Forwardauth + openid (keycloak)

How would I go about implementing Keycloak with Traefik v2?
In Traefik 1.7 an intermediate (extra) container, per container, was required to handle the authentication.

I was hoping that with v2.0 I could forward the authentication natively with Traefik, without needing an extra container (double reverse proxy) per service.

It would be beautiful to have single sign-on with two-factor authentication for all my microservices, just configured by a few labels on my containers.

There is a forward authentication middleware, but does it support Keycloak / OpenID? I can't find anything about that in the documentation. If it does, I'd love a configuration example.

Or, if Traefik doesn't support this, does anyone know of a container that can wrap the forward authentication of Traefik to Keycloak, without having to double reverse proxy the microservice? Just a single container to wrap the authentication.


Did you ever find a solution for this? I'm looking to do the same thing :slight_smile:

Take a look at https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/traefik-forward-auth/

Traefik doesn't support it natively so you need an additional container, but based on what I've read this is the best way.

Another possibility that gets you the same result but isn't exactly openid is https://www.authelia.com/

I tried the tutorial you mentioned, but it didn't work with Traefik v2; it results in an error "Too many redirects loop".

Edit :

  • Keycloak instance is on sso.domain.tld
  • Traefik Web UI is on proxy.domain.tld
  • Keycloak Proxy is on auth.domain.tld

The goal here is to protect the web UI of Traefik, here are some details about my config :

docker-compose.yml

version: "3.5"
services:
  traefik:
    container_name: traefik
    image: traefik:v2.0
    environment:
      - CF_API_EMAIL=xxx@xxx.xx
      - CF_API_KEY=xxxxxxxx
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./dynamic/:/dynamic/
      - ./static/:/etc/traefik/
      - ./log:/log
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - internal_network
    labels:
      traefik.enable: true
      traefik.http.routers.proxy.entrypoints: web-secure
      traefik.http.routers.proxy.rule: Host("proxy.domain.tld")
      traefik.http.routers.proxy.tls: true
      traefik.http.routers.proxy.tls.certresolver: cloudflare
      traefik.http.services.proxy.loadbalancer.server.port: 8080
      traefik.http.routers.proxy.middlewares: keycloak@file  # protect Web UI access
    restart: always

  traefik-auth:
    container_name: traefik-auth
    image: funkypenguin/traefik-forward-auth
    environment:
      - CLIENT_ID=traefik-auth
      - CLIENT_SECRET=<secret_from_keycloak>
      - OIDC_ISSUER=https://sso.domain.tld/auth/realms/internal-network
      - SECRET=<random_secret>
      - AUTH_HOST=auth.domain.tld
      - COOKIE_DOMAINS=domain.tld
    networks:
      - internal_network
    labels:
      traefik.enable: true
      traefik.http.routers.auth.entrypoints: web-secure
      traefik.http.routers.auth.rule: Host("auth.domain.tld")
      traefik.http.services.auth.loadbalancer.server.port: 4181
      traefik.http.routers.auth.tls: true
      traefik.http.routers.auth.tls.certresolver: cloudflare
    restart: always

networks:
  internal_network:
    name: internal_network
    driver: bridge

In /dynamic/global.yml I have the "keycloak" auth middleware :

http:
  middlewares:
    keycloak:
      forwardAuth:
        address: "http://traefik-auth:4181"
        trustForwardHeader: true
        authResponseHeaders:
          - "X-Forwarded-User"

My keycloak instance has the client declared : https:// ibb. co/mXXKgmW

The middleware is applied when I access proxy.domain.tld (it redirects to sso.domain.tld) : https:// ibb .co/zRXYG9C

After a successful login on sso.domain.tld, it redirects to auth.domain.tld, and here is the error "too many redirects" : https://ibb.co/SRL3zjT

Here are the console logs of Chrome :

If someone knows where the mistake is...

Take a look here: https://docs.traefik.io/migration/v1-to-v2/#dashboard
I don't think you've set up your labels on traefik properly. You should be using the api@internal service. But this might not be the main issue.

It looks like you have a redirect loop from sso.* to auth.* but I think you should never actually get any redirects... traefik should just serve the sso login page, then when you log in there and traefik again forwards the request, the sso responds with a 200 and traefik lets you in... Maybe your keycloak setup is wrong?

You should check the logs from the auth container and from keycloak to see what's happening.

Thanks for helping.

I modified the traefik labels as you mentioned, but effectively it's not the main issue.

The traefik container labels are now :

labels:
      traefik.enable: true
      traefik.http.routers.api.entrypoints: web-secure
      traefik.http.routers.api.rule: Host("proxy.domain.tld")
      traefik.http.routers.api.tls: true
      traefik.http.routers.api.tls.certresolver: cloudflare
      traefik.http.routers.api.service: api@internal
      traefik.http.services.api.loadbalancer.healthcheck.path: /ping
      traefik.http.routers.api.middlewares: keycloak@file

I have checked the logs but no errors appear.

Here are the logs of the Keycloak instance :

09:44:21,489 INFO  [org.keycloak.events] (default task-187) type=LOGIN, realmId=Internal Network, clientId=traefik-auth, userId=65cdf049-bf3d-459e-9be9-58d365024781, ipAddress=10.1.0.3, auth_method=openid-connect, auth_type=code, redirect_uri=https://auth.domain.tld/_oauth, consent=no_consent_required, code_id=6f35f292-a396-4354-8c69-d1d2cb839925, username=benjamin, authSessionParentId=6f35f292-a396-4354-8c69-d1d2cb839925, authSessionTabId=bCtO18Mpnsg
09:44:21,524 INFO  [org.keycloak.events] (default task-187) type=LOGIN, realmId=Internal Network, clientId=traefik-auth, userId=65cdf049-bf3d-459e-9be9-58d365024781, ipAddress=10.1.0.3, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://auth.domain.tld/_oauth, consent=no_consent_required, code_id=6f35f292-a396-4354-8c69-d1d2cb839925, response_mode=query, username=benjamin, authSessionParentId=6f35f292-a396-4354-8c69-d1d2cb839925, authSessionTabId=tJcmG8fnYlg
09:44:21,550 INFO  [org.keycloak.events] (default task-187) type=LOGIN, realmId=Internal Network, clientId=traefik-auth, userId=65cdf049-bf3d-459e-9be9-58d365024781, ipAddress=10.1.0.3, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://auth.domain.tld/_oauth, consent=no_consent_required, code_id=6f35f292-a396-4354-8c69-d1d2cb839925, response_mode=query, username=benjamin, authSessionParentId=6f35f292-a396-4354-8c69-d1d2cb839925, authSessionTabId=Q4WMXLivAME
09:44:21,580 INFO  [org.keycloak.events] (default task-187) type=LOGIN, realmId=Internal Network, clientId=traefik-auth, userId=65cdf049-bf3d-459e-9be9-58d365024781, ipAddress=10.1.0.3, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://auth.domain.tld/_oauth, consent=no_consent_required, code_id=6f35f292-a396-4354-8c69-d1d2cb839925, response_mode=query, username=benjamin, authSessionParentId=6f35f292-a396-4354-8c69-d1d2cb839925, authSessionTabId=N5f0gkxKVOs
09:44:21,605 INFO  [org.keycloak.events] (default task-187) type=LOGIN, realmId=Internal Network, clientId=traefik-auth, userId=65cdf049-bf3d-459e-9be9-58d365024781, ipAddress=10.1.0.3, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://auth.domain.tld/_oauth, consent=no_consent_required, code_id=6f35f292-a396-4354-8c69-d1d2cb839925, response_mode=query, username=benjamin, authSessionParentId=6f35f292-a396-4354-8c69-d1d2cb839925, authSessionTabId=su9CDmJYENU
09:44:21,628 INFO  [org.keycloak.events] (default task-187) type=LOGIN, realmId=Internal Network, clientId=traefik-auth, userId=65cdf049-bf3d-459e-9be9-58d365024781, ipAddress=10.1.0.3, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://auth.domain.tld/_oauth, consent=no_consent_required, code_id=6f35f292-a396-4354-8c69-d1d2cb839925, response_mode=query, username=benjamin, authSessionParentId=6f35f292-a396-4354-8c69-d1d2cb839925, authSessionTabId=F8CjgnNjAno
09:44:21,656 INFO  [org.keycloak.events] (default task-187) type=LOGIN, realmId=Internal Network, clientId=traefik-auth, userId=65cdf049-bf3d-459e-9be9-58d365024781, ipAddress=10.1.0.3, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://auth.domain.tld/_oauth, consent=no_consent_required, code_id=6f35f292-a396-4354-8c69-d1d2cb839925, response_mode=query, username=benjamin, authSessionParentId=6f35f292-a396-4354-8c69-d1d2cb839925, authSessionTabId=NsgK9pnSzQk
09:44:21,682 INFO  [org.keycloak.events] (default task-187) type=LOGIN, realmId=Internal Network, clientId=traefik-auth, userId=65cdf049-bf3d-459e-9be9-58d365024781, ipAddress=10.1.0.3, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://auth.domain.tld/_oauth, consent=no_consent_required, code_id=6f35f292-a396-4354-8c69-d1d2cb839925, response_mode=query, username=benjamin, authSessionParentId=6f35f292-a396-4354-8c69-d1d2cb839925, authSessionTabId=3bqfQFrbj3E
09:44:21,707 INFO  [org.keycloak.events] (default task-187) type=LOGIN, realmId=Internal Network, clientId=traefik-auth, userId=65cdf049-bf3d-459e-9be9-58d365024781, ipAddress=10.1.0.3, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://auth.domain.tld/_oauth, consent=no_consent_required, code_id=6f35f292-a396-4354-8c69-d1d2cb839925, response_mode=query, username=benjamin, authSessionParentId=6f35f292-a396-4354-8c69-d1d2cb839925, authSessionTabId=C_vceHfQOzk
09:44:21,731 INFO  [org.keycloak.events] (default task-187) type=LOGIN, realmId=Internal Network, clientId=traefik-auth, userId=65cdf049-bf3d-459e-9be9-58d365024781, ipAddress=10.1.0.3, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://auth.domain.tld/_oauth, consent=no_consent_required, code_id=6f35f292-a396-4354-8c69-d1d2cb839925, response_mode=query, username=benjamin, authSessionParentId=6f35f292-a396-4354-8c69-d1d2cb839925, authSessionTabId=ZVFaq1NmWx8

And for the traefik-auth container, here are the logs :

time="2019-10-29T09:44:13Z" level=debug msg="Handling request" Headers="map[X-Forwarded-Host:[auth.domain.tld] Sec-Fetch-Site:[none] X-Forwarded-For:[192.168.32.1] Dnt:[1] Accept-Encoding:[gzip, deflate, br] Accept-Language:[fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6,pt;q=0.5,tr;q=0.4,de;q=0.3,da;q=0.2,la;q=0.1] Upgrade-Insecure-Requests:[1] X-Forwarded-Proto:[https] X-Forwarded-Server:[1f4d3f943287] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3] X-Forwarded-Port:[443] X-Real-Ip:[192.168.32.1] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36] Sec-Fetch-Mode:[navigate]]" SourceIP=192.168.32.1
time="2019-10-29T09:44:13Z" level=debug msg="Set CSRF cookie and redirecting to oidc login" SourceIP=192.168.32.1
time="2019-10-29T09:44:13Z" level=debug msg="uri.Path was %s" SourceIP=192.168.32.1
time="2019-10-29T09:44:13Z" level=debug msg="fw.Path was %s/_oauth" SourceIP=192.168.32.1

time="2019-10-29T09:44:21Z" level=debug msg="Handling request" Headers="map[X-Forwarded-Server:[1f4d3f943287] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3] Cache-Control:[max-age=0] X-Forwarded-Port:[443] Sec-Fetch-User:[?1] X-Forwarded-For:[192.168.32.1] X-Forwarded-Host:[auth.domain.tld] Upgrade-Insecure-Requests:[1] X-Forwarded-Proto:[https] X-Real-Ip:[192.168.32.1] Accept-Encoding:[gzip, deflate, br] Accept-Language:[fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6,pt;q=0.5,tr;q=0.4,de;q=0.3,da;q=0.2,la;q=0.1] Referer:[https://sso.domain.tld/auth/realms/internal-network/protocol/openid-connect/auth?client_id=traefik-auth&redirect_uri=https%3A%2F%2Fauth.domain.tld%2F_oauth&response_type=code&scope=openid+profile+email&state=75596501f9afe65d1b30060c6e49db4a%3Ahttps%3A%2F%2Fauth.domain.tld] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[same-site] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36] Cookie:[_forward_auth_csrf=75596501f9afe65d1b30060c6e49db4a] Dnt:[1]]" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="Set CSRF cookie and redirecting to oidc login" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="uri.Path was %s" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="fw.Path was %s/_oauth" SourceIP=192.168.32.1

time="2019-10-29T09:44:21Z" level=debug msg="Handling request" Headers="map[Accept-Encoding:[gzip, deflate, br] Accept-Language:[fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6,pt;q=0.5,tr;q=0.4,de;q=0.3,da;q=0.2,la;q=0.1] Sec-Fetch-User:[?1] X-Forwarded-Server:[1f4d3f943287] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3] Dnt:[1] Sec-Fetch-Mode:[navigate] Cookie:[_forward_auth_csrf=2f0abafce814a47ca9ab5a25fd365b7a] Cache-Control:[max-age=0] Referer:[https://sso.domain.tld/auth/realms/internal-network/protocol/openid-connect/auth?client_id=traefik-auth&redirect_uri=https%3A%2F%2Fauth.domain.tld%2F_oauth&response_type=code&scope=openid+profile+email&state=75596501f9afe65d1b30060c6e49db4a%3Ahttps%3A%2F%2Fauth.domain.tld] Sec-Fetch-Site:[same-site] Upgrade-Insecure-Requests:[1] X-Forwarded-Host:[auth.domain.tld] X-Forwarded-Port:[443] X-Real-Ip:[192.168.32.1] X-Forwarded-For:[192.168.32.1] X-Forwarded-Proto:[https] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36]]" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="Set CSRF cookie and redirecting to oidc login" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="uri.Path was %s" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="fw.Path was %s/_oauth" SourceIP=192.168.32.1

time="2019-10-29T09:44:21Z" level=debug msg="Handling request" Headers="map[Accept-Language:[fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6,pt;q=0.5,tr;q=0.4,de;q=0.3,da;q=0.2,la;q=0.1] Cache-Control:[max-age=0] X-Forwarded-Server:[1f4d3f943287] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36] X-Forwarded-Host:[auth.domain.tld] Sec-Fetch-User:[?1] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3] Cookie:[_forward_auth_csrf=b8169ff5b8e06089009a9deb4b539fc6] Referer:[https://sso.domain.tld/auth/realms/internal-network/protocol/openid-connect/auth?client_id=traefik-auth&redirect_uri=https%3A%2F%2Fauth.domain.tld%2F_oauth&response_type=code&scope=openid+profile+email&state=75596501f9afe65d1b30060c6e49db4a%3Ahttps%3A%2F%2Fauth.domain.tld] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[same-site] Upgrade-Insecure-Requests:[1] X-Forwarded-For:[192.168.32.1] X-Real-Ip:[192.168.32.1] X-Forwarded-Port:[443] Dnt:[1] X-Forwarded-Proto:[https] Accept-Encoding:[gzip, deflate, br]]" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="Set CSRF cookie and redirecting to oidc login" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="uri.Path was %s" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="fw.Path was %s/_oauth" SourceIP=192.168.32.1

time="2019-10-29T09:44:21Z" level=debug msg="Handling request" Headers="map[Sec-Fetch-User:[?1] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3] Referer:[https://sso.domain.tld/auth/realms/internal-network/protocol/openid-connect/auth?client_id=traefik-auth&redirect_uri=https%3A%2F%2Fauth.domain.tld%2F_oauth&response_type=code&scope=openid+profile+email&state=75596501f9afe65d1b30060c6e49db4a%3Ahttps%3A%2F%2Fauth.domain.tld] X-Forwarded-Proto:[https] X-Forwarded-Server:[1f4d3f943287] Accept-Encoding:[gzip, deflate, br] Cache-Control:[max-age=0] Sec-Fetch-Site:[same-site] X-Forwarded-For:[192.168.32.1] X-Forwarded-Host:[auth.domain.tld] X-Real-Ip:[192.168.32.1] Accept-Language:[fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6,pt;q=0.5,tr;q=0.4,de;q=0.3,da;q=0.2,la;q=0.1] Dnt:[1] Sec-Fetch-Mode:[navigate] Upgrade-Insecure-Requests:[1] X-Forwarded-Port:[443] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36] Cookie:[_forward_auth_csrf=4df4c555e87b8b0866e2526d234e3b70]]" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="Set CSRF cookie and redirecting to oidc login" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="uri.Path was %s" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="fw.Path was %s/_oauth" SourceIP=192.168.32.1

time="2019-10-29T09:44:21Z" level=debug msg="Handling request" Headers="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3] Accept-Encoding:[gzip, deflate, br] Cache-Control:[max-age=0] Cookie:[_forward_auth_csrf=02b53e1dd999410c2acb20433f3298c1] X-Real-Ip:[192.168.32.1] Accept-Language:[fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6,pt;q=0.5,tr;q=0.4,de;q=0.3,da;q=0.2,la;q=0.1] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[same-site] X-Forwarded-For:[192.168.32.1] Sec-Fetch-User:[?1] X-Forwarded-Port:[443] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36] Dnt:[1] Referer:[https://sso.domain.tld/auth/realms/internal-network/protocol/openid-connect/auth?client_id=traefik-auth&redirect_uri=https%3A%2F%2Fauth.domain.tld%2F_oauth&response_type=code&scope=openid+profile+email&state=75596501f9afe65d1b30060c6e49db4a%3Ahttps%3A%2F%2Fauth.domain.tld] Upgrade-Insecure-Requests:[1] X-Forwarded-Host:[auth.domain.tld] X-Forwarded-Proto:[https] X-Forwarded-Server:[1f4d3f943287]]" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="Set CSRF cookie and redirecting to oidc login" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="uri.Path was %s" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="fw.Path was %s/_oauth" SourceIP=192.168.32.1

time="2019-10-29T09:44:21Z" level=debug msg="Handling request" Headers="map[Cookie:[_forward_auth_csrf=0c2706fb99677e5dd69078d486d6fa5a] Dnt:[1] X-Forwarded-Proto:[https] X-Forwarded-Server:[1f4d3f943287] X-Real-Ip:[192.168.32.1] Accept-Encoding:[gzip, deflate, br] Referer:[https://sso.domain.tld/auth/realms/internal-network/protocol/openid-connect/auth?client_id=traefik-auth&redirect_uri=https%3A%2F%2Fauth.domain.tld%2F_oauth&response_type=code&scope=openid+profile+email&state=75596501f9afe65d1b30060c6e49db4a%3Ahttps%3A%2F%2Fauth.domain.tld] Sec-Fetch-User:[?1] X-Forwarded-For:[192.168.32.1] X-Forwarded-Host:[auth.domain.tld] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3] X-Forwarded-Port:[443] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36] Accept-Language:[fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6,pt;q=0.5,tr;q=0.4,de;q=0.3,da;q=0.2,la;q=0.1] Cache-Control:[max-age=0] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[same-site] Upgrade-Insecure-Requests:[1]]" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="Set CSRF cookie and redirecting to oidc login" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="uri.Path was %s" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="fw.Path was %s/_oauth" SourceIP=192.168.32.1

time="2019-10-29T09:44:21Z" level=debug msg="Handling request" Headers="map[Referer:[https://sso.domain.tld/auth/realms/internal-network/protocol/openid-connect/auth?client_id=traefik-auth&redirect_uri=https%3A%2F%2Fauth.domain.tld%2F_oauth&response_type=code&scope=openid+profile+email&state=75596501f9afe65d1b30060c6e49db4a%3Ahttps%3A%2F%2Fauth.domain.tld] X-Forwarded-For:[192.168.32.1] Upgrade-Insecure-Requests:[1] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3] Accept-Encoding:[gzip, deflate, br] Accept-Language:[fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6,pt;q=0.5,tr;q=0.4,de;q=0.3,da;q=0.2,la;q=0.1] Sec-Fetch-Mode:[navigate] X-Forwarded-Host:[auth.domain.tld] X-Forwarded-Port:[443] X-Forwarded-Server:[1f4d3f943287] Sec-Fetch-User:[?1] X-Forwarded-Proto:[https] X-Real-Ip:[192.168.32.1] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36] Cache-Control:[max-age=0] Cookie:[_forward_auth_csrf=b14f5d93e564e7d9ca5aebdb03637794] Dnt:[1] Sec-Fetch-Site:[same-site]]" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="Set CSRF cookie and redirecting to oidc login" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="uri.Path was %s" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="fw.Path was %s/_oauth" SourceIP=192.168.32.1

time="2019-10-29T09:44:21Z" level=debug msg="Handling request" Headers="map[X-Forwarded-Port:[443] X-Forwarded-Server:[1f4d3f943287] Referer:[https://sso.domain.tld/auth/realms/internal-network/protocol/openid-connect/auth?client_id=traefik-auth&redirect_uri=https%3A%2F%2Fauth.domain.tld%2F_oauth&response_type=code&scope=openid+profile+email&state=75596501f9afe65d1b30060c6e49db4a%3Ahttps%3A%2F%2Fauth.domain.tld] Upgrade-Insecure-Requests:[1] Sec-Fetch-Mode:[navigate] X-Real-Ip:[192.168.32.1] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36] Accept-Language:[fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6,pt;q=0.5,tr;q=0.4,de;q=0.3,da;q=0.2,la;q=0.1] Dnt:[1] X-Forwarded-For:[192.168.32.1] X-Forwarded-Proto:[https] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3] Accept-Encoding:[gzip, deflate, br] Sec-Fetch-User:[?1] X-Forwarded-Host:[auth.domain.tld] Cache-Control:[max-age=0] Cookie:[_forward_auth_csrf=a47ef0643266f30b192397c95f040d3c] Sec-Fetch-Site:[same-site]]" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="Set CSRF cookie and redirecting to oidc login" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="uri.Path was %s" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="fw.Path was %s/_oauth" SourceIP=192.168.32.1

time="2019-10-29T09:44:21Z" level=debug msg="Handling request" Headers="map[Accept-Language:[fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6,pt;q=0.5,tr;q=0.4,de;q=0.3,da;q=0.2,la;q=0.1] Cache-Control:[max-age=0] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[same-site] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] Accept-Encoding:[gzip, deflate, br] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36] Cookie:[_forward_auth_csrf=847108ccdb9a738e5ed360c6b442e082] X-Real-Ip:[192.168.32.1] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3] Dnt:[1] Referer:[https://sso.domain.tld/auth/realms/internal-network/protocol/openid-connect/auth?client_id=traefik-auth&redirect_uri=https%3A%2F%2Fauth.domain.tld%2F_oauth&response_type=code&scope=openid+profile+email&state=75596501f9afe65d1b30060c6e49db4a%3Ahttps%3A%2F%2Fauth.domain.tld] Sec-Fetch-User:[?1] X-Forwarded-For:[192.168.32.1] X-Forwarded-Host:[auth.domain.tld] X-Forwarded-Server:[1f4d3f943287]]" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="Set CSRF cookie and redirecting to oidc login" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="uri.Path was %s" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="fw.Path was %s/_oauth" SourceIP=192.168.32.1

time="2019-10-29T09:44:21Z" level=debug msg="Handling request" Headers="map[Accept-Encoding:[gzip, deflate, br] Cookie:[_forward_auth_csrf=e2b2da4c95ace485308dba4d04cee3df] Sec-Fetch-Site:[same-site] X-Forwarded-Host:[auth.domain.tld] X-Forwarded-Port:[443] X-Real-Ip:[192.168.32.1] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36] Dnt:[1] Referer:[https://sso.domain.tld/auth/realms/internal-network/protocol/openid-connect/auth?client_id=traefik-auth&redirect_uri=https%3A%2F%2Fauth.domain.tld%2F_oauth&response_type=code&scope=openid+profile+email&state=75596501f9afe65d1b30060c6e49db4a%3Ahttps%3A%2F%2Fauth.domain.tld] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] X-Forwarded-For:[192.168.32.1] X-Forwarded-Proto:[https] Accept-Language:[fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6,pt;q=0.5,tr;q=0.4,de;q=0.3,da;q=0.2,la;q=0.1] Cache-Control:[max-age=0] Sec-Fetch-Mode:[navigate] X-Forwarded-Server:[1f4d3f943287] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3]]" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="Set CSRF cookie and redirecting to oidc login" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="uri.Path was %s" SourceIP=192.168.32.1
time="2019-10-29T09:44:21Z" level=debug msg="fw.Path was %s/_oauth" SourceIP=192.168.32.1

As you can see, no error mentioned... Don't know what's wrong here :roll_eyes:

EDIT : here is more information about my setup

  • Keycloak instance is running in a Kubernetes Cluster (on the same network), it's the Helm Chart v6.0.0 (with env variable PROXY_ADDRESS_FORWARDING="true") - https://hub.helm.sh/charts/codecentric/keycloak
  • Traefik and Traefik-auth containers are running on server 10.1.0.3
  • 192.168.32.1 is the docker bridge
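
Added example, not part of the original posts: a small Python triage of traefik-auth debug output in the shape shown above. It counts requests that were sent back to the OIDC login, checks whether they carried the X-Forwarded-Uri header that Traefik's forwardAuth middleware adds to the requests it sends to the auth server, and flags the loop. The log samples, cookie values and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

LINE = re.compile(r'msg="(?P<msg>[^"]*)"(?: Headers="map\[(?P<hdrs>.*)\]")?')
HEADER = re.compile(r'([A-Za-z0-9-]+):\[([^\]]*)\]')   # Go map print: Name:[value]
CSRF = re.compile(r'_forward_auth_csrf=([0-9a-f]+)')
REDIRECT_MSG = "Set CSRF cookie and redirecting to oidc login"

# --- Constructed sample input, shortened from the shape of the posted log ---
_REFERER = ("Referer:[https://sso.domain.tld/auth/realms/internal-network/protocol/"
            "openid-connect/auth?client_id=traefik-auth"
            "&redirect_uri=https%3A%2F%2Fauth.domain.tld%2F_oauth&response_type=code]")


def _entry(headers, redirected):
    """Build one constructed 'Handling request' entry, optionally followed by a redirect."""
    lines = ['time="2019-10-29T09:44:21Z" level=debug msg="Handling request" '
             f'Headers="map[{headers}]" SourceIP=192.168.32.1']
    if redirected:
        lines.append(f'time="2019-10-29T09:44:21Z" level=debug msg="{REDIRECT_MSG}" '
                     'SourceIP=192.168.32.1')
    return "\n".join(lines)


# Looping shape: no X-Forwarded-Uri, a new CSRF cookie on every return from the issuer.
LOOP_LOG = "\n".join([
    _entry("X-Forwarded-Host:[auth.domain.tld] X-Forwarded-Proto:[https]", True),
    *(_entry(f"X-Forwarded-Host:[auth.domain.tld] Cookie:[_forward_auth_csrf={c}] "
             f"{_REFERER}", True) for c in ("1111aaaa", "2222bbbb", "3333cccc")),
])
# Contrast (constructed): requests arrive through forwardAuth and carry X-Forwarded-Uri.
HEALTHY_LOG = "\n".join([
    _entry("X-Forwarded-Host:[proxy.domain.tld] X-Forwarded-Uri:[/dashboard/]", True),
    _entry("X-Forwarded-Host:[auth.domain.tld] X-Forwarded-Uri:[/_oauth?code=CONSTRUCTED] "
           f"Cookie:[_forward_auth_csrf=1111aaaa] {_REFERER}", False),
])


def parse_requests(log_text):
    """Return one record per 'Handling request' entry with its parsed headers and outcome."""
    requests = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if m.group("msg") == "Handling request":
            headers = dict(HEADER.findall(m.group("hdrs") or ""))
            requests.append({"headers": headers, "sent_to_login": False})
        elif m.group("msg") == REDIRECT_MSG and requests:
            requests[-1]["sent_to_login"] = True
    return requests


def returned_from_idp(headers):
    """True when the Referer is an authorization URL whose redirect_uri targets this host."""
    query = parse_qs(urlsplit(headers.get("Referer", "")).query)
    target = urlsplit(query.get("redirect_uri", [""])[0]).hostname
    return target is not None and target == headers.get("X-Forwarded-Host")


def diagnose(log_text, threshold=3):
    """Summarise the log and flag a login redirect loop."""
    reqs = parse_requests(log_text)
    streak = longest = 0
    for r in reqs:
        streak = streak + 1 if r["sent_to_login"] else 0
        longest = max(longest, streak)
    bounced = [r for r in reqs if r["sent_to_login"] and returned_from_idp(r["headers"])]
    cookies = {m.group(1) for r in reqs
               if (m := CSRF.search(r["headers"].get("Cookie", "")))}
    return {
        "requests": len(reqs),
        "longest_login_streak": longest,
        "without_forwarded_uri": sum("X-Forwarded-Uri" not in r["headers"] for r in reqs),
        "callbacks_sent_back_to_login": len(bounced),
        "distinct_csrf_cookies": len(cookies),
        "loop": longest >= threshold and len(bounced) > 0,
    }


if __name__ == "__main__":
    for name, text in (("loop", LOOP_LOG), ("healthy", HEALTHY_LOG)):
        print(name, diagnose(text))
```

On the looping sample every request arrives without X-Forwarded-Uri and each return from the issuer is answered with another login redirect and a fresh CSRF cookie, which is the pattern visible in the debug log above.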

OK, so here was the mistake : you need to apply the middleware "keycloak" to the traefik-auth container.

So here is my docker-compose now :

version: "3.5"

services:

  traefik:
    container_name: traefik
    image: traefik:v2.0
    environment:
      - CF_API_EMAIL=xxx@xxxx.xx
      - CF_API_KEY=xxxxxxxxxxxxxxxx
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./dynamic/:/dynamic/
      - ./static/:/etc/traefik/
      - ./log:/log
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - internal_network
    labels:
      traefik.enable: true
      traefik.http.routers.api.entrypoints: web-secure
      traefik.http.routers.api.rule: Host("proxy.domain.tld")
      traefik.http.routers.api.tls: true
      traefik.http.routers.api.tls.certresolver: cloudflare
      traefik.http.routers.api.service: api@internal
      traefik.http.services.api.loadbalancer.healthcheck.path: /ping
      traefik.http.routers.api.middlewares: keycloak@file # Protect Web UI
    restart: always

  traefik-auth:
    container_name: traefik-auth
    image: funkypenguin/traefik-forward-auth
    environment:
      - CLIENT_ID=traefik-auth
      - CLIENT_SECRET=<random_secret>
      - OIDC_ISSUER=https://sso.domain.tld/auth/realms/internal-network
      - SECRET=LH49wCZ4ZijgUTfm8etb
      - AUTH_HOST=auth.domain.tld
      - COOKIE_DOMAINS=domain.tld
      - LOG_LEVEL=debug
    networks:
      - internal_network
    labels:
      traefik.enable: true
      traefik.http.routers.auth.entrypoints: web-secure
      traefik.http.routers.auth.rule: Host("auth.domain.tld")
      traefik.http.routers.auth.tls: true
      traefik.http.routers.auth.tls.certresolver: cloudflare
      traefik.http.routers.auth.service: auth@docker
      traefik.http.services.auth.loadbalancer.server.port: 4181
      traefik.http.routers.auth.middlewares: keycloak@file # <-- APPLY MIDDLEWARE TO ITSELF
    restart: always

networks:
  internal_network:
    name: internal_network
    driver: bridge

The middleware in my /dynamic/global.yaml :

http:
  middlewares:
    keycloak:
      forwardAuth:
        address: "http://traefik-auth:4181"
        trustForwardHeader: true
        authResponseHeaders:
          - "X-Forwarded-User"

Thanks for posting the solution! I look forward to using this soon

This is more a reminder for me if I ever end up at this post again but hopefully it helps some other users as well.

It is very very important that you use an internal connection for traefik.http.middlewares.api.forwardAuth.address or Traefik will redirect loop you.


Thanks for posting this, it was the solution to the loop problem for me too

Thank you!
Two weeks looping until I found your response!