This video is really amazing. I was looking for a way to set up forward auth for Traefik, and this is a perfect explanation of how to do just that. Thanks very much.
Awesome demo 👍 Is it possible to use this auth workflow to authenticate users to Docker services that have their own built-in authentication, like GitLab, so users do not have to log in twice (my auth server and GitLab)? And one more question about your demo: how can I control which GitHub users have access to the nginx service?
To log in to GitLab you would need an auth server that knows how to handle the authentication with GitLab. In terms of restricting access to the nginx service, that's a good question. In Traefik, I believe you can specify a custom header that describes what service is trying to be accessed, something like "x-service-id", which your authentication server could use to see if the user has access to the service. I would have to check on that though.
@_heyMP Yeah, actually I am playing around with Keycloak and Traefik. Keycloak is a full OIDC provider which can handle the GitLab authentication flow. I want to combine Keycloak with the traefik-forward-auth library to protect routes to each service with Traefik. I know you can also use a keycloak-auth-proxy in front of each Docker service to protect the route, but idk which is better to use. For now I am looking for a solution for how I can set permissions in Keycloak for each service but still have the nice SSO flow, so you need to log in once and can use all services you have access to. If you would like to extend your tutorial, or have other ideas to get this working, I would be very happy.
I'm guessing that this only works if the response code is 2xx. If so, is there any other way of confirming that the user is authenticated, maybe something with role-based access? E.g. we know the user is logged in, but still doesn't have access to a particular route.
Correct. The Forward Auth is just solving the "how do I make sure that everyone is logged in?" problem. You would still need to think about how you would like to solve the role-based issues. The strategy that I'm gravitating toward is that you define some high-level roles at the auth server layer; when the user is redirected from the app to the auth server, it will send the app a JWT token that contains the user name and role. If the app needs to define any custom roles, then it can do some very lightweight user management also.
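An added example, not code from the video or from any commenter: a sketch of the decision a forward-auth endpoint could make when the JWT carries a role, answering 2xx to let Traefik pass the request, 401 for "not logged in" and 403 for "logged in but not allowed on this service". The HS256 shared secret, the `role` claim name, the bearer token in `Authorization`, the hostnames and the role table are assumptions; `X-Forwarded-Host` is the header Traefik sets on the forward-auth request.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # assumption: HS256 key held by the auth server
# Assumption: roles allowed per service host (hostnames are constructed).
SERVICE_ROLES = {"nginx.example.test": {"admin", "viewer"},
                 "gitlab.example.test": {"admin"}}

def b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(claims: dict) -> str:
    """Issue an HS256 token (stands in for the auth server at login)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

def verify(token: str):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":  # refuse "none" / alg swaps
            return None
        want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64d(sig)):      # constant-time compare
            return None
        claims = json.loads(b64d(body))
        return claims if claims["exp"] > time.time() else None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None                                       # malformed token

def forward_auth(headers: dict) -> int:
    """Status code the auth endpoint answers Traefik with for one request."""
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    claims = verify(token)
    if claims is None:
        return 401                        # no valid session: not logged in
    allowed = SERVICE_ROLES.get(headers.get("X-Forwarded-Host", ""), set())
    # Unknown hosts get an empty role set, so the default is deny.
    return 200 if claims.get("role") in allowed else 403
```
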
Really helpful, thank you so much
Amazing
This video might be of interest ruclips.net/video/obxNix6w2aE/видео.html
This is for Traefik 1 not 2 - correct?
Yes, v1.7 I believe.
Yeah this was for 1.7 I believe.