Proxies the authorization header in Traefik

We are in the process of moving our Ingress from Nginx to Traefik and right now i am stuck with an issue. We are using forwardauth proxy and everything works fine so far except for Grafana where we want to pass a certain header from forwardauth service to Grafana so a user can login automatically. I am still trying to find the right way to achieve this in Traefik.

For Nginx Ingress, we have the following annotations,

annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $user   $upstream_http_x_auth_request_user;
      auth_request_set $email  $upstream_http_x_auth_request_email;
      proxy_set_header X-User  $user;
      proxy_set_header X-Email $email;

when i deployed the traefik Ingress, I did the following things

 1. add an IngressRoute for the hostname I need to access
   2. add a middleware for the headers i need to extract

Here is the middleware yaml file

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: sso
spec:
  forwardAuth:
    address: http://traefik-sso:4181
    authResponseHeaders:
        - "X-Forwarded-User"
        - "X-Auth-User"
        - "X-Auth-Request-Email"
        -  "X-Auth-Request-User"
    trustForwardHeader: true

The above steps has not resolve the issue. Can you help me the correct snippet to be used in the Traefik to proxies the authorization header in the auth response to the Grafana.

Hello @shiak,

Thanks for your interest in Traefik!

What are the headers needed by Grafana?
Are you sure that the authentication server returns the headers which should be forwarded to the service?

I might be wrong but the proxy_set_header inject new headers in the service request with the content of some authentication response header. This probably means that Grafana needs the X-User and X-Email headers to authenticate the user.

Therefore, if you have to rename the X-Auth-Request-User / X-Auth-Request-Email headers to X-User / X-Email, for now, you will have to use a plugin after the ForwardAuth middleware (e.g. Header Transformation).

Hope this helps