traefik-forward-auth/README.md

# Traefik Forward Auth 

Yet another minimal modification of a great minimal forward authentication service that provides OAuth/SSO login and authentication for the [traefik](https://github.com/containous/traefik) reverse proxy/load balancer.

## Why?

The original [traefik-forward-auth](https://github.com/thomseddon/traefik-forward-auth) provides the forwarding of authentication between an Identity Provider like [keycloak](https://www.keycloak.org/) and the [ForwardAuth](https://doc.traefik.io/traefik/middlewares/http/forwardauth/) middleware of [traefik](https://doc.traefik.io/traefik/).

The modification of this project is to add minimal authorization functionality. The [traefik-forward-auth](https://home.hottis.de/gitlab/dockerized/traefik-forward-auth/) is configured with a `REQUIRED_ROLE` and access to the resource is only granted if the access token issued by the Identity Provider contains a claim with that particular role. 

## Docker Image 

The Docker image can be found at [DockerHub wollud1969/traefik-forward-auth](https://hub.docker.com/r/wollud1969/traefik-forward-auth).

## Configuration

### ... of traefik-forward-auth

In the `examples` directory the ymls to deploy a whoami service ([at GitHub](https://github.com/traefik/whoami/), [at Docker Hub](https://hub.docker.com/r/containous/whoami)) and the related ymls to deploy and configure the traefik-forward-auth service.
The only relevant modification to the original [advanced separate pod example](https://github.com/thomseddon/traefik-forward-auth/tree/master/examples/traefik-v2/kubernetes/advanced-separate-pod) is the configuration parameter `REQUIRED_ROLE`.

### ... of the Identity Provider

![Keycloak Client General Settings](./images/Keycloak-General-Settings.png)

![Keycloak Client Access Settings](./images/Keycloak-Access-Settings.png)

![Keycloak Client Capability Settings](./images/Keycloak-Capability-Config.png)

![KeyCloak Client Roles](./images/Keycloak-Client-Roles.png)

![Keycloak Client Mapper](./images/Keycloak-Client-Mapper.png)


## Copyright

2018 Thom Seddon

2023 Wolfgang Hottgenroth

## License

[MIT](https://github.com/thomseddon/traefik-forward-auth/blob/master/LICENSE.md)

[MIT](https://home.hottis.de/gitlab/dockerized/traefik-forward-auth/-/blob/master/LICENSE.md)
documentation 2023-11-07 09:59:46 +01:00			`# Traefik Forward Auth`

			`Yet another minimal modification of a great minimal forward authentication service that provides OAuth/SSO login and authentication for the [traefik](https://github.com/containous/traefik) reverse proxy/load balancer.`

			`## Why?`

			`The original [traefik-forward-auth](https://github.com/thomseddon/traefik-forward-auth) provides the forwarding of authentication between an Identity Provider like [keycloak](https://www.keycloak.org/) and the [ForwardAuth](https://doc.traefik.io/traefik/middlewares/http/forwardauth/) middleware of [traefik](https://doc.traefik.io/traefik/).`

			The modification of this project is to add minimal authorization functionality. The [traefik-forward-auth](https://home.hottis.de/gitlab/dockerized/traefik-forward-auth/) is configured with a `REQUIRED_ROLE` and access to the resource is only granted if the access token issued by the Identity Provider contains a claim with that particular role.

adjust for release 2023-11-07 10:18:49 +01:00			`## Docker Image`

			`The Docker image can be found at [DockerHub wollud1969/traefik-forward-auth](https://hub.docker.com/r/wollud1969/traefik-forward-auth).`

documentation 2023-11-07 09:59:46 +01:00			`## Configuration`

			`### ... of traefik-forward-auth`

			In the `examples` directory the ymls to deploy a whoami service ([at GitHub](https://github.com/traefik/whoami/), [at Docker Hub](https://hub.docker.com/r/containous/whoami)) and the related ymls to deploy and configure the traefik-forward-auth service.
			The only relevant modification to the original [advanced separate pod example](https://github.com/thomseddon/traefik-forward-auth/tree/master/examples/traefik-v2/kubernetes/advanced-separate-pod) is the configuration parameter `REQUIRED_ROLE`.

			`### ... of the Identity Provider`

			`![Keycloak Client General Settings](./images/Keycloak-General-Settings.png)`

			`![Keycloak Client Access Settings](./images/Keycloak-Access-Settings.png)`

			`![Keycloak Client Capability Settings](./images/Keycloak-Capability-Config.png)`

			`![KeyCloak Client Roles](./images/Keycloak-Client-Roles.png)`

			`![Keycloak Client Mapper](./images/Keycloak-Client-Mapper.png)`



changes 2023-11-07 10:02:31 +01:00			`## Copyright`

			`2018 Thom Seddon`
fix 2023-11-07 10:06:15 +01:00
changes 2023-11-07 10:02:31 +01:00			`2023 Wolfgang Hottgenroth`

			`## License`

			`[MIT](https://github.com/thomseddon/traefik-forward-auth/blob/master/LICENSE.md)`

			`[MIT](https://home.hottis.de/gitlab/dockerized/traefik-forward-auth/-/blob/master/LICENSE.md)`