While the Traefik Forward Auth recipe demonstrated a quick way to protect a set of explicitly-specified URLs using OIDC credentials from a Google account, this recipe will illustrate how to use your own KeyCloak instance to secure any URLs within your DNS domain.
Hi there!
First of all, thanks for your wonderful recipes!
Second, I have been trying, without success, to configure traefik-forward-auth to work with my existing Traefik and Keycloak, but I always get a 307 to googleapis.
It’s been 3 days and I can’t find the issue.
Would you be able to pinpoint the problem?
My guess (from the somewhat strange hostname) is you’re running Keycloak on a 127.0.0.1 address - that won’t work inside a container. It must listen on a non-local IP (e.g. in a non-public range like 172.16/12 or 192.168/16).
What settings do you have for your My-traefik-forward-auth in your Keycloak client admin page?
What are the settings for your auth container?
Are you with Cloudflare? Let’s Encrypt SSL?
Your whoami container’s Traefik labels look way too complex for testing…
You should be able to get away with
I answered my own question… I made a typo for COOKIE_DOMAINS. I forgot to add an S (although the instructions are very clear, I was confused by the original repository, where this option was without the S).
Now it works fine.
Thanks for this fine recipe. Works great on my end.
One question though: the client app does not get a cookie containing the JWT.
It seems like I only get the email address. Is there a way to get the full JWT cookie?
Please note that you can’t run this with Nextcloud when you want to log in to the Android app, even if you allow your Nextcloud domain. The Nextcloud Android app does an HTTP HEAD request to /remote.php/webdav/, which gets blocked by forward auth.
I’m having a problem getting the traefik-forward-auth service to start.
The container just dies after about 2 seconds with this error:
level=fatal msg="failed to get oidc parametere from oidc connect"
Traefik is working and I can protect services with it, including the Keycloak Service.
Keycloak seems to be working and I have created a client and set things up according to the article.
From what I can tell, the error happens when it tries to build the URI for the OIDC connection, which should come from the environment statements for the traefik-forward-auth service.
My settings in keycloak look like this:
Realm:
Name: master
Hostname: keycloak.domain.us
Client:
Client ID: forward-auth
Client Protocol: openid-connect
Access Type: confidential
Root URL: https://domain.us
Valid Redirect URIs: https://domain.us/*
Admin URL: https://domain.us
Web Origins: https://domain.us
(the last 3 settings were filled in automatically when I built the client and included the Root URL)
I can get it going with the Google OAuth provider and the original traefik-forward-auth that was forked for this. I just can’t get it running with KeyCloak.
New error is like this:
panic: interface conversion: interface {} is nil, not string
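Both errors quoted above occur while traefik-forward-auth talks to the issuer at startup, so the first thing to confirm is that the issuer actually serves a complete OIDC discovery document that is reachable from inside the container. The script below is an added example for this thread, not code from the recipe or from any traefik-forward-auth fork; the issuer URL, the Keycloak endpoint paths and the discovery document it embeds are constructed samples, and the list of fields it requires follows OpenID Connect Discovery 1.0 rather than what any particular fork reads.

```python
"""Sanity-check the OIDC discovery document an issuer publishes.

Added example for this comment thread; it is not part of the recipe or of
traefik-forward-auth. Run without arguments to check the embedded sample,
or pass an issuer URL to fetch and check the live document.
"""
from __future__ import annotations

import json
import sys
import urllib.request
from urllib.parse import urlparse

# Required by OpenID Connect Discovery 1.0, section 3.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
# Not mandatory, but a proxy that whitelists by email usually needs it.
RECOMMENDED_FIELDS = ("userinfo_endpoint",)
# Fields that must be strings; a non-string here is the kind of value that
# makes a Go client panic on a type assertion.
STRING_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Build the well-known URL for a configured issuer (trailing slash tolerated)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(doc: dict, configured_issuer: str) -> list[str]:
    """Return a list of problems; an empty list means the document looks usable."""
    problems: list[str] = []
    for field in REQUIRED_FIELDS:
        value = doc.get(field)
        if value is None:
            problems.append(f"missing required field: {field}")
        elif field in STRING_FIELDS and not isinstance(value, str):
            problems.append(f"field {field} is {type(value).__name__}, expected string")
        elif field in STRING_FIELDS:
            parsed = urlparse(value)
            host = parsed.hostname or ""
            # A loopback address works on the host but not from another container.
            if host == "localhost" or host.startswith("127."):
                problems.append(f"{field} points at a loopback address ({host}); "
                                "unreachable from another container")
            if parsed.scheme == "http":
                problems.append(f"{field} uses plain http; codes and tokens travel unencrypted")
    for field in RECOMMENDED_FIELDS:
        if field not in doc:
            problems.append(f"missing recommended field: {field}")
    issuer = doc.get("issuer")
    # Clients compare the document's issuer with the configured one; a mismatch
    # (different host, scheme or realm path) makes token validation fail.
    if isinstance(issuer, str) and issuer.rstrip("/") != configured_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: document says {issuer!r}, configured {configured_issuer!r}")
    return problems


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Fetch the live discovery document for an issuer."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample: a Keycloak-style issuer for the "master" realm.
SAMPLE_ISSUER = "https://keycloak.example.com/auth/realms/master"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/userinfo",
    "jwks_uri": SAMPLE_ISSUER + "/protocol/openid-connect/certs",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    if len(sys.argv) == 2:
        issuer = sys.argv[1]
        doc = fetch_discovery(issuer)
    else:
        issuer, doc = SAMPLE_ISSUER, SAMPLE_DOC
    for line in check_discovery(doc, issuer) or ["discovery document looks usable"]:
        print(line)
```

Run it from inside a container on the same Docker network as the auth service (for example with `docker run --rm --network <your-network> python:3 python - <issuer-url> < check.py`) so that name resolution and reachability are tested from the same place traefik-forward-auth runs; a document that checks out from the host but not from the container points at the networking problem described earlier in the thread rather than at the client configuration in Keycloak.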
I have this up and running and have even used the --white-list option to restrict a couple of endpoints to specific users in Keycloak. However, I wondered whether anyone had a way to easily map specific containers to Keycloak groups/roles? I think having traefik-fwd-authentication as a single point is great, but how can it be extended easily to authorization restrictions on URI routes?