
caddyauth: Set authentication provider error in placeholder #6932


Merged
merged 3 commits into from
Apr 15, 2025

Conversation

steffenbusch
Contributor

This PR introduces a new placeholder, {http.auth.<provider>.error}, which is set when an authentication provider returns an error from the authentication process.

This allows errors during Authenticate from specific authentication providers to be exposed and handled more effectively in the handle_errors directive. Since a non-successful authentication results in just a 401 Unauthorized, this new placeholder enables much more fine-grained error handling.

The following example demonstrates the flexibility of handling 401 Unauthorized errors from the caddy-jwt plugin (= provider jwt) using the new placeholder ({http.auth.jwt.error}) in a handle_errors 401 block:

:8080 {
	handle /jwt/* {
		jwtauth {
			sign_key {file.jwt-secret.txt}
			sign_alg HS256
			issuer_whitelist https://jwt.example.com
			audience_whitelist https://api.example.com
			user_claims sub
		}
		respond "behind jwt auth"
	}

	handle_errors 401 {
		@jwt_invalid_audience {
			vars {http.auth.jwt.error} "invalid audience"
		}

		@jwt_expired {
			vars {http.auth.jwt.error} `"exp" not satisfied`
		}

		route {
			# Transform the 401 error into a 403 Forbidden response.
			respond @jwt_invalid_audience "Access denied: The audience claim in the provided JWT is invalid or does not match the required audience." 403

			# Redirect to a login endpoint with an explanation that the JWT has expired.
			redir @jwt_expired https://auth.example.com/login?reason=expired

			# In all other cases, redirect to general login endpoint
			redir https://auth.example.com/login
		}
	}
}
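As an added example (Go, written here for this page; it is neither Caddy's code nor part of this PR), the following program runs the mechanism end to end: a provider returns an error, the error text is recorded under `http.auth.<provider>.error`, and a 401 handler branches on that value the way the `handle_errors` block above does. The `Authenticator` interface only mirrors the shape of `caddyauth.Authenticator`'s `Authenticate(w, r)` method so the code runs without importing Caddy; the token grammar, `toyJWTProvider`, `runAuth`, `handle401` and `decide` are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Added example, not Caddy's code: this interface mirrors the shape of
// caddyauth.Authenticator (Authenticate(w, r) -> user, ok, err) so the flow
// can run stand-alone. The token grammar and toyJWTProvider are constructed.
type Authenticator interface {
	Authenticate(w http.ResponseWriter, r *http.Request) (user string, ok bool, err error)
}

// Sentinel errors: the placeholder carries err.Error() verbatim and the
// Caddyfile `vars` matcher compares it exactly, so the strings must be
// stable. The two messages below are the ones the Caddyfile above matches.
var (
	ErrMissingToken    = errors.New("missing bearer token")
	ErrExpired         = errors.New(`"exp" not satisfied`)
	ErrInvalidAudience = errors.New("invalid audience")
)

// toyJWTProvider stands in for a JWT provider (hypothetical). Instead of a
// signed JWT it parses a constructed token "sub=<user>;aud=<aud>;exp=<valid|expired>".
type toyJWTProvider struct{ requiredAud string }

func (p toyJWTProvider) Authenticate(_ http.ResponseWriter, r *http.Request) (string, bool, error) {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) || len(h) == len(prefix) {
		return "", false, ErrMissingToken
	}
	claims := map[string]string{}
	for _, kv := range strings.Split(h[len(prefix):], ";") {
		if k, v, found := strings.Cut(kv, "="); found {
			claims[k] = v
		}
	}
	if claims["exp"] != "valid" {
		return "", false, ErrExpired
	}
	if claims["aud"] != p.requiredAud {
		return "", false, ErrInvalidAudience
	}
	return claims["sub"], true, nil
}

// placeholders stands in for Caddy's per-request placeholders. The key
// follows the PR: "http.auth.<provider>.error".
type placeholders map[string]string

// runAuth runs the provider and, on error, records the error text under the
// provider's placeholder, which is the behaviour this PR adds to caddyauth.
func runAuth(provider string, a Authenticator, r *http.Request) (string, bool, placeholders) {
	ph := placeholders{}
	user, ok, err := a.Authenticate(nil, r)
	if err != nil {
		ph["http.auth."+provider+".error"] = err.Error()
	}
	return user, ok, ph
}

// handle401 mirrors the handle_errors 401 block of the Caddyfile above:
// exact match on the placeholder, a fixed message or redirect for the
// client, and the raw error text never leaves the server.
func handle401(ph placeholders) (status int, location string) {
	switch ph["http.auth.jwt.error"] {
	case ErrInvalidAudience.Error():
		return http.StatusForbidden, ""
	case ErrExpired.Error():
		return http.StatusFound, "https://auth.example.com/login?reason=expired"
	default:
		return http.StatusFound, "https://auth.example.com/login"
	}
}

// decide drives the whole chain for one Authorization header value.
func decide(authHeader string) (status int, location string) {
	r := httptest.NewRequest(http.MethodGet, "/jwt/resource", nil)
	if authHeader != "" {
		r.Header.Set("Authorization", authHeader)
	}
	_, ok, ph := runAuth("jwt", toyJWTProvider{requiredAud: "https://api.example.com"}, r)
	if ok {
		return http.StatusOK, ""
	}
	return handle401(ph)
}

func main() {
	// Constructed sample headers covering success and the three failure paths.
	for _, h := range []string{
		"Bearer sub=alice;aud=https://api.example.com;exp=valid",
		"Bearer sub=alice;aud=https://other.example.com;exp=valid",
		"Bearer sub=alice;aud=https://api.example.com;exp=expired",
		"",
	} {
		s, loc := decide(h)
		fmt.Printf("%-60q -> %d %s\n", h, s, loc)
	}
}
```

Two things the example makes visible that the Caddyfile alone does not: the `vars` matcher compares the placeholder against the literal string, so a provider that wraps its errors (for instance with `fmt.Errorf("...: %w", err)`) changes the text and the specific matchers silently fall through to the generic login redirect; and the error text should stay in the matcher, not in the response body, since provider errors can name claims, issuers or key material that an unauthenticated caller has no business seeing.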

Member

@mholt mholt left a comment


LGTM! Thanks for the contribution.

@mholt mholt enabled auto-merge (squash) April 15, 2025 22:27
@mholt mholt merged commit 5be77d0 into caddyserver:master Apr 15, 2025
20 checks passed
@steffenbusch steffenbusch deleted the authenticate-provider-error branch April 16, 2025 18:21