Forward-Auth question


I'm considering using Forward-Auth in order to create a custom authentication service that uses JWT to authenticate requests.

From what I see in samples, the services should be on a public URL but in my case I would need it to be a local service that takes requests forward by Traefik but wouldn't be on a public URL. Is this possible?

Eg: as an ingress, Traefik would first forward the request to some Kubernetes service for authentication.


Hello @adascalu and thanks for your interest in Traefik,

The ForwardAuth address is not required to be public. The only requirement is that the configured address must be accessible to Traefik.

As you said it's possible to forward the request to some private Kubernetes service for authentication and you can use the DNS feature from Kubernetes instead of using an IP.

Hope this helps!

@kevinpollet Thanks! That definitely clears it up.

1 Like

Have you already seen the forward Auth service (OAuth/ SSO) for Traefik? Here's the link to the repo: GitHub - thomseddon/traefik-forward-auth: Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy

I tried it myself und was able to use it with all services within 20 Minutes of configuration (Docker Compose stack).