/traefik-oauth-upstream

Traefik middleware that handles OAuth for the upstream (not downstream).

Primary language: Go. License: Apache-2.0.

Upstream OAuth - Traefik Middleware

This middleware adds OAuth headers to your requests so that, from the point of view of the upstream (service), each request is OAuth-authenticated. Using other middleware layers, you can configure any kind of downstream (client) authentication (e.g., Basic Auth), or leave it open to the internet (not recommended).

After the client has signed in, tokens are kept cached and are automatically refreshed.

Typical flow

sequenceDiagram
  participant B as Downstream client
  participant O as OAuth Provider
  participant P as Traefik OAuth Plugin
  participant U as Upstream server

  alt First ever request
    B->>P: Plain request
    P->>B: 302
    B->>O: Auth request
    O->>B: Success redirect
    B->>+P: OAuth callback
    Note right of P: Token & refresh token stored
    P->>-B: Redirect back to original request
  end

  alt Token still valid
    B->>+P: Plain request
    Note right of P: Bearer token added
    P->>-U: Authorised request
    U->>P: Response
    P->>B: Response
  end

  alt Token expired
    B->>P: Plain request
    P->>O: Refresh token
    O->>+P: Refreshed tokens
    Note right of P: Tokens updated and bearer added
    P->>-U: Authorised request
    U->>P: Response
    P->>B: Response
  end
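
The three branches of the diagram, written out as an added Go sketch (not the plugin's own code). `Token`, `Refresher`, `Authorize`, `ErrLoginRequired` and `expirySkew` are hypothetical names, and dropping the client's own `Authorization` header is a design choice of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"time"
)

// Token is a hypothetical cache entry; the field names are assumptions.
type Token struct {
	Access, Refresh string
	Expiry          time.Time
}
// Refresher stands in for the refresh-token call to the OAuth provider.
type Refresher func(refreshToken string) (Token, error)

var ErrLoginRequired = errors.New("no usable token: send the client to the OAuth provider")
const expirySkew = 30 * time.Second // refresh early so the upstream never sees a stale token

// Authorize prepares req for the upstream and returns the token to keep cached.
func Authorize(req *http.Request, cached *Token, refresh Refresher, now time.Time) (*Token, error) {
	req.Header.Del("Authorization") // never forward credentials sent by the downstream client
	if cached == nil {
		return nil, ErrLoginRequired // "First ever request": caller answers with the 302
	}
	if now.Add(expirySkew).After(cached.Expiry) { // "Token expired"
		if cached.Refresh == "" {
			return nil, ErrLoginRequired
		}
		fresh, err := refresh(cached.Refresh)
		if err != nil {
			return nil, fmt.Errorf("refresh failed: %w", err)
		}
		if fresh.Refresh == "" {
			fresh.Refresh = cached.Refresh // provider did not rotate the refresh token
		}
		cached = &fresh
	}
	req.Header.Set("Authorization", "Bearer "+cached.Access) // "Token still valid"
	return cached, nil
}

func main() {
	req, _ := http.NewRequest("GET", "http://upstream.example/api", nil) // constructed request
	req.Header.Set("Authorization", "Basic ZGVtbzpkZW1v")                // constructed client credential
	old := &Token{Access: "old", Refresh: "r1", Expiry: time.Now().Add(-time.Minute)}
	rf := func(string) (Token, error) { return Token{Access: "new", Expiry: time.Now().Add(time.Hour)}, nil }
	tok, err := Authorize(req, old, rf, time.Now())
	fmt.Println(tok.Access, req.Header.Get("Authorization"), err)
}
```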
  

Config

You can set up different upstream OAuths by configuring different middlewares, or you can configure one middleware and reuse it with multiple routers/services.

Config example

Development

This repo is GitPod friendly.