
Traefik OIDC Authentication

A Traefik middleware plugin that secures your services with OIDC (OpenID Connect) authentication and claim-based authorization — without modifying your upstream applications.

Features

OIDC / OAuth 2.0

Intercepts every request in Traefik and validates OAuth tokens — no changes needed in your upstream services.

Claim-Based Authorization

Assert JWT claims with flexible AnyOf / AllOf rules and JSON-path selectors to control who can access what.

PKCE Support

Enable PKCE for public clients (SPAs, CLIs) to protect against authorization code interception attacks.

Token Auto-Renewal

Tokens are transparently refreshed before they expire, keeping sessions alive without user interruption.

Header Forwarding

Pass tokens or any JWT claim to your upstream service via custom headers using Go template expressions.

Bypass Rules

Skip authentication for public paths, specific hosts, or internal IP ranges using Traefik-style rules.

Custom Error Pages

Serve your own branded HTML for 401 Unauthenticated and 403 Unauthorized responses.

Multiple Identity Providers

Works with any OIDC-compliant provider. Tested with 7+ popular providers out of the box.

Supported Identity Providers

Works with any OIDC-compliant provider. Dedicated guides for:

Authentik, Microsoft Entra ID, Kanidm, Keycloak, Logto, PocketID, ZITADEL

Ready to get started?

Follow the Getting Started guide to add OIDC authentication to any Traefik-proxied service in minutes.
