Open sgofferj opened 2 years ago
@sgofferj did you ever get this working? I'm trying now, using
```yaml
traefik-forward-auth:
  image: thomseddon/traefik-forward-auth:2
  environment:
    - DEFAULT_PROVIDER=generic-oauth
    - PROVIDERS_GENERIC_OAUTH_AUTH_URL=https://..../apps/oauth2/authorize
    - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=https://..../apps/oauth2/api/v1/token
    - PROVIDERS_GENERIC_OAUTH_USER_URL=https://..../ocs/v2.php/cloud/user?format=json
    - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=....
    - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=....
    - SECRET=....
    # - INSECURE_COOKIE=true # Example assumes no https, do not use in production
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.traefik-forward-auth.tls=true"
    - "traefik.http.routers.traefik-forward-auth.rule=Host(`....`) && PathPrefix(`/someauth`)"
    - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
    - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
    - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
```
@r2evans Unfortunately not. I have been using Authentik for a while.
@sgofferj is that using NC as the provider, or did you convert NC to use Authentik as the provider?
Authentik is the backend now. For services that don't speak OIDC, I use the Authentik proxy worker instead of forward auth.
Not sure if that's a bug or if I'm missing anything. I have been trying to debug for hours... Without AUTH_HOST I can make it work fine but not with AUTH_HOST. I have set up the whoami example with AUTH_HOST and my nextcloud server. I'm using the :latest tagged docker image.
What happens is:

1. Go to https://whoami.domain.com
2. Nextcloud warning page about security - click OK
3. Nextcloud grant access page - click Grant access
4. Nextcloud grant access page again - click Grant access again
5. Nextcloud page with "Access denied. State token does not match" message.
6. Manually go to whoami.domain.com -> Authenticated, seeing all info.
Log:
docker-compose.yml:
Callback URL in NC OAUTH client settings: https://auth.domain.com/_oauth