/GitHub OAuth Plugin

GitHub OAuth Plugin

4
v0.3.2

Traefik GitHub OAuth Plugin

This is a fork of MuXiu1997 repository. This fork is mostly fixing some of the security concerns I wanted to address. This will be kept synced with the main repo.

This is a Traefik middleware plugin that allows users to authenticate using GitHub OAuth.

The plugin is intended to be used as a replacement for the BasicAuth middleware,

providing a more secure way for users to access protected routes.

process

Quick Start (Docker)

  1. Create a GitHub OAuth App

  2. Run the Traefik GitHub OAuth server

    docker run -d --name traefik-github-oauth-server \
    --network <traefik-proxy-network> \
    -e 'GITHUB_OAUTH_CLIENT_ID=<client-id>' \
    -e 'GITHUB_OAUTH_CLIENT_SECRET=<client-secret>' \
    -e 'API_BASE_URL=http://<traefik-github-oauth-server-host>' \
    -l 'traefik.http.services.traefik-github-oauth-server.loadbalancer.server.port=80' \
    -l 'traefik.http.routers.traefik-github-oauth-server.rule=Host(`<traefik-github-oauth-server-host>`)' \
    luizfonseca/traefik-github-oauth-server
  3. Install the Traefik GitHub OAuth plugin

    Add this snippet in the Traefik Static configuration

    experimental:
    plugins:
    github-oauth:
    moduleName: "github.com/luizfonseca/traefik-github-oauth-plugin"
    version: <version>
  4. Run your App

    docker run -d --whoami test \
    --network <traefik-proxy-network> \
    --label 'traefik.http.middlewares.whoami-github-oauth.plugin.github-oauth.apiBaseUrl=http://traefik-github-oauth-server' \
    --label 'traefik.http.middlewares.whoami-github-oauth.plugin.github-oauth.whitelist.logins[0]=luizfonseca' \
    --label 'traefik.http.routers.whoami.rule=Host(`whoami.example.com`)' \
    --label 'traefik.http.routers.whoami.middlewares=whoami-github-oauth' \
    traefik/whoami

Configuration

Server configuration

Environment VariableDescriptionDefaultRequired
GITHUB_OAUTH_CLIENT_IDThe GitHub OAuth App client idYes
GITHUB_OAUTH_CLIENT_SECRETThe GitHub OAuth App client secretYes
API_BASE_URLThe base URL of the Traefik GitHub OAuth serverYes
API_SECRET_KEYThe api secret key. You can ignore this if you are using the internal networkNo
SERVER_ADDRESSThe server address:80No
DEBUG_MODEEnable debug mode and set log level to debugfalseNo
LOG_LEVELThe log level, Available values: debug, info, warn, errorinfoNo

Middleware Configuration

# The base URL of the Traefik GitHub OAuth server
apiBaseUrl: http://<traefik-github-oauth-server-host>
# The api secret key. You can ignore this if you are using the internal network
apiSecretKey: optional_secret_key_if_not_on_the_internal_network
# The path to redirect to after the user has authenticated, defaults to /_auth
# Note: This path is not GitHub OAuth App's Authorization callback URL
authPath: /_auth
# optional jwt secret key, if not set, the plugin will generate a random key
jwtSecretKey: optional_secret_key
# The log level, defaults to info
# Available values: debug, info, warn, error
logLevel: info
# whitelist
whitelist:
# The list of GitHub user ids that in the whitelist
ids:
- 996
# The list of GitHub user logins that in the whitelist
logins:
- luizfonseca

License

MIT