I have configured a middleware with the traefik-oidc-auth plugin. I get the "no public keys" error after successfully authenticating against Authentik SSO.
Just trying to put the dashboard behind authentication here. Yes, basicAuth was only there as a test when I was trying to figure out why middlewares weren't loading.
Log Entries:
2024-12-06 20:10:01 [ERROR] [traefik-oidc-auth] Failed reading state cookie: http: named cookie not present
2024-12-06 20:10:02 [ERROR] [traefik-oidc-auth] Returned token is not valid: no public Keys found
config.yml:
global:
  checknewversion: true # Periodically check if a new version has been released.
  sendanonymoususage: true # Periodically send anonymous usage statistics.
log:
  level: WARN
api:
  dashboard: true
serversTransport:
  insecureSkipVerify: true
entryPoints:
  https:
    address: ":443" # Create the HTTPS entrypoint on port 443
  metrics:
    address: ":8082" # Create the HTTP metrics entrypoint on port 8082
certificatesResolvers:
  dns-cloudflare-nti:
    acme:
      caServer: https://acme-v02.api.letsencrypt.org/directory # LE Production
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory # LE Staging
      dnsChallenge:
        provider: cloudflare
        resolvers: 1.1.1.1:53,1.0.0.1:53
        delayBeforeCheck: 90
      email: (redacted)
      storage: /etc/traefik/acme.json
providers:
  docker:
    endpoint: "tcp://socket-proxy-traefik:2375" # Docker API reached through the socket-proxy container
    exposedByDefault: false # Only expose containers that are explicitly enabled (using label traefik.enable)
    network: "traefik-backend" # Default network to use for connections to all containers.
    watch: true # Watch Docker events
  file:
    filename: "/etc/traefik/configs/config.yml" # Link to the dynamic configuration
    directory: "/etc/traefik/configs/dynamic" # Link to the dynamic configuration
    watch: true
  providersThrottleDuration: 10 # Configuration reload frequency
metrics:
  prometheus:
    manualRouting: true
    buckets:
      - 0.1
      - 0.3
      - 1.2
      - 5.0
experimental:
  plugins:
    traefik-oidc-auth:
      moduleName: "github.com/sevensolutions/traefik-oidc-auth"
      version: "v0.4.1"
middlewares.yml:
http:
  middlewares:
    traefik-auth:
      basicAuth:
        users:
          - "user:passwd"
    TraefikOIDC:
      plugin:
        traefik-oidc-auth:
          Provider:
            Url: "https://sso.example.com/application/o/traefik/"
            ClientId: "...."
            ClientSecret: "...."
            Scopes: ["openid", "profile", "email"]
          Authorization:
            AssertClaims:
              - Name: "roles"
                AllOf: ["Traefik - Admins"]
docker-compose.yml:
services:
  traefik:
    image: docker.io/library/traefik:v3.2.1
    container_name: traefik
    stdin_open: true
    tty: true
    command:
      - --configFile=/etc/traefik/configs/config.yml
    ports:
      - 443:443
    volumes:
      - traefik-dynamic:/etc/traefik
    environment:
      - CF_DNS_API_TOKEN=(redacted)
      - TZ=America/New_York
    networks:
      - traefik-backend
      - socket_proxy
    restart: unless-stopped
    labels:
      # Enable Traefik
      - "traefik.enable=true"
      # HTTP Router - traefik-secure
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`proxy.mydomain.com`)"
      - "traefik.http.routers.traefik-secure.tls.certresolver=dns-cloudflare-nti"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik-secure.middlewares=TraefikOIDC@file"
      # HTTP Router - traefik-stats
      - "traefik.http.routers.stats-traefik-secure.tls=true"
      - "traefik.http.routers.stats-traefik-secure.entrypoints=https"
      - "traefik.http.routers.stats-traefik-secure.rule=Host(`stats.proxy.mydomain.com`)"
      - "traefik.http.routers.stats-traefik-secure.service=prometheus@internal"
volumes:
  traefik-config:
    driver: local
  traefik-dynamic:
    driver: local
networks:
  traefik-backend:
    name: traefik-backend
  socket_proxy:
    name: socket_proxy
    external: true
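The "no public Keys found" message is about the key set the plugin loads from the provider to verify the returned token, so the first thing to check from the Traefik host is what the provider actually publishes. The script below is an added diagnostic for that, written for this thread; it is not code from the traefik-oidc-auth plugin, from Authentik, or from the original post. It assumes the provider exposes standard OIDC discovery at `<Url>/.well-known/openid-configuration` (with the `Url` from the middleware config) and that the discovery document's `jwks_uri` returns a JWK Set. The sample discovery and JWKS documents embedded for offline use are constructed, not real Authentik output.

```python
"""Check the OIDC provider's published signing keys (JWK Set) from the proxy side.

Added diagnostic, not part of traefik-oidc-auth or Authentik. Assumes standard
OIDC discovery at <Url>/.well-known/openid-configuration and a JWK Set (RFC 7517)
at the discovery document's "jwks_uri".
"""
import json
import urllib.request

# JWS algorithms an ID token is normally signed with. A key advertising an
# encryption algorithm (e.g. RSA-OAEP) cannot verify a token signature.
SIGNING_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                "ES256", "ES384", "ES512", "EdDSA"}


def discovery_url(provider_url: str) -> str:
    """Build the discovery URL; tolerates a trailing slash on the provider Url."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


def check_jwks(jwks: dict) -> dict:
    """Report which keys in a JWK Set could verify an ID token signature.

    Returns {"ok": bool, "usable_kids": [...], "problems": [...]}; "ok" is False
    when no key could verify a signature, which is the situation behind a
    "no public keys" style error on the relying-party side.
    """
    problems, usable = [], []
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        problems.append('JWKS has no "keys" entries: the provider publishes no public keys')
        return {"ok": False, "usable_kids": usable, "problems": problems}
    for i, key in enumerate(keys):
        kid = key.get("kid", f"<no kid, index {i}>")
        kty, use, alg = key.get("kty"), key.get("use"), key.get("alg")
        if kty not in ("RSA", "EC", "OKP"):
            problems.append(f"{kid}: unsupported or missing kty {kty!r}")
            continue
        if use not in (None, "sig"):
            problems.append(f"{kid}: use={use!r}, not a signature key")
            continue
        if alg is not None and alg not in SIGNING_ALGS:
            problems.append(f"{kid}: alg={alg!r} is not a signing algorithm")
            continue
        if kty == "RSA" and not (key.get("n") and key.get("e")):
            problems.append(f"{kid}: RSA key is missing its n/e parameters")
            continue
        if kty == "EC" and not (key.get("crv") and key.get("x") and key.get("y")):
            problems.append(f"{kid}: EC key is missing crv/x/y")
            continue
        if "kid" not in key:
            # Still usable, but a token header "kid" can never select it.
            problems.append(f"{kid}: key has no kid")
        usable.append(kid)
    return {"ok": bool(usable), "usable_kids": usable, "problems": problems}


def fetch_json(url: str, timeout: float = 10.0) -> dict:
    """Fetch and decode a JSON document (used for live checks only)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def diagnose(provider_url: str, fetch=fetch_json) -> dict:
    """Follow discovery -> jwks_uri -> JWKS and check the keys.

    `fetch` is injectable so the logic can run offline against sample documents.
    """
    disc = fetch(discovery_url(provider_url))
    report = {"issuer": disc.get("issuer"), "jwks_uri": disc.get("jwks_uri")}
    notes = []
    if report["issuer"] and report["issuer"].rstrip("/") != provider_url.rstrip("/"):
        notes.append(f'issuer {report["issuer"]!r} differs from the configured Url; '
                     "an iss-claim check against the configured Url will fail")
    if not report["jwks_uri"]:
        report.update(ok=False, usable_kids=[],
                      problems=notes + ["discovery document has no jwks_uri"])
        return report
    report.update(check_jwks(fetch(report["jwks_uri"])))
    report["problems"] = notes + report["problems"]
    return report


# Constructed sample documents (hypothetical, not real Authentik output).
SAMPLE_DISCOVERY = {
    "issuer": "https://sso.example.com/application/o/traefik/",
    "jwks_uri": "https://sso.example.com/application/o/traefik/jwks/",
}
SAMPLE_JWKS_OK = {"keys": [{"kty": "RSA", "kid": "constructed-kid-1", "use": "sig",
                            "alg": "RS256", "n": "constructed-modulus", "e": "AQAB"}]}
SAMPLE_JWKS_EMPTY = {"keys": []}


def offline_fetch(docs: dict):
    """Return a fetch function that serves documents from a dict keyed by URL."""
    return lambda url, timeout=10.0: docs[url]


if __name__ == "__main__":
    import sys
    # Live check: python jwks_check.py https://sso.example.com/application/o/traefik/
    url = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_DISCOVERY["issuer"]
    fetch = fetch_json if len(sys.argv) > 1 else offline_fetch(
        {discovery_url(url): SAMPLE_DISCOVERY, SAMPLE_DISCOVERY["jwks_uri"]: SAMPLE_JWKS_EMPTY})
    print(json.dumps(diagnose(url, fetch=fetch), indent=2))
```

Run it with the middleware's `Provider.Url` as the argument from inside the Traefik container's network, so it sees the same DNS and TLS path the plugin does. An empty `keys` array, a `jwks_uri` that is unreachable from the container, or an `issuer` that does not match the configured `Url` are each worth ruling out before looking at the plugin itself.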