Kubernetes-dashboard with traefik-forward-auth

Hello experts,

I'm new to k8s & traefik. My goal is to authenticate kubernetes-dashboard with OIDC authentication.

I'm able to do it with traefik-forward-auth + OIDC (DEX), but after authentication succeeds I'm still being redirected to the kubernetes-dashboard login page at the end. Below is the spec for my middleware; it is able to authenticate, but k8s-dashboard redirects to the login page again.

forwardAuth:
  address: http://traefik-forward-auth.traefik:4181
  authResponseHeaders:
    - X-Forwarded-User
  trustForwardHeader: true

Any suggestions would be a great help.

Thanks, Ps

Hello @psreddy22,

Thanks for your interest in Traefik!

I understand that the k8s-dashboard is expecting an Authorization header containing a valid JWT bearer token.
I'm not familiar with DEX, but from a quick look, the basic authentication logic is to follow redirects:

  • User visits client app.
  • Client app redirects user to dex with an OAuth2 request.
  • Dex determines user’s identity.
  • Dex redirects user to client with a code.
  • Client exchanges code with dex for an id_token.

Using the ForwardAuth middleware this way would lead to this scenario:

  • Client hits Traefik with unauthorized request
  • Traefik Forward auth middleware forwards to DEX
  • DEX redirects to its login page (backend not reached)
  • Client hits login page and authenticates
  • DEX redirects with original request
  • Client hits Traefik again with authorized request
  • Traefik Forward auth middleware forwards to DEX
  • DEX returns HTTP 200
  • Traefik grants the request to be performed

For now, I cannot suggest anything except verifying that each step is achieved successfully.
To troubleshoot your issue, can you share a minimal reproducible case and your logs?
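
The ForwardAuth flow discussed in this thread, as an added example that is not part of either post and is not Traefik's code: a simplified model of how the middleware decides where a request goes and which headers the dashboard finally receives. The auth-server responses, the Dex URL, the cookie and the user name are constructed samples, and it assumes the auth service returns only X-Forwarded-User on success.

```python
# Simplified model of a ForwardAuth middleware (assumption: mirrors Traefik's
# documented behaviour; helper names are hypothetical).

def forward_auth(client_headers, auth_status, auth_headers, auth_response_headers):
    """Return (destination, status, headers) for one request."""
    if not 200 <= auth_status < 300:
        # Non-2xx: the auth server's answer (e.g. a redirect to the IdP)
        # goes back to the client; the backend is never reached.
        return ("client", auth_status, dict(auth_headers))
    backend = {k.lower(): v for k, v in client_headers.items()}
    auth = {k.lower(): v for k, v in auth_headers.items()}
    for name in auth_response_headers:
        key = name.lower()
        backend.pop(key, None)        # a listed header never comes from the client
        if key in auth:
            backend[key] = auth[key]  # copied from the auth response instead
    return ("backend", None, backend)

def has_bearer_token(headers):
    """True when the request carries the header the dashboard expects."""
    return headers.get("authorization", "").startswith("Bearer ")

# Middleware setting from the question.
AUTH_RESPONSE_HEADERS = ["X-Forwarded-User"]

# Constructed sample: first visit, no session yet -> redirect to the IdP.
first = forward_auth(
    {"Host": "dashboard.example.test"},
    307, {"Location": "https://dex.example.test/auth"},
    AUTH_RESPONSE_HEADERS,
)

# Constructed sample: after login the auth service answers 200.
second = forward_auth(
    {"Host": "dashboard.example.test", "Cookie": "_forward_auth=sample"},
    200, {"X-Forwarded-User": "user@example.test"},
    AUTH_RESPONSE_HEADERS,
)

if __name__ == "__main__":
    print("first request  ->", first[0], first[1])
    print("second request ->", second[0], sorted(second[2]))
    print("bearer token reaches dashboard:", has_bearer_token(second[2]))
```

Under these assumptions the second request reaches the dashboard with X-Forwarded-User but without an Authorization header, which is the condition to check for in the backend's incoming request when the login page reappears.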