# Kanidm

## Setup Kanidm
To create or manage OAuth2 clients, use the `kanidm` client as a member of the `system_admins` or `idm_hp_oauth2_manage_priv` group.
- Create a new OAuth2 client:

```shell
kanidm system oauth2 create <client_id> <displayname> <landing page url>
```
- Update the scope map so the client can be used with OpenID Connect (OIDC):

```shell
kanidm system oauth2 update-scope-map <client_id> <group_name> openid
```

You might also want to include other scopes here, e.g. `profile`, `email` or `groups`:

```shell
kanidm system oauth2 update-scope-map <client_id> <group_name> openid profile email groups
```

You can use `idm_all_persons` as `<group_name>` if you are fine with all persons having access to the client.

- Add a redirect URL: specify the public URL of your application and append the path `/oidc/callback`. You might need to add all the subdomains where you plan to use this middleware, or use the Absolute URL configuration instead.

```shell
kanidm system oauth2 add-redirect-url <client_id> https://login.example.com/oidc/callback
```
- Let's verify what we have now. In the example below, `traefik-oauth2` is the `<client_id>`:

```shell
kanidm system oauth2 get <client_id>
```

```
class: account
class: memberof
class: oauth2_resource_server
class: oauth2_resource_server_basic
class: object
directmemberof: [email protected]
displayname: Traefik OAuth
es256_private_key_der: private_binary
memberof: [email protected]
name: traefik-oauth2
oauth2_allow_insecure_client_disable_pkce: true
oauth2_rs_basic_secret: hidden
oauth2_rs_origin: https://login.example.com/oidc/callback
oauth2_rs_origin_landing: https://login.example.com/
oauth2_rs_scope_map: [email protected]: {"email", "groups", "openid", "profile"}
oauth2_rs_token_key: hidden
oauth2_strict_redirect_uri: true
spn: traefik-[email protected]
uuid: f1f4e707-832e-4beb-ba12-9410b883dddf
```

You will find all Kanidm configuration options in the Kanidm documentation.
Tip: Before you start, make sure your Kanidm has a valid (not self-signed) TLS certificate and that `idm.example.com` is reachable from the Traefik container/host.
## Middleware Configuration

Tip: To display the client's secret, use `kanidm system oauth2 show-basic-secret <client_id>`.
Three variants follow: a relative URL with PKCE, a relative URL without PKCE, and an absolute URL without PKCE plus Forward Auth headers.
Relative URL with PKCE:

```yaml
http:
  middlewares:
    oidc-auth:
      plugin:
        traefik-oidc-auth:
          Provider:
            Url: "https://idm.example.com/oauth2/openid/<client_id>"
            ClientId: "<client_id>"
            TokenValidation: "IdToken"
            UsePkce: true
          Scopes: ["openid", "profile"]
```
Relative URL without PKCE:

```yaml
http:
  middlewares:
    oidc-auth:
      plugin:
        traefik-oidc-auth:
          Provider:
            Url: "https://idm.example.com/oauth2/openid/<client_id>"
            ClientId: "<client_id>"
            ClientSecret: "<client_secret>"
            TokenValidation: "IdToken"
          Scopes: ["openid", "profile"]
```
Absolute URL without PKCE and Forward Auth headers:

```yaml
http:
  middlewares:
    oidc-auth:
      plugin:
        traefik-oidc-auth:
          LogLevel: DEBUG
          CallbackUri: "https://login.example.com/oidc/callback"
          SessionCookie:
            Domain: ".example.com"
          Provider:
            Url: "https://idm.example.com/oauth2/openid/<client_id>"
            ClientId: "<client_id>"
            ClientSecret: "<client_secret>"
            TokenValidation: "IdToken"
            UsePkce: false
          Scopes: ["openid", "profile", "email", "groups"]
          # Claims from the ID token are forwarded to the backend as headers
          Headers:
            - Name: "Remote-User"
              Value: "{{ .claims.preferred_username }}"
            - Name: "Remote-Email"
              Value: "{{ .claims.email }}"
            - Name: "Remote-Groups"
              Value: "{{ .claims.groups }}"
            - Name: "Remote-Name"
              Value: "{{ .claims.name }}"
  routers:
    auth:
      rule: "Host(`login.example.com`)"
      service: noop@internal
      middlewares: ["oidc-auth@file"]
```
Note: You need to set `TokenValidation` to `IdToken` to populate the claims. Otherwise, they do not include any scopes.
Note: Kanidm enforces PKCE by default. To disable this behaviour, use `kanidm system oauth2 warning-insecure-client-disable-pkce <client_id>`.
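A pre-flight check that compares the Kanidm client (as printed by `kanidm system oauth2 get`) with the middleware settings from the Absolute URL variant: redirect URL, client id, granted scopes, the PKCE setting and the `TokenValidation`/`Headers` requirement. This is an added example, not code from the traefik-oidc-auth project or from Kanidm; the `kanidm` output and the middleware dict are constructed samples, and the group name `idm_all_persons@idm.example.com` in the scope map is a placeholder.

```python
import re
# Constructed sample: `kanidm system oauth2 get` output trimmed to the attributes
# checked below; the group's domain part is a placeholder, not taken from the page.
KANIDM_GET_OUTPUT = """\
name: traefik-oauth2
oauth2_allow_insecure_client_disable_pkce: true
oauth2_rs_origin: https://login.example.com/oidc/callback
oauth2_rs_scope_map: idm_all_persons@idm.example.com: {"email", "groups", "openid", "profile"}
oauth2_strict_redirect_uri: true
"""
# Constructed sample: the "Absolute URL" tab's middleware settings as a dict.
MIDDLEWARE = {
    "CallbackUri": "https://login.example.com/oidc/callback",
    "Provider": {"Url": "https://idm.example.com/oauth2/openid/traefik-oauth2",
                 "ClientId": "traefik-oauth2", "TokenValidation": "IdToken", "UsePkce": False},
    "Scopes": ["openid", "profile", "email", "groups"],
    "Headers": [{"Name": "Remote-User", "Value": "{{ .claims.preferred_username }}"}],
}

def parse_kanidm_get(text):
    """Parse `key: value` lines; redirect URLs and scope maps can repeat, so collect them."""
    attrs = {"oauth2_rs_origin": [], "oauth2_rs_scope_map": {}}
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key == "oauth2_rs_origin":
            attrs[key].append(value)
        elif key == "oauth2_rs_scope_map":
            group, _, scopes = value.partition(": ")
            attrs[key][group] = set(re.findall(r'"([^"]+)"', scopes))
        elif key:
            attrs[key] = value
    return attrs

def check(attrs, mw):
    """Return a list of findings; an empty list means both sides agree."""
    findings, prov = [], mw["Provider"]
    if mw["CallbackUri"] not in attrs["oauth2_rs_origin"]:
        findings.append("CallbackUri is not a registered redirect URL (oauth2_rs_origin)")
    if prov["ClientId"] != attrs.get("name") or not prov["Url"].endswith("/" + prov["ClientId"]):
        findings.append("ClientId or Provider.Url does not match the Kanidm client name")
    granted = set().union(*attrs["oauth2_rs_scope_map"].values())
    missing = sorted(set(mw["Scopes"]) - granted)
    if missing:
        findings.append("scopes requested but absent from every scope map: " + ", ".join(missing))
    if not prov.get("UsePkce", True) and attrs.get("oauth2_allow_insecure_client_disable_pkce") != "true":
        findings.append("UsePkce is false but Kanidm still enforces PKCE for this client")
    if mw.get("Headers") and prov.get("TokenValidation") != "IdToken":
        findings.append("Headers reference claims but TokenValidation is not IdToken")
    return findings
```

Run `check(parse_kanidm_get(KANIDM_GET_OUTPUT), MIDDLEWARE)` after editing either side; any non-empty result points at a mismatch that would otherwise only surface as a failed login.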