oidc-forward-auth/examples/google.md
Stefan Kürzeder f7c659dbf1 Fixed typos
2020-06-04 14:57:54 +02:00

Example for Google Authentication

  1. Navigate to Google APIs Developer Console
  2. Open Credentials
  3. Click on Create Credentials and OAuth client ID
  4. Select Application type Web Application
  5. Enter `https://auth.yourdomain.tld/auth/resp` as Authorised redirect URI (Google requires the full URI including the scheme, and it must match exactly what the service sends in the authorization request; a bare host or a different path is rejected at login time)
  6. Copy and save Client Id and Client Secret
    • e.g. ******.apps.googleusercontent.com and uqE8NtQQZ_******
  7. Configure the environment variables to the following:
     ```env
     ISSUER=https://accounts.google.com
     CLIENT_ID=******.apps.googleusercontent.com
     # treat CLIENT_SECRET like a password: keep it out of version control
     CLIENT_SECRET=uqE8NtQQZ_******
     AUTH_DOMAIN=auth.yourdomain.tld
     COOKIE_DOMAIN=yourdomain.tld
     ```
    
  8. Create the traefik forwardauth middleware via the file provider (middlewares.forwardauth.yml; the content is YAML, so the file needs a `.yml`/`.yaml` extension, not `.toml`):
     ```yaml
     http:
       middlewares:
         # The middleware name is arbitrary, but it must match the keycloak@file reference in the router labels below.
         keycloak:
           forwardAuth:
             # Use the internal DNS name (e.g. the docker container name) on the shared docker network.
             address: "http://traefik-forward-auth:4181"
             # Passes X-Forwarded-* headers already present on the request through to the auth service.
             # Keep Traefik as the only client-facing hop, otherwise a client can supply its own X-Forwarded-Host.
             trustForwardHeader: true
             authResponseHeaders: ["X-Forwarded-User"]
     ```
    
  9. Final docker-compose (docker-compose.yml; the `https` entrypoint, the `letsencrypt` certificate resolver and the file provider for the middleware above are expected to come from the static Traefik configuration mounted from ./config):
     ```yaml
     version: "3.7"

     services:
       traefik:
         image: traefik:latest
         networks:
           - traefik
         volumes:
           - /var/run/docker.sock:/var/run/docker.sock:ro
           - ./config:/etc/traefik
         ports:
           - 80:80
           - 443:443
         restart: always

       whoami:
         image: containous/whoami
         networks:
           - traefik
         labels:
           # Docker
           - traefik.enable=true

           # Routing
           - traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.tld`)
           - traefik.http.routers.whoami.tls.certresolver=letsencrypt
           - traefik.http.routers.whoami.tls.domains[0].main=*.yourdomain.tld
           - traefik.http.routers.whoami.tls.domains[0].sans=yourdomain.tld
           - traefik.http.routers.whoami.entrypoints=https
           - traefik.http.routers.whoami.middlewares=keycloak@file

           # Healthcheck
           - traefik.http.services.whoami.loadbalancer.server.port=80
           - traefik.http.services.whoami.loadbalancer.healthcheck.path=/
           - traefik.http.services.whoami.loadbalancer.healthcheck.interval=5s
           - traefik.http.services.whoami.loadbalancer.healthcheck.timeout=3s
         restart: always

       traefik-forward-auth:
         image: stivik/oidc-forward-auth
         networks:
           - traefik
         environment:
           - ISSUER=https://accounts.google.com
           - CLIENT_ID=******.apps.googleusercontent.com
           - CLIENT_SECRET=uqE8NtQQZ_******   # secret: prefer an env_file or a secrets store over committing it here
           - AUTH_DOMAIN=auth.yourdomain.tld
           - COOKIE_DOMAIN=yourdomain.tld
           - LOG_LEVEL=debug   # helpful while setting up; lower it once the flow works
         labels:
           # Docker
           - traefik.enable=true

           # Routing
           - traefik.http.routers.keycloak-forward.rule=Host(`auth.yourdomain.tld`)
           - traefik.http.routers.keycloak-forward.tls.certresolver=letsencrypt
           - traefik.http.routers.keycloak-forward.tls.domains[0].main=*.yourdomain.tld
           - traefik.http.routers.keycloak-forward.tls.domains[0].sans=yourdomain.tld
           - traefik.http.routers.keycloak-forward.entrypoints=https
           - traefik.http.services.keycloak-forward.loadbalancer.server.port=4181
           - traefik.http.routers.keycloak-forward.middlewares=keycloak@file # Note: The forwardauth handler itself requires the forwardauth middleware

     networks:
       traefik:
     ```
    
  10. When you now browse to whoami.yourdomain.tld you are redirected to Google's login page. After successful authentication Google sends the browser to https://auth.yourdomain.tld/auth/resp, the service sets its session cookie for COOKIE_DOMAIN (so every host under yourdomain.tld that is routed through the middleware shares the login) and redirects you back to the application, which receives the authenticated identity in the X-Forwarded-User header.
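What the forward-auth container does between step 7 and step 10, written out as an added Python illustration (this is not the oidc-forward-auth project's code; the function names, the embedded subset of Google's discovery document and the constructed callback and token payload are assumptions). It shows why the redirect URI registered in step 5 has to match exactly, and which checks on the callback and the ID token stand between a Google login and the `X-Forwarded-User` header:

```python
"""Illustration of the OIDC steps a forward-auth service performs with the
settings from this example (ISSUER, CLIENT_ID, AUTH_DOMAIN).
Added example code, not the oidc-forward-auth project's implementation:
function names, the embedded discovery subset and the constructed
callback/token values in the usage section are assumptions."""
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the example configuration (CLIENT_SECRET is only needed
# for the code exchange at the token endpoint, which is not shown here).
ISSUER = "https://accounts.google.com"
CLIENT_ID = "******.apps.googleusercontent.com"
AUTH_DOMAIN = "auth.yourdomain.tld"
CALLBACK_PATH = "/auth/resp"

# A relying party fetches ISSUER + "/.well-known/openid-configuration" over
# HTTPS; this constructed subset of Google's document lets the example run
# offline.
DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
}


def redirect_uri() -> str:
    """The exact URI that must be registered in the Google console (step 5)."""
    return f"https://{AUTH_DOMAIN}{CALLBACK_PATH}"


def build_authorization_request(return_to: str) -> Tuple[str, Dict[str, str]]:
    """Build the URL the browser is redirected to, plus the per-login values
    (state, nonce, original URL) the service must remember, e.g. in a signed
    cookie, until the callback arrives."""
    if DISCOVERY["issuer"] != ISSUER:
        raise ValueError("discovery document does not belong to ISSUER")
    pending = {
        "state": secrets.token_urlsafe(32),   # binds the callback to this browser
        "nonce": secrets.token_urlsafe(32),   # binds the ID token to this login
        "return_to": return_to,
    }
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri(),
        "scope": "openid email",
        "state": pending["state"],
        "nonce": pending["nonce"],
    }
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params), pending


def check_callback(callback_url: str, pending: Dict[str, str]) -> str:
    """Handle /auth/resp: refuse unless the state is the one we issued.
    Returns the authorization code to exchange at the token endpoint."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError("provider returned error: " + query["error"][0])
    if query.get("state", [None])[0] != pending["state"]:
        raise PermissionError("state mismatch (cross-site request forgery?)")
    return query["code"][0]


def validate_id_token_claims(claims: dict, pending: Dict[str, str],
                             now: Optional[float] = None) -> str:
    """Claim checks every relying party must make on the ID token returned by
    the token endpoint. Signature verification against the issuer's JWKS is
    assumed to have been done already (not shown). Returns the identity to
    pass on as X-Forwarded-User."""
    now = time.time() if now is None else now
    # Google documents both spellings of its issuer as valid.
    if claims.get("iss") not in (ISSUER, "accounts.google.com"):
        raise PermissionError("token from a different issuer")
    if claims.get("aud") != CLIENT_ID:
        raise PermissionError("token issued to a different client")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("nonce") != pending["nonce"]:
        raise PermissionError("nonce mismatch (replayed token?)")
    if not claims.get("email_verified"):
        raise PermissionError("email not verified by Google")
    return claims["email"]


if __name__ == "__main__":
    url, pending = build_authorization_request("https://whoami.yourdomain.tld/")
    print("redirect browser to:", url)
    # Constructed callback and claims, shaped like what the service sees after a login.
    code = check_callback(f"{redirect_uri()}?state={pending['state']}&code=4/0Aexample", pending)
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "exp": time.time() + 3600,
              "nonce": pending["nonce"], "email": "alice@example.com",
              "email_verified": True}
    print("X-Forwarded-User:", validate_id_token_claims(claims, pending))
```

The code exchange at the token endpoint (where CLIENT_SECRET is used) and JWT signature verification are left out; the point is the binding: the state ties the `/auth/resp` request to the browser that started the login, the nonce ties the ID token to that same login, and `aud` must equal the CLIENT_ID from step 7 so a token minted for another Google client cannot be replayed against this proxy.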