycloak.domain.com/realms/master/.well-known/openid-configuration
		}

		authentication portal myportal {
			# Tokens issued by this portal are signed with the shared key; note
			# that apipolicy below verifies against a key directory instead.
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			enable identity provider keycloak
			cookie domain domain.com
			ui {
				links {
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin keycloak
				action add role authp/user
			}
			transform user {
				match origin local
				action add role authp/user
				ui link "Portal Settings" /settings icon "las la-cog"
			}
		}

		authorization policy mypolicy {
			set auth url https://auth.domain.com/
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
			bypass uri prefix /docs/
		}
		authorization policy apipolicy {
			# Accepting the token from the query string puts the secret in the
			# URL, which ends up in request logs (the debug log's uri field shows
			# it) and anywhere else URLs are recorded; header-only is the safer
			# source when clients can be changed.
			set token sources header query
			# NOTE(review): this policy verifies with public keys from a directory,
			# not the shared key the portal signs with — confirm the key that
			# signs the API tokens is present in this directory.
			crypto key verify from directory /home/user/proxy/jwt-public-keys/api
			# NOTE(review): the debug log records the incoming header as
			# "Api_token" (canonicalised form); confirm the lookup under this
			# name is expected to match that header.
			crypto key token name api_token
			allow roles default-roles-master consumer
			acl default deny
			validate path acl
		}
		authorization policy monitoring {
			set auth url https://auth.domain.com/
			allow email [email protected]
			crypto key verify {env.JWT_SHARED_KEY}
		}
	}
}
# Reusable TLS snippet: DNS-01 only (HTTP and TLS-ALPN challenges are disabled).
(letls) {
	tls {
		issuer acme {
			disable_http_challenge
			disable_tlsalpn_challenge
			propagation_delay 30s
			resolvers 127.0.0.1
			dns digitalocean {env.DNS_API_TOKEN}
		}
	}
}

auth.domain.com {
	authenticate with myportal
	import letls
}

api.domain.com {
	import letls
	# Upstreams are reached over plain HTTP on a private-range address;
	# presumably a trusted network segment — verify.
	route /api1/* {
		reverse_proxy http://10.64.192.146:8889
	}
	route /api2/* {
		reverse_proxy http://10.64.192.146:8888
	}
	# Intended to guard both routes above; with the global order directive
	# this should run before route regardless of its position here — confirm.
	authorize with apipolicy
}

Version Information

Provide output of caddy list-modules --versions | grep -E "(auth|security)" below:

http.authentication.hashes.argon2id v2.11.2
http.authentication.hashes.bcrypt v2.11.2
http.authentication.providers.http_basic v2.11.2
http.handlers.authentication v2.11.2
tls.client_auth.verifier.leaf v2.11.2
http.authentication.providers.authorizer v1.1.62
http.handlers.authenticator v1.1.62
security v1.1.62

Expected behavior

The token should be found and validated.

Additional context

Debug Log:

{"level":"debug","ts":1778241916.1855297,"logger":"events","msg":"event","name":"tls_get_certificate","id":"1d25b481-204a-45c5-b4c4-6267a100c8f9","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"api.domain.com","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"10.200.8.110","Port":57504,"Zone":""},"LocalAddr":{"IP":"172.16.2.11","Port":443,"Zone":""}}}}
{"level":"debug","ts":1778241916.1856217,"logger":"tls.handshake","msg":"choosing certificate","identifier":"api.domain.com","num_choices":1}
{"level":"debug","ts":1778241916.1856284,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"api.domain.com","subjects":["api.domain.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"eadaf8b2c8c60ecef4fa9ab5b6febe7443a2c805c02da81e4fcb34b6734a20dc"}
{"level":"debug","ts":1778241916.1856363,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"10.200.8.110","remote_port":"57504","subjects":["api.domain.com"],"managed":true,"expiration":1780938839,"hash":"eadaf8b2c8c60ecef4fa9ab5b6febe7443a2c805c02da81e4fcb34b6734a20dc"}
{"level":"debug","ts":1778241916.2168078,"logger":"security","msg":"token validation error","session_id":"","request_id":"59417a7f-c26a-4cf4-a2b7-b1d1646a0839","error":"no token found"}
{"level":"debug","ts":1778241916.2168446,"logger":"security","msg":"redirecting unauthorized user","session_id":"","request_id":"59417a7f-c26a-4cf4-a2b7-b1d1646a0839","method":"location"}
{"level":"error","ts":1778241916.2168713,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=10.200.8.110, src_conn_ip=10.200.8.110, reason: no token found"}
{"level":"debug","ts":1778241916.216919,"logger":"http.log.error","msg":"not authenticated","request":{"remote_ip":"10.200.8.110","remote_port":"57504","client_ip":"10.200.8.110","proto":"HTTP/2.0","method":"GET","host":"api.domain.com","uri":"/api2/users","headers":{"User-Agent":["curl/8.5.0"],"Accept":["*/*"],"Api_token":["eyJ0eXAiOiA...REDACTED"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"api.domain.com","ech":false}},"duration":0.000200436,"status":401,"err_id":"mmqjgbrwi","err_trace":"caddyauth.Authentication.ServeHTTP (caddyauth.go:99)"}
{"level":"debug","ts":1778241916.2284865,"logger":"security","msg":"token validation error","session_id":"","request_id":"1fc0345f-e5ea-4170-947a-cdf600c10c84","error":"no token found"}
{"level":"debug","ts":1778241916.2285159,"logger":"security","msg":"redirecting unauthorized user","session_id":"","request_id":"1fc0345f-e5ea-4170-947a-cdf600c10c84","method":"location"}
{"level":"error","ts":1778241916.2285302,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=10.200.8.110, src_conn_ip=10.200.8.110, reason: no token found"}
{"level":"debug","ts":1778241916.2285697,"logger":"http.log.error","msg":"not authenticated","request":{"remote_ip":"10.200.8.110","remote_port":"57504","client_ip":"10.200.8.110","proto":"HTTP/2.0","method":"GET","host":"api.domain.com","uri":"/auth?redirect_url=https%3A%2F%2Fapi.domain.com%2Fapi2%2Fusers","headers":{"User-Agent":["curl/8.5.0"],"Accept":["*/*"],"Api_token":["eyJ0eXAiOiA...REDACTED"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"api.domain.com","ech":false}},"duration":0.000187446,"status":401,"err_id":"9hzkjrag0","err_trace":"caddyauth.Authentication.ServeHTTP (caddyauth.go:99)"}
{"level":"debug","ts":1778241916.270234,"logger":"events","msg":"event","name":"tls_get_certificate","id":"d079a79f-26d1-49ee-b810-566d75c93413","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"api.domain.com","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"10.200.8.110","Port":57512,"Zone":""},"LocalAddr":{"IP":"172.16.2.11","Port":443,"Zone":""}}}}
{"level":"debug","ts":1778241916.2703373,"logger":"tls.handshake","msg":"choosing certificate","identifier":"api.domain.com","num_choices":1}
{"level":"debug","ts":1778241916.2703478,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"api.domain.com","subjects":["api.domain.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"eadaf8b2c8c60ecef4fa9ab5b6febe7443a2c805c02da81e4fcb34b6734a20dc"}
{"level":"debug","ts":1778241916.2703586,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"10.200.8.110","remote_port":"57512","subjects":["api.domain.com"],"managed":true,"expiration":1780938839,"hash":"eadaf8b2c8c60ecef4fa9ab5b6febe7443a2c805c02da81e4fcb34b6734a20dc"}
{"level":"debug","ts":1778241916.3023055,"logger":"security","msg":"token validation error","session_id":"","request_id":"b71fa4c4-62d1-4aa1-8271-870e8f958a1f","error":"no token found"}
{"level":"debug","ts":1778241916.3023324,"logger":"security","msg":"redirecting unauthorized user","session_id":"","request_id":"b71fa4c4-62d1-4aa1-8271-870e8f958a1f","method":"location"}
{"level":"error","ts":1778241916.3023489,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=10.200.8.110, src_conn_ip=10.200.8.110, reason: no token found"}
{"level":"debug","ts":1778241916.3023806,"logger":"http.log.error","msg":"not authenticated","request":{"remote_ip":"10.200.8.110","remote_port":"57512","client_ip":"10.200.8.110","proto":"HTTP/2.0","method":"GET","host":"api.domain.com","uri":"/api2/users?api_token=eyJ0eXAiOiA...REDACTED","headers":{"User-Agent":["curl/8.5.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"api.domain.com","ech":false}},"duration":0.000132105,"status":401,"err_id":"cx5hawbpc","err_trace":"caddyauth.Authentication.ServeHTTP (caddyauth.go:99)"}
