xzzpig/traefik-oidc-wasm

Repository files navigation

# Traefik OIDC WASM Plugin

This plugin lets you secure upstream services behind Traefik with an OpenID Connect (OIDC) provider. It is implemented as a Traefik WASM plugin.

> **Warning:** This middleware is under active development - things should NOT break, but they might.

## 💡 Getting Started

Enable the plugin in your Traefik static configuration:

```yaml
experimental:
  plugins:
    traefik-oidc:
      moduleName: "github.com/xzzpig/traefik-oidc-wasm"
      version: "v0.0.4"
```

Add a middleware in the dynamic configuration and reference it from a router:

```yaml
http:
  services:
    whoami:
      loadBalancer:
        servers:
          - url: http://whoami:80

  middlewares:
    oidc-auth:
      plugin:
        traefik-oidc:
          provider:
            issuerUrl: "https://idm.example.com"
            clientID: your_client_id
            clientSecret: your_client_secret
            scopes: ["openid", "profile", "email", "groups"]
          claimMap:
            name: "X-Oidc-Name"
            preferred_username: "X-Oidc-Username"
            sub: "X-Oidc-Subject"
            groups: "X-Oidc-Groups"
          endpoint:
            logout: "/oauth2/logout"

  routers:
    whoami:
      entryPoints: ["web"]
      rule: "HostRegexp(`.+`)"
      service: whoami
      middlewares: ["oidc-auth"]
```

## 🛠 Configuration Options

### Plugin Config

| Name | Required | Type | Default | Description |
|---|---|---|---|---|
| `provider` | yes | Provider | none | Identity provider configuration. See Provider Config. |
| `cookie` | no | Cookie | none | Cookie configuration. See Cookie Config. |
| `endpoint` | no | Endpoint | none | Endpoint configuration. See Endpoint Config. |
| `totp` | no | TOTP | none | TOTP configuration used to generate the auth state. See TOTP Config. |
| `claimMap` | no | map[string]string | none | Key/value pairs mapping claims extracted from the OIDC token to the request headers they are set as. |
| `dnsAddr` | no | string | `"1.1.1.1:53"` | Address of the DNS server to use. Required because there is no default DNS resolver in WASM. |
| `tokenAutoRefreshTime` | no | time.Duration | `5m` | Remaining token lifetime at which the token is automatically refreshed. |
| `enable` | no | bool | `true` | Enable the plugin. |

### Provider Config

| Name | Required | Type | Default | Description |
|---|---|---|---|---|
| `issuerUrl` | yes | string | none | URL of the OIDC provider. |
| `clientID` | yes | string | none | Client ID of the OIDC client. |
| `clientSecret` | yes | string | none | Client secret of the OIDC client. |
| `scopes` | no | []string | `["openid"]` | Scopes to request from the OIDC provider. |

### Cookie Config

| Name | Required | Type | Default | Description |
|---|---|---|---|---|
| `accessToken` | no | string | `"__oidc_token"` | Name of the cookie that stores the access token. |
| `refreshToken` | no | string | `"__oidc_refresh_token"` | Name of the cookie that stores the refresh token. |
| `originPath` | no | string | `"__oidc_origin_path"` | Name of the cookie that stores the origin path. |

### Endpoint Config

| Name | Required | Type | Default | Description |
|---|---|---|---|---|
| `callback` | no | string | `"/oauth2/callback"` | Path of the OIDC callback endpoint. |
| `logout` | no | string | `"/oauth2/logout"` | Path of the OIDC logout endpoint. |
| `fallback` | no | string | `"/"` | Path of the fallback endpoint. When logout is called, the user is redirected here. |

### TOTP Config

| Name | Required | Type | Default | Description |
|---|---|---|---|---|
| `Period` | no | uint | `30` | Time step of the TOTP token, in seconds. |
| `Skew` | no | uint | `0` | Number of adjacent time steps accepted on either side of the current one. |
| `Digest` | no | uint | `8` | Length (number of digits) of the TOTP token. |
| `Algorithm` | no | string | `"SHA1"` | HMAC hash algorithm of the TOTP token. |
