Oauth2 middleware redirect after login

Hi Guys,

traefik is a great service! :slight_smile:

I solved all of my problems by myself, but I have a problem I need your support with now.

I'm working on a simple REST endpoint with an AngularJS frontend. To protect the REST endpoint I integrated an oauth2 middleware to verify the cookie and handle the sign-in process.

https://github.com/pusher/oauth2_proxy

Everything looks good and works so far. The only problem is the redirect after a successful login.

I attached a minimal example to explain my problem. I added the oauth2 proxy and the whoami container protected via the oauth2 proxy.

version: '3.7'
services:
  traefik:
    image: 'traefik:cantal'
    restart: unless-stopped
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.defaultRule=Host(`{{ index .Labels "ai.ix.fqdn"}}`)
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --certificatesresolvers.mytlschallenge.acme.tlschallenge=true
      - --certificatesresolvers.mytlschallenge.acme.email=postmaster@continental.cloud
      - --certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json

    labels:
      traefik.enable: 'true'
      traefik.http.middlewares.default-compress.compress: 'true'
      traefik.http.middlewares.default-http.redirectScheme.scheme: https
      traefik.http.middlewares.default-http.redirectScheme.permanent: 'true'
      traefik.http.middlewares.default-https.chain.middlewares: default-compress
      traefik.http.routers.default-redirect.entrypoints: http
      traefik.http.routers.default-redirect.middlewares: default-http
      traefik.http.routers.default-redirect.rule: "HostRegexp(`{any:.*}`)"
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - './letsencrypt:/letsencrypt'
      - '/var/run/docker.sock:/var/run/docker.sock:ro'

  oauth:
    image: quay.io/pusher/oauth2_proxy:master
    restart: unless-stopped
    labels:
      ai.ix.expose: 'true'
      traefik.enable: 'true'
      traefik.http.middlewares.oauth-verify.forwardAuth.address: http://oauth:4180/oauth2/auth
      traefik.http.middlewares.oauth-verify.forwardAuth.trustForwardHeader: 'true'
      traefik.http.middlewares.oauth-verify.forwardAuth.authResponseHeaders: X-Forwarded-User,X-Auth-Request-Email,Set-Cookie
      traefik.http.middlewares.oauth-signin.errors.service: oauth@docker
      traefik.http.middlewares.oauth-signin.errors.status: '401'
      traefik.http.middlewares.oauth-signin.errors.query: /oauth2/sign_in
      traefik.http.routers.oauth.entrypoints: 'https'
      traefik.http.routers.oauth.rule: Host(`oauth.${DOMAIN?err}`) || PathPrefix(`/oauth2`)
      traefik.http.routers.oauth.tls.certResolver: mytlschallenge
      traefik.http.routers.oauth.service: oauth@docker
      traefik.http.services.oauth.loadbalancer.server.port: '4180'
    environment:
      OAUTH2_PROXY_CLIENT_ID: '${OAUTH2_PROXY_CLIENT_ID?err}'
      OAUTH2_PROXY_CLIENT_SECRET: '${OAUTH2_PROXY_CLIENT_SECRET?err}'
      OAUTH2_PROXY_COOKIE_DOMAIN: '.${DOMAIN?err}'
      OAUTH2_PROXY_COOKIE_REFRESH: '1h'
      OAUTH2_PROXY_COOKIE_SECURE: 'true'
      OAUTH2_PROXY_COOKIE_SECRET: '${OAUTH2_PROXY_COOKIE_SECRET?err}'
      OAUTH2_PROXY_EMAIL_DOMAINS: '*'
      OAUTH2_PROXY_FOOTER: '-'
      OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4180'
      OAUTH2_PROXY_PASS_BASIC_AUTH: 'false'
      OAUTH2_PROXY_PASS_USER_HEADERS: 'true'
      OAUTH2_PROXY_PROVIDER: 'OIDC'
      OAUTH2_PROXY_REVERSE_PROXY: 'true'
      OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: 'true'
      OAUTH2_PROXY_SET_XAUTHREQUEST: 'true'
      OAUTH2_PROXY_WHITELIST_DOMAIN: '.${DOMAIN?err}'
      OAUTH2_PROXY_LOGIN_URL: 'https://${OIDC_DOMAIN?err}/oauth2/authorize'
      OAUTH2_PROXY_PROFILE_URL: 'https://${OIDC_DOMAIN?err}/oauth2/userInfo'
      OAUTH2_PROXY_REDEEM_URL: 'https://${OIDC_DOMAIN?err}/oauth2/token'
      OAUTH2_PROXY_SCOPE: 'openid'
      OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: 'GenericPayment Login'

  whoami2:
    image: containous/whoami
    restart: unless-stopped
    labels:
      ai.ix.fqdn: api.${DOMAIN?err}
      traefik.enable: 'true'
      traefik.http.services.whoami2.loadbalancer.server.port: '80'
      traefik.http.routers.whoami2.entrypoints: https
      traefik.http.routers.whoami2.middlewares: oauth-signin,oauth-verify,default-https
      traefik.http.routers.whoami2.rule: Host(`api.${DOMAIN?err}`) && PathPrefix(`/whoami`)
      traefik.http.routers.whoami2.tls.certResolver: mytlschallenge

Going to api.${DOMAIN}/whoami

redirects to the oauth login page and stores the cookie. But the redirect after login is to

api.${DOMAIN}

instead of

api.${DOMAIN}/whoami.

If I add a new middleware to the service:

      traefik.http.routers.whoami2.middlewares: redirect-header,oauth-signin,oauth-verify,default-https
      traefik.http.middlewares.redirect-header.headers.customrequestheaders.X-Auth-Request-Redirect: /whoami

the redirect works, but only for the given static URL, /whoami.

In nginx there is a runtime variable $request_uri which can be used to set the header value.

Is there a similar variable or setting available in traefik? Does somebody have experience with such an oauth2 middleware and can give me some hints and tips on how I can fix my redirect problem?

Thanks for your help and have a nice day!

1 Like
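An added illustration, not oauth2_proxy's or Traefik's code and not part of the original post, of how a forward-auth endpoint can derive the post-login redirect dynamically from the X-Forwarded-Proto/Host/Uri headers that Traefik's forwardAuth middleware sends, and why that value has to be checked against the cookie/whitelist domain before it is put into oauth2_proxy's rd parameter. The whitelist domain and hostnames are assumed values, and safeRedirect is a simplified check rather than oauth2_proxy's own validation.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// Assumed value for this example: the cookie/whitelist domain from the compose file.
const whitelistDomain = ".example.com"

// redirectTarget rebuilds the URL the user originally requested from the
// X-Forwarded-* headers Traefik's forwardAuth middleware sends to the auth
// service; this is what lets the login return to /whoami instead of the root.
func redirectTarget(h http.Header) string {
	proto, host := h.Get("X-Forwarded-Proto"), h.Get("X-Forwarded-Host")
	if proto == "" || host == "" {
		return "/"
	}
	// X-Forwarded-Uri carries the path and query string of the original request.
	return proto + "://" + host + h.Get("X-Forwarded-Uri")
}

// safeRedirect accepts a redirect only if it is a site-relative path or an
// https URL under the whitelisted domain; anything else becomes "/", so a
// forged header cannot turn the sign-in flow into an open redirect.
func safeRedirect(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "/"
	}
	if u.Scheme == "" && u.Host == "" {
		// Reject protocol-relative ("//evil") and backslash tricks ("/\evil").
		if strings.HasPrefix(raw, "/") && !strings.HasPrefix(raw, "//") && !strings.HasPrefix(raw, "/\\") {
			return raw
		}
		return "/"
	}
	host := u.Hostname()
	if u.Scheme == "https" && (host == strings.TrimPrefix(whitelistDomain, ".") || strings.HasSuffix(host, whitelistDomain)) {
		return u.String()
	}
	return "/"
}

// signInLocation is the sign-in URL with oauth2_proxy's rd parameter filled dynamically.
func signInLocation(h http.Header) string {
	q := url.Values{"rd": {safeRedirect(redirectTarget(h))}}
	return "/oauth2/sign_in?" + q.Encode()
}
```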

There are suggested workarounds at the oauth2-proxy issue "Not redirecting to subpath after login using Traefik's 401 errors middleware" · Issue #1297 · oauth2-proxy/oauth2-proxy · GitHub