SSO with traefik forward auth with Google Oauth2

funkypenguin · July 6, 2022, 4:54am

Traefik Forward Auth is incredibly useful to secure services with an additional layer of authentication, provided by an OIDC-compatible provider. The simplest possible provider is a self-hosted instance of Dex, configured with a static username and password. This is not much use if you want to provide "normies" access to your services though - a better solution would be to validate their credentials against an existing trusted public source.

This is a companion discussion topic for the original entry at https://geek-cookbook.funkypenguin.co.nz/docker-swarm/traefik-forward-auth/google/

belroth · January 21, 2023, 6:30pm

funkypenguin:

Prepare environment

Create /var/data/config/traefik-forward-auth/traefik-forward-auth.env as per the following example:

PROVIDERS_GOOGLE_CLIENT_ID=<your client id>
PROVIDERS_GOOGLE_CLIENT_SECRET=<your client secret>
SECRET=<a random string, make it up>
# comment out AUTH_HOST if you'd rather use individual redirect_uris (slightly less complicated but more work)
AUTH_HOST=auth.example.com
COOKIE_DOMAINS=example.com
[email protected], [email protected]

When utilizing “WHITELIST” the comma separated value list cannot have spaces. Took me awhile to figure out why “[email protected]” wouldn’t authorize and realized I had " [email protected]" (notice the leading space).

funkypenguin · January 21, 2023, 6:30pm