caddy-security Unauthorized "no token found"

[jmadden91]

Reproduction steps

Hi, thanks again for the great work on this program. I've been tearing my hair out with this for hours now, I fully suspect the issue is with my caddy config rather than pocket-id, so I'm sorry if that is the case and this is not the right place for this issue.

I have set up caddy security and pocket id, created an OIDC client in pocket-id called caddy, with the callback URL set to: https://*.mydomain.com/auth/oauth2/generic/authorization-code-callback

When I go to the service I am trying to protect (whoami) I am redirected to pocket-id, I can successfully log in, but then I am redirected back to a generic authentication portal page that says Unauthorized.

The error in my caddy logs is {"level":"error","ts":1737419909.9818547,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=192.168.1.15, src_conn_ip=192.168.1.15, reason: no token found"}

Here is my caddyfile:

# GLOBAL SETTINGS
{
    dynamic_dns {
        provider cloudflare {env.CLOUDFLARE_API_TOKEN}
        domains {
            {env.DOMAIN} @ *
        }
        check_interval 10m
        versions ipv4
    }
    ########### Configure caddy-security ################
    order authenticate before respond
    security {
        oauth identity provider generic {
            delay_start 3
            realm generic
            driver generic
            client_id 806ef239-c81f-4f56-8810-12882170239f
            client_secret nKLUM2m3xw6V0Mgl1naPBaopcNtHTpEp6BWcsYkxOToofojYfyDgPn7sfYwNEv7o
            scopes openid email profile
            base_auth_url https://pocket-id.{env.DOMAIN}
            metadata_url https://pocket-id.{env.DOMAIN}/.well-known/openid-configuration
        }
        authentication portal myportal {
            crypto default token lifetime 3600 # Seconds until you have to re-authenticate
            enable identity provider generic
            cookie insecure off # Set to "on" if you're not using HTTPS
            transform user {
                match realm generic
                action add role user
            }
        }
        authorization policy mypolicy {
            set auth url /auth/oauth2/generic
            allow roles user
            inject headers with claims
        }
    }
}
# WILDCARD Cert for all sites
*.{env.DOMAIN} {
    encode gzip
    log {
        level INFO
        output file /var/logs/caddy.log {
            roll_size 10MB
            roll_keep 10
        }
    }
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        resolvers 1.1.1.1 8.8.8.8
    }
    # pocket-id #this is my authentication portal
    @pocket-id host pocket-id.{env.DOMAIN}
    handle @pocket-id {
        reverse_proxy pocket-id:80
    }
    # whoami #unprotected
    @whoami-noauth host whoami-noauth.{env.DOMAIN}
    handle @whoami-noauth {
        reverse_proxy whoami:80
    }
    # whoami #service to be protected
    @whoami host whoami.{env.DOMAIN}
    handle @whoami {
        @auth {
            path /auth/oauth2/generic
            path /auth/oauth2/generic/authorization-code-callback
        }
        route @auth {
            authenticate with myportal
        }
        route /* {
            authorize with mypolicy
            reverse_proxy whoami:80
        }
    }
    # Handle unlisted subdomains
    handle {
        respond "This service is not available" 404
        #abort
    }
}

Expected behavior

It redirect back to my whoami page.

Actual Behavior

As above

[mdj20252025]

Try changing:

base_auth_url https://…
metadata_url https://…

to

base_auth_url http://…
metadata_url http://…

That’s how I fixed it.