dniel / traefik-forward-auth0

A backend for performing forward authentication with Auth0 using the Traefik reverse proxy.
GNU General Public License v3.0

Grafana behind forward-auth0:2.0-rc1 throws errors #260

Closed jasperroel closed 4 years ago

jasperroel commented 4 years ago

I'm trying to run the Grafana container behind the new 2.0 middleware, but as soon as I enable that, Grafana throws the following error:

{"message":"Invalid API key"}

I assume that is because forward-auth adds the Authorization header going to Grafana.

Grafana seems to interpret this as a way to authenticate against it with an API key, which fails (because the header created with forward-auth has nothing to do with Grafana).

This seems to be similar to issues like this: https://github.com/containous/traefik/issues/6528

Is there a way to stop the forward-auth middleware from forwarding the Authorization header to the container?

jasperroel commented 4 years ago

My compose file, in case that helps at all:

version: "3.6"

services:
  grafana:
    image: grafana/grafana 
    restart: on-failure
    networks:
      - traefik-proxy
    labels:
      traefik.enable: true
      traefik.hostname: grafana
      traefik.http.routers.grafana.middlewares: secured@file
      traefik.http.routers.grafana.tls: true
      traefik.http.routers.grafana.tls.certResolver: letsencrypt-digitalocean
      traefik.http.routers.grafana.entrypoints: https
    env_file: env
    volumes:
      - type: volume
        source: grafana-storage
        target: /var/lib/grafana

networks:
  traefik-proxy:
    external: true

volumes:
  grafana-storage:

dniel commented 4 years ago

Unfortunately it's not possible to disable right now, but I could easily add a configuration option to disable adding the header. Right now the token is always added for the authenticated user.

Do you use version 2.0-rc1 of forwardauth?

jasperroel commented 4 years ago

Yes, using image: dniel/forwardauth:2.0-rc1 for the middleware.

An option would be great. Would that be per container or for everything (I'm okay with either - I don't use the header currently)?

dniel commented 4 years ago

Probably something per application, I think.

dniel commented 4 years ago

Or maybe, in your Traefik configuration for forwardauth authentication, you have something like https://docs.traefik.io/middlewares/forwardauth/#authresponseheaders

Something like this for the File provider, maybe. The authResponseHeaders field lists the headers that Traefik will forward after authentication. If you remove Authorization from authResponseHeaders, I think Traefik will ignore that header.

http:
  middlewares:
    test-auth:
      forwardAuth:
        address: "https://example.com/auth"
        authResponseHeaders:
          - "Authorization"

jasperroel commented 4 years ago

Ah yeah, that already works indeed. I forgot about that part of the config!

So, I now have:

middlewares:
    forward-auth:
      forwardAuth:
        address: http://traefik-forward-auth:8080/authorize
        trustForwardHeader: true
        authResponseHeaders:
  #        - authorization
          - x-forwardauth-nickname
          - x-forwardauth-family-name
          - x-forwardauth-given-name
          - x-forwardauth-name
          - x-forwardauth-sub
          - x-forwardauth-email

That works.

Thanks for that suggestion!

dniel commented 4 years ago

Perfect, glad to hear. :+1: Close this issue if you are satisfied with the solution.
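
The allowlist behaviour discussed in this thread, as an added example that is not part of the original issue or of the traefik-forward-auth0 project: a simplified Python model of which headers reach the backend for each of the two authResponseHeaders lists shown above, plus a check that reports which middlewares still forward Authorization. The function names, token and identity values are constructed, and the model assumes a listed header is taken only from the auth server's response while unlisted headers pass through as the client sent them.

```python
# Added example: simplified model of Traefik forwardAuth header handling.
# Assumption: a header listed in authResponseHeaders is taken only from the
# auth server's response (the client's copy is dropped); everything else the
# client sent passes through unchanged. Header names are case-insensitive.

def headers_to_backend(client, auth_response, auth_response_headers):
    """Headers the backend receives after the auth server answers 2xx."""
    request = {k.lower(): v for k, v in client.items()}
    response = {k.lower(): v for k, v in auth_response.items()}
    for name in (h.lower() for h in auth_response_headers):
        request.pop(name, None)            # drop the client's own value
        if name in response:               # copy only what is allowlisted
            request[name] = response[name]
    return request


def middlewares_forwarding(config, header="authorization"):
    """Names of forwardAuth middlewares whose allowlist contains `header`."""
    found = []
    for name, mw in config.get("http", {}).get("middlewares", {}).items():
        allow = (mw.get("forwardAuth") or {}).get("authResponseHeaders") or []
        if header.lower() in (h.lower() for h in allow):
            found.append(name)
    return sorted(found)


# Constructed sample data: the token and identity values are placeholders.
AUTH_RESPONSE = {
    "Authorization": "Bearer <auth0-access-token>",
    "X-Forwardauth-Email": "user@example.com",
    "X-Forwardauth-Sub": "auth0|constructed",
}
CLIENT = {"Host": "grafana", "X-Forwardauth-Email": "client-supplied@example.com"}

# The two allowlists from the thread, as already-parsed dynamic configuration.
CONFIG = {"http": {"middlewares": {
    "test-auth": {"forwardAuth": {"authResponseHeaders": ["Authorization"]}},
    "forward-auth": {"forwardAuth": {"authResponseHeaders": [
        "x-forwardauth-nickname", "x-forwardauth-family-name",
        "x-forwardauth-given-name", "x-forwardauth-name",
        "x-forwardauth-sub", "x-forwardauth-email"]}},
}}}

if __name__ == "__main__":
    for mw_name, mw in CONFIG["http"]["middlewares"].items():
        allow = mw["forwardAuth"]["authResponseHeaders"]
        print(mw_name, headers_to_backend(CLIENT, AUTH_RESPONSE, allow))
    print("forwards Authorization:", middlewares_forwarding(CONFIG))
```

With the `test-auth` list the backend receives the Auth0 bearer token, which is the header Grafana rejected; with the `forward-auth` list it receives only the `x-forwardauth-*` identity headers.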