thomseddon / traefik-forward-auth

Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy
MIT License

Using multiple OIDC issuers or multiple client-id+secret? #44

Closed mdbraber closed 5 years ago

mdbraber commented 5 years ago

Hi!

First off - thanks for writing this excellent package! I'm successfully using my own fork based on @funkypenguin's fork to allow using it with my own OIDC provider (in this case dex).

As I've separated my LAN into different VLAN segments (e.g. admin services and normal services), I'd like to be able to give different user groups access to those different services. This would prevent e.g. a user that has access to, say, Radarr from also accessing Portainer. For this I guess I would need to set a different OIDC provider and/or different client_id+secret.

It's trivial to just use another instance of traefik-forward-auth with different credentials, but would it make sense to also try and do this with a single traefik-forward-auth instance (using different cookie names as well, as I'm using the same domain name for all services)?

My questions:

Thanks!

thomseddon commented 5 years ago

Hi!

With tfa v0, the easiest fix would be multiple instances of tfa.

With tfa v2 you can pass credentials on a per-provider basis, however we still only support Google! OIDC support is being tracked in #47

I'm going to close this issue as there's a solution and path forwards tracked separately, but please feel free to re-open if you have any further questions!
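The "multiple instances" approach from the reply above, written out as an added docker-compose illustration (not code from the project or from anyone in this thread). It assumes a tfa 2.x image with the OIDC provider, Traefik v2 labels, and placeholder hostnames, client ids and secrets; the point to notice is that each instance gets its own SECRET and COOKIE_NAME, because both share the same cookie domain and a session cookie from one instance must not verify at the other.

```yaml
# docker-compose.yml (constructed example; hostnames, client ids and secrets are placeholders)
services:
  tfa-services:                      # guards the "normal services" segment (e.g. Radarr)
    image: thomseddon/traefik-forward-auth:2   # assumes a 2.x build with OIDC support
    environment:
      - DEFAULT_PROVIDER=oidc
      - PROVIDERS_OIDC_ISSUER_URL=https://dex.example.lan   # placeholder issuer
      - PROVIDERS_OIDC_CLIENT_ID=services-client            # client the IdP issues to normal users (assumption)
      - PROVIDERS_OIDC_CLIENT_SECRET=CHANGE_ME_SERVICES
      - SECRET=CHANGE_ME_SIGNING_KEY_1       # cookie signing key; must differ from tfa-admin
      - COOKIE_NAME=_forward_auth_services   # distinct name; both instances share COOKIE_DOMAIN
      - COOKIE_DOMAIN=example.lan
      - AUTH_HOST=auth-services.example.lan
    labels:
      - traefik.http.middlewares.services-auth.forwardauth.address=http://tfa-services:4181
      - traefik.http.middlewares.services-auth.forwardauth.authResponseHeaders=X-Forwarded-User
      - traefik.http.routers.tfa-services.rule=Host(`auth-services.example.lan`)
      - traefik.http.routers.tfa-services.middlewares=services-auth
      - traefik.http.services.tfa-services.loadbalancer.server.port=4181

  tfa-admin:                         # guards the admin segment (e.g. Portainer)
    image: thomseddon/traefik-forward-auth:2
    environment:
      - DEFAULT_PROVIDER=oidc
      - PROVIDERS_OIDC_ISSUER_URL=https://dex.example.lan
      - PROVIDERS_OIDC_CLIENT_ID=admin-client   # separate client, issued only to admins (assumption)
      - PROVIDERS_OIDC_CLIENT_SECRET=CHANGE_ME_ADMIN
      - SECRET=CHANGE_ME_SIGNING_KEY_2       # different key: a services cookie does not verify here
      - COOKIE_NAME=_forward_auth_admin
      - COOKIE_DOMAIN=example.lan
      - AUTH_HOST=auth-admin.example.lan
    labels:
      - traefik.http.middlewares.admin-auth.forwardauth.address=http://tfa-admin:4181
      - traefik.http.middlewares.admin-auth.forwardauth.authResponseHeaders=X-Forwarded-User
      - traefik.http.routers.tfa-admin.rule=Host(`auth-admin.example.lan`)
      - traefik.http.routers.tfa-admin.middlewares=admin-auth
      - traefik.http.services.tfa-admin.loadbalancer.server.port=4181

  radarr:
    image: lscr.io/linuxserver/radarr
    labels:
      - traefik.http.routers.radarr.rule=Host(`radarr.example.lan`)
      - traefik.http.routers.radarr.middlewares=services-auth   # only the services login is accepted

  portainer:
    image: portainer/portainer-ce
    labels:
      - traefik.http.routers.portainer.rule=Host(`portainer.example.lan`)
      - traefik.http.routers.portainer.middlewares=admin-auth   # only the admin login is accepted
```

Each client needs its own callback registered at the issuer (tfa's default callback path is `/_oauth` under the AUTH_HOST), and which users may complete a login for each client is decided by the IdP, not by tfa.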

michael-robbins commented 4 years ago

Hey @thomseddon, just asking the same question as above, as I'm not sure we answered the 'multiple OIDC issuers' part: is it actually possible to create multiple OIDC providers within a single TFA instance?

Maybe like being able to set the issuer-url/etc. on a per-rule basis? Or would I need to run multiple TFA instances, one per OIDC issuer?

tepelbaum commented 1 year ago

> Hi!
>
> With tfa v0, the easiest fix would be multiple instances of tfa.
>
> With tfa v2 you can pass credentials on a per-provider basis, however we still only support Google! OIDC support is being tracked in #47
>
> I'm going to close this issue as there's a solution and path forwards tracked separately, but please feel free to re-open if you have any further questions!

Hi! First of all, thanks a lot for this awesome tool! I was wondering if by any chance there was documentation on the OP answer in the case of one tfa for multiple clients?

Thanks a lot!!