Google OIDC Auth

v0.1.0

Traefik Google OIDC Auth Middleware

This is a Traefik middleware plugin that authenticates users with Google OpenID Connect, and then checks that their email address or Google Workspace domain is authorized.

Requirements

  • Set up a new project in the Google API console to obtain a client ID and client secret. See the Google developer docs.
  • Install the plugin in Traefik using static config.
  • Configure the middleware in dynamic config.
  • Associate the middleware with a service (via a router, as in the example below).

Configuration

Option              Default         Required  Description
oidc.clientID                       X         OAuth client ID.
oidc.clientSecret                   X         OAuth client secret.
oidc.callbackPath   /oidc/callback            The path where the OIDC provider will redirect the user after authenticating.
cookie.name         oidc_auth                 Name of the cookie. It can be customized to avoid collisions when running multiple instances of the middleware.
cookie.path         /                         Limits the scope of the cookie to a specific path. Defaults to '/'.
cookie.secret                       X         HMAC key for cookie signing; provides integrity protection for cookies.
cookie.duration     24h                       Validity period for new cookies. Users are granted access for this length of time regardless of changes to the user's account in the OIDC provider. Uses the Go time.Duration format.
cookie.insecure     false                     Set to true to omit the Secure attribute from cookies.
authorized.emails                   X         List of allowed email addresses.
authorized.domains                  X         List of allowed domains.
debug               false                     Enable debug logging to stdout.
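The two checks the options above describe, the authorized.emails / authorized.domains rule and the HMAC-signed cookie with a cookie.duration expiry, as an added illustration in Go that is not the plugin's own code. The cookie layout "email|expiryUnix|mac" and the function names are assumptions chosen to show what cookie.secret protects against (an edited email or expiry fails the MAC) and why a still-valid cookie outlives account changes at the provider.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"strconv"
	"strings"
	"time"
)
// IsAuthorized: address is in authorized.emails, or its domain part is in
// authorized.domains (case-insensitive, exact match, so no subdomains).
func IsAuthorized(emails, domains []string, email string) bool {
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return false // not a well-formed address
	}
	match := func(list []string, v string) bool {
		for _, x := range list {
			if strings.EqualFold(x, v) {
				return true
			}
		}
		return false
	}
	return match(emails, email) || match(domains, email[at+1:])
}
func mac(secret, payload string) []byte { // HMAC-SHA256 keyed with cookie.secret
	m := hmac.New(sha256.New, []byte(secret))
	m.Write([]byte(payload))
	return m.Sum(nil)
}
// SignCookie emits "email|expiryUnix|mac" (assumed layout); expiry is now+cookie.duration.
func SignCookie(secret, email string, now time.Time, d time.Duration) string {
	payload := email + "|" + strconv.FormatInt(now.Add(d).Unix(), 10)
	return payload + "|" + base64.RawURLEncoding.EncodeToString(mac(secret, payload))
}
// VerifyCookie returns the email and true only if the MAC verifies (constant-time) and the cookie is unexpired.
func VerifyCookie(secret, cookie string, now time.Time) (string, bool) {
	p := strings.Split(cookie, "|")
	got, err := base64.RawURLEncoding.DecodeString(p[len(p)-1])
	if len(p) != 3 || err != nil || !hmac.Equal(got, mac(secret, p[0]+"|"+p[1])) {
		return "", false // malformed, undecodable, or tampered
	}
	exp, err := strconv.ParseInt(p[1], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", false // unparsable or expired
	}
	return p[0], true
}
```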

Headers

X-Forwarded-User

When the middleware proxies a request it adds an X-Forwarded-User header containing the user's email address.

Example config

Static config

# traefik.yml
experimental:
  plugins:
    google-oidc-auth-middleware:
      moduleName: "github.com/andrewkroh/google-oidc-auth-middleware"
      # Populate this with the latest release tag.
      version: vX.Y.Z

Dynamic config

# dynamic.yml
http:
  middlewares:
    oidc-auth:
      plugin:
        google-oidc-auth-middleware:
          oidc:
            clientID: example.apps.googleusercontent.com
            clientSecret: fake-secret
          cookie:
            secret: mySecretKey
          authorized:
            emails:
            domains:
              - example.com
  routers:
    my-router:
      rule: host(`localhost`)
      service: service-foo
      entryPoints:
        - web
      middlewares:
        - oidc-auth