Dashboard & Keycloak ForwardAuth Issue

Has anyone experienced an issue with forward auth that affects access to the dashboard specifically?

I'm running Traefik v2.0.7 in Docker Swarm and have successfully implemented a single forward auth middleware declaration via Docker labels that I am using successfully to protect several endpoints (e.g. prometheus, spark). The forward auth is to Keycloak via a traefik-fwd-auth container.

However, I am unable to successfully protect the Traefik dashboard itself in this way. The behaviour is odd. If I have logged in to one of my other protected resources, and therefore have appropriate cookies set, then I can view the dashboard as expected. This is good.

However, if I start in a fresh session and visit the dashboard directly, I see a forever-refreshing page, whereas the expected behaviour, as per other protected resources, is the Keycloak login page. See image below.

If I examine the logs of the traefik-fwd-auth container, I see the log events that I would expect to produce a login page, i.e. the exact same messages I see when I hit the other protected containers when they produce the login page:

level=debug msg="Set CSRF cookie and redirecting to oidc login" SourceIP=10.255.0.5
level=debug msg="uri.Path was %s/dashboard/service-worker.js" SourceIP=10.255.0.5
level=debug msg="fw.Path was %s/_oauth" SourceIP=10.255.0.5

My theory is that this is a bug somehow related to the special 'magic' treatment of the dashboard, i.e. declaring the service as api@internal. Anyone experienced this and have a workaround?

This is definitely a Traefik dashboard issue and is related to cookie handling.

It is still present post upgrade to Traefik 2.1.1.

Note we are operating with a 'secure' dashboard.

The title for this issue should be 'Dashboard ForwardAuth Cookies Issue' but I can't edit the original post any longer. This is not Keycloak specific.

Dashboard behavior is as follows:

  • New browser with no cached cookies processes forward auth login successfully. The login prompt (Keycloak) appears, is processed and dashboard rendered successfully.
  • In the same browser, post invalidation of the Keycloak session (and expiry of cached Keycloak cookies), navigation to the dashboard will NOT result in a login prompt but will instead render the dashboard UI with perennially refreshing empty tables (see original image above, and new one below).
  • In the same browser, clear cookies and hit refresh on the dashboard tab... the Keycloak login prompt appears correctly, and processes correctly.

Note per the original information this ONLY affects the dashboard. We have several other services protected via forward auth (using same Keycloak credentials) and can navigate between these services without issue and see login prompts on all of them straight away whenever the session is terminated and cookies expire.

Any help on this appreciated.