// the find
greenpau/caddy-security
🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
A Caddy v2 plugin that adds a full authentication and authorization layer — local users, LDAP, OAuth2/OIDC, SAML, WebAuthn, TOTP, JWT/PASETO — all configured through Caddyfile directives. Targets self-hosters and small teams who want to put an auth wall in front of internal services without running a dedicated IdP like Keycloak.
The breadth of supported auth methods is real: OIDC, SAML, WebAuthn, Yubico, and PASETO are not common in a single plugin, and the Caddyfile DSL is well-thought-out with a proper adapt/resolve test suite. PASETO support instead of JWT-only is a legitimate security improvement, because PASETO's versioned, fixed-algorithm design removes the `alg`-header negotiation surface behind JWT algorithm-confusion attacks. The separation of authn (portal) from authz (middleware) is architecturally sound; you can protect routes with the authorization policy alone without running the full portal. Configuration examples and a dedicated external docs site (authcrunch.com) lower the getting-started cost considerably.
This is effectively a one-person project with 100 forks despite 2k stars — bus factor is one, and the issue tracker shows long response times. The Caddyfile config surface is enormous and has accreted over years; getting LDAP + OIDC + MFA right requires reading a lot of docs and trial-and-error, with cryptic errors when something is misconfigured. The underlying library (go-authcrunch) is a separate repo not vendored here, so debugging auth failures means tracing through two codebases. There's no real test coverage of the actual auth flows — the test suite only covers Caddyfile parsing, not the token issuance or OAuth callback logic.