 

How to set traefik with OAuth2 authentication

I'm using traefik as a reverse proxy. I want to set OAuth2 authentication for an entry point. In the documentation I found Forward Authentication, which I think may be useful for this, but the documentation is just too simple:

This configuration will first forward the request to http://authserver.com/auth.

If the response code is 2XX, access is granted and the original request is performed. Otherwise, the response from the authentication server is returned.

I've no idea how I can achieve OAuth2 authentication within a forward. I've tried oauth2_proxy but didn't find a solution.
In this issue/comment guybrush provided a solution, but that was, in fact, a double reverse proxy.

kehao asked Jun 12 '18 15:06
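The contract quoted above (a 2XX response grants access, any other response goes back to the client) implemented as a minimal forward-auth endpoint. This is an added Go example, not code from Traefik or from any of the projects mentioned in the answers; the demo key, the cookie name `_forward_auth`, the `/_oauth/login` path and the `X-Forwarded-User` header are assumptions, while the `X-Forwarded-Proto`/`Host`/`Uri` request headers are the ones Traefik's forward auth sets.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"net/url"
	"strconv"
	"strings"
	"time"
)

var secret = []byte("demo-secret-change-me") // assumption: a real service loads this from config
// sign returns hex(HMAC-SHA256(secret, msg)); it is what makes the session cookie unforgeable.
func sign(msg string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}
// MakeSession builds the cookie value "user|expiry|mac" the OAuth2 callback would set after IdP login.
func MakeSession(user string, exp time.Time) string {
	body := user + "|" + strconv.FormatInt(exp.Unix(), 10)
	return body + "|" + sign(body)
}
// VerifySession checks the MAC in constant time, then rejects expired sessions.
func VerifySession(v string, now time.Time) (string, bool) {
	parts := strings.Split(v, "|")
	if len(parts) != 3 || !hmac.Equal([]byte(sign(parts[0]+"|"+parts[1])), []byte(parts[2])) {
		return "", false
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || now.Unix() >= exp {
		return "", false
	}
	return parts[0], true
}
// AuthHandler is the endpoint Traefik forwards to: 2XX plus the identity header grants access; anything else is returned to the client.
func AuthHandler(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("_forward_auth"); err == nil {
		if user, ok := VerifySession(c.Value, time.Now()); ok {
			w.Header().Set("X-Forwarded-User", user)
			w.WriteHeader(http.StatusOK)
			return
		}
	}
	// Original URL from the X-Forwarded-* headers Traefik sets; /_oauth/login is an assumed path on this service.
	orig := r.Header.Get("X-Forwarded-Proto") + "://" + r.Header.Get("X-Forwarded-Host") + r.Header.Get("X-Forwarded-Uri")
	http.Redirect(w, r, "/_oauth/login?redirect="+url.QueryEscape(orig), http.StatusFound)
}
```

Traefik only ever sees the status code and headers of this endpoint's reply, so the redirect is what an unauthenticated browser receives, and the upstream service is never reached.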



2 Answers

I've recently built an app for this: https://github.com/thomseddon/traefik-forward-auth

It uses Forward Authentication, as you mentioned, and uses Google OAuth to authenticate users.

There's an example Docker Compose setup here: https://github.com/thomseddon/traefik-forward-auth/blob/master/examples/docker-compose.yml. See the traefik.toml file to see how Traefik is configured to point at the app.

Let me know if it is helpful!

Thom Seddon answered Sep 21 '22 21:09


Instead of trying to make Traefik support your case, let Traefik do what it does best and instead use Keycloak Gatekeeper for authentication (and potentially authorization).

This would change your setup from

Client -- Traefik -- Service

to

Client -- Traefik -- Gatekeeper -- Service

This means that both Traefik and Gatekeeper act as reverse proxies.

It's incredibly simple to model complex auth setups with this approach. One potential drawback, however, is the additional RP layer, so for high-performance setups this may not be an ideal solution.

Note that Gatekeeper can work with any OIDC compatible IdP, so you don't have to run Keycloak to use it.

theDmi answered Sep 22 '22 21:09