Closed ds-sebastian closed 2 weeks ago
Hello @ds-sebastian, thank you for providing this feature request! We will put that on our roadmap.
--
I just released version v3.0.0-alpha.1. It includes the `X-Forwarded-User` header filled with the sub from the JWT token.
Could you please check if it is also working for you?
I did try, but I can't seem to get the right configuration as it's a pretty weird one lol
I have one server with Traefik and this middleware (and KanIDM):
```yaml
# docker-compose.yml
services:
  oidc-forward-auth-middleware:
    image: ghcr.io/espresso-lab/oidc-forward-auth-middleware:3.0.0-alpha.1
    container_name: oidc-forward-auth-middleware
    expose:
      - "3000"
    networks:
      - "remote-net"
    environment:
      - OIDC_PROVIDER_0_HOSTNAME=oa2p.domain.com
      - OIDC_PROVIDER_0_ISSUER_URL=https://idm.domain.com/oauth2/openid/oauth2-proxy
      - OIDC_PROVIDER_0_CLIENT_ID=oauth2-proxy
      - OIDC_PROVIDER_0_CLIENT_SECRET=<SECRET>
      - OIDC_PROVIDER_0_SCOPES=email groups openid profile
      - OIDC_PROVIDER_0_AUDIENCE=oauth2-proxy
      #- RUST_LOG=info
      - DISABLE_ENHANCED_SECURITY=true
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.oauth2-proxy.entrypoints=https"
      - "traefik.http.routers.oauth2-proxy.rule=Host(`oa2p.domain.com`)"
      - "traefik.http.services.oauth2-proxy.loadbalancer.server.port=3000"
      - "traefik.http.routers.oauth2-proxy.service=oauth2-proxy"
```
I have another server and another instance of Traefik with the following middleware on Frigate:
```yaml
# fileConfig.yml
http:
  middlewares:
    oidc-auth:
      forwardAuth:
        address: "https://oa2p.domain.com/verify"
        trustForwardHeader: true
        authResponseHeaders:
          - "Set-Cookie"
          - "Location"
          - "X-Forwarded-User"
        authRequestHeaders:
          - "Accept"
          - "Cookie"
          ...
  routers:
    frigate:
      rule: Host(`frigate.domain.com`)
      service: frigate_service
      entryPoints:
        - https
      middlewares:
        - oidc-auth
```
This results in the following logs:
```text
oidc-forward-auth-middleware | 2024-08-30T01:16:28.719275Z INFO oidc_forward_auth_middleware: Enhanced security is disabled.
oidc-forward-auth-middleware | 2024-08-30T01:16:28.720151Z INFO salvo_core::server: listening [HTTP/1.1] on http://0.0.0.0:3000
oidc-forward-auth-middleware | 2024-08-30T01:16:37.716026Z INFO Request{remote_addr=socket://172.20.0.5:33586 version=HTTP/1.1 method=GET path=/verify}: oidc_forward_auth_middleware::oidc_providers: Starting to initialize OIDC providers.
oidc-forward-auth-middleware | 2024-08-30T01:16:37.903437Z INFO Request{remote_addr=socket://172.20.0.5:33586 version=HTTP/1.1 method=GET path=/verify}: oidc_forward_auth_middleware::oidc_providers: Added OIDC provider: oa2p.domain.com -> https://idm.domain.com/oauth2/openid/oauth2-proxy
oidc-forward-auth-middleware | 2024-08-30T01:16:37.903615Z INFO Request{remote_addr=socket://172.20.0.5:33586 version=HTTP/1.1 method=GET path=/verify}: oidc_forward_auth_middleware::oidc_providers: Initialized 1 OIDC providers.
oidc-forward-auth-middleware | 2024-08-30T01:16:37.962249Z INFO Request{remote_addr=socket://172.20.0.5:33586 version=HTTP/1.1 method=GET path=/verify}: salvo_extra::logging: Response status=307 Temporary Redirect duration=246.373307ms
oidc-forward-auth-middleware | 2024-08-30T01:16:41.129324Z INFO Request{remote_addr=socket://172.20.0.5:33586 version=HTTP/1.1 method=GET path=/auth_callback?state=-UB6zeNChlZ3gIoVxhNNyw&code=gAAAAA.....WYlD6E%3D}: salvo_extra::logging: Response status=404 Not Found duration=280ns
oidc-forward-auth-middleware | 2024-08-30T01:16:41.206364Z INFO Request{remote_addr=socket://172.20.0.5:33586 version=HTTP/1.1 method=GET path=/favicon.ico}: salvo_extra::logging: Response status=404 Not Found duration=280ns
```
Hi @ds-sebastian,
it looks like you are accessing port 3000 directly with your browser. As this is a forwardauth handler and not a proxy, this should not be the case. You should access your service directly and Traefik will handle the sub-request to port 3000.
Have a look at the configuration here: https://github.com/espresso-lab/oidc-forward-auth-middleware/blob/main/docker-compose.yml#L28
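The exchange the maintainer describes (the browser talks to Frigate's router, Traefik calls `/verify` as a sub-request with only the `authRequestHeaders`, and copies only the `authResponseHeaders` back), modelled as an added example that is neither this project's nor Traefik's code. The session store, cookie name, `state` value and the subject `alice` are constructed sample values.

```python
# Added example: a model of Traefik's forwardAuth exchange for the oidc-auth middleware
# above. Not the project's or Traefik's code; session store and values are constructed.

AUTH_REQUEST_HEADERS = ("Accept", "Cookie")                              # sent to /verify
AUTH_RESPONSE_HEADERS = ("Set-Cookie", "Location", "X-Forwarded-User")   # copied back

SESSIONS = {"sess-123": {"sub": "alice"}}   # constructed: session cookie -> validated claims


def verify_endpoint(headers):
    """Stand-in for the middleware's /verify: 200 plus X-Forwarded-User (the token's sub)
    when the session cookie maps to a validated token, otherwise 307 to the OIDC provider."""
    cookie = headers.get("Cookie", "")
    jar = dict(p.strip().split("=", 1) for p in cookie.split(";") if "=" in p)
    claims = SESSIONS.get(jar.get("oidc_session"))
    if claims:
        return 200, {"X-Forwarded-User": claims["sub"]}
    return 307, {"Location": "https://idm.domain.com/oauth2/authorise?state=constructed",
                 "Set-Cookie": "oidc_state=constructed; HttpOnly; Secure"}


def traefik_forward_auth(client_headers):
    """Model of what Traefik does for a request on the frigate router (header names are
    assumed canonical). Returns ("upstream", headers) when the request may reach Frigate,
    or ("client", status, headers) when the auth response goes back to the browser."""
    # Only the configured authRequestHeaders reach /verify.
    sub_request = {k: v for k, v in client_headers.items() if k in AUTH_REQUEST_HEADERS}
    status, auth_headers = verify_endpoint(sub_request)
    if not 200 <= status < 300:
        # Not authenticated: the browser receives the 307 with Location and Set-Cookie;
        # Frigate is never contacted, which is why port 3000 need not be reachable by browsers.
        return ("client", status,
                {k: v for k, v in auth_headers.items() if k in AUTH_RESPONSE_HEADERS})
    upstream = dict(client_headers)
    for name in AUTH_RESPONSE_HEADERS:
        # Traefik drops any client-supplied copy of a listed header first, then uses the
        # auth server's value if present, so a spoofed X-Forwarded-User never reaches Frigate.
        upstream.pop(name, None)
        if name in auth_headers:
            upstream[name] = auth_headers[name]
    return ("upstream", upstream)
```

Listing `X-Forwarded-User` under `authResponseHeaders` is what makes the identity header trustworthy for Frigate: the value always comes from `/verify`, never from the browser.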
`ghcr.io/espresso-lab/oidc-forward-auth-middleware:3.0.0-alpha.1`
I just moved the middleware container to my main server with Frigate (instead of trying to expose it), used local IPs like in your example, and it works! Even with alpha-2.
Thanks for this solution! OAuth2-Proxy has issues with Traefik, and other middlewares don't yet support PKCE, which is the default in KanIDM.
Great! Thank you for testing and the feedback.
Can you consider implementing handling for the `X-Forwarded-User` header to allow for user identity to be passed?
Use Case
Enables Traefik middleware configuration:
Main use case for me is Frigate, which currently only supports ForwardAuth: https://docs.frigate.video/configuration/authentication