No user info in token
KBL411 opened this issue · 0 comments
KBL411 commented
Hi, the goal of this project is to expose a container behind open-source tools.
I use traefik to redirect traffic and authenticate users via an OIDC SSO.
I have no other solution than to use a container for user authentication via OIDC SSO.
My problem is that in my token, I don't have any information about the user, so my SSO request rejects me.
Have I forgotten something?
How can I see what's in my token?
In fact, another team manages SSO. According to them, my request contains no information about the user.
```yaml
version: '3'
services:
  reverse-proxy:
    image: my-registry/traefik:v2.3
    restart: unless-stopped
    command:
      - --log.level=TRACE
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web-secure.address=:443
      - --entrypoints.web.http.redirections.entryPoint.to=web-secure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.web-secure.http.middlewares=traefik-forward-auth
      - --providers.file.filename=/configuration/traefik.yml
      - --providers.file.watch=true
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /configuration/:/configuration/:ro
    networks:
      - mutu
  traefik-forward-auth:
    depends_on:
      - reverse-proxy
    image: my-registry/thomseddon/traefik-forward-auth:latest
    restart: unless-stopped
    volumes:
      - /configuration/:/configuration/:ro
    environment:
      - SSL_CERT_FILE=/path/to/certif.crt
      - DEFAULT_PROVIDER=oidc
      - PROVIDERS_OIDC_ISSUER_URL=https://local.sso
      - PROVIDERS_OIDC_CLIENT_ID=clientID
      - PROVIDERS_OIDC_CLIENT_SECRET=secret
      - SECRET=randomgenkey
      - LOG_LEVEL=TRACE
      - INSECURE_COOKIE=false
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
      - "traefik.http.routers.traefik-forward-auth.entrypoints=web-secure"
      - "traefik.http.routers.traefik-forward-auth.middlewares=traefik-forward-auth"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.tls.cert=/path/to/certif.crt"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.tls.key=/path/to/certif.key"
    networks:
      - mutu
  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.localhost.com`)"
      - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"
      - "traefik.http.routers.whoami.entrypoints=web-secure"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.docker.network=mutu"
    networks:
      - mutu
```
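
On the question "How can I see what's in my token?": the sketch below is an added example, not part of the original post and not traefik-forward-auth's own code. It assumes the token is an ID token in compact JWT form copied from the provider's token response; the helper names and the sample token are constructed for illustration.

```python
import base64
import json

# Standard OIDC claims that identify the user (OpenID Connect Core, section 5.1).
USER_CLAIMS = ("sub", "email", "preferred_username", "name")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_id_token(token: str) -> dict:
    """Decode header and claims WITHOUT verifying the signature (debugging only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    present = [c for c in USER_CLAIMS if claims.get(c)]
    return {
        "alg": header.get("alg"),
        "claims": claims,
        "user_claims_present": present,
        "user_claims_missing": [c for c in USER_CLAIMS if c not in present],
    }


def make_sample_token(claims: dict) -> str:
    # Constructed sample: placeholder signature, never accepted by a verifier.
    header = {"alg": "RS256", "typ": "JWT"}
    body = ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    return body + "." + _b64url_encode(b"constructed-signature")


if __name__ == "__main__":
    # Constructed token: protocol claims and an opaque subject, no profile or email claims.
    sample = make_sample_token(
        {"iss": "https://local.sso", "aud": "clientID", "sub": "constructed-subject", "exp": 1700000000}
    )
    print(json.dumps(inspect_id_token(sample), indent=2))
```

Run it locally on the raw token rather than pasting the token into an online decoder; the output is for inspection only, since nothing here checks the signature.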