This repository demonstrates securing upstream services using OpenID Connect (OIDC) login with Traefik and thomseddon/traefik-forward-auth. It provides a practical example of how to implement authentication in a microservices architecture: Traefik consults traefik-forward-auth before proxying each request, so a request reaches a service only after the user has authenticated with a trusted OIDC provider.
Integrating OIDC with Traefik using traefik-forward-auth gives a secure, scalable, and easy-to-implement authentication mechanism: authentication is enforced at the edge by a Traefik forward-auth middleware, so the services behind it need no login code of their own. This setup is suited to protecting sensitive services behind an authentication layer, ensuring that only users who have logged in at the identity provider (and, if you configure an allow list, only those users) can reach them.
- Docker and Docker Compose installed on your system
- An OIDC-compatible identity provider (e.g., Keycloak) configured
Update the `.env` file or set environment variables directly in `docker-compose.yaml` for the `traefik-forward-auth` service:
- `PROVIDERS_OIDC_ISSUER_URL`: Your OIDC provider's issuer URL. It must match the `iss` claim in the tokens the provider issues, because traefik-forward-auth loads `<issuer>/.well-known/openid-configuration` from it and validates ID tokens against it.
- `PROVIDERS_OIDC_CLIENT_ID` and `PROVIDERS_OIDC_CLIENT_SECRET`: Obtained from your OIDC provider when you register the client.
- `SECRET`: A random secret used by traefik-forward-auth to sign its session cookie. Generate it with a CSPRNG (for example `openssl rand -hex 32`), treat it like a password, and keep the `.env` file out of version control.
- Clone this repository:
  ```sh
  git clone <repository-url>
  ```
- Navigate to the project directory:
  ```sh
  cd <project-directory>
  ```
- Start the services:
  ```sh
  docker-compose up -d
  ```
Access to the `echo-server` service is protected by OIDC authentication. Unauthenticated users are redirected to the OIDC provider for login; after a successful login they are returned to the service with a signed session cookie, and subsequent requests are proxied through without another redirect.
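The wiring between the three services looks like the following `docker-compose.yaml`. This is an added example, not this repository's own compose file; the image tags, the `echo.localhost` hostname, the `ealen/echo-server` image, and the `alice@example.com` allow-list entry are assumptions. The Traefik labels use Traefik v2 syntax and the environment variables are the ones documented by thomseddon/traefik-forward-auth.

```yaml
# Added example docker-compose.yaml (assumed values are marked in comments).
services:
  traefik:
    image: traefik:v2.10                     # assumed tag; any Traefik v2.x works
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # only labelled containers get routed
      - --entrypoints.web.address=:80
    ports:
      - "80:80"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2
    environment:
      # The upstream default provider is google; select the generic OIDC provider.
      - DEFAULT_PROVIDER=oidc
      - PROVIDERS_OIDC_ISSUER_URL=${PROVIDERS_OIDC_ISSUER_URL}
      - PROVIDERS_OIDC_CLIENT_ID=${PROVIDERS_OIDC_CLIENT_ID}
      - PROVIDERS_OIDC_CLIENT_SECRET=${PROVIDERS_OIDC_CLIENT_SECRET}
      # Signs the session cookie. Generate with: openssl rand -hex 32
      - SECRET=${SECRET}
      # Allow list of e-mail addresses. Without WHITELIST (or DOMAIN) every
      # account the identity provider will authenticate is let through.
      # The default below is a constructed placeholder.
      - WHITELIST=${WHITELIST:-alice@example.com}
      # Plain-HTTP lab only: lets the session cookie be set without the Secure
      # flag. Remove this and terminate TLS in Traefik before exposing the stack.
      - INSECURE_COOKIE=true
      - LOG_LEVEL=info
    labels:
      - "traefik.enable=true"
      # Middleware definition: Traefik sends every request here first and only
      # proxies it upstream when traefik-forward-auth answers 2xx.
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      # Pass the authenticated identity to the upstream service.
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"

  echo-server:
    image: ealen/echo-server                 # assumed; any HTTP service works
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.echo.rule=Host(`echo.localhost`)"
      - "traefik.http.routers.echo.entrypoints=web"
      # Attaching the middleware to the router is what actually protects the
      # service; a router without this line is reachable without login.
      - "traefik.http.routers.echo.middlewares=traefik-forward-auth"
```

With this layout the OIDC callback is served on the protected host itself, so the redirect URI registered for the client at the identity provider must be `http://echo.localhost/_oauth` (the `/_oauth` path is traefik-forward-auth's default callback path). To check the setup, `curl -i http://echo.localhost/` should answer with a 3xx redirect whose `Location` points at the provider's authorization endpoint; after logging in through a browser, the echo-server response shows the `X-Forwarded-User` header carrying the logged-in user's e-mail address, which confirms that the identity is being passed upstream.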
Contributions to improve the project are welcome. Feel free to fork the repository, make your changes, and submit a pull request.
This project is licensed under the MIT License - see the LICENSE file for details.