This is a Traefik middleware plugin that authenticates users with Google OpenID Connect, and then checks that their email address or Google Workspace domain is authorized.
Option | Default | Required | Description
---|---|---|---
oidc.clientID | | X | OAuth client ID.
oidc.clientSecret | | X | OAuth client secret.
oidc.callbackPath | /oidc/callback | | Path to which the OIDC provider redirects the user after authentication.
cookie.name | oidc_auth | | Name of the cookie. Customize it to avoid collisions when running multiple instances of the middleware.
cookie.path | / | | Limits the scope of the cookie to a specific path.
cookie.secret | | X | HMAC key used to sign cookies; provides integrity protection so a client cannot forge or alter them.
cookie.duration | 24h | | Validity period for new cookies. Users keep access for this long regardless of changes to their account in the OIDC provider, so pick a value you can tolerate for revocation lag. Uses the Go time.Duration format.
cookie.insecure | false | | Set to true to omit the Secure attribute from cookies (only sensible for plain-HTTP test setups).
authorized.emails | | X | List of allowed email addresses.
authorized.domains | | X | List of allowed Google Workspace domains.
debug | false | | Enable debug logging to stdout.
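The two decisions these options drive, "is this Google identity allowed?" and "is this cookie genuine and still inside cookie.duration?", are illustrated below. This is an added example, not the plugin's code: the `Authorized` type, the cookie layout `base64url(email|expiry).base64url(hmac)`, and the choice to match `authorized.domains` against the ID token's `hd` (hosted domain) claim rather than the email suffix are all assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Authorized mirrors the authorized.emails / authorized.domains options.
// The type and method names are this example's own.
type Authorized struct {
	Emails  []string
	Domains []string
}

// Allows reports whether a signed-in user may pass. email is the ID token's
// "email" claim; hd is the Google Workspace hosted-domain claim (empty for
// consumer accounts). Matching is case-insensitive. The domain list is
// checked against hd, not the email suffix, so a consumer account whose
// address merely ends in "@example.com" is not let in (assumed design).
func (a Authorized) Allows(email, hd string) bool {
	email = strings.ToLower(strings.TrimSpace(email))
	for _, e := range a.Emails {
		if strings.ToLower(strings.TrimSpace(e)) == email {
			return true
		}
	}
	hd = strings.ToLower(strings.TrimSpace(hd))
	if hd == "" {
		return false
	}
	for _, d := range a.Domains {
		if strings.ToLower(strings.TrimSpace(d)) == hd {
			return true
		}
	}
	return false
}

// SignCookie builds base64url(email|expiryUnix) "." base64url(HMAC-SHA256).
// The layout is invented here; keying the HMAC with cookie.secret is the
// only part taken from the README.
func SignCookie(secret []byte, email string, expires time.Time) string {
	payload := []byte(email + "|" + strconv.FormatInt(expires.Unix(), 10))
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(mac.Sum(nil))
}

// VerifyCookie checks the HMAC in constant time before parsing anything,
// then enforces the embedded expiry. It returns the email on success.
func VerifyCookie(secret []byte, value string, now time.Time) (string, error) {
	enc := base64.RawURLEncoding
	dot := strings.LastIndexByte(value, '.')
	if dot < 0 {
		return "", errors.New("malformed cookie")
	}
	payload, err := enc.DecodeString(value[:dot])
	if err != nil {
		return "", errors.New("malformed payload")
	}
	sig, err := enc.DecodeString(value[dot+1:])
	if err != nil {
		return "", errors.New("malformed signature")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("bad signature")
	}
	p := string(payload)
	sep := strings.LastIndexByte(p, '|')
	if sep < 0 {
		return "", errors.New("malformed payload")
	}
	exp, err := strconv.ParseInt(p[sep+1:], 10, 64)
	if err != nil {
		return "", errors.New("malformed expiry")
	}
	// Until this instant the cookie stays valid even if the Google account
	// was disabled meanwhile: that is the cookie.duration trade-off.
	if !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("cookie expired")
	}
	return p[:sep], nil
}

func main() {
	auth := Authorized{Emails: []string{"alice@example.org"}, Domains: []string{"example.com"}}
	fmt.Println(auth.Allows("bob@example.com", "example.com")) // true
	fmt.Println(auth.Allows("bob@example.com", ""))            // false: no hd claim
	secret := []byte("mySecretKey") // README placeholder; use a long random value in production
	c := SignCookie(secret, "alice@example.org", time.Now().Add(24*time.Hour))
	fmt.Println(VerifyCookie(secret, c, time.Now()))
}
```

The order inside `VerifyCookie` matters: the signature is checked over the raw payload bytes before any field is parsed, so attacker-controlled input never reaches the parser, and the expiry is part of the signed payload, so it cannot be extended by editing the cookie.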
X-Forwarded-User
When the middleware proxies a request it adds an X-Forwarded-User header containing the authenticated user's email address. Backends that make decisions on this header should only be reachable through Traefik, so that the header is always the one set by the middleware.
Static config
```yaml
# traefik.yml
experimental:
  plugins:
    google-oidc-auth-middleware:
      moduleName: "github.com/andrewkroh/google-oidc-auth-middleware"
      # Populate this with the latest release tag.
      version: vX.Y.Z
```
Dynamic config
```yaml
# dynamic.yml
http:
  middlewares:
    oidc-auth:
      plugin:
        google-oidc-auth-middleware:
          oidc:
            clientID: example.apps.googleusercontent.com
            clientSecret: fake-secret
          cookie:
            secret: mySecretKey
          authorized:
            emails:
            domains:
              - example.com
  routers:
    my-router:
      rule: host(`localhost`)
      service: service-foo
      entryPoints:
        - web
      middlewares:
        - oidc-auth
```