1

Traefik includes a forward-auth middleware, but there is also an OIDC-specific middleware in Traefik Enterprise Edition https://traefik.io/glossary/openid-connect-everything-you-need-to-know/

Is it possible to achieve OIDC auth with just the free forward-auth middleware in Traefik proxy? I want to secure an example service using Keycloak on Rancher Kubernetes. The forward-auth documentation isn't clear as to what the auth server can be.

Also, this GitHub project seemingly supports OIDC, https://github.com/thomseddon/traefik-forward-auth but I am a little confused with the similar names. Is it the same or different from Traefik's forward-auth? Can I use this in a production setup?

  • UPDATE 1: I think the way to go is to use Traefik forward auth to forward the auth request to either gogatekeeper or oauth2-proxy. These proxies work with OIDC providers in the backend and return 2XX or 4XX codes depending on the authentication result.
devin
  • 1,078
  • 1
  • 9
  • 23

1 Answers1

2

yes, it's possible to achieve the OIDC auth with the forward-auth middleware but you need also an external service like https://github.com/thomseddon/traefik-forward-auth.

I'm still working on it to create a production ready service, i found this interesting project that do the work https://oauth2-proxy.github.io/oauth2-proxy/ instead of thomseddon container.

I suggest this example project, made on top of docker, it explain well the behavior of the system https://github.com/BlackBeltTechnology/traefik-keycloak-sso-reverse-proxy

There is also this well documented site https://geek-cookbook.funkypenguin.co.nz/docker-swarm/traefik-forward-auth/keycloak/

Deebster
  • 2,829
  • 1
  • 26
  • 26
Andrea
  • 71
  • 6
  • Thanks, I actually got it working with oauth2-proxy and nginx ingress controller already. – devin Feb 06 '23 at 21:54