thomseddon / traefik-forward-auth

Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy
MIT License
2.11k stars 405 forks

Google OAuth Set CSRF cookie and redirected to provider login url #340

Closed rea11st closed 1 year ago

rea11st commented 1 year ago

Hi, I'm using traefik-forward-auth to manage access for my services. When I try to open the service, I am redirected to https://auth.gprq.ru/_oauth?state=b0ca327b773893d93bda829b969fe217%3Agoogle%3Ahttps%3A%2F%2Fcode.gprq.ru%2F&code=4%2F0AWgavde6ZhqfsnXkNVxeMkqfJvFzAhSybycmfRXWROUeNQK6lZCc-FfrLMhTn0lidcpBDA&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=consent

and get a 404 Not Found.

In my auth service logs:

time="2023-01-15T20:53:34Z" level=debug msg="Authenticating request" cookies="[_forward_auth_csrf_74543d=74543d96ba7c3e56058b913dda07b4be _forward_auth_csrf_4d4f74=4d4f74454168a8638cdb44c64dddb3cb _forward_auth_csrf_e6e741=e6e74196e655dd2224b64b1e8be0d187 _forward_auth_csrf_45db78=45db78b97b0746fe4800f7b2170ac52e _forward_auth_csrf_803437=8034374a22d1f937c82041e06a962997 _forward_auth_csrf_60ed2d=60ed2d4e31a2cf786985afdae34a9ac6 _forward_auth_csrf_32b240=32b2404affa96adf52fba2e16e1ee65a]" handler=Auth host=code.gprq.ru method=GET proto=https rule=default source_ip=109.252.183.113 uri=/

time="2023-01-15T20:53:34Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf_b0ca32=b0ca327b773893d93bda829b969fe217; Path=/; Domain=gprq.ru; Expires=Sun, 15 Jan 2023 21:53:34 GMT; HttpOnly; Secure" handler=Auth host=code.gprq.ru login_url="https://accounts.google.com/o/oauth2/auth?client_id=159610333411-l46von33rjk50ddc8425lg7p3i8567lk.apps.googleusercontent.com&prompt=select_account&redirect_uri=https%3A%2F%2Fauth.gprq.ru%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=b0ca327b773893d93bda829b969fe217%3Agoogle%3Ahttps%3A%2F%2Fcode.gprq.ru%2F" method=GET proto=https rule=default source_ip=109.252.183.113 uri=/

This is my main.yml:

version: "3.9"
services:
  traefik:
    image: "traefik:latest"
    container_name: traefik
    command:
      - --certificatesresolvers.leresolver.acme.email=my@mail.com #Set your email address here, is for the generation of SSL certificates with Let's Encrypt. 
      - --entrypoints.web.address=:80
      - --entrypoints.web.forwardedHeaders.insecure=true
      - --entrypoints.websecure.forwardedHeaders.insecure=true
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --log.level=INFO
      - --certificatesresolvers.leresolver.acme.httpchallenge=true
      - --certificatesresolvers.leresolver.acme.storage=/acme.json
      - --certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=web
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --metrics.prometheus=true
      - --api.dashboard=true

    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./acme.json:/acme.json"
    networks:
      - intranet
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.docker.network=intranet"
      - "traefik.http.routers.gprq.tls.domains[0].main=gprq.ru"
      - "traefik.http.routers.gprq.tls.domains[0].sans=*.gprq.ru"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.rule=Host(`traefik.gprq.ru`)"
      - "traefik.http.routers.traefik-insecure.rule=Host(`traefik.gprq.ru`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=leresolver"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.routers.traefik.middlewares=traefik-forward-auth@docker"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    command: -H unix:///var/run/docker.sock
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    networks:
      - intranet
    labels:
      # Frontend
      - "traefik.enable=true"
      - "traefik.http.routers.frontend.rule=Host(`portainer.gprq.ru`)"
      - "traefik.http.routers.frontend.entrypoints=websecure"
      - "traefik.http.services.frontend.loadbalancer.server.port=9000"
      - "traefik.http.routers.frontend.service=frontend"
      - "traefik.http.routers.frontend.tls.certresolver=leresolver"

      # Edge
      - "traefik.http.routers.edge.rule=Host(`edge.gprq.ru`)"
      - "traefik.http.routers.edge.entrypoints=websecure"
      - "traefik.http.services.edge.loadbalancer.server.port=8000"
      - "traefik.http.routers.edge.service=edge"
      - "traefik.http.routers.edge.tls.certresolver=leresolver"

  whoami:
    image: containous/whoami
    container_name: whoami
    networks:
      - intranet
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=intranet"
      - "traefik.http.routers.whoami.rule=Host(`gprq.ru`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=leresolver"
      - "traefik.http.routers.whoami.middlewares=traefik-forward-auth@docker"

volumes:
  portainer_data:

networks:
  intranet:
    name: intranet

And this is my auth.yml:

version: '3.9'

networks:
  intranet:
    external: true

volumes:
  keycloakdata:
    name: keycloakdata

services:
  forwardauth:
    image: thomseddon/traefik-forward-auth
    container_name: forwardauth
    restart: always
    networks:
      - intranet
    env_file:
      traefik-forward-auth.env
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=intranet"
      - "traefik.http.routers.auth.tls=true"
      - "traefik.http.routers.auth.service=forwardauth"
      - "traefik.http.services.forwardauth.loadbalancer.server.port=4181"
      - "traefik.http.routers.auth.entrypoints=web"
      - "traefik.http.routers.auth.rule=Host(`auth.gprq.ru`)"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://forwardauth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User, X-Forwarded-JWT"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.routers.auth.tls.certresolver=leresolver"

In the traefik service logs: level=error msg="middleware \"traefik-forward-auth@docker\" does not exist" entryPointName=websecure routerName=whoami@docker

Any ideas?

vojtechvelkjop commented 1 year ago

And how does your middleware configuration look? E.g. on Kubernetes:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: azuread
spec:
  forwardAuth:
    address: http://traefik-sso.<namespace>.svc:4181
    authResponseHeaders:
    - X-Forwarded-User
    trustForwardHeader: true
rea11st commented 1 year ago

> And how does your middleware configuration look? E.g. on Kubernetes:
>
> apiVersion: traefik.containo.us/v1alpha1
> kind: Middleware
> metadata:
>   name: azuread
> spec:
>   forwardAuth:
>     address: http://traefik-sso.<namespace>.svc:4181
>     authResponseHeaders:
>     - X-Forwarded-User
>     trustForwardHeader: true

It's not k8s, just Docker.

cyc1e commented 1 year ago

Hi, I have the same issue, did you solve it?

rea11st commented 1 year ago

I solved my problem by just adding this label - "traefik.http.routers.auth.entrypoints=websecure" - to the forwardauth service.
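Both failure modes in this thread are visible in the Traefik labels alone: the "middleware does not exist" error appears when a router references a middleware that no running container declares (here the middleware lives in a separate compose file), and the 404 after the Google redirect appears when the router that exposes the forward-auth callback (auth.gprq.ru) is not on the same entrypoint as the routers it protects, so the https callback hits an entrypoint with no matching router. The following linter is an added example, not code from the thread or from the traefik-forward-auth project; it reads a constructed subset of the labels above and reports both problems. It assumes that the router for the auth callback is whichever router is declared on the same compose service as the forwardauth middleware, and that a protected request and its callback use the same entrypoint.

```python
"""Lint Traefik docker-provider labels for two forward-auth misconfigurations.

Added example (not the project's code). Labels are assumed to use the
'traefik.http.<routers|middlewares>.<name>.<field>' layout of the docker provider.
"""
from typing import Dict, List, Tuple

PREFIX = "traefik.http."


def parse_labels(labels: List[str]) -> Dict[str, str]:
    """Turn ['key=value', ...] into a dict; a repeated key keeps the last value, as Traefik does."""
    parsed: Dict[str, str] = {}
    for label in labels:
        key, _, value = label.partition("=")
        parsed[key.strip()] = value.strip()
    return parsed


def collect(services: Dict[str, List[str]]) -> Tuple[Dict[str, dict], Dict[str, str]]:
    """Return (routers, middlewares): router name -> properties, middleware name -> owning compose service."""
    routers: Dict[str, dict] = {}
    middlewares: Dict[str, str] = {}
    for owner, labels in services.items():
        for key, value in parse_labels(labels).items():
            if not key.startswith(PREFIX):
                continue
            parts = key[len(PREFIX):].split(".")
            if parts[0] == "routers" and len(parts) >= 3:
                router = routers.setdefault(parts[1], {"owner": owner, "entrypoints": set(), "middlewares": set()})
                if parts[2] == "entrypoints":
                    router["entrypoints"] = {e.strip() for e in value.split(",")}
                elif parts[2] == "middlewares":
                    # '@docker' is the provider suffix, not part of the middleware name
                    router["middlewares"] = {m.strip().split("@")[0] for m in value.split(",")}
            elif parts[0] == "middlewares" and len(parts) >= 3:
                middlewares[parts[1]] = owner
    return routers, middlewares


def lint(services: Dict[str, List[str]]) -> List[str]:
    """Report undefined middlewares and forward-auth callback routers on the wrong entrypoint."""
    routers, middlewares = collect(services)
    problems: List[str] = []
    # 1. Every middleware a router references must be declared by some running service.
    for name, router in routers.items():
        for mw in router["middlewares"]:
            if mw not in middlewares:
                problems.append(f'router "{name}" references middleware "{mw}" which no running service defines')
    # 2. For each forwardauth middleware, the callback router (declared on the same compose
    #    service as the middleware, by assumption) must cover every entrypoint it protects.
    for mw, owner in middlewares.items():
        if f"{PREFIX}middlewares.{mw}.forwardauth.address" not in parse_labels(services[owner]):
            continue
        auth_entrypoints = set()
        for router in routers.values():
            if router["owner"] == owner:
                auth_entrypoints |= router["entrypoints"]
        for name, router in routers.items():
            if mw in router["middlewares"]:
                missing = router["entrypoints"] - auth_entrypoints
                if missing:
                    problems.append(
                        f'router "{name}" is protected by "{mw}" on entrypoint(s) {sorted(missing)} '
                        f'but the auth callback router only listens on {sorted(auth_entrypoints)}'
                    )
    return problems


# Constructed sample input: a subset of the labels from main.yml in the thread.
MAIN_YML = {
    "traefik": [
        "traefik.enable=true",
        "traefik.http.routers.traefik.entrypoints=https",
        "traefik.http.routers.traefik.entrypoints=websecure",
        "traefik.http.routers.traefik.rule=Host(`traefik.gprq.ru`)",
        "traefik.http.routers.traefik.middlewares=traefik-forward-auth@docker",
    ],
    "whoami": [
        "traefik.enable=true",
        "traefik.http.routers.whoami.rule=Host(`gprq.ru`)",
        "traefik.http.routers.whoami.entrypoints=websecure",
        "traefik.http.routers.whoami.middlewares=traefik-forward-auth@docker",
    ],
}


def auth_yml(entrypoint: str) -> Dict[str, List[str]]:
    """Constructed subset of auth.yml; 'web' reproduces the bug, 'websecure' is the fix from the thread."""
    return {"forwardauth": [
        "traefik.enable=true",
        "traefik.http.routers.auth.service=forwardauth",
        "traefik.http.routers.auth.rule=Host(`auth.gprq.ru`)",
        f"traefik.http.routers.auth.entrypoints={entrypoint}",
        "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://forwardauth:4181",
    ]}


if __name__ == "__main__":
    for title, stack in [("main.yml only", MAIN_YML),
                         ("auth router on web", {**MAIN_YML, **auth_yml("web")}),
                         ("auth router on websecure", {**MAIN_YML, **auth_yml("websecure")})]:
        print(f"== {title}: {lint(stack) or 'OK'}")
```

Running the three stacks in order shows the progression of the thread: with only main.yml up, both protected routers reference an undefined middleware; with the auth stack up but its router on the `web` entrypoint, the callback is unreachable on `websecure`; with the label from the last comment, the linter reports nothing.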