KeyCloak - Funky Penguin's Geek Cookbook

While the Traefik Forward Auth recipe demonstrated a quick way to protect a set of explicitly-specified URLs using OIDC credentials from a Google account, this recipe will illustrate how to use your own KeyCloak instance to secure any URLs within your DNS domain.


This is a companion discussion topic for the original entry at https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/traefik-forward-auth/keycloak/

Hi there!
First of all, thanks for your wonderful recipes!
Second, I have been trying, but without success, to configure a traefik-forward-auth to work with my existing traefik and keycloak, but I always get 307 to the googleapis.
It’s been 3 days and I can’t find the issue.
Would you be able to pin point the problem?

Swap to this container - https://hub.docker.com/r/funkypenguin/traefik-forward-auth

The one in the compose doesn’t actually support anything other than Google.


IT’S ALIVE! ALIVE!!!
Thanks!!


:+1: The “official” image will be updated with generic OIDC support in due course :slight_smile:

failed to get oidc parametere from oidc connect…

Any help here?

    CLIENT_ID=Forward-auth
    CLIENT_SECRET=9ca3050f-954b-4859-b007-da93kd00d
    OIDC_ISSUER=https://keycloak.127.0.0.1.xip.io/auth/realms/master
    SECRET=elfgj04
    AUTH_HOST=auth.127.0.0.1.xip.io
    COOKIE_DOMAINS=127.0.0.1.xip.io

    traefik-forward-auth:
      image: funkypenguin/traefik-forward-auth
      env_file: ./assets/traefik.env
      networks:
        - web
        - internal
      labels:
        - traefik.port=4181
        - traefik.frontend.rule=Host:auth.127.0.0.1.xip.io
        - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
        - traefik.frontend.auth.forward.trustForwardHeader=true

If you exec into the traefik-forward-auth container, can you curl the OIDC issuer URL?

My guess (from the somewhat strange hostname) is you’re running Keycloak on a 127.0.0.1 address - that won’t work inside a container. It must listen on a non-local IP (e.g. in a non-public range like 172.16/12 or 192.168/16).

I edited the IP to 127.0.0.1 for privacy reasons.

Container exits before I can exec: traefik-forward-auth_1 exited with code 1

I am having the same issue as @thebetterjort

level=fatal msg="failed to get oidc parametere from oidc connect"
which to me feels like its working up to https://github.com/funkypenguin/traefik-forward-auth/blob/6d516ec16d93ce26654f18aff22de331935fe6ba/main.go#L150

EDIT: I am an idiot… somehow my traefik_public network was down… I got it back, and now the container is stable.

Is it possible to run one instance of this over a variety of applications with different permissions?

Either by configuring OIDC_ISSUER as a label on the other application, configuring it based on the redirect host, or by other means.

Or do I need to duplicate this container for each realm?


Hello,

I followed your setup but when I try to access whoami, I am redirected to KeyCloak web interface with an error “Invalid parameter: redirect_uri”

When checking the full URL, I noticed the following:

https://keycloak.mydomain.com/auth/realms/master/protocol/openid-connect/auth?client_id=traefik-forward-auth&redirect_uri=https%3A%2F%2Fwhoami.mydomain.com (…)

From my understanding, it should be redirected to auth, not whoami? Any idea?

I confirm I have AUTH_HOST configured as explained, and here is how I deploy whoami (currently in the same stack as traefik):

  whoami:
    image: emilevauge/whoami
    networks:
      - traefik_public
    deploy:
      labels:
        - traefik.enable=true
        # - traefik.backend=whoami
        - traefik.frontend.rule=Host:whoami.mydomain.com
        - traefik.port=80
        - traefik.tags=traefik_public
        - traefik.docker.network=traefik_public
        # Traefik service that listens to HTTP
        - traefik.redirectorservice.frontend.entryPoints=http
        - traefik.redirectorservice.frontend.redirect.entryPoint=https
        # Traefik service that listens to HTTPS
        - traefik.webservice.frontend.entryPoints=https
        - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
        - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
        - traefik.frontend.auth.forward.trustForwardHeader=true

What settings do you have for your My-traefik-forward-auth in your keycloak client admin page?
What are your settings for your auth container?
Are you with cloudflare? letsencrypt SSL?

Your whoami container traefik labels look way too complex for testing…
You should be able to get away with

    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:whoami.mydomain.com
      - traefik.port=80
      - traefik.docker.network=traefik_public
      - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
      - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
      - traefik.frontend.auth.forward.trustForwardHeader=true

My Config: (missing some bits as I just copied the main section)

    image: funkypenguin/traefik-forward-auth
    env_file: /var/data/config/traefik/traefik-app.env
    networks:
      - networks_public
    depends_on:
      - traefik-app
    deploy:
      labels:
        - traefik.port=4181
        - traefik.enable=true
        - traefik.frontend.rule=Host:auth.mydomain.com
        - traefik.docker.network=traefik_public
        - traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181
        - traefik.frontend.auth.forward.trustForwardHeader=true

my traefik-app.env file (mix of traefik, traefik-forward-auth, and cert dumper settings)

TZ=Region/Place
PUID=999
PGID=999
# For cloudflare
CLOUDFLARE_EMAIL=$myemail
CLOUDFLARE_API_KEY=$apikey
CLIENT_ID=my-traefik-forward-auth
CLIENT_SECRET=$SECRETKEY
OIDC_ISSUER=https://keycloak.mydomain.com/auth/realms/master
SECRET=$ANOTHERSECRET
AUTH_HOST=auth.mydomain.com
COOKIE_DOMAINS=mydomain.com
LOG_LEVEL=error

I answered my own question… I made a typo for COOKIE_DOMAINS. I forgot to add the S (although the instructions are very clear, I was confused by the original repository, where this option was without the S).
Now it works fine.

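The three misconfigurations that came up in this thread can all be caught before the container is even started: an OIDC_ISSUER on a loopback address (which, from inside the traefik-forward-auth container, is the container itself rather than Keycloak), a protected host or AUTH_HOST that is not covered by COOKIE_DOMAINS (so the redirect_uri sent to Keycloak falls back to the requesting host, e.g. whoami, instead of the auth host), and the COOKIE_DOMAIN-without-S typo. The Python lint below is an added example, not part of this thread or of the traefik-forward-auth project. Both env files are constructed samples modelled on the configs posted above, and the `protected_hosts` argument is an assumed input: the list of Host rules you have put forward-auth labels on.

```python
"""Lint a traefik-forward-auth env file for the pitfalls discussed in this thread.

Added example; the option names (CLIENT_ID, CLIENT_SECRET, OIDC_ISSUER, SECRET,
AUTH_HOST, COOKIE_DOMAINS) are the ones used in the thread, the sample env
files are constructed, and `protected_hosts` is an assumed input.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample modelled on the first poster's config: loopback issuer,
# singular COOKIE_DOMAIN. Secrets are placeholders.
BAD_ENV = """\
CLIENT_ID=Forward-auth
CLIENT_SECRET=placeholder-client-secret
OIDC_ISSUER=https://keycloak.127.0.0.1.xip.io/auth/realms/master
SECRET=placeholder-cookie-secret
AUTH_HOST=auth.127.0.0.1.xip.io
COOKIE_DOMAIN=127.0.0.1.xip.io
"""

# Constructed sample modelled on the later working config.
GOOD_ENV = """\
CLIENT_ID=my-traefik-forward-auth
CLIENT_SECRET=placeholder-client-secret
OIDC_ISSUER=https://keycloak.mydomain.com/auth/realms/master
SECRET=placeholder-cookie-secret
AUTH_HOST=auth.mydomain.com
COOKIE_DOMAINS=mydomain.com
LOG_LEVEL=error
"""

REQUIRED = ("CLIENT_ID", "CLIENT_SECRET", "OIDC_ISSUER", "SECRET")
# Option names seen mistyped in the thread, mapped to the spelling this image expects.
KNOWN_TYPOS = {"COOKIE_DOMAIN": "COOKIE_DOMAINS"}
IP_IN_NAME = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_env(text):
    """Parse KEY=VALUE lines (docker-compose env_file style), ignoring comments and blanks."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def embedded_ip(host):
    """Return the IP literal found in a host name, or None.

    Covers plain IP hosts and wildcard-DNS names such as keycloak.127.0.0.1.xip.io,
    which resolve to the address embedded in the name. Ordinary DNS names need a
    real lookup and are reported as None here (offline check).
    """
    match = IP_IN_NAME.search(host)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def covered_by(host, cookie_domains):
    """True when host equals, or is a subdomain of, one of the cookie domains."""
    host = host.lower()
    domains = [d.strip().lower() for d in cookie_domains if d.strip()]
    return any(host == d or host.endswith("." + d) for d in domains)


def check_env(env, protected_hosts=()):
    """Return a list of human-readable problems; an empty list means the config passes."""
    problems = []
    for key in REQUIRED:
        if not env.get(key):
            problems.append(f"{key} is missing or empty")
    for wrong, right in KNOWN_TYPOS.items():
        if wrong in env and right not in env:
            problems.append(f"{wrong} is not a recognised option; use {right}")

    issuer = urlparse(env.get("OIDC_ISSUER", ""))
    if issuer.scheme not in ("http", "https") or not issuer.hostname:
        problems.append("OIDC_ISSUER is not a valid http(s) URL")
    else:
        ip = embedded_ip(issuer.hostname)
        if ip is not None and ip.is_loopback:
            problems.append(
                f"OIDC_ISSUER points at loopback address {ip}; inside the container "
                "that is the container itself, not Keycloak"
            )

    cookie_domains = env.get("COOKIE_DOMAINS", "").split(",")
    auth_host = env.get("AUTH_HOST")
    if auth_host:
        if not covered_by(auth_host, cookie_domains):
            problems.append("AUTH_HOST is not within any COOKIE_DOMAINS entry")
        for host in protected_hosts:
            if not covered_by(host, cookie_domains):
                problems.append(
                    f"{host} is not within any COOKIE_DOMAINS entry; redirect_uri "
                    f"will use {host} instead of AUTH_HOST"
                )
    return problems


if __name__ == "__main__":
    for name, text, hosts in (
        ("bad", BAD_ENV, ["whoami.127.0.0.1.xip.io"]),
        ("good", GOOD_ENV, ["whoami.mydomain.com"]),
    ):
        print(f"{name}: {check_env(parse_env(text), hosts) or 'OK'}")
```

Run it against your own env file by reading the file into `parse_env` and passing the Host rules of every service that carries `traefik.frontend.auth.forward.address` as `protected_hosts`. The loopback check is deliberately offline and only inspects IP literals embedded in the host name; for a normal DNS name, do what the reply above suggests and curl the issuer URL from inside the container.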