thomseddon / traefik-forward-auth

Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy
MIT License

Failed at /_oauth endpoint - problem with keycloak, path prefix and docker compose setup #313

Open redoy11 opened 2 years ago

redoy11 commented 2 years ago

I am trying to use the overlay mode and OAuth provider to connect with Keycloak using the following configuration in my docker-compose file.

```yaml
version: '3'

services:
  traefik:
    image: traefik:v2.2
    command:
      - --providers.docker
      - --api.insecure=true
      # This example uses "global authentication"
      - --entryPoints.http.address=:80
      - --entrypoints.http.http.middlewares=traefik-forward-auth
    ports:
      - "8085:80"
      - "8086:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  whoami:
    image: containous/whoami
    labels:
      # Routed by path prefix, not by host name
      - "traefik.http.routers.whoami.rule=PathPrefix(`/whoami`)"
      - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2
    environment:
      - DEFAULT_PROVIDER=generic-oauth
      - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=<keycloak_client_id>
      - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=<keycloak_client_secret>
      - PROVIDERS_GENERIC_OAUTH_AUTH_URL=http://localhost:8080/auth/realms/<realm_name>/protocol/openid-connect/auth
      - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=http://localhost:8080/auth/realms/<realm_name>/protocol/openid-connect/token
      - PROVIDERS_GENERIC_OAUTH_USER_URL=http://localhost:8080/auth/realms/<realm_name>/protocol/openid-connect/userinfo
      - SECRET=something-random
      # INSECURE_COOKIE is required if not using a https entrypoint
      - INSECURE_COOKIE=true
      - LOG_LEVEL=debug
      # Auth-host mode: cookies are shared across *.localhost.com and the
      # OAuth callback is served on AUTH_HOST
      - COOKIE_DOMAIN=localhost.com
      - AUTH_HOST=auth.localhost.com:8085
    labels:
      - "traefik.http.routers.traefik-forward-auth.rule=Host(`auth.localhost.com`)"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
```

When I browse to /whoami, I get redirected to Keycloak and once I provide the proper credentials, I get redirected back to /_oauth. At /_oauth, it gets stuck.

I will need to set up traefik-forward-auth with multiple containers using the path prefix. So any help or guideline will be appreciated.
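One thing worth checking in a setup like the one above is which host the browser actually uses, because COOKIE_DOMAIN and AUTH_HOST only take effect when the request host falls inside a configured cookie domain. The script below is an added example (my own model of traefik-forward-auth's cookie-domain matching and auth-host selection, not the project's code) that, given the reporter's COOKIE_DOMAIN and AUTH_HOST values, shows the cookie Domain and OAuth redirect_uri that result for a request to `localhost:8085` versus one to a `*.localhost.com` host; the function and field names are mine.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Model of how traefik-forward-auth decides the cookie domain and the
# OAuth callback (redirect_uri) for a request. Names are this example's
# own, not the project's; the matching rules follow my reading of the
# project's behaviour and should be treated as an assumption.
@dataclass
class Config:
    cookie_domains: List[str]   # COOKIE_DOMAIN (comma separated in the env)
    auth_host: str              # AUTH_HOST ("" when not set)
    path: str = "/_oauth"       # callback path (URL_PATH default)

def match_cookie_domains(cfg: Config, host: str) -> Tuple[bool, str]:
    """Return (matched, domain). The port is ignored; the first configured
    domain that equals the host or is a parent of it wins, otherwise the
    cookie is scoped to the bare request host."""
    bare = host.split(":")[0]
    for d in cfg.cookie_domains:
        if bare == d or bare.endswith("." + d):
            return True, d
    return False, bare

def use_auth_domain(cfg: Config, request_host: str) -> Tuple[bool, str]:
    """AUTH_HOST is used only if both it and the request host sit in the
    same configured cookie domain."""
    if not cfg.auth_host:
        return False, ""
    req_match, req_domain = match_cookie_domains(cfg, request_host)
    auth_match, auth_domain = match_cookie_domains(cfg, cfg.auth_host)
    return req_match and auth_match and req_domain == auth_domain, auth_domain

def redirect_uri(cfg: Config, proto: str, request_host: str) -> str:
    """Callback URL the provider (Keycloak here) is told to return to."""
    use, _ = use_auth_domain(cfg, request_host)
    host = cfg.auth_host if use else request_host
    return f"{proto}://{host}{cfg.path}"

def explain(cfg: Config, proto: str, request_host: str) -> dict:
    _, cookie_domain = match_cookie_domains(cfg, request_host)
    return {"cookie_domain": cookie_domain,
            "redirect_uri": redirect_uri(cfg, proto, request_host)}

# Values taken from the compose file in the issue above
REPORTER = Config(cookie_domains=["localhost.com"], auth_host="auth.localhost.com:8085")

if __name__ == "__main__":
    for host in ("localhost:8085", "whoami.localhost.com:8085"):
        print(host, explain(REPORTER, "http", host))
```

With the reporter's values, a request to `localhost:8085` is outside `localhost.com`, so in this model the cookie is scoped to `localhost` and the callback goes to `http://localhost:8085/_oauth` rather than to AUTH_HOST; a request to a `*.localhost.com` host uses both settings as intended.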

Ahmad-Faizan commented 1 year ago

Hey @redoy11

I too am facing the same issue while setting this up on a k8s cluster. Were you able to get this working?