Traefik Forward Auth
The original thomseddon/traefik-forward-auth
is a "minimal forward authentication service that provides Google oauth based login and authentication for the traefik reverse proxy/load balancer."
This is a partial rewrite to support generic OIDC Providers that provide OpenID Provider Issuer Discovery but may not support the UserInfo
endpoint.
noelcatt/traefik-forward-auth
and funkypenguin/traefik-forward-auth
also made thomseddon/traefik-forward-auth
apply to generic OIDC, but they are now based on an older version which does not support rules and also require the UserInfo endpoint to be supported.
This version optionally implements RBAC within Kuberbetes by using ClusterRole
and ClusterRoleBinding
. It extends from the original Kubernetes usage as it also allows specifying full URLs (including a scheme and domain) within nonResourceURLs
attribute of ClusterRole
. And unlike the original behavior, *
wildcard character matches within one path component only. There is a special globstar **
to match within multiple paths (inspired by Bash, Python and JS libraries).
The raw id-token received from OIDC provider can optionally be passed upstream via a custom header.
Differences to the original
The instructions for thomseddon/traefik-forward-auth
are useful, keeping in mind that this version:
- Does not support legacy configuration (
cookie-domains
,cookie-secret
,cookie-secure
,prompt
). - Does not support Google-specific configuration (
providers
,providers.google.client-id
,providers.google.client-secret
,providers.google.prompt
). - Does support
provider-uri
,client-id
,client-secret
configuration. - Uses an OIDC Discovery endpoint to find authorization and token endpoints.
- Does not require the OIDC Provider to support the optional UserInfo endpoint.
- Returns 401 rather than redirect to OIDC Login if an unauthenticated request is not for HTML (e.g. AJAX calls, images).
- Sends a username cookie as well
- If
auth-host
is set andcookie-domains
is not set, traefik-forward-auth will redirect any requests using other hostnames toauth-host
. Setauth-host
to the OIDC redirect host to ensure that use of the IP or other DNS names will be redirected and get a suitable cookie.
Upgrading from 2.x version to 3.0 (Breaking Changes):
- config
session-key
(SESSION_KEY
env) is now calledencryption-key
(ENCRYPTION_KEY
env) and isREQUIRED
- config
groups-session-name
(GROUPS_SESSION_NAME
) is deprecated as both email and groups are part of the single cookiecookie-name
(COOKIE_NAME
env) - character
*
in existing RBAC rules now works within one path component only, so a single*
has to be replaced with**
to match the previous behavior (whether to use*
or**
is up to the person writing those rules)