traefik-forward-auth: Endless login loop

Hi,

First of all, it is the first time I am using OAuth so I might have done something wrong in my setup. I am redirected to Google for auth but every time I click on my email address (once connected to Google), the same Google screen is showing up and I am not redirected to my website.

At the moment, I set DOMAIN=gmail.com in my docker-compose.yml as I don’t have an address @DOMAIN.COM on google.

Any idea?

Forward-auth log shows forward-oauth | 2018-10-31T13:42:40.440721148Z 2018/10/31 13:42:40 Set CSRF cookie and redirecting to google login

Traefik log shows (on hitting the URL): traefik | 2018-10-31T13:45:40.019947588Z time="2018-10-31T13:45:40Z" level=debug msg="Remote error http://forward-oauth:4181. StatusCode: 307"

and it shows this on hitting my email address on google auth webpage:

traefik          | 2018-10-31T13:45:54.929432773Z time="2018-10-31T13:45:54Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/_oauth\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"state=993f242d01:https://hydra.DOMAIN.COM/\\u0026code=4/hD4PkUroE8\\u0026scope=email%20profile%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en-US;q=0.9,en;q=0.8\"],\"Cookie\":[\"_forward_auth_csrf=993f242d01\"],\"Referer\":[\"https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=b5q0.apps.googleusercontent.com\\u0026as=4uOMLWOVQ\\u0026destination=https%3A%2F%2FauthDOMAIN.COOM\u0026approval_state=!ChQxMHdtX2kNd\\u0026oauthgdpr=1\\u0026xsrfsig=AHgIfE_SkNq7B213FkQ\\u0026flowName=GeneralOAuthFlow\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"auth.DOMAIN.COM\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"188.60.195.90:59429\",\"RequestURI\":\"/_oauth?state=993f2e4c48042d01:https://hydra.DOMAIN.COM/\\u0026code=4/hgAMuUroE8\\u0026scope=email%20profile%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email\",\"TLS\":null}"
traefik          | 2018-10-31T13:45:54.929841936Z time="2018-10-31T13:45:54Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/_oauth\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"state=993f2e4c042d01:https://hydra.DOMAIN.COM/\\u0026code=4/PkUroE8\\u0026scope=email%20profile%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en-US;q=0.9,en;q=0.8\"],\"Cookie\":[\"_forward_auth_csrf=993f2e4cff14042d01\"],\"Referer\":[\"https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=pq0.apps.googleusercontent.com\\u0026as=4OVQ\\u0026destination=https%3A%2F%2Fauth.DOMAIN.COM\\u0026approval_state=!ChQxMFdtX2kNd\\u0026oauthgdpr=1\\u0026xsrfsig=AHgIQ\\u0026flowName=GeneralOAuthFlow\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"auth.DOMAIN.COM\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"188.60.195.90:59429\",\"RequestURI\":\"/_oauth?state=993f242d01:https://hydra.DOMAIN.COM/\\u0026code=4/hD4PkUroE8\\u0026scope=email%20profile%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email\",\"TLS\":null}" ForwardURL="http://172.18.0.11:4181"
traefik          | 2018-10-31T13:45:54.930209893Z time="2018-10-31T13:45:54Z" level=debug msg="vulcand/oxy/forward: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"172.18.0.11:4181\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en-US;q=0.9,en;q=0.8\"],\"Cookie\":[\"_forward_auth_csrf=993f2d01\"],\"Referer\":[\"https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=1hbb5q0.apps.googleusercontent.com\\u0026as=4uOMLZVQ\\u0026destination=https%3A%2F%2Fauth.DOMAIN.COM\\u0026approval_state=!ChQxWQlBhbGJCWQ%E2%88%99APNbktkAAAAAW9sDhHgTS3FGyDWs8BWxBCm4HdtX2kNd\\u0026oauthgdpr=1\\u0026xsrfsig=AHgIfB213FkQ\\u0026flowName=GeneralOAuthFlow\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"auth.DOMAIN.COM\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"188.60.195.90:59429\",\"RequestURI\":\"/_oauth?state=993f248042d01:https://hydra.DOMAIN.COM/\\u0026code=4/hgAMuldPkUroE8\\u0026scope=email%20profile%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email\",\"TLS\":null}"
traefik          | 2018-10-31T13:45:54.930525308Z time="2018-10-31T13:45:54Z" level=debug msg="vulcand/oxy/forward/http: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"172.18.0.11:4181\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en-US;q=0.9,en;q=0.8\"],\"Cookie\":[\"_forward_auth_csrf=993f42d01\"],\"Referer\":[\"https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=ohvq0.apps.googleusercontent.com\\u0026as=4uOMOVQ\\u0026destination=https%3A%2F%2Fauth.DOMAIN.COM\\u0026approval_state=!ChcTS3FGyDWs8BWxBCm4HdtX2kNd\\u0026oauthgdpr=1\\u0026xsrfsig=AHFkQ\\u0026flowName=GeneralOAuthFlow\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"auth.DOMAIN.COM\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"188.60.195.90:59429\",\"RequestURI\":\"/_oauth?state=993f2e4042d01:https://hydraDOMAIN.COM/\\u0026code=4/hgoE8\\u0026scope=email%20profile%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email\",\"TLS\":null}"
traefik          | 2018-10-31T13:45:54.930641362Z time="2018-10-31T13:45:54Z" level=debug msg="Upstream ResponseWriter of type *pipelining.writerWithoutCloseNotify does not implement http.CloseNotifier. Returning dummy channel."
traefik          | 2018-10-31T13:45:54.932439662Z time="2018-10-31T13:45:54Z" level=debug msg="vulcand/oxy/forward/http: Round trip: http://172.18.0.11:4181, code: 307, Length: 434, duration: 1.606526ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:hydra.DOMAIN.COM"
traefik          | 2018-10-31T13:45:54.932707222Z time="2018-10-31T13:45:54Z" level=debug msg="vulcand/oxy/forward/http: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"172.18.0.11:4181\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en-US;q=0.9,en;q=0.8\"],\"Cookie\":[\"_forward_auth_csrf=993f2e448042d01\"],\"Referer\":[\"https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=qpdjq1hbb5q0.apps.googleusercontent.com\\u0026as=4uQ\\u0026destination=https%3A%2F%2Fauth.DOMAIN.COM\\u0026approval_state=!ChQxkNd\\u0026oauthgdpr=1\\u0026xsrfsig=AHgIfE_SkNz41NQjL1AlzKR5Mq7B213FkQ\\u0026flowName=GeneralOAuthFlow\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"auth.DOMAIN.COm\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"188.60.195.90:59429\",\"RequestURI\":\"/_oauth?state=993f2ed548042d01:https://hydra.DOMAIN.COM/\\u0026code=4/hgAMuldpxs8Wy0NOWtxskTUroE8\\u0026scope=email%20profile%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email\",\"TLS\":null}"
traefik          | 2018-10-31T13:45:54.932886522Z time="2018-10-31T13:45:54Z" level=debug msg="vulcand/oxy/forward: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"172.18.0.11:4181\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en-US;q=0.9,en;q=0.8\"],\"Cookie\":[\"_forward_auth_csrf=993f2042d01\"],\"Referer\":[\"https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=b5q0.apps.googleusercontent.com\\u0026as=4uORWOVQ\\u0026destination=https%3A%2F%2Fauth.DOMAIN.COM\\u0026approval_state=!CCm4HdtX2kNd\\u0026oauthgdpr=1\\u0026xsrfsig=AHgI13FkQ\\u0026flowName=GeneralOAuthFlow\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"auth.DOMAIN.COM\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"188.60.195.90:59429\",\"RequestURI\":\"/_oauth?state=9901:https://hydra.DOMAIN.COM/\\u0026code=4/hgAMroE8\\u0026scope=email%20profile%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email\",\"TLS\":null}"
traefik          | 2018-10-31T13:45:54.933021455Z time="2018-10-31T13:45:54Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/_oauth\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"state=99301:https://hydra.DOMAIN.COM/\\u0026code=4/hgAroE8\\u0026scope=email%20profile%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en-US;q=0.9,en;q=0.8\"],\"Cookie\":[\"_forward_auth_csrf=99301\"],\"Referer\":[\"https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=bb5q0.apps.googleusercontent.com\\u0026as=4uOVQ\\u0026destination=https%3A%2F%2Fauth.DOMAIN.COM\\u0026approval_state=!Ch2kNd\\u0026oauthgdpr=1\\u0026xsrfsig=AH3FkQ\\u0026flowName=GeneralOAuthFlow\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"auth.DOMAIN.COM\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"188.60.195.90:59429\",\"RequestURI\":\"/_oauth?state=993f201:https://hydra.DOMAIN.COM/\\u0026code=4/hgroE8\\u0026scope=email%20profile%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email\",\"TLS\":null}"

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 34 (12 by maintainers)

Most upvoted comments

I was able to get this working with Kubernetes. I run traefik-forward-auth in the same pod as my traefik ingress controller (I then run several of these in a deployment). Hence the usage of “localhost” in my forward URL. I also did not need the auth-trust-headers annotation but maybe your case is different.

The key is applying the auth-* annotations to the auth ingress as it’s the auth forwarder module in Traefik which provides the X-Forwarded-Uri. Without the annotations, the auth ingress misses the forwarded URL and ends up in a loop.

You’ll notice there is no traefik.toml. Everything is accomplished with annotations, command line arguments and secrets/environment variables.

My auth host ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  labels:
    app: traefik-ingress-lb
  name: traefik-auth-ingress
  namespace: traefik-ingress
  annotations:
    kubernetes.io/ingress.class: "traefik"
    ingress.kubernetes.io/ssl-redirect: "true"
    ingress.kubernetes.io/auth-type: "forward"
    ingress.kubernetes.io/auth-url: "http://localhost:4181"
    ingress.kubernetes.io/auth-response-headers: "X-Forwarded-User"
spec:
  rules:
  - host: auth.mydomain.com
    http:
      paths:
      - path: /auth/_oauth
        backend:
          serviceName: traefik
          servicePort: 4181
  tls:
  - hosts:
    - auth.mydomain.com
    secretName: traefik-auth-cert

A protected service example (Traefik’s dashboard)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  labels:
    app: traefik-ingress-lb
  name: traefik-dashboard-ingress
  namespace: traefik-ingress
  annotations:
    kubernetes.io/ingress.class: "traefik"
    ingress.kubernetes.io/ssl-redirect: "true"
    ingress.kubernetes.io/auth-type: "forward"
    ingress.kubernetes.io/auth-url: "http://localhost:4181"
    ingress.kubernetes.io/auth-response-headers: "X-Forwarded-User"
spec:
  rules:
  - host: traefik.mydomain.com
    http:
      paths:
      - backend:
          serviceName: traefik
          servicePort: 8080
  tls:
  - hosts:
    - traefik.mydomain.com
    secretName: traefik-cert

Here’s a very stripped down deployment example:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: traefik-ingress-lb
  name: traefik-ingress-controller
  namespace: traefik-ingress
spec:
  selector:
    matchLabels:
      app: traefik-ingress-lb
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 50%
      maxUnavailable: 50%
  template:
    metadata:
      labels:
        app: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - traefik-ingress-lb
            topologyKey: "kubernetes.io/hostname"
      containers:
        - name: traefik-ingress-lb
          image: traefik:v1.7.8
          args:
            - --defaultentrypoints=http,https
            - --entrypoints=Name:http Address::80 Compress:true Redirect.EntryPoint:https
            - --entrypoints=Name:https Address::443 TLS:/ssl/tls.crt,/ssl/tls.key TLS.MinVersion:VersionTLS12 TLS.DefaultCertificate.Cert:/ssl/tls.crt TLS.DefaultCertificate.Key:/ssl/tls.key
            - --entrypoints=Name:api Address::8080
            - --kubernetes
            - --kubernetes.ingressclass=traefik
            - --api
            - --api.entrypoint=api
            - --api.dashboard=true
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            - name: dashboard
              containerPort: 8080
          volumeMounts:
            - name: ssl
              mountPath: /ssl
        - name: traefik-forward-auth
          image: thomseddon/traefik-forward-auth:latest
          imagePullPolicy: Always
          env:
            - name: CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: traefik-env
                  key: oauth-client-id
            - name: CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-env
                  key: oauth-client-secret
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-env
                  key: oauth-secret
            - name: LOG_LEVEL
              value: info
            - name: AUTH_HOST
              value: auth.mydomain.com
            - name: URL_PATH
              value: auth/_oauth
            - name: COOKIE_DOMAINS
              value: mydomain.com
            - name: WHITELIST
              value: my@gmail.com
          ports:
            - name: http-auth
              containerPort: 4181
      volumes:
        - name: ssl
          secret:
            secretName: traefik-default-cert

And finally a service definition to power our ingress backend services:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: traefik-ingress-lb
  annotations:
    traefik.backend.loadbalancer.stickiness: "true"
  name: traefik
  namespace: traefik-ingress
spec:
  ports:
    - name: dashboard
      port: 8080
    - name: http-auth
      port: 4181
  selector:
    app: traefik-ingress-lb

The only allowed redirect URL in my Google Developer console is: https://auth.mydomain.com/auth/_oauth

It took quite a bit of fiddling and research to get this working; feel free to include it as an example somewhere if it’s useful to others.

I was also having an authentication loop issue using AUTH_HOST with docker-compose. I solved it and thought I’d post my solution here since this is one of the top posts when you search for this issue on Google 😃. In my case, the problem was due to the fact that I didn’t enable traefik-forward-auth.middlewares using traefik-forward-auth globally for my https entrypoint; I was under the assumption that I could make it work by only adding it to the service I wanted authenticated, and that was a mistake. The traefik-forward-auth.middlewares also needs to be set on the traefik-forward-auth service.

something like this :

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2
    container_name: traefik-forward-auth
    environment:
      - PROVIDERS_GOOGLE_CLIENT_ID=clientid
      - PROVIDERS_GOOGLE_CLIENT_SECRET=secret
      - SECRET=secret
      - COOKIE_DOMAIN=$DOMAIN
      - AUTH_HOST=auth.$DOMAIN
      - LOG_LEVEL=debug
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-forward-auth.rule=Host(`auth.$DOMAIN`)"
      - "traefik.http.routers.traefik-forward-auth.entrypoints=websecure"
      - "traefik.http.routers.traefik-forward-auth.tls=true"
      - "traefik.http.routers.traefik-forward-auth.middlewares=traefik-forward-auth"
      # the forwardauth address is the internal service, not the public auth host
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"

  whoami:
    image: containous/whoami
    container_name: whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami-$DOMAIN`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"

Maybe pointing out in the docs that the forwardauth middleware needs to be applied to the traefik-forward-auth service too would be good?

The traefik-forward-auth.middlewares also needs to be set on the traefik-forward-auth service.

This is indeed a solution that worked for me too, however I suspect this masks something deeper. Looking at how traefik represents traffic (see the attached image), it seems that adding the middleware is allowing a successful redirect that otherwise isn’t working. I initially thought the “callback URL” on GitHub had to be https://auth.domain.com/_oauth with the explicit path, but it seems to work without. Any thoughts @thomseddon ?

Here the log from my side:

traefik-forward-auth_1  | time="2021-08-08T23:23:56Z" level=debug msg="Authenticating request" cookies="other_cookies; _forward_auth_csrf=398c6ddafd150f4267dc8455639eb26c]" handler=Auth host=whoami.domain.com method=GET proto=https rule=default source_ip=150.150.150.150 uri=/
traefik-forward-auth_1  | time="2021-08-08T23:23:56Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf=c12a92bbfde54ae8acb99278455357ed; Path=/; Domain=domain.com; Expires=Mon, 09 Aug 2021 11:23:56 GMT; HttpOnly; Secure" handler=Auth host=whoami.domain.com login_url="https://github.com/login/oauth/authorize?client_id=a4f9be1831eccc6e2cce&redirect_uri=https%3A%2F%2Fauth.domain.com%2F_oauth&response_type=code&scope=profile+email&state=c12a92bbfde54ae8acb99278455357ed%3Ageneric-oauth%3Ahttps%3A%2F%2Fwhoami.domain.com%2F" method=GET proto=https rule=default source_ip=150.150.150.150 uri=/
traefik-forward-auth_1  | time="2021-08-08T23:23:57Z" level=debug msg="Handling callback" cookies="other_cookies; _forward_auth_csrf=c12a92bbfde54ae8acb99278455357ed]" handler=AuthCallback host=auth.domain.com method=GET proto=https rule=default source_ip=150.150.150.150 uri="/_oauth?code=2b3aeb15259366fe073e&state=c12a92bbfde54ae8acb99278455357ed%3Ageneric-oauth%3Ahttps%3A%2F%2Fwhoami.domain.com%2F"
traefik-forward-auth_1  | time="2021-08-08T23:23:58Z" level=info msg="Successfully generated auth cookie, redirecting user." handler=AuthCallback host=auth.domain.com method=GET proto=https provider=generic-oauth redirect="https://whoami.domain.com/" rule=default source_ip=150.150.150.150 uri="/_oauth?code=2b3aeb15259366fe073e&state=c12a92bbfde54ae8acb99278455357ed%3Ageneric-oauth%3Ahttps%3A%2F%2Fwhoami.domain.com%2F" user=me@gmail.com
traefik-forward-auth_1  | time="2021-08-08T23:23:58Z" level=debug msg="Authenticating request" cookies="other_cookies; _forward_auth=source_ip= B_DUovzYcDqcWZ5PSDRoJic3RCxbEzaZTilCUP=|1628508238|me@gmail.com]" handler=Auth host=whoami.domain.com method=GET proto=https rule=default source_ip=150.150.150.150 uri=/
traefik-forward-auth_1  | time="2021-08-08T23:23:58Z" level=debug msg="Allowing valid request" handler=Auth host=whoami.domain.com method=GET proto=https rule=default source_ip=150.150.150.150 uri=/
traefik-forward-auth_1  | time="2021-08-08T23:23:59Z" level=debug msg="Authenticating request" cookies="other_cookies; _forward_auth=source_ip= B_DUovzYcDqcWZ5PSDRoJic3RCxbEzaZTilCUP=|1628508238|me@gmail.com]" handler=Auth host=whoami.domain.com method=GET proto=https rule=default source_ip=150.150.150.150 uri=/favicon.ico
traefik-forward-auth_1  | time="2021-08-08T23:23:59Z" level=debug msg="Allowing valid request" handler=Auth host=whoami.domain.com method=GET proto=https rule=default source_ip=150.150.150.150 uri=/favicon.ico

There doesn’t seem to be an X-Forwarded-Uri header when the request hits ssoauth.mydomain.com, so the server doesn’t know to call the auth callback.
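The mechanism behind the three fixes discussed above (the auth-* annotations on the auth ingress in the Kubernetes comment, the forwardauth middleware on the traefik-forward-auth service in the docker-compose comment, and the missing X-Forwarded-Uri noted here), as an added Go example that is not traefik-forward-auth's own code: a minimal forward-auth handler that decides, purely from the X-Forwarded-* headers, whether a request is the OAuth callback, an already-authenticated request, or the start of a login, plus a simulation of the three hops of one login with and without X-Forwarded-Uri on the callback hop. The hostnames, provider URL, secret, cookie layout, state format and user identity are constructed assumptions; only the cookie names and the /_oauth path come from the thread.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Hosts, provider URL and secret are constructed; the cookie names match the thread's logs.
const (
	callbackPath, csrfCookieName, authCookieName = "/_oauth", "_forward_auth_csrf", "_forward_auth"
	authHost, providerLogin                       = "auth.example.invalid", "https://provider.example.invalid/oauth/authorize"
)

var secret = []byte("constructed-example-secret") // stands in for the SECRET setting

func sign(payload string) string { // HMAC-SHA256 tag over a cookie payload, base64url
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

func newNonce() string { // 128 random bits, hex
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the OS CSPRNG is unavailable; nothing sensible to do
	}
	return fmt.Sprintf("%x", b)
}

// The auth cookie is "mac|email"; the MAC stops a client from minting its own identity.
func newAuthCookie(email string) string { return sign(email) + "|" + email }

func validAuthCookie(v string) (string, bool) {
	p := strings.SplitN(v, "|", 2)
	if len(p) != 2 || !hmac.Equal([]byte(p[0]), []byte(sign(p[1]))) {
		return "", false
	}
	return p[1], true
}

// authHandler answers the proxy's "may this request pass?" question; all it knows
// about the original request comes from the X-Forwarded-* headers the proxy sends.
func authHandler(w http.ResponseWriter, r *http.Request) {
	u, err := url.Parse(r.Header.Get("X-Forwarded-Uri")) // missing header -> empty path
	if err != nil {
		http.Error(w, "bad X-Forwarded-Uri", http.StatusBadRequest)
		return
	}
	u.Scheme, u.Host = r.Header.Get("X-Forwarded-Proto"), r.Header.Get("X-Forwarded-Host")
	if u.Path == callbackPath { // 1. the provider sent the browser back: finish the login
		p := strings.SplitN(u.Query().Get("state"), ":", 2) // "nonce:original-url"
		if c, err := r.Cookie(csrfCookieName); len(p) != 2 || err != nil || c.Value != p[0] {
			http.Error(w, "CSRF cookie does not match state", http.StatusUnauthorized)
			return
		}
		// A real server exchanges u.Query().Get("code") at the provider here; the user is constructed.
		http.SetCookie(w, &http.Cookie{Name: csrfCookieName, Path: "/", MaxAge: -1})
		http.SetCookie(w, &http.Cookie{Name: authCookieName, Value: newAuthCookie("me@example.invalid"), Path: "/", HttpOnly: true, Secure: true})
		http.Redirect(w, r, p[1], http.StatusTemporaryRedirect)
		return
	}
	if c, err := r.Cookie(authCookieName); err == nil { // 2. already logged in?
		if user, ok := validAuthCookie(c.Value); ok {
			w.Header().Set("X-Forwarded-User", user)
			w.WriteHeader(http.StatusOK)
			return
		}
	}
	nonce := newNonce() // 3. start a login; the nonce ties the CSRF cookie to the state
	http.SetCookie(w, &http.Cookie{Name: csrfCookieName, Value: nonce, Path: "/", HttpOnly: true, Secure: true})
	q := url.Values{"redirect_uri": {"https://" + authHost + callbackPath}, "state": {nonce + ":" + u.String()}}
	http.Redirect(w, r, providerLogin+"?"+q.Encode(), http.StatusTemporaryRedirect)
}

// simulate plays the three hops of one login and returns each hop's status code and Location.
// With forwardCallbackURI=false the callback hop carries no X-Forwarded-Uri, which is what the
// server sees when the auth host's own ingress/router lacks the forwardauth middleware.
func simulate(forwardCallbackURI bool) (codes []int, locs []string) {
	hop := func(host, uri string, cookies []*http.Cookie) *httptest.ResponseRecorder {
		r := httptest.NewRequest("GET", "http://forward-auth:4181/", nil)
		r.Header.Set("X-Forwarded-Proto", "https")
		r.Header.Set("X-Forwarded-Host", host)
		r.Header.Set("X-Forwarded-Uri", uri) // "" behaves like an absent header
		for _, c := range cookies {
			r.AddCookie(c) // whatever the browser kept from the previous response
		}
		w := httptest.NewRecorder()
		authHandler(w, r)
		codes, locs = append(codes, w.Code), append(locs, w.Header().Get("Location"))
		return w
	}
	w1 := hop("whoami.example.invalid", "/", nil) // unauthenticated visit to the protected site
	loc, _ := url.Parse(w1.Header().Get("Location"))
	cb := ""
	if forwardCallbackURI {
		cb = callbackPath + "?code=constructed-code&state=" + url.QueryEscape(loc.Query().Get("state"))
	}
	w2 := hop(authHost, cb, w1.Result().Cookies())            // browser comes back from the provider
	hop("whoami.example.invalid", "/", w2.Result().Cookies()) // retry with whatever cookies were set
	return codes, locs
}

func main() {
	fmt.Println(simulate(true))  // [307 307 200]: the callback sends the browser back to whoami
	fmt.Println(simulate(false)) // [307 307 307]: the callback is sent to the provider again (the loop)
}
```

With the header present the hops go 307, 307, 200 and the callback's Location is the protected site; without it the request on the auth host has an empty forwarded path, so the handler cannot tell it is the callback, treats it as a fresh unauthenticated request and sends the browser to the provider once more, which is exactly the loop in the thread. The handler also refuses a callback whose state nonce does not match the CSRF cookie, so in this model a cookie-domain mismatch shows up as a 401 rather than a loop.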

Can you post full toml config?

I haven’t looked into the way these variables are parsed, but it might be worth trying:

ingress.kubernetes.io/auth-trust-headers: true

as opposed to:

ingress.kubernetes.io/auth-trust-headers: "true"

Also, could you post the annotations for the prometheus.mydomain.com container as this correctly passes X-Forwarded-Uri?

@thomseddon It is not self-explanatory as I am trying to set up AUTH_HOST. It indeed works if I add hydra.DOMAIN.COM/_oauth in Google but that is not what I want. It is a bit annoying to add every subdomain to Google but if that is what it takes I can live with it.