Kanidm
Setup Kanidm
To create or manage OAuth2 clients, use the kanidm client as a member of the system_admins or idm_hp_oauth2_manage_priv group.
- Create a new OAuth2 client:

  ```bash
  kanidm system oauth2 create <client_id> <displayname> <landing page url>
  ```

- Update the scope map so the client can be used with OpenID Connect (OIDC). The openid scope is required:

  ```bash
  kanidm system oauth2 update-scope-map <client_id> <group_name> openid
  ```

  You might also want to include other scopes here, e.g. profile, email or groups:

  ```bash
  kanidm system oauth2 update-scope-map <client_id> <group_name> openid profile email groups
  ```

  You can use idm_all_persons as <group_name> if you are fine with all persons having access to the client.

- Add a redirect URL: the public URL of your application with the path /oidc/callback appended. Kanidm matches redirect URLs exactly (oauth2_strict_redirect_uri is true on the client), so scheme, host and path must match what the middleware sends. With the Relative URL configuration every host that uses this middleware redirects to its own /oidc/callback, so register each subdomain you plan to protect, or use the Absolute URL configuration so a single callback host serves them all:

  ```bash
  kanidm system oauth2 add-redirect-url <client_id> https://login.example.com/oidc/callback
  ```

- Verify what we have now:

  ```bash
  kanidm system oauth2 get <client_id>
  ```

  In the example below traefik-oauth2 is the <client_id>:
```
class: account
class: memberof
class: oauth2_resource_server
class: oauth2_resource_server_basic
class: object
directmemberof: [email protected]
displayname: Traefik OAuth
es256_private_key_der: private_binary
memberof: [email protected]
name: traefik-oauth2
oauth2_allow_insecure_client_disable_pkce: true
oauth2_rs_basic_secret: hidden
oauth2_rs_origin: https://login.example.com/oidc/callback
oauth2_rs_origin_landing: https://login.example.com/
oauth2_rs_scope_map: [email protected]: {"email", "groups", "openid", "profile"}
oauth2_rs_token_key: hidden
oauth2_strict_redirect_uri: true
spn: traefik-[email protected]
uuid: f1f4e707-832e-4beb-ba12-9410b883dddf
```
You will find all Kanidm configuration options in the documentation.
Tip: Before you start, make sure your Kanidm has a valid (and not self-signed) TLS certificate and that idm.example.com is reachable from the Traefik container/host.
Middleware Configuration
Tip: To display the client's secret, use kanidm system oauth2 show-basic-secret <client_id>

Note: Kanidm enforces PKCE by default. Prefer keeping it enabled and setting UsePkce: true in the middleware. If you need one of the configurations below that runs without PKCE, disable the check on the client with kanidm system oauth2 warning-insecure-client-disable-pkce <client_id>. The command name is a deliberate warning: without PKCE, client authentication with the secret is the only thing preventing an intercepted authorization code from being redeemed.
Relative URL with PKCE: every protected host redirects back to its own /oidc/callback, so each host must be registered as a redirect URL in Kanidm.

```yaml
http:
  middlewares:
    oidc-auth:
      plugin:
        traefik-oidc-auth:
          Provider:
            Url: "https://idm.example.com/oauth2/openid/<client_id>"
            ClientId: "<client_id>"
            UsePkce: true
          Scopes: ["openid", "profile"]
```

Relative URL without PKCE: requires the client secret and the PKCE check disabled on the Kanidm client (see the note above).

```yaml
http:
  middlewares:
    oidc-auth:
      plugin:
        traefik-oidc-auth:
          Provider:
            Url: "https://idm.example.com/oauth2/openid/<client_id>"
            ClientId: "<client_id>"
            ClientSecret: "<client_secret>"
          Scopes: ["openid", "profile"]
```

Absolute URL without PKCE and Forward Auth headers: a single callback host (login.example.com) handles the OIDC redirect for all subdomains, the session cookie is scoped to the parent domain, and the user's claims are forwarded to the upstream service as headers. Those Remote-* headers are only trustworthy if the upstream accepts traffic solely from Traefik; a client that can reach the service directly could set them itself.

```yaml
http:
  middlewares:
    oidc-auth:
      plugin:
        traefik-oidc-auth:
          LogLevel: DEBUG
          CallbackUri: "https://login.example.com/oidc/callback"
          SessionCookie:
            Domain: ".example.com"
          Provider:
            Url: "https://idm.example.com/oauth2/openid/<client_id>"
            ClientId: "<client_id>"
            ClientSecret: "<client_secret>"
            UsePkce: false
          Scopes: ["openid", "profile", "email", "groups"]
          Headers:
            - Name: "Remote-User"
              Value: "{{ .claims.preferred_username }}"
            - Name: "Remote-Email"
              Value: "{{ .claims.email }}"
            - Name: "Remote-Groups"
              Value: "{{ .claims.groups }}"
            - Name: "Remote-Name"
              Value: "{{ .claims.name }}"
  routers:
    auth:
      rule: "Host(`login.example.com`)"
      service: noop@internal
      middlewares: ["oidc-auth@file"]
```
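The values above (Provider.Url, UsePkce, Scopes, the redirect URLs) are entered by hand on both the Kanidm and the Traefik side, and a mismatch usually surfaces only as a failed login. The script below is an added example, not code from the traefik-oidc-auth plugin or from Kanidm: it cross-checks a middleware configuration against the provider's OIDC discovery document and against the attributes printed by `kanidm system oauth2 get`. The discovery document and the `get` output are constructed sample inputs so that it runs offline (fetch the real ones from `<Provider.Url>/.well-known/openid-configuration` and the kanidm CLI), the scope-map group name `idm_all_persons@idm.example.com` is an assumption, and a missing `UsePkce` key is treated as "PKCE off", which is how the "without PKCE" configurations on this page are written.

```python
"""Pre-flight consistency check for a traefik-oidc-auth middleware that
points at a Kanidm OAuth2 client (added example, not project code).

Checks performed:
  * Provider.Url against the issuer in the OIDC discovery document,
  * UsePkce against the PKCE methods the provider advertises and against
    oauth2_allow_insecure_client_disable_pkce on the Kanidm client,
  * Scopes against the scopes granted by the client's scope maps,
  * the callback URL(s) against the registered oauth2_rs_origin values,
    which Kanidm matches exactly (oauth2_strict_redirect_uri: true).
"""
import re
from urllib.parse import urlparse


def discovery_url(provider_url: str) -> str:
    """The discovery document lives under the per-client issuer URL."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


def parse_kanidm_get(text: str) -> dict:
    """Parse `key: value` lines from `kanidm system oauth2 get`. Attributes
    such as oauth2_rs_origin can repeat, so every key maps to a list."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def scope_map_scopes(attrs: dict) -> set:
    """Union of the scopes granted by all scope maps, e.g.
    'group@idm.example.com: {"email", "openid"}' -> {"email", "openid"}."""
    scopes = set()
    for entry in attrs.get("oauth2_rs_scope_map", []):
        scopes.update(re.findall(r'"([^"]+)"', entry))
    return scopes


def check_middleware(cfg: dict, discovery: dict, attrs: dict, hosts=()) -> list:
    """Return a list of problems (empty when the pairing is consistent).
    `hosts` are the public hosts protected in Relative URL mode, where each
    host redirects to its own https://<host>/oidc/callback."""
    problems = []
    provider = cfg["Provider"]
    # Assumption (from the page's layout): omitting UsePkce means PKCE is off.
    use_pkce = bool(provider.get("UsePkce", False))
    issuer = discovery.get("issuer", "")
    if provider["Url"].rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: Provider.Url={provider['Url']} but discovery issuer={issuer}")
    if urlparse(provider["Url"]).scheme != "https":
        problems.append("Provider.Url is not https")
    if use_pkce and "S256" not in discovery.get("code_challenge_methods_supported", []):
        problems.append("UsePkce is true but the provider does not advertise S256")
    if not use_pkce and "true" not in attrs.get("oauth2_allow_insecure_client_disable_pkce", []):
        problems.append("UsePkce is false but the Kanidm client still enforces PKCE")
    if not use_pkce and not provider.get("ClientSecret"):
        problems.append("no PKCE and no ClientSecret: nothing protects the code exchange")
    missing = set(cfg.get("Scopes", [])) - scope_map_scopes(attrs)
    if missing:
        problems.append(f"scopes not granted by any scope map: {sorted(missing)}")
    registered = set(attrs.get("oauth2_rs_origin", []))
    if cfg.get("CallbackUri"):                       # Absolute URL mode
        wanted = {cfg["CallbackUri"]}
    else:                                            # Relative URL mode
        wanted = {f"https://{h}/oidc/callback" for h in hosts}
    for uri in sorted(wanted - registered):
        problems.append(f"redirect URL not registered on the client: {uri}")
    return problems


# Constructed sample of the discovery document (only the fields used here).
DISCOVERY = {
    "issuer": "https://idm.example.com/oauth2/openid/traefik-oauth2",
    "code_challenge_methods_supported": ["S256"],
}

# Constructed sample of `kanidm system oauth2 get traefik-oauth2`, trimmed to
# the attributes the check reads; the group name is an assumption.
KANIDM_GET = """\
name: traefik-oauth2
oauth2_allow_insecure_client_disable_pkce: true
oauth2_rs_origin: https://login.example.com/oidc/callback
oauth2_rs_scope_map: idm_all_persons@idm.example.com: {"email", "groups", "openid", "profile"}
oauth2_strict_redirect_uri: true
"""

# The "Absolute URL without PKCE" middleware from the page, as a dict.
ABSOLUTE_CFG = {
    "CallbackUri": "https://login.example.com/oidc/callback",
    "Provider": {"Url": "https://idm.example.com/oauth2/openid/traefik-oauth2",
                 "ClientId": "traefik-oauth2", "ClientSecret": "<client_secret>",
                 "UsePkce": False},
    "Scopes": ["openid", "profile", "email", "groups"],
}

# The "Relative URL with PKCE" middleware from the page, as a dict.
RELATIVE_PKCE_CFG = {
    "Provider": {"Url": "https://idm.example.com/oauth2/openid/traefik-oauth2",
                 "ClientId": "traefik-oauth2", "UsePkce": True},
    "Scopes": ["openid", "profile"],
}

if __name__ == "__main__":
    attrs = parse_kanidm_get(KANIDM_GET)
    print("discovery:", discovery_url(ABSOLUTE_CFG["Provider"]["Url"]))
    print("absolute :", check_middleware(ABSOLUTE_CFG, DISCOVERY, attrs) or "ok")
    # Relative mode on two hosts; only login.example.com is registered.
    print("relative :", check_middleware(RELATIVE_PKCE_CFG, DISCOVERY, attrs,
                                         hosts=["login.example.com", "app.example.com"]))
```

Run it once before the first login attempt and again after every `update-scope-map` or `add-redirect-url`; the relative-mode run is the one that catches a subdomain you forgot to register, which Kanidm rejects silently on the redirect rather than at configuration time.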