Kubernetes-dashboard with traefik-forward-auth

Hello experts,

I'm new to k8s & traefik. My goal is to authenticate kubernetes-dashboard with OIDC authentication.

I'm able to do it with traefik-forward-auth + IODC (DEX) but post authentication success. I'm still redirecting to kubernetes-dashabord login page at the end. Below is the spec for my middleware, able to authenticate but k8s-dashboard redirecting to login page again.

address: http://traefik-forward-auth.traefik:4181
- X-Forwarded-User
trustForwardHeader: true

Any suggestions will be great help.

Thanks, Ps

Hello @psreddy22,

Thanks for your interest in Traefik!

I understand that the k8s-dashboard is expecting an Authorization header containing a valid JWT bearer token.
I'm not familiar with DEX, but as a quick look, the basic authentication logic is to follow redirects:

  • User visits client app.
  • Client app redirects user to dex with an OAuth2 request.
  • Dex determines user’s identity.
  • Dex redirects user to client with a code.
  • Client exchanges code with dex for an id_token.

Using the ForwardAuthmiddleware this way would lead to this scenario:

  • Client hits Traefik with unauthorized request
  • Traefik Forward auth middleware forwards to DEX
  • DEX redirects to its login page (backend not reached)
  • Client hits login page and authenticates
  • DEX redirects with original request
  • Client hits again Traefik with authorized request
  • Traefik Forward auth middleware forwards to DEX
  • DEX returns HTTP 200
  • Traefik grant the request to be performed

For now, I cannot suggest anything except verifying that each step is achieved successfully.
To troubleshoot your issue, can you share a minimal reproducible case and your logs?