This plugin allows you to secure the upstream services with an OpenID Connect (OIDC) provider. It uses the WASM extension of Traefik to perform.
This middleware is under active development - things should NOT break, but they might.
Enable the plugin in your traefik configuration.
moduleName: ""
version: "v0.0.4"
Add a middleware and reference it in a route.
- url: http://whoami:80
issuerUrl: ""
clientID: your_client_id
clientSecret: your_client_secret
scopes: ["openid", "profile", "email", "groups"]
name: "X-Oidc-Name"
preferred_username: "X-Oidc-Username"
sub: "X-Oidc-Subject"
groups: "X-Oidc-Groups"
logout: "/oauth2/logout"
entryPoints: ["web"]
rule: "HostRegexp(`.+`)"
service: whoami
middlewares: ["oidc-auth"]
Name | Required | Type | Default | Description |
provider | yes | Provider |
none | Identity Provider Configuration. See Provider Config. |
cookie | no | Cookie |
none | Cookie Configuration. See Cookie Config. |
endpoint | no | Endpoint |
none | Endpoint Configuration. See Endpoint Config. |
totp | no | TOTP |
none | TOTP Configuration to generate auth state. See TOTP Config. |
claimMap | no | map[string]string |
none | key value pairs of claims to extract from the OIDC token and set as headers. |
dnsAddr | no | string |
"" |
Address of the DNS server to use. (Because there is no default DNS resolver in WASM, this is required) |
tokenAutoRefreshTime | no | time.Duration |
5m |
The rest of time to auto refresh the token. |
enable | no | bool |
true |
Enable the plugin. |
Name | Required | Type | Default | Description |
issuerUrl | yes | string |
none | URL of the OIDC provider. |
clientID | yes | string |
none | Client ID of the OIDC client. |
clientSecret | yes | string |
none | Client Secret of the OIDC client. |
scopes | no | []string |
["openid"] |
Scopes to request from the OIDC provider. |
Name | Required | Type | Default | Description |
accessToken | no | string |
"__oidc_token" |
Name of the cookie to store the access token. |
refreshToken | no | string |
"__oidc_refresh_token" |
Name of the cookie to store the refresh token. |
originPath | no | string |
"__oidc_origin_path" |
Name of the cookie to store the origin path. |
Name | Required | Type | Default | Description |
callback | no | string |
"/oauth2/callback" |
Path to the OIDC callback endpoint. |
logout | no | string |
"/oauth2/logout" |
Path to the OIDC logout endpoint. |
fallback | no | string |
"/" |
Path to the fallback endpoint. When logout is called, it will redirect to this endpoint. |
Name | Required | Type | Default | Description |
Period | no | uint |
30 |
The period of the TOTP token. |
Skew | no | uint |
0 |
The skew of the TOTP token. |
Digest | no | uint |
8 |
The length of the TOTP token. |
Algorithm | no | string |
"SHA1" |
The algorithm of the TOTP token. |