Description: I’m struggling with an infinite redirect loop when using Traefik v3 (Docker provider), thomseddon/traefik-forward-auth (OIDC), Azure AD, and Cloudflare Tunnel for public access. The session cookie (_forward_auth_session) is never set, only the CSRF cookie appears, and the callback keeps redirecting.
Setup:
- Traefik v3.5.0 (Docker provider, full header logging enabled)
- thomseddon/traefik-forward-auth:2.2 (latest stable that works with Portainer)
- Azure AD App Registration (redirect URI: https://sentinel.mydomain.tld/_oauth)
- Cloudflare Tunnel for public DNS
- Wazuh dashboard behind Traefik, protected by OIDC
Relevant docker-compose.yml excerpt:

services:
  traefik:
    image: traefik:v3.5.0
    ports:
      - "80:80"
      - "443:443"
    command:
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--accesslog.fields.headers.defaultmode=keep"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entryPoint.permanent=true"
      - "--entrypoints.websecure.forwardedHeaders.insecure=true"
      # ...certresolver and ACME config...
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wazuh-dashboard.rule=Host(`sentinel.mydomain.tld`)"
      - "traefik.http.routers.wazuh-dashboard.entrypoints=websecure"
      - "traefik.http.routers.wazuh-dashboard.tls.certresolver=cloudflare"
      - "traefik.http.routers.wazuh-dashboard.middlewares=forward-auth"
      - "traefik.http.services.wazuh-dashboard.loadbalancer.server.port=5601"
      - "traefik.http.routers.forward-auth-callback.rule=Host(`sentinel.mydomain.tld`) && PathPrefix(`/_oauth`)"
      - "traefik.http.routers.forward-auth-callback.entrypoints=websecure"
      - "traefik.http.routers.forward-auth-callback.tls=true"
      - "traefik.http.routers.forward-auth-callback.tls.certresolver=cloudflare"
      - "traefik.http.routers.forward-auth-callback.priority=90"
      - "traefik.http.routers.forward-auth-callback.service=forward-auth"

  forward-auth:
    image: thomseddon/traefik-forward-auth:2.2
    environment:
      - DEFAULT_PROVIDER=oidc
      - PROVIDERS_OIDC_ISSUER_URL=https://login.microsoftonline.com/<tenant-id>/v2.0
      - PROVIDERS_OIDC_CLIENT_ID=<redacted>
      - PROVIDERS_OIDC_CLIENT_SECRET=<redacted>
      - SECRET=<redacted>
      - INSECURE_COOKIE=true
      - AUTH_HOST=sentinel.mydomain.tld
      # - COOKIE_DOMAIN=.mydomain.tld (tried with/without)
      - LOG_LEVEL=debug
      - LIFETIME=43200
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.forward-auth.forwardauth.address=http://forward-auth:4181"
      - "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.forward-auth.loadbalancer.server.port=4181"
Azure AD App Registration:
- Redirect URI: https://sentinel.mydomain.tld/_oauth
- Permissions: openid, profile, email, User.Read (all delegated, admin consent granted)
Symptoms:
- Browser is redirected to Azure AD, login succeeds, callback hits /_oauth, but only the CSRF cookie is set.
- No _forward_auth_session cookie is ever set.
- Traefik logs show only 307 redirects, never a 200/302 with Set-Cookie.
- Infinite redirect loop, never authenticated.
Troubleshooting tried:
- Verified all OIDC secrets/IDs.
- Tried with/without COOKIE_DOMAIN.
- Set AUTH_HOST.
- Container/system time matches.
- No errors in forward-auth logs, only debug messages about CSRF.
- Traefik callback router and middleware config match the docs.
- Cloudflare Tunnel is working, public DNS resolves.
Questions:
- Is there a known issue with OIDC callback handling in traefik-forward-auth:2.2 and Traefik v3?
- Is there a required config for the session cookie that I'm missing?
- Any tips for debugging why the session cookie is never set?
- Is there a working example for Azure AD OIDC with Traefik v3 and traefik-forward-auth?
Any help or pointers appreciated!
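An added diagnostic example (not part of the post above, and not code from Traefik or traefik-forward-auth) for the "how do I debug why the session cookie is never set" question: it scans Traefik JSON access-log lines and reports callback responses that never set the session cookie, plus host/path pairs that were redirected repeatedly. It assumes `--accesslog.format=json` so that kept headers appear as `downstream_<Header>` fields, uses constructed sample log lines, and takes the cookie name `_forward_auth_session` from the post.

```python
import json
from collections import Counter

# Constructed sample Traefik JSON access-log lines (assumes --accesslog.format=json
# together with --accesslog.fields.headers.defaultmode=keep, so response headers
# are logged as downstream_<Header>). Illustrative only, not captured from a real system.
SAMPLE_LOG = """
{"RequestHost":"sentinel.mydomain.tld","RequestPath":"/","DownstreamStatus":307,"downstream_Location":"https://login.microsoftonline.com/TENANT/oauth2/v2.0/authorize?state=abc","downstream_Set-Cookie":"_forward_auth_csrf_abc=tok; Path=/; HttpOnly"}
{"RequestHost":"sentinel.mydomain.tld","RequestPath":"/_oauth","DownstreamStatus":307,"downstream_Location":"https://sentinel.mydomain.tld/","downstream_Set-Cookie":"_forward_auth_csrf_abc=; Path=/; Max-Age=0"}
{"RequestHost":"sentinel.mydomain.tld","RequestPath":"/","DownstreamStatus":307,"downstream_Location":"https://login.microsoftonline.com/TENANT/oauth2/v2.0/authorize?state=def","downstream_Set-Cookie":"_forward_auth_csrf_def=tok; Path=/; HttpOnly"}
{"RequestHost":"sentinel.mydomain.tld","RequestPath":"/app/login","DownstreamStatus":200}
"""

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def audit_forward_auth(log_text, callback_path="/_oauth",
                       session_cookie="_forward_auth_session", loop_threshold=2):
    """Return callback responses lacking the session cookie and (host, path)
    pairs redirected at least loop_threshold times (a loop indicator)."""
    callbacks_without_session = []
    redirects = Counter()
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        host = entry.get("RequestHost")
        path = entry.get("RequestPath", "")
        status = entry.get("DownstreamStatus")
        if status in REDIRECT_STATUSES:
            redirects[(host, path)] += 1
        if path.startswith(callback_path):
            set_cookie = entry.get("downstream_Set-Cookie", "")
            # A healthy callback sets the session cookie before redirecting back
            # to the original URL; a callback that only clears CSRF is the symptom.
            if session_cookie + "=" not in set_cookie:
                callbacks_without_session.append({
                    "status": status, "set_cookie": set_cookie,
                    "location": entry.get("downstream_Location"),
                })
    loops = {key: n for key, n in redirects.items() if n >= loop_threshold}
    return {"callbacks_without_session": callbacks_without_session,
            "redirect_loops": loops}


if __name__ == "__main__":
    for name, finding in audit_forward_auth(SAMPLE_LOG).items():
        print(name, finding)
```

Run it against the real access log (e.g. `docker logs traefik` piped to a file) to see whether the `/_oauth` response ever carries the session cookie at all, which separates a cookie-scope problem from a callback that fails before issuing it.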