How do i use forwardauth for Traefik dashboard?


I am trying to secure access to the traefik dashboard with our Keycloak instance. For this, i have discovered the forwardauth feature: Traefik ForwardAuth Documentation - Traefik .

The help page states, that I just need "- traefik.http.middlewares.test-auth.forwardauth.address=" label for it to work.

When added the label to my docker-compose file, it does not seem to do anything. I have discovered, that I need to actually use the middleware with "- traefik.http.routers.dashboard.middlewares=dashboard-auth@docker" label. But even after this, I am not forwarded to the auth server.

This is my full compose file: openSUSE Paste

Can anyone tell me what am i missing? Do i need externally running "mesosphere/traefik-forward-auth", as seen in some guides?

Or how do i accomplish external authorization for the given service ( dashboard running on port 3000 )?

Thank you very much for any hints.

Did you check some tutorials on the Internet? Seems you need a supporting traefik-forward-auth container (article, github).

Yeah that is part of my question. I am not sure if the supporting container is still required, because it is not mentioned in forwardauth help page: Traefik ForwardAuth Documentation - Traefik .

My assumption is that it's an old approach and it's not required anymore. Is this not true and do i really still need it?


Traefik ForwardAuth has a very specific API where the auth service must return status 200 for the request to go through. I assume that a traefik-forward-auth service is packaging the external auth process for Traefik to get the desired status code.

"The ForwardAuth middleware delegates authentication to an external service. If the service answers with a 2XX code, access is granted, and the original request is performed. Otherwise, the response from the authentication server is returned."

Let me clarify few things please:

"external service" = IDP (for example Keycloak) ?
"service answers" = IDP sends 200 status code to traefik upon successful auth ?

I still cannot see where the "traefik-forward-auth" service is located in this situation. In my head I see it as IDP is sending 200 status code to the traefik. What exactly is the "traefik-forward-auth" doing, then? It is the recieving side of the 200 status code and just forwards it to Traefik? Is it the server that redirects you to IDP upon first visit? What exactly is it doing?

Please note, that my problem is currently, that the traefik is not forwarding me to the IDP upon first visit. I just get unauthenticated access and can see the dashboard like there is no forwardauth. Forwardauth is just not redirecting me to the IDP, so it cannot recieve any status code.

Ok, I got some progress.

I was able to get forwardauth talking to the IDP (yes, the traefik-forward-auth service is really required). Now i get this error from traefik-forward-auth:

failed to exchange token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {"error":"invalid_grant","error_description":"Code not valid"}

Which seems to be error on IDP side, which tells me that:
KC-SERVICES0093: Invalid parameter value for: scope
type=LOGIN_ERROR, realmId=1c385ee1-c0a8-4442-9ad0-302d7430e247, clientId=traefik-dashboard, userId=null, ipAddress=, error=invalid_request, response_type=co
de, redirect_uri=https://dashboard.traefik.mysite/_oauth, response_mode=query

And the source of the error seems to be caused by: "error_description=Invalid+scopes%3A+openid+profile+email+groups".

I struggled with this some time back. I finally got it working and published the results here:

GitHub - stevegroom/traefikGateway: Turnkey Traefik Gateway with Let's Encrypt TLS, KeyCloak SSO and Jaeger tracing.

I've not attempted to update it to current versions, so may need some work.


1 Like