Announcing Traefik Enterprise 2.7 | Traefik Labs

With OAuth 2.0 client credentials, PKCE support for OIDC, and API Portal enhancements.

The past month has been extremely busy here at Traefik Labs with one announcement coming after the other! In case you missed it, last month we announced our partnership with HashiCorp, launched the beta version of our new product, Traefik Hub, and just last week, we released the latest version of Traefik Proxy (2.8).

And we are proud to say that we have no intention of slowing down! Today, we come to you with yet another announcement — We are excited to present the latest version of Traefik Enterprise.

Traefik Enterprise 2.7 shipped with important new features and enhancements for authentication, Windows support, and API Portal. Let’s dig in and explore all the new features one by one.

Secure, manage, & scale all your APIs.See how Traefik Enterprise simplifies, automates, and centralizes API management and security with one easy-to-use solution.Learn More

OAuth 2.0 client credentials

There are certain use cases where machine-to-machine (M2M) tokens are used internally with the intention of opening APIs to external partners (B2B) while continuing to use one identity provider as the single OAuth2 authorization service.

With the 2.7 version, Traefik Enterprise now accepts credentials from the external client and then calls the identity provider (client_credentials flow) to obtain the access token. The credentials accepted are in the form of a clientId and a clientSecret. Traefik Enterprise caches those tokens and attaches them when forwarding the request upstream while all subsequent requests from the same external client re-use the same cached access token until it expires.

Having privacy and cost issues in mind when implementing this solution, we made sure that:

  • External partners will not be aware of and concerned with which identity provider an organization is using.
  • External partners will not be able to excessively request new M2M tokens resulting in additional costs, as some identity providers charge for the number of M2M tokens issued.

Let’s take a look at the steps you need to follow to use this feature.

  1. Declare your authentication server address and your KV Store in the Static Configuration:
    # Authentication Source
# Consul K/V Store
    # the value has to match one of the possible
    # kv store types (consul, etcd, zookeeper, and redis).
      keyPrefix: traefikee
        - 'localhost:8500'
  1. Configure your middleware in the Dynamic Configuration:
kind: Middleware
  name: test-client-creds
	# Authentication Source to use
      source: clientCredsSource
	# KV Store
      store: consulStore

PKCE support for OIDC

Proof-Key for Code Exchange (PKCE) prevents authorization code injection and adds an extra layer of security to the authorization code flow and helps mitigate a number of security threats, making it very useful for all OAuth clients. With the release of Traefik Enterprise 2.7, the OIDC middleware now supports PKCE.

The regular authorization code flow and the auth code flow with PKCE are very similar, but in the latter, PKCE is added to a couple of steps within the flow. The process is automatically generated by Traefik Enterprise and evaluated by the Identity Provider — the user is not required to take any action:

  1. The user sends the request to Traefik Enterprise.
  2. Traefik Enterprise generates the PKCE code verifier and challenge and then redirects the user to the Identity Provider sign-in page. This redirect includes the code challenge.
  3. The user authenticates.
  4. The authorization server redirects back to Traefik Enterprise with an authorization code.
  5. Traefik Enterprise sends the authorization code to the Identity Provider, including the code verifier that was generated in the second step.
  6. The Identity Provider evaluates the PKCE code and returns access and ID tokens.
  7. Traefik Enterprise uses these tokens to call the resource server on behalf of the user.
  8. The user sends the request with the new session to Traefik Enterprise which validates the request and sends it to the application.

The diagram below summarizes these steps.

Up until now, it hasn’t been possible to deploy Enterprise on Windows machines. Neither the CLI nor the nodes have worked on Windows machines. By popular demand, we now made it possible to deploy a Traefik Enterprise cluster on Windows machines.

This feature brings global Windows support for both the cluster and the CLI.

To manage your cluster on Windows, install teectl and start your journey just like you would on a Linux machine.

Test APIs from the API Portal

With Traefik Enterprise 2.7, you are now able to test your API shown in the API Portal directly from the browser, eliminating the need for a client.

The short video below demonstrates how to use this feature with the API Portal in Traefik Enterprise.

Next steps

This Traefik Enterprise release brings a lot of important features that tackle some real-life production challenges. And, as always, we are not stopping there — we have a lot more planned for future releases!

Currently, we are actively working on more API Portal updates, improving our integration with HashiCorp Vault namespaces (first introduced in Traefik Enterprise 2.6), and last but not least, we are working on even more improvements and enhancements for the OIDC middleware, more specifically, adding support for distributed claims. So, stay tuned!

In the meantime, if you’re new to Traefik Enterprise and want to learn more, don’t hesitate to reach out to request a demo or put your skills into action with a free, 30-day trial. And for more information, feel free to dig into our documentation.

Secure, manage, & scale all your APIs.Want to simplify API management and security? Request a demo today and see Traefik Enterprise in action.Request a demo

This is a companion discussion topic for the original entry at