How this Plugin Works
The Traefik OIDC Authentication plugin secures upstream services by integrating OAuth 2.0 authentication directly into the Traefik reverse proxy. Acting as an authentication middleware, the plugin intercepts incoming requests and performs the following steps:
-
Authentication Verification
Checks for the presence of a valid OAuth token, provided via Cookie. -
Token Validation
Verifies the token with the configured OAuth provider, ensuring it is valid and unexpired. -
User Authorization
Confirms that the authenticated user has the necessary permissions to access the upstream service. This may involve claim validation or matching user roles. -
Request Handling
If the token is valid, the plugin allows the request to pass through to the upstream service. If the token is missing, invalid, or unauthorized, the plugin redirects the user to the OAuth provider's authorization endpoint or returns an HTTP error (e.g., 401 Unauthorized).
The plugin simplifies secure access to protected services, eliminating the need for individual applications to implement OAuth flows. It is especially useful for services running behind Traefik in microservices architectures. Configuration typically includes specifying the OAuth provider, client credentials, and allowed scopes or roles.