Getting Started
Configure the Plugin
Enable the plugin in your Traefik static configuration.

experimental:
  plugins:
    traefik-oidc-auth:
      moduleName: "github.com/sevensolutions/traefik-oidc-auth"
      version: "v0.7.0"

Configure Middleware
Caution: It is highly recommended to change the default encryption secret by providing your own 32-character secret using the Secret option.
You can generate a random one here: https://it-tools.tech/token-generator?length=32
This is an example using a YAML file configuration:

http:
  services:
    whoami:
      loadBalancer:
        servers:
          - url: http://whoami:80
  middlewares:
    oidc-auth:
      plugin:
        traefik-oidc-auth:
          Secret: "MLFs4TT99kOOq8h3UAVRtYoCTDYXiRcZ" # Please change this secret for your setup
          Provider:
            Url: "https://<YourIdentityProviderUrl>"
            ClientId: "<YourClientId>"
            ClientSecret: "<YourClientSecret>"
            #UsePkce: true # Or use PKCE if your Provider supports this
          Scopes: ["openid", "profile", "email"]
  routers:
    whoami:
      entryPoints: ["web"]
      rule: "HostRegexp(`.+`)"
      service: whoami
      middlewares: ["oidc-auth"]

This is an example using the Kubernetes IngressRoute CRD configuration:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oidc
  namespace: traefik
spec:
  plugin:
    traefik-oidc-auth: # same key as in the static configuration
      Secret: "urn:k8s:secret:oidc-secret:pluginSecret"
      Provider:
        # You could just write strings here for the values.
        ClientId: "abcd-12345"
        # Or you can reference a Secret in the same namespace as the Middleware.
        # This will resolve to the value of the providerClientSecret key
        # in the secret named oidc-secret.
        ClientSecret: "urn:k8s:secret:oidc-secret:providerClientSecret"
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: traefik
spec:
  routes:
    - kind: Rule
      match: Host(`whoami.mycluster.com`)
      middlewares:
        - name: oidc
      services:
        - kind: Service
          name: whoami
          port: 80
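
The Middleware above resolves `urn:k8s:secret:oidc-secret:pluginSecret` and `urn:k8s:secret:oidc-secret:providerClientSecret` from a Secret that the page does not show. The script below is an added example, not part of the plugin's documentation: it generates the 32-character plugin secret locally from the kernel CSPRNG and prints a matching Secret manifest. The function names and the `PROVIDER_CLIENT_SECRET` environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the plugin docs). Typical use:
#   PROVIDER_CLIENT_SECRET='<YourClientSecret>' sh make-oidc-secret.sh | kubectl apply -f -
# The file name make-oidc-secret.sh is an assumption.

# Print a 32-character alphanumeric secret read from /dev/urandom.
# tr discards every byte outside A-Za-z0-9, so each character is uniformly
# distributed over the 62-symbol alphabet.
gen_secret() (
  s=$(head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
  [ "${#s}" -ge 32 ] || exit 1   # practically unreachable; fail instead of returning a short secret
  printf '%.32s\n' "$s"
)

# Encode a value for the Secret's "data" map (base64, single line).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Render the Secret referenced by the Middleware.
#   $1 = plugin encryption secret (must be exactly 32 characters)
#   $2 = OIDC client secret issued by the identity provider
# Values are base64-encoded so quotes or backslashes in the client secret
# cannot break the YAML.
render_secret_manifest() {
  if [ "${#1}" -ne 32 ]; then
    echo "plugin secret must be exactly 32 characters" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: oidc-secret
  namespace: traefik   # same namespace as the Middleware
type: Opaque
data:
  pluginSecret: $(b64 "$1")
  providerClientSecret: $(b64 "$2")
EOF
}

# Only emit a manifest when the client secret was supplied by the caller.
if [ -n "${PROVIDER_CLIENT_SECRET:-}" ]; then
  render_secret_manifest "$(gen_secret)" "$PROVIDER_CLIENT_SECRET"
fi
```

Because the secret values pass through the environment and a pipe, they never land in shell history or on disk unless the output is redirected to a file.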