traefikoidc's Introduction

Traefik OIDC middleware

This middleware is under active development - things should NOT break, but they might. It is intended to replace the combination of forward-auth and oauth2-proxy when Traefik is used as a reverse proxy in front of services that require OIDC authentication.

Configuration options

The middleware currently supports the following scenarios:

  • Setting custom callback and logout URLs via callbackURL and logoutURL
  • Restricting access to users from the listed e-mail domains when allowedUserDomains is set; otherwise the access decision is left entirely to the OIDC provider
  • Excluding URL prefixes that do NOT require OIDC authentication via excludedURLs
  • Rate limiting requests to mitigate brute-force attacks

Docker compose example

Note that only the hello and whoami routers carry the OIDC middleware in this example; the dash router serving the dashboard (api@internal) has none, and api.insecure: true in the static configuration additionally exposes the API on the default traefik entrypoint, so neither setting belongs in a production deployment.

docker-compose.yaml

version: "3.7"

services:
  traefik:
    image: traefik:v3.0.1
    command:
      - "--experimental.plugins.traefikoidc.modulename=github.com/lukaszraczylo/traefikoidc"
      - "--experimental.plugins.traefikoidc.version=v0.2.1"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik-config/traefik.yml:/etc/traefik/traefik.yml
      - ./traefik-config/dynamic-configuration.yml:/etc/traefik/dynamic-configuration.yml
    labels:
      - "traefik.http.routers.dash.rule=Host(`dash.localhost`)"
      - "traefik.http.routers.dash.service=api@internal"

    ports:
      - "80:80"

  hello:
    image: containous/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.hello.entrypoints=http
      - traefik.http.routers.hello.rule=Host(`hello.localhost`)
      - traefik.http.services.hello.loadbalancer.server.port=80
      - traefik.http.routers.hello.middlewares=my-plugin@file

  whoami:
    image: jwilder/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.entrypoints=http
      - traefik.http.routers.whoami.rule=Host(`whoami.localhost`)
      - traefik.http.services.whoami.loadbalancer.server.port=8000
      - traefik.http.routers.whoami.middlewares=my-plugin@file

traefik-config/traefik.yml (the file mounted at /etc/traefik/traefik.yml above)

log:
  level: INFO

experimental:
  localPlugins:
    traefikoidc:
      moduleName: github.com/lukaszraczylo/traefikoidc

# API and dashboard configuration
api:
  dashboard: true
  insecure: true

entryPoints:
  http:
    address: ":80"
    forwardedHeaders:
      insecure: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /etc/traefik/dynamic-configuration.yml

traefik-config/dynamic-configuration.yml (the file mounted at /etc/traefik/dynamic-configuration.yml above)

http:
  middlewares:
    my-plugin:
      plugin:
        traefikoidc:
          providerURL: https://accounts.google.com
          clientID: 1234567890.apps.googleusercontent.com
          clientSecret: secret
          callbackURL: /oauth2/callback
          logoutURL: /oauth2/logout
          scopes: # If not provided, default scopes will be used (openid, email, profile)
            - openid
            - email
            - profile
          allowedUserDomains: # If not provided, the access decision is left entirely to the OIDC provider
            - raczylo.com
          sessionEncryptionKey: potato-secret # placeholder; use a long random value
          forceHTTPS: false
          logLevel: debug # debug, info, warn, error
          rateLimit: 100 # Simple rate limiter to mitigate brute-force attacks
          excludedURLs: # List of URL prefixes which are NOT subject to authentication
            - /login # covers /login, /login/me, /login/reminder etc.
            - /my-public-data
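The excludedURLs and allowedUserDomains options above decide, per request, whether a path is exempt from authentication and whether an authenticated user's e-mail domain is acceptable. The following is an added Go example, not the plugin's own code: it assumes excluded prefixes match only at a path-segment boundary (so /login covers /login/me but not /loginadmin) and that the domain check is an exact, case-insensitive comparison of the part after the last "@" rather than a suffix match.

```go
package main

import (
	"fmt"
	"strings"
)

// Config mirrors the two list-valued options from the dynamic configuration.
// Assumed field names; the plugin's own struct may differ.
type Config struct {
	AllowedUserDomains []string
	ExcludedURLs       []string
}

// IsExcluded reports whether a request path is exempt from authentication.
// A configured prefix matches only at a path-segment boundary, so "/login"
// covers "/login", "/login/me" and "/login/reminder" but not "/loginadmin".
func (c Config) IsExcluded(path string) bool {
	for _, p := range c.ExcludedURLs {
		p = strings.TrimSuffix(p, "/")
		if path == p || strings.HasPrefix(path, p+"/") {
			return true
		}
	}
	return false
}

// IsAllowedUser checks the domain of an authenticated e-mail claim against
// allowedUserDomains. An empty list means the OIDC provider alone decides.
// The domain is the text after the last "@", compared case-insensitively
// and exactly, so "alice@raczylo.com.evil.example" is rejected.
func (c Config) IsAllowedUser(email string) bool {
	if len(c.AllowedUserDomains) == 0 {
		return true
	}
	at := strings.LastIndex(email, "@")
	if at < 0 || at == len(email)-1 {
		return false
	}
	domain := email[at+1:]
	for _, d := range c.AllowedUserDomains {
		if strings.EqualFold(d, domain) {
			return true
		}
	}
	return false
}

func main() {
	cfg := Config{AllowedUserDomains: []string{"raczylo.com"}, ExcludedURLs: []string{"/login", "/my-public-data"}}
	fmt.Println(cfg.IsExcluded("/login/me"), cfg.IsExcluded("/loginadmin"))                           // true false
	fmt.Println(cfg.IsAllowedUser("Alice@Raczylo.com"), cfg.IsAllowedUser("a@raczylo.com.evil.example")) // true false
}
```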

traefikoidc's Issues

[Traefik Plugin Catalog] Plugin Analyzer has detected a problem.

The plugin was not imported into Traefik Plugin Catalog.

Cause:

failed to run the plugin with Yaegi: the load of the plugin takes too much time(10s), or an error, inside the plugin, occurs during the load: 1:21: import "github.com/lukaszraczylo/traefikoidc" error: /tmp/traefik-plugin-gop3025944321/src/github.com/lukaszraczylo/traefikoidc/helpers.go:7:2: import "github.com/lukaszraczylo/go-oidc/v3/oidc" error: /tmp/traefik-plugin-gop3025944321/src/github.com/lukaszraczylo/traefikoidc/vendor/github.com/lukaszraczylo/go-oidc/v3/oidc/jwks.go:16:2: import "github.com/go-jose/go-jose/v3" error: /tmp/traefik-plugin-gop3025944321/src/github.com/lukaszraczylo/traefikoidc/vendor/github.com/go-jose/go-jose/v3/asymmetric.go:33:2: import "github.com/go-jose/go-jose/v3/json" error: /tmp/traefik-plugin-gop3025944321/src/github.com/lukaszraczylo/traefikoidc/vendor/github.com/go-jose/go-jose/v3/json/encode.go:650:48: cannot use type *json.encodeState as type io.Writer

Traefik Plugin Analyzer will restart when you close this issue.

If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please file an issue on the piceus repository.

[Traefik Plugin Catalog] Plugin Analyzer has detected a problem.

The plugin was not imported into Traefik Plugin Catalog.

Cause:

failed to run the plugin with Yaegi: the load of the plugin takes too much time(10s), or an error, inside the plugin, occurs during the load: 1:21: import "github.com/lukaszraczylo/traefikoidc" error: /tmp/traefik-plugin-gop400614426/src/github.com/lukaszraczylo/traefikoidc/helpers.go:6:2: import "github.com/coreos/go-oidc/v3/oidc" error: /tmp/traefik-plugin-gop400614426/src/github.com/lukaszraczylo/traefikoidc/vendor/github.com/coreos/go-oidc/v3/oidc/jose.go:3:8: import "github.com/go-jose/go-jose/v4" error: /tmp/traefik-plugin-gop400614426/src/github.com/lukaszraczylo/traefikoidc/vendor/github.com/go-jose/go-jose/v4/asymmetric.go:33:2: import "github.com/go-jose/go-jose/v4/json" error: /tmp/traefik-plugin-gop400614426/src/github.com/lukaszraczylo/traefikoidc/vendor/github.com/go-jose/go-jose/v4/json/encode.go:650:48: cannot use type *json.encodeState as type io.Writer

Traefik Plugin Analyzer will restart when you close this issue.

If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please file an issue on the piceus repository.

[Traefik Plugin Catalog] Plugin Analyzer has detected a problem.

The plugin was not imported into Traefik Plugin Catalog.

Cause:

failed to get the latest tag: invalid tag: 0.0.5 (this tag must be removed, see https://semver.org)

Traefik Plugin Analyzer will restart when you close this issue.

If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please file an issue on the piceus repository.

Failed to save session

Hey, I've configured this plugin to work with AWS cognito. It seems that the authentication itself is working, at least I'm getting redirected to the cognito auth page, but after I login the plugin fails to save the session:

DEBUG: TraefikOidcPlugin: 2024/08/02 10:27:51 Setting CSRF token: ee6306d8-65d1-4f24-a37d-22931ee18c6b
DEBUG: TraefikOidcPlugin: 2024/08/02 10:28:00 Cleaning up token cache
DEBUG: TraefikOidcPlugin: 2024/08/02 10:28:14 Setting CSRF token: 2001e6b6-8fca-49fc-97d5-728f45065182
DEBUG: TraefikOidcPlugin: 2024/08/02 10:28:35 Handling callback, URL: /_oauth?code=d7934238-6d06-47e0-b5dd-cf56b3210bf3&state=2001e6b6-8fca-49fc-97d5-728f45065182
DEBUG: TraefikOidcPlugin: 2024/08/02 10:28:35 Verifying token
ERROR: TraefikOidcPlugin: 2024/08/02 10:28:36 Failed to save session
DEBUG: TraefikOidcPlugin: 2024/08/02 10:28:36 Setting CSRF token: b3d0c0bb-f281-4c75-8b3e-36b4739e61c0

Any idea what can be the problem?

[Traefik Plugin Catalog] Plugin Analyzer has detected a problem.

The plugin was not imported into Traefik Plugin Catalog.

Cause:

failed to run the plugin with Yaegi: the load of the plugin takes too much time(10s), or an error, inside the plugin, occurs during the load: 1:21: import "github.com/lukaszraczylo/traefikoidc" error: /tmp/traefik-plugin-gop4160592626/src/github.com/lukaszraczylo/traefikoidc/helpers.go:90:17: undefined: assembleRedirectURL

Traefik Plugin Analyzer will restart when you close this issue.

If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please file an issue on the piceus repository.

[Traefik Plugin Catalog] Plugin Analyzer has detected a problem.

The plugin was not imported into Traefik Plugin Catalog.

Cause:

failed to load readme: failed to get the readme file: GET https://api.github.com/repos/lukaszraczylo/traefikoidc/readme?ref=v0.0.5: 404 Not Found []

Traefik Plugin Analyzer will restart when you close this issue.

If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please file an issue on the piceus repository.

[Traefik Plugin Catalog] Plugin Analyzer has detected a problem.

The plugin was not imported into Traefik Plugin Catalog.

Cause:

failed to get the latest tag: invalid tag: test-0.0.1 (this tag must be removed, see https://semver.org)

Traefik Plugin Analyzer will restart when you close this issue.

If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please file an issue on the piceus repository.
