KeyCloak - Funky Penguin's Geek Cookbook

While the Traefik Forward Auth recipe demonstrated a quick way to protect a set of explicitly-specified URLs using OIDC credentials from a Google account, this recipe will illustrate how to use your own KeyCloak instance to secure any URLs within your DNS domain.


This is a companion discussion topic for the original entry at https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/traefik-forward-auth/keycloak/

Hi there!
First of all, thanks for your wonderful recipes!
Second, I have been trying, but without success, to configure a traefik-forward-auth to work with my existing traefik and keycloak, but I always get 307 to the googleapis.
It’s been 3 days and I can’t find the issue.
Would you be able to pinpoint the problem?

Swap to this container - Docker Hub

The one in the compose doesn’t actually support anything other than Google.

1 Like

IT’S ALIVE! ALIVE!!!
Thanks!!

1 Like

:+1: The “official” image will be updated with generic OIDC support in due course :slight_smile:

failed to get oidc parametere from oidc connect…

Any help here?

CLIENT_ID=Forward-auth
CLIENT_SECRET=9ca3050f-954b-4859-b007-da93kd00d
OIDC_ISSUER=https://keycloak.127.0.0.1.xip.io/auth/realms/master
SECRET=elfgj04
AUTH_HOST=auth.127.0.01.xip.io
COOKIE_DOMAINS=127.0.0.1.xip.io

traefik-forward-auth:
  image: funkypenguin/traefik-forward-auth
  env_file: ./assets/traefik.env
  networks:
    - web
    - internal
  labels:
    - traefik.port=4181
    - traefik.frontend.rule=Host:auth.127.0.0.1.xip.io
    - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
    - traefik.frontend.auth.forward.trustForwardHeader=true

If you exec into the traefik-forward-auth container, can you curl the OIDC issuer URL?

My guess (from the somewhat strange hostname) is you’re running Keycloak on a 127.0.0.1 address - that won’t work inside a container. It must listen on a non-local IP (e.g. in a non-public range like 172.16/12 or 192.168/16)

I edited the ip to 127.0.0.1 for privacy reasons.

Container exits before I can exec: traefik-forward-auth_1 exited with code 1

I am having the same issue as @thebetterjort

level=fatal msg=“failed to get oidc parametere from oidc connect”
which to me feels like it's working up to traefik-forward-auth/main.go at 6d516ec16d93ce26654f18aff22de331935fe6ba · geek-cookbook/traefik-forward-auth · GitHub

EDIT: I am an idiot… somehow my traefik_public network was down… getting it back and now the container is stable

Is it possible to run one instance of this over a variety of applications with different permissions?

Either by configuring OIDC_ISSUER as a label on the other application, configuring it based on the redirect host, or other means.

Or do I need to duplicate this container for each realm?

1 Like

Hello,

I followed your setup but when I try to access whoami, I am redirected to KeyCloak web interface with an error “Invalid parameter: redirect_uri”

When checking the full URL, I noticed the following:

https://keycloak.mydomain.com/auth/realms/master/protocol/openid-connect/auth?client_id=traefik-forward-auth&**redirect_uri=https%3A%2F%2Fwhoami.mydomain.com** (…)

From my understanding, it should be redirected to auth, not whoami? Any idea?

I confirm I have AUTH_HOST configured as explained, and here is how I deploy whoami (currently in the same stack as traefik):

  whoami:
    image: emilevauge/whoami
    networks:
      - traefik_public
    deploy:
      labels:
        - traefik.enable=true
        # - traefik.backend=whoami
        - traefik.frontend.rule=Host:whoami.mydomain.com
        - traefik.port=80
        - traefik.tags=traefik_public
        - traefik.docker.network=traefik_public
        # Traefik service that listens to HTTP
        - traefik.redirectorservice.frontend.entryPoints=http
        - traefik.redirectorservice.frontend.redirect.entryPoint=https
        # Traefik service that listens to HTTPS
        - traefik.webservice.frontend.entryPoints=https
        - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
        - traefik.frontend.auth.forward.trustForwardHeader=true

What settings do you have for your My-traefik-forward-auth in your keycloak client admin page?
What are your settings for your auth container?
Are you with cloudflare? letsencrypt SSL?

Your whoami container traefik labels look way too complex for testing…
You should be able to get away with

labels:
  - traefik.enable=true
  - traefik.frontend.rule=Host:whoami.mydomain.com
  - traefik.port=80
  - traefik.docker.network=traefik_public
  - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
  - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
  - traefik.frontend.auth.forward.trustForwardHeader=true

My Config: (missing some bits as I just copied the main section)

    image: funkypenguin/traefik-forward-auth
    env_file: /var/data/config/traefik/traefik-app.env
    networks:
      - networks_public
    depends_on:
      - traefik-app
    deploy:
      labels:
        - traefik.port=4181
        - traefik.enable=true
        - traefik.frontend.rule=Host:auth.mydomain.com
        - traefik.docker.network=traefik_public
        - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
        - traefik.frontend.auth.forward.trustForwardHeader=true

my traefik-app.env file (mix of traefik, traefik-forward-auth, and cert dumper settings)

TZ=Region/Place
PUID=999
PGID=999
# For cloudflare
CLOUDFLARE_EMAIL=$myemail
CLOUDFLARE_API_KEY=$apikey
CLIENT_ID=my-traefik-forward-auth
CLIENT_SECRET=$SECRETKEY
OIDC_ISSUER=https://keycloak.mydomain.com/auth/realms/master
SECRET=$ANOTHERSECRET
AUTH_HOST=auth.mydomain.com
COOKIE_DOMAINS=mydomain.com
LOG_LEVEL=error

I answered my own question… I made a typo for COOKIE_DOMAINS. I forgot to add an S (although the instructions are very clear, I was confused by the original repository where this option was without the S).
Now it works fine.

1 Like

Hey!

Thanks for this fine recipe. Works great on my end.

One question though: The client app does not get a cookie containing the jwt.
It seems like I only get the email address. Is there a way to get the full jwt cookie?

Please note that you can’t run this with Nextcloud when you want to log in to the Android app, even if you allow your Nextcloud domain. The Nextcloud Android app does an HTTP HEAD request to /remote.php/webdav/ which gets blocked by forward auth.

I’m having a problem getting the traefik-forward-auth service to start.

The container just dies after about 2 seconds with this error:
level=fatal msg=“failed to get oidc parametere from oidc connect”

Traefik is working and I can protect services with it, including the Keycloak Service.

Keycloak seems to be working and I have created a client and set things up according to the article.
From what I can tell the error that is happening is when it tries to create the URI for the OIDC connection which should come from the environment statements for the traefik-forward-auth service.

CLIENT_ID=forward-auth
CLIENT_SECRET=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
OIDC_ISSUER=https://keycloak.domainname.us/auth/realms/master/
SECRET=sosecret
AUTH_HOST=auth.domainname.us
COOKIE_DOMAINS=domainname.us

My settings in keycloak look like this:
Realm:
Name: master
Hostname: keycloak.domain.us
Client:
Client ID: forward-auth
Client Protocol: openid-connect
Access Type: confidential
Root URL: https://domain.us
Valid Redirect URIs: https://domain.us/*
Admin URL: https://domain.us
Web Origins: https://domain.us
(last 3 settings were automatic when I built the client and included the Root URL)

keycloak service config:
services:
  keycloak:
    image: jboss/keycloak
    env_file: /var/data/config/keycloak/keycloak.env
    volumes:
      - /etc/localtime:/etc/localtime:ro
    networks:
      - traefik_public
    deploy:
      labels:
        - traefik.frontend.rule=Host:keycloak.domain.us
        - traefik.port=8080
        - traefik.docker.network=traefik_public

traefik-forward-auth config: (currently have env file commented out and put environment in yml to save some effort while troubleshooting)

traefik-forward-auth:
  image: funkypenguin/traefik-forward-auth
  #env_file: /var/data/config/traefik/traefik-forward-auth.env
  networks:
    - traefik_public
  environment:
    CLIENT_ID: forward-auth
    CLIENT_SECRET: xxxxxxxx-xxxx-xxxx-xxxxxxxxxx
    OIDC_ISSUER: https://keycloak.domain.us/auth/realms/master
    SECRET: sosecret
    AUTH_HOST: auth.domain.us
    COOKIE_DOMAINS: domain.us
    COOKIE_SECURE: "true"
    LIFETIME: "2592000"
  deploy:
    labels:
      - traefik.port=4181
      - traefik.frontend.rule=Host:auth.domain.us
      - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
      - traefik.frontend.auth.forward.trustForwardHeader=true

I can get it going with the Google OAUTH provider and the original traefik-forward-auth that was forked for this. I just can’t get it running with KeyCloak.

New error is like this:
panic: interface conversion: interface {} is nil, not string

goroutine 1 [running]:
main.main()
/app/main.go:203 +0x146
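Added example (not code from the recipe or from the traefik-forward-auth project) that pulls together the checks raised across this thread: that the issuer's discovery document is reachable and its issuer string equals OIDC_ISSUER exactly, that AUTH_HOST sits inside COOKIE_DOMAINS, and that the callback URL on AUTH_HOST is covered by the Keycloak client's Valid Redirect URIs. The /_oauth callback path and the sample discovery document are assumptions; point check_config at the JSON you fetch from OIDC_ISSUER + /.well-known/openid-configuration inside the container.

```python
import json

# Fields traefik-forward-auth needs from the discovery document to build its
# authorization, token and JWKS URLs; the step that fails before startup here.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample, shaped like Keycloak's /auth/realms/master/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.domain.us/auth/realms/master",
    "authorization_endpoint": "https://keycloak.domain.us/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.domain.us/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.domain.us/auth/realms/master/protocol/openid-connect/certs",
})

def parse_env(text):
    """Parse KEY=VALUE lines as written in traefik-forward-auth.env; '#' lines are comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def redirect_uri_allowed(uri, patterns):
    """Keycloak 'Valid Redirect URIs': exact match, or prefix match when the pattern ends in '*'."""
    return any(uri == p or (p.endswith("*") and uri.startswith(p[:-1])) for p in patterns)

def check_config(env, discovery_json, valid_redirects, callback_path="/_oauth"):
    """Return a list of problems found; an empty list means the settings are consistent."""
    problems = []
    try:
        doc = json.loads(discovery_json)
    except ValueError:
        return ["issuer did not return JSON: check the URL is reachable from inside the container"]
    for key in REQUIRED:
        if not isinstance(doc.get(key), str):
            problems.append(f"discovery document has no string field {key!r}")
    if doc.get("issuer") != env.get("OIDC_ISSUER"):
        problems.append(f"OIDC_ISSUER {env.get('OIDC_ISSUER')!r} must equal issuer {doc.get('issuer')!r} exactly (trailing slash?)")
    auth_host = env.get("AUTH_HOST", "")
    domains = [d.strip() for d in env.get("COOKIE_DOMAINS", "").split(",") if d.strip()]
    if not any(auth_host == d or auth_host.endswith("." + d) for d in domains):
        problems.append(f"AUTH_HOST {auth_host!r} is not inside COOKIE_DOMAINS {domains}")
    callback = f"https://{auth_host}{callback_path}"  # assumed callback path
    if not redirect_uri_allowed(callback, valid_redirects):
        problems.append(f"callback {callback!r} matches none of Valid Redirect URIs {valid_redirects}")
    return problems
```

With OIDC_ISSUER ending in a slash and Valid Redirect URIs of https://domain.us/* for an AUTH_HOST of auth.domain.us, check_config reports both the issuer mismatch and the uncovered callback.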

Have this up and running and have even used the --white-list option to restrict a couple of endpoints to specific users in keycloak. However, wondered whether anyone had a way to easily map specific containers to keycloak groups/roles? I think having traefik-fwd-authentication as a single point is great but how to extend for URI route authorization restrictions easily?