OpenID Connect ForwardAuth for Traefik 🔐
Go to file
2024-05-02 03:01:26 +02:00
.github Fixed PR Template 2021-10-20 16:01:48 +02:00
examples Fixed typos 2020-06-04 14:57:54 +02:00
pkg feat: add group-based access control 2024-05-02 02:53:00 +02:00
.gitignore Progress 2020-05-22 12:56:48 +02:00
Dockerfile dockerfile: enable cross build 2024-05-02 03:01:26 +02:00
go.mod upgrade dependencies 2024-05-02 01:18:14 +02:00
go.sum upgrade dependencies 2024-05-02 01:18:14 +02:00
LICENSE Add license 2020-05-20 13:19:31 +02:00
main.go Made port and redirect optional settings 2020-06-04 16:44:18 +02:00 Made port and redirect optional settings 2020-06-04 16:44:18 +02:00

OIDC ForwardAuth for Traefik

An OIDC compliant traefik forwardauth handler which follows the lifecycle of the token, also supports refreshing of tokens (WIP). Supports all OIDC compliant Identity Solutions, e.g. KeyCloak, GitHub, Google, ...
Code was also built with the Idea to be as simple and minimal as possible.


Configuration is currently only via environmnet variables supported:

Environment Variable Type Description Example
ISSUER string OIDC Issuer (required)
CLIENT_ID string OIDC Client Id (required) CLIENT_ID
CLIENT_SECRET string OIDC Client Secret (required) CLIENT_SECRET
AUTH_DOMAIN string Central auth domain (required)
COOKIE_DOMAIN string Root domain(s) of protected host(s) (required)
PORT string Port on which the Application is running on 4181
REDIRECT_URL string Redirect URL /auth/resp


The authenticated user is set in the X-Forwarded-User header.
See more in the Examples section.


Following examples are currently available:
- Google Authentication

Future Features

  • Refresh Token support
  • Add option to only allow Users with verfied mails
  • Add mail whitelist
  • Your Idea here

Cookie Domains

You can supply a comma separated list of cookie domains, if the host of the original request is a subdomain of any given cookie domain, the authentication cookie will set with the given domain.

For example, if cookie domain is and a request comes in on, the cookie will be set for the whole domain. As such, if another request is forwarded for authentication from, the original cookie will be sent and so the request will be allowed without further authentication.

Operation Details

For example, you have a few applications:,, To utilise an auth host, permit domain level cookies by setting the cookie domain to then set the auth-host to:

The user flow will then be:

  1. Request to
  2. User redirected to OIDC login
  3. After OIDC login, user is redirected to
  4. Token, user and CSRF cookie is validated, auth cookie is set to
  5. User is redirected to
  6. Request is allowed

Two criteria must be met for an auth-host to be used:

  1. Request matches given cookie-domain
  2. auth-host is also subdomain of same cookie-domain