SSO OAuth Google with traefik-forward-auth - middleware does not exist

raynoxfr · March 31, 2023, 3:14pm

Hello,

I have followed some pages like this for my setting :
https://daquinoaldo.medium.com/traefik-docker-oauth-a-free-reverse-proxy-with-tsl-and-google-oauth2-da9aa0df96cc

i have setted up the files below, but I get some error like that in Traefik :

time="2023-03-31T16:52:32+02:00" level=error msg="middleware \"oauth@docker\" does not exist" routerName=whoami@docker entryPointName=websecure

And of course, it doesn't work, and I get an access denied, The OAuth client was not found from Google Web Page (Error 401 : invalid_client)

traefik

version: "3"
services:

  traefik:
    container_name: "traefik"
    image: traefik:latest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    command:
      - "--log.level=DEBUG"
      #- "--api.insecure=true"
      - '--api=true'
      - '--api.dashboard=true'
      
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      
      ### HTTPS ###
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      #DNS- "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      #DNS- "--certificatesresolvers.myresolver.acme.dnschallenge.provider=ovh"
      #DNS- "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=60"
      - "--certificatesresolvers.myresolver.acme.email=pascal@domain.ext"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory" # For live
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" # For testing
      
    environment:
      - "TZ=Europe/Paris"
      #DNS- "OVH_ENDPOINT=ovh-eu"
      #DNS- "OVH_APPLICATION_KEY=xxxxxxxx"
      #DNS- "OVH_APPLICATION_SECRET=xxxxxxxx"
      #DNS- "OVH_CONSUMER_KEY=xxxxxxxx"
    ports:
      - "80:80"
      - "443:443"
      #- "8080:8080"
    networks:
      - traefik_proxy
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/docker/traefik/config:/etc/traefik:ro"
      - "/docker/traefik/letsencrypt:/letsencrypt"
      
    labels:
      - "traefik.enable=true"
      - "traefik.frontend.passHostHeader=true"
      # HTTP Catchall for redirecting HTTP -> HTTPS
      - "traefik.http.routers.traefik.rule=PathPrefix(`/`)"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`routing.domain.ext`)"
      - "traefik.http.routers.traefik.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=websecure"
      # Dashboard
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`routing.domain.ext`)"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.services.api@internal.loadbalancer.server.port=8080" # Required in swarms, https://doc.traefik.io/traefik/v2.0/routing/providers/docker/#services
      # Auth
      - "traefik.https.middlewares.traefik-dashboard-auth.basicauth.users: traefik_user:$$apr1$$epoKf5li$$QfTMJZOCS/halv3CiIUEu0"
      - "traefik.https.routers.traefik-secure.middlewares: traefik-dashboard-auth"

networks: 
  traefik_proxy:
    external: true

traefik-forward-auth

version: "3"
services:
    oauth:
      image: thomseddon/traefik-forward-auth:latest
      container_name: oauth
      restart: unless-stopped
      stdin_open: true
      tty: true
      environment:
        - PUID=1000
        - PGID=1000
        - TZ=Europe/Paris
        - DEFAULT_ACTION=auth
        - DEFAULT_PROVIDER=google
        - PROVIDERS_GOOGLE_CLIENT_ID="xxxxxxxxxxxxx.apps.googleusercontent.com"
        - PROVIDERS_GOOGLE_CLIENT_SECRET="xxxxxxxxxxxxx"
        - SECRET="xxxxxxxxxxxxx"
        # comment out AUTH_HOST if you'd rather use individual redirect_uris (slightly less complicated but more work)
        - AUTH_HOST="auth.domain.ext"
        - COOKIE_DOMAIN="domain.ext"
        - INSECURE_COOKIE=false
        - WHITELIST="pascal@domain.ext"
        - LOG_LEVEL=info
        - LOG_FORMAT=text
        - LIFETIME=86400 # 1 day
      networks:
        - traefik_proxy
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik_proxy"
        - "traefik.http.routers.oauth.rule=Host(`auth.domain.ext`)"
        - "traefik.http.routers.oauth.entrypoints=websecure"
        - "traefik.http.routers.auth.tls=true"
        - "traefik.http.middlewares.oauth.forwardauth.address=http://oauth:4181"
        - "traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User"
        - "traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true"
        - "traefik.http.routers.oauth.middlewares=oauth"
        - "traefik.http.routers.oauth.tls.certresolver=myresolver"
        - "traefik.http.services.oauth.loadbalancer.server.port=4181"

networks: 
  traefik_proxy:
    external: true

Test

version: "3"
services:
  whoami:
    image: traefik/whoami:latest
    container_name: whoami
    restart: unless-stopped
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`test.domain.ext`)"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
      - "traefik.http.routers.whoami.middlewares=oauth"
networks: 
  traefik_proxy:
    external: true

test.domain.ext doesn't work correctly

About setting for DNS

auth.domain.ext CNAME domain.ext

And of course, I have configured an Oauth Google available for the domain.ext

Any idea ?
Thanks

bluepuma77 · April 1, 2023, 6:20am

I would think if you set the middleware on your oauth container, it’s going to run around in circles.

raynoxfr · April 3, 2023, 11:53am

Thank you, but I don't know what exactly I have to do.
I have already a line in "oauth" container :

- "traefik.http.routers.oauth.middlewares=oauth"

I have remove the line above and I get :

level=debug msg="Remote error http://oauth:4181. StatusCode: 307" middlewareName=oauth@docker middlewareType=ForwardedAuthType

wphampton · May 5, 2023, 3:04pm

I am trying to figure out all this myself, but I noticed this line:
- "traefik.http.routers.auth.tls=true"

...among a bunch of other lines that used traefik.http.routers.oauth.

So that made me wonder if that line should also have .oauth instead of .auth.

Topic		Replies	Views
Traefik 2 ForwardAuth help Traefik v2 docker	1	492	June 8, 2020
Configure traefik with authentik Traefik v2 docker , middleware	3	4010	October 24, 2023
Problem using a middleware cross providers Traefik v2 middleware	2	1828	September 27, 2019
Help setting up ForwardAuth using Keycloak and traefik-forward-auth Traefik v2 docker	1	7343	October 9, 2022
Traefik + Oauth2-proxy : forwardauth middleware forgets URL Traefik v2 middleware	2	7935	August 23, 2022

SSO OAuth Google with traefik-forward-auth - middleware does not exist

Related topics