thomseddon / traefik-forward-auth

Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy

Single sign out not working for subdomains #270

Open rizerzero opened 3 years ago

rizerzero commented 3 years ago

Hi guys, I'm opening an issue again because I still did not manage to make single sign-out work.

I have a setup like this: staging.sub.app.domain.com => Vue app; staging.doc.app.domain.com => MkDocs; sso.domain.com => Keycloak

The documentation is built with MkDocs (static HTML), which I want to secure with traefik-forward-auth. With the configuration below, I can log in to staging.doc.app.domain.com and will be logged in to staging.sub.app.domain.com too, but if I log out from my app (staging.sub.app.domain.com), then I'm not logged out from the doc (staging.doc.app.domain.com). It seems like the token is revoked remotely but locally it still exists.

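version: "2.4"
services:
  traefik:
    image: traefik
    restart: unless-stopped
    command:
      - --ping=true
      - --api=true
      - --api.dashboard=true
      # The debug API exposes extra internals; it is reachable through the
      # "default" router below and is only guarded by its basicauth middleware.
      - --api.debug=true
      - --global.checkNewVersion=false
      - --global.sendAnonymousUsage=false
      - --log=true
      - --log.level=INFO
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.network=web
      # Only containers that opt in with traefik.enable=true are exposed.
      - --providers.docker.exposedbydefault=false
      - --certificatesResolvers.le.acme.httpChallenge=true
      - --certificatesResolvers.le.acme.httpChallenge.entryPoint=web
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=${SSL_CONTACT_EMAIL}
      - --certificatesresolvers.le.acme.storage=/etc/traefik/acme/acme.json
    volumes:
      - ./configuration/proxy/cert/:/etc/traefik/acme/
      # Read-only socket; Traefik still gets full Docker API access through it.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - web
    ports:
      - "80:80"
      - "443:443"
    labels:
      - traefik.enable=true
      # Dashboard router: TLS via the "le" resolver, basicauth protected.
      - traefik.http.routers.default.tls.certresolver=le
      - traefik.http.routers.default.entrypoints=websecure
      - traefik.http.routers.default.rule=Host(`staging.traefik.app.domain.com`)
      - traefik.http.routers.default.service=api@internal
      - traefik.http.services.default.loadbalancer.passhostheader=true
      - traefik.http.services.default.loadbalancer.server.port=8080
      - traefik.http.routers.default.middlewares=authtraefik
      - traefik.http.middlewares.authtraefik.basicauth.users=${PROXY_DASHBOARD_CREDENTIALS}
      # Catch-all on :80 that redirects every host to HTTPS.
      - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
      - traefik.http.routers.http-catchall.entrypoints=web
      - traefik.http.routers.http-catchall.middlewares=redirect-to-https
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https

# ==============================================================================
# SECURITY
# ==============================================================================

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2
    environment:
      - DEFAULT_PROVIDER=oidc
      - PROVIDERS_OIDC_ISSUER_URL=https://sso.domain.com/auth/realms/my-app
      - PROVIDERS_OIDC_CLIENT_ID=web
      # Redacted in the report. Prefer an env_file or ${VAR} substitution so
      # neither this value nor SECRET lives in the committed compose file.
      - PROVIDERS_OIDC_CLIENT_SECRET=-----------
      # SECRET is the key that signs the auth cookie. Anyone who holds it can
      # forge a valid session cookie, so it must be long, random and private.
      - SECRET=reandom_string_not_sure_what_this_is_for
      # AUTH_HOST is an optional extra *hostname* (no scheme, no path) that
      # must be routed to this service and lie inside a COOKIE_DOMAIN; it is
      # not the IdP issuer URL. The original value was the Keycloak URL, which
      # cannot serve as an auth host, so it is disabled here. When unset, each
      # protected host handles its own /_oauth callback.
      # - AUTH_HOST=https://sso.domain.com/auth/realms/my-app
      # The auth cookie is only set with a Domain attribute on a request host
      # that equals, or is a subdomain of, a COOKIE_DOMAIN entry. The previous
      # value "sso.domain.com" matches neither protected host, so the cookie
      # fell back to the request host (.staging.doc.app.domain.com) and could
      # not be shared between the subdomains. "app.domain.com" is the nearest
      # parent shared by staging.sub.app.domain.com and
      # staging.doc.app.domain.com (derived from the hostnames in the report;
      # adjust to the real zone if it differs).
      - COOKIE_DOMAIN=app.domain.com
      - COOKIE_NAME=sso.domain.com
      # false (the default) keeps the Secure flag on the cookie.
      - INSECURE_COOKIE=false
      # The signed cookie stays valid for LIFETIME seconds independently of the
      # IdP session; this service receives no back-channel logout from the IdP.
      # Shorten it if sign-out has to propagate faster (example value only):
      # - LIFETIME=3600
      - LOG_LEVEL=debug

    networks:
      - web
    labels:
      - traefik.enable=true
      - traefik.docker.network=web
      - traefik.constraint-label=web
      # Middleware that routers opt into with ...middlewares=traefik-forward-auth
      - traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181
      - traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User
      - traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181

  app-frontend:
    image: containous/whoami
    restart: always
    networks:
      - web
    labels:
      - traefik.enable=true
      - traefik.docker.network=web
      - traefik.http.routers.appfrontend.tls=true
      - traefik.http.routers.appfrontend.tls.certresolver=le
      - traefik.http.routers.appfrontend.entrypoints=websecure
      - traefik.http.services.appfrontend.loadbalancer.server.port=80
      # Host() arguments must be backtick-quoted; the original rule lacked them.
      - traefik.http.routers.appfrontend.rule=Host(`staging.sub.app.domain.com`)
      # NOTE: this router is NOT behind the forward-auth middleware, so the app's
      # session is whatever the app itself manages with Keycloak. Logging out
      # there does not touch the forward-auth cookie that the documentation
      # host relies on. To share one session (and one logout), attach
      # ...middlewares=traefik-forward-auth here as well.

  #documentation
  documentation:
    image: nginx
    restart: always
    networks:
      - web
    labels:
      - traefik.enable=true
      - traefik.docker.network=web
      - traefik.http.routers.documentation.tls=true
      - traefik.http.routers.documentation.tls.certresolver=le
      - traefik.http.services.documentation.loadbalancer.server.port=8091
      - traefik.http.routers.documentation.service=documentation
      - traefik.http.routers.documentation.rule=Host(`staging.doc.app.domain.com`)
      # Every request to this host is authorised by traefik-forward-auth first.
      - traefik.http.routers.documentation.middlewares=traefik-forward-auth

networks:
  web:
    external: true
  # backend and forwardauth-internal are declared but no service joins them.
  backend:
    external: false
  forwardauth-internal:
    external: false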

I have noticed that in the cookie for my Vue app the domain name is sso.domain.com, but in the cookie for the documentation it is .staging.doc.app.domain.com. I have set the env variable COOKIE_DOMAIN to sso.domain.com, but this did not change anything: the domain is always .staging.doc.app.domain.com


Thank you.

arcastro commented 10 months ago

+1 on this.

Even when a user signs out of the identity provider, the subdomain sessions that had previously been authenticated with traefik-forward-auth remain active for the configured $LIFETIME (default of 43200 seconds).

@thomseddon, could you help clarify whether this is intended? (Possibly worth mentioning in the project README.)