Skip to content

swisscom/traefik-forward-auth

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

138 Commits

.github/workflows

.github/workflows

 
 

cmd

cmd

 
 

examples

examples

 
 

hack

hack

 
 

internal

internal

 
 

test

test

 
 

.dockerignore

.dockerignore

 
 

.travis.yml

.travis.yml

 
 

Dockerfile

Dockerfile

 
 

LICENSE.thomseddon.md

LICENSE.thomseddon.md

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

Repository files navigation

Traefik Forward Auth

The original thomseddon/traefik-forward-auth is a "minimal forward authentication service that provides Google oauth based login and authentication for the traefik reverse proxy/load balancer."

This is a partial rewrite to support generic OIDC Providers that provide OpenID Provider Issuer Discovery but may not support the UserInfo endpoint.

noelcatt/traefik-forward-auth and funkypenguin/traefik-forward-auth also made thomseddon/traefik-forward-auth apply to generic OIDC, but they are now based on an older version which does not support rules and also require the UserInfo endpoint to be supported.

This version optionally implements RBAC within Kuberbetes by using ClusterRole and ClusterRoleBinding. It extends from the original Kubernetes usage as it also allows specifying full URLs (including a scheme and domain) within nonResourceURLs attribute of ClusterRole. And unlike the original behavior, * wildcard character matches within one path component only. There is a special globstar ** to match within multiple paths (inspired by Bash, Python and JS libraries).

The raw id-token received from OIDC provider can optionally be passed upstream via a custom header.

Differences to the original

The instructions for thomseddon/traefik-forward-auth are useful, keeping in mind that this version:

  • Does not support legacy configuration (cookie-domains, cookie-secret, cookie-secure, prompt).
  • Does not support Google-specific configuration (providers, providers.google.client-id, providers.google.client-secret, providers.google.prompt).
  • Does support provider-uri, client-id, client-secret configuration.
  • Uses an OIDC Discovery endpoint to find authorization and token endpoints.
  • Does not require the OIDC Provider to support the optional UserInfo endpoint.
  • Returns 401 rather than redirect to OIDC Login if an unauthenticated request is not for HTML (e.g. AJAX calls, images).
  • Sends a username cookie as well
  • If auth-host is set and cookie-domains is not set, traefik-forward-auth will redirect any requests using other hostnames to auth-host. Set auth-host to the OIDC redirect host to ensure that use of the IP or other DNS names will be redirected and get a suitable cookie.

Upgrading from 2.x version to 3.0 (Breaking Changes):

  • config session-key (SESSION_KEY env) is now called encryption-key (ENCRYPTION_KEY env) and is REQUIRED
  • config groups-session-name (GROUPS_SESSION_NAME) is deprecated as both email and groups are part of the single cookie cookie-name (COOKIE_NAME env)
  • character * in existing RBAC rules now works within one path component only, so a single * has to be replaced with ** to match the previous behavior (whether to use * or ** is up to the person writing those rules)

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages 1

 

Languages

  • Go 99.4%
  • Other 0.6%