Traefik includes a forward-auth middleware, but there is also an OIDC-specific middleware in Traefik Enterprise Edition https://traefik.io/glossary/openid-connect-everything-you-need-to-know/
Is it possible to achieve OIDC auth with just the free forward-auth middleware in Traefik proxy? I want to secure an example service using Keycloak on Rancher Kubernetes. The forward-auth documentation isn't clear as to what the auth server can be.
Also, this GitHub project seemingly supports OIDC, https://github.com/thomseddon/traefik-forward-auth but I am a little confused with the similar names. Is it the same or different from Traefik's forward-auth? Can I use this in a production setup?
- UPDATE 1: I think the way to go is to use Traefik forward auth to forward the auth request to either gogatekeeper or oauth2-proxy. These proxies work with OIDC providers in the backend and return 2XX or 4XX codes depending on the authentication result.
Yes, it's possible to achieve OIDC auth with the forward-auth middleware, but you also need an external service like https://github.com/thomseddon/traefik-forward-auth.
I'm still working on it to create a production-ready service; I found this interesting project that does the work, https://oauth2-proxy.github.io/oauth2-proxy/, instead of the thomseddon container.
I suggest this example project, built on top of Docker; it explains the behavior of the system well: https://github.com/BlackBeltTechnology/traefik-keycloak-sso-reverse-proxy
There is also this well-documented site: https://geek-cookbook.funkypenguin.co.nz/docker-swarm/traefik-forward-auth/keycloak/
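The pattern described in UPDATE 1 and in the answer above (Traefik's free forwardAuth middleware calling oauth2-proxy, which talks OIDC to Keycloak and replies 2xx or 401) as a set of Kubernetes manifests. This is an added example, not code from the question, the answer, or the oauth2-proxy or Traefik projects. Everything named here is an assumption: the `auth` namespace, the host `app.example.com`, the Keycloak realm URL `https://keycloak.example.com/realms/myrealm`, the application Service `my-app` on port 8080, and a Secret `oauth2-proxy-secrets` holding the Keycloak client id, client secret and a 32-byte cookie secret.

```yaml
# Added example; all names/URLs below are assumptions, see the lead-in.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: auth
spec:
  replicas: 1
  selector:
    matchLabels: { app: oauth2-proxy }
  template:
    metadata:
      labels: { app: oauth2-proxy }
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
          args:
            - --provider=oidc
            - --oidc-issuer-url=https://keycloak.example.com/realms/myrealm   # assumed realm
            - --redirect-url=https://app.example.com/oauth2/callback           # must match the Keycloak client's redirect URI
            - --email-domain=*             # let Keycloak decide who may log in
            - --http-address=0.0.0.0:4180
            - --reverse-proxy=true         # trust the X-Forwarded-* headers Traefik sets
            - --set-xauthrequest=true      # return X-Auth-Request-* headers from /oauth2/auth
            - --cookie-secure=true
            - --cookie-samesite=lax
            - --skip-provider-button=true  # redirect straight to Keycloak, no interstitial page
            - --upstream=static://202      # no real upstream: this instance is only an auth server
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom: { secretKeyRef: { name: oauth2-proxy-secrets, key: client-id } }
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom: { secretKeyRef: { name: oauth2-proxy-secrets, key: client-secret } }
            - name: OAUTH2_PROXY_COOKIE_SECRET   # e.g. openssl rand -base64 32 | tr -- '+/' '-_'
              valueFrom: { secretKeyRef: { name: oauth2-proxy-secrets, key: cookie-secret } }
          ports:
            - containerPort: 4180
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  namespace: auth
spec:
  selector: { app: oauth2-proxy }
  ports:
    - port: 4180
      targetPort: 4180
---
# forwardAuth: each request is first sent to /oauth2/auth; only a 2xx reply lets it through.
apiVersion: traefik.containo.us/v1alpha1   # traefik.io/v1alpha1 on Traefik v3
kind: Middleware
metadata:
  name: oauth2-auth
  namespace: auth
spec:
  forwardAuth:
    address: http://oauth2-proxy.auth.svc.cluster.local:4180/oauth2/auth
    trustForwardHeader: true
    authResponseHeaders:   # copied from the 2xx reply onto the request forwarded to the app
      - X-Auth-Request-User
      - X-Auth-Request-Email
---
# errors: a 401 from forwardAuth becomes a redirect into the login flow, keeping the original URL.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth2-errors
  namespace: auth
spec:
  errors:
    status:
      - "401-403"
    service:
      name: oauth2-proxy
      port: 4180
    query: /oauth2/sign_in?rd={url}
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-app
  namespace: auth
spec:
  entryPoints: [websecure]
  routes:
    # Login and callback endpoints go to oauth2-proxy and must NOT sit behind the auth middleware.
    - match: Host(`app.example.com`) && PathPrefix(`/oauth2/`)
      kind: Rule
      services:
        - name: oauth2-proxy
          port: 4180
    - match: Host(`app.example.com`)
      kind: Rule
      middlewares:
        - name: oauth2-errors   # listed first so it wraps (and catches the 401 from) forwardAuth
        - name: oauth2-auth
      services:
        - name: my-app
          port: 8080
  tls: {}
```

Two checks worth doing once this is applied: `curl -sI https://app.example.com/` without a cookie should come back as a redirect into Keycloak rather than a bare 401, and `curl -sI https://app.example.com/oauth2/callback` should reach oauth2-proxy directly (if it is redirected to login, the `/oauth2/` route is wrongly behind the middleware). The reason the errors middleware is needed at all is that forwardAuth only grants access on a 2xx; any other status from the auth server is returned to the client as-is, so without it an unauthenticated user just sees the 401. Also note that `authResponseHeaders` is the full list of identity headers the app will ever receive from Traefik, and they replace any conflicting header the client sent, so the application should derive the user only from those two headers and never from an `Authorization` or `X-Auth-Request-*` header it did not see listed here.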