Hello everyone,
I'm facing an issue with OAuth authentication in Portainer across two different domains, and I hope you can offer some assistance.
Setup:
- I'm using Portainer to manage my Docker environment.
- Traefik is my reverse proxy.
- Authentik is my Identity Provider for OAuth authentication.
- I want to access Portainer via two different domains:
  - External domain: portainer.example.com
  - Internal domain: portainer.intern
Problem:
Portainer only allows specifying a single redirect URL for OAuth authentication in its settings, which means OAuth login works with only one domain by default.
When I set the redirect URL in Portainer to https://portainer.example.com/, OAuth authentication works perfectly through this domain. However, when I try to log in via the internal domain https://portainer.intern, I receive the error:
"Invalid OAuth state, try again."
Attempts to Solve:
- Host Header Rewriting in Traefik:
  I tried rewriting the Host header in Traefik so that requests from the internal domain are forwarded to Portainer with the external Host header.
  This led to issues with sessions and cookies since they are bound to the original domain. As a result, the "Invalid OAuth state" error occurred.
- Using an OAuth2 Proxy:
  I considered using an OAuth2 proxy to handle the authentication in front of Portainer.
  However, this resulted in being prompted for login twice: once by the proxy and then again by the OAuth button in Portainer. I want to avoid this double login.
- Using Authentik's Proxy Provider:
  The proxy provider from Authentik is better suited for applications that don't have native OAuth support. Since Portainer has built-in OAuth, this approach isn't ideal for me.
- Using a Single Domain:
  Limiting access to just one domain is not an option for me, as I need to use both the external and internal domains.
Question:
Do you see a way to achieve this using Traefik?
I'm open to alternative approaches or solutions that could resolve my problem.
Thank you in advance for your help!