OpenID Connect Authentication

The OpenID Connect Authentication middleware secures your applications by delegating the authentication to an external provider (Google Accounts, LinkedIn, GitHub, etc.) and obtaining the end user's session claims and scopes for authorization purposes.

To authenticate the user, the middleware redirects through the authentication provider. Once the authentication is complete, users are redirected back to the middleware before being authorized to access the upstream application.

Encrypted Session Cookies

This middleware uses encrypted cookies to carry the session data.

Authentication Source

Before configuring an OpenID Connect Authentication middleware, an Authentication Source must be defined in the static configuration.

Below is an example of a minimal OpenID Connect Authentication Source that can be added to a static configuration:

YAML

authSources:
  oidcSource:
    oidc:
      issuer: https://issuer.com
      clientID: client-id
      clientSecret: client-secret

TOML

[authSources]
  [authSources.oidcSource]
    [authSources.oidcSource.oidc]
      issuer = "https://issuer.com"
      clientID = "client-id"
      clientSecret = "client-secret"

Authentication Source Options

issuer

Required, Default=""

The issuer is the URL to the OpenID Connect provider (e.g.: https://accounts.google.com). It should point to the server which provides the OpenID Connect configuration.

YAML

authSources:
  oidcSource:
    oidc:
      issuer: https://issuer.com

TOML

[authSources]
  [authSources.oidcSource]
    [authSources.oidcSource.oidc]
      issuer = "https://issuer.com"

clientID

Required, Default=""

The clientID is the unique client identifier for an account on the OpenID Connect provider.

YAML

authSources:
  oidcSource:
    oidc:
      clientID: client-id

TOML

[authSources]
  [authSources.oidcSource]
    [authSources.oidcSource.oidc]
      clientID = "client-id"

clientSecret

Required, Default=""

The clientSecret is the unique client secret for an account on the OpenID Connect provider.

YAML

authSources:
  oidcSource:
    oidc:
      clientSecret: client-secret

TOML

[authSources]
  [authSources.oidcSource]
    [authSources.oidcSource.oidc]
      clientSecret = "client-secret"

pkce

Optional, Default=false

The pkce option enables the Proof Key for Code Exchange as described in RFC 7636.

YAML

authSources:
  oidcSource:
    oidc:
      pkce: true

TOML

[authSources]
  [authSources.oidcSource]
    [authSources.oidcSource.oidc]
      pkce = true

tls

Optional

Defines the TLS configuration used for the secure connection to the OpenID Connect provider.

tls.caBundle

Optional, Default=""

An optional caBundle containing a PEM-encoded certificate bundle or a path to a file containing the certificate bundle used to establish a TLS connection with the OpenID Connect issuer.

Using a File

Note that TraefikEE does not watch for file changes. If caBundle is set to a file path, its content will be read once when the middleware is initialized.

File (YAML) using content

authSources:
  oidcSource:
    oidc:
      tls:
        caBundle: |-
          -----BEGIN CERTIFICATE-----
          MIIB9TCCAWACAQAwgbgxGTAXBgNVBAoMEFF1b1ZhZGlzIExpbWl0ZWQxHDAaBgNV
          BAsME0RvY3VtZW50IERlcGFydG1lbnQxOTA3BgNVBAMMMFdoeSBhcmUgeW91IGRl
          Y29kaW5nIG1lPyAgVGhpcyBpcyBvbmx5IGEgdGVzdCEhITERMA8GA1UEBwwISGFt
          aWx0b24xETAPBgNVBAgMCFBlbWJyb2tlMQswCQYDVQQGEwJCTTEPMA0GCSqGSIb3
          DQEJARYAMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJ9WRanG/fUvcfKiGl
          EL4aRLjGt537mZ28UU9/3eiJeJznNSOuNLnF+hmabAu7H0LT4K7EdqfF+XUZW/2j
          RKRYcvOUDGF9A7OjW7UfKk1In3+6QDCi7X34RE161jqoaJjrm/T18TOKcgkkhRzE
          apQnIDm0Ea/HVzX/PiSOGuertwIDAQABMAsGCSqGSIb3DQEBBQOBgQBzMJdAV4QP
          Awel8LzGx5uMOshezF/KfP67wJ93UW+N7zXY6AwPgoLj4Kjw+WtU684JL8Dtr9FX
          ozakE+8p06BpxegR4BR3FMHf6p+0jQxUEAkAyb/mVgm66TyghDGC6/YkiKoZptXQ
          98TwDIK/39WEB/V607As+KoYazQG8drorw==
          -----END CERTIFICATE-----

File (YAML) using file path

authSources:
  oidcSource:
    oidc:
      tls:
        caBundle: /etc/tls/ca-bundle.pem

File (TOML)

[authSources]
  [authSources.oidcSource]
    [authSources.oidcSource.oidc.tls]
      caBundle = """
-----BEGIN CERTIFICATE-----
MIIB9TCCAWACAQAwgbgxGTAXBgNVBAoMEFF1b1ZhZGlzIExpbWl0ZWQxHDAaBgNV
BAsME0RvY3VtZW50IERlcGFydG1lbnQxOTA3BgNVBAMMMFdoeSBhcmUgeW91IGRl
Y29kaW5nIG1lPyAgVGhpcyBpcyBvbmx5IGEgdGVzdCEhITERMA8GA1UEBwwISGFt
aWx0b24xETAPBgNVBAgMCFBlbWJyb2tlMQswCQYDVQQGEwJCTTEPMA0GCSqGSIb3
DQEJARYAMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJ9WRanG/fUvcfKiGl
EL4aRLjGt537mZ28UU9/3eiJeJznNSOuNLnF+hmabAu7H0LT4K7EdqfF+XUZW/2j
RKRYcvOUDGF9A7OjW7UfKk1In3+6QDCi7X34RE161jqoaJjrm/T18TOKcgkkhRzE
apQnIDm0Ea/HVzX/PiSOGuertwIDAQABMAsGCSqGSIb3DQEBBQOBgQBzMJdAV4QP
Awel8LzGx5uMOshezF/KfP67wJ93UW+N7zXY6AwPgoLj4Kjw+WtU684JL8Dtr9FX
ozakE+8p06BpxegR4BR3FMHf6p+0jQxUEAkAyb/mVgm66TyghDGC6/YkiKoZptXQ
98TwDIK/39WEB/V607As+KoYazQG8drorw==
-----END CERTIFICATE-----
"""

File (TOML) using file path

[authSources]
  [authSources.oidcSource]
    [authSources.oidcSource.oidc.tls]
      caBundle = "/etc/tls/ca-bundle.pem"

tls.insecureSkipVerify

Optional, Default=false

Disables TLS certificate verification when communicating with the OpenID Connect issuer. Useful for testing purposes but strongly discouraged for production.

File (YAML)

authSources:
  oidcSource:
    oidc:
      tls:
        insecureSkipVerify: true

File (TOML)

[authSources]
  [authSources.oidcSource]
    [authSources.oidcSource.oidc.tls]
      insecureSkipVerify = true

timeout

Optional, Default="5s"

This option controls the time before giving up requests to the OpenID Connect issuer.

File (YAML)

authSources:
  oidcSource:
    oidc:
      timeout: 15s

File (TOML)

[authSources]
  [authSources.oidcSource.oidc]
    timeout = "15s"

maxRetries

Optional, Default=3

The number of retries for requests to the OpenID Connect issuer that fail.

File (YAML)

authSources:
  oidcSource:
    oidc:
      maxRetries: 5

File (TOML)

[authSources]
  [authSources.oidcSource.oidc]
    maxRetries = 5

discoveryParams

Optional, Default=""

A map of arbitrary query parameters to be added to the openid-configuration well-known URI during the discovery mechanism.

File (YAML)

authSources:
  oidcSource:
    oidc:
      discoveryParams:
        hd: example.com
        mykey: myvalue

File (TOML)

[authSources]
  [authSources.oidcSource]
    [authSources.oidcSource.oidc.discoveryParams]
      hd = example.com
      mykey = myvalue

Session Storage

An OpenID Connect Authentication middleware can use a persistent KV storage to store the HTTP sessions data instead of keeping all the state in cookies. It avoids cookies growing inconveniently large, which can lead to latency issues.

Below is an example of a reference of all the possible options when configuring a consul KV storage in the static configuration.

Info

The options are all the same for the three other storage types (etcd, zookeeper, and redis), except for namespace, and token.

YAML

stores:

  consulStore:
    # the value has to match one of the possible
    # kv store types (consul, etcd, zookeeper, and redis).
    consul:
      keyPrefix: traefikee
      endpoints:
        - 'localhost:8500'

      username: foo
      password: bar
      token: baz
      namespace: production

      tls:
        caBundle: path/to/ca.crt
        insecureSkipVerify: false

TOML

[stores]

  # the value has to match one of the possible
  # kv store types (consul, etcd, zookeeper, and redis).
  [stores.consulStore.consul]
    keyPrefix = "traefikee"
    endpoints = ["localhost:8500"]
    username = "foo"
    password = "bar"
    token = "baz"
    namespace = "production"

    [stores.consulStore.consul.tls]
      caBundle = "path/to/ca.crt"
      insecureSkipVerify = false

Info

stores were previously named sessionStorages. The old property is now deprecated and will be removed in a future release.

Store Options

Warning

In the examples below, storeType should be replaced by one of the possible store types: etcd, zookeeper, redis, consul.

endpoints

Required, Default=""

Defines how to access the KV Store.

File (YAML)

stores:
  foo:
    storeType:
      endpoints:
        - "127.0.0.1:8500"

File (TOML)

[stores]
  [stores.foo.storeType]
    endpoints = ["127.0.0.1:8500"]

keyPrefix

Optional, Default=""

KeyPrefix optionally configures the prefix of the key for the entries that store the sessions.

File (YAML)

stores:
  foo:
    storeType:
      keyPrefix: "traefikee"

File (TOML)

[stores]
  [stores.foo.storeType]
    keyPrefix = traefikee

username

Optional, Default=""

Defines a username to connect to the KV store.

File (YAML)

stores:
  foo:
    storeType:
      username: "foo"
      password: "bar"

File (TOML)

[stores]
  [stores.foo.storeType]
    username = foo
    password = bar

password

Optional, Default=""

Defines a password to connect to the KV store.

File (YAML)

stores:
  foo:
    storeType:
      username: "foo"
      password: "bar"

File (TOML)

[stores]
  [stores.foo.storeType]
    username: foo
    password: bar

tls

Optional

Defines the TLS configuration used for the secure connection to the KV store.

A (possibly empty) TLS section is necessary to connect to a TLS endpoint.

tls.caBundle

Optional, Default=""

An optional caBundle containing a PEM-encoded certificate bundle or a path to a file containing the certificate bundle used to establish a TLS connection with the KV store.

Using a File

Note that TraefikEE does not watch for file changes. If caBundle is set to a file path, its content will be read once when the KV store client is initialized.

File (YAML) using content

stores:
  foo:
    storeType:
      tls:
        caBundle: |-
          -----BEGIN CERTIFICATE-----
          MIIB9TCCAWACAQAwgbgxGTAXBgNVBAoMEFF1b1ZhZGlzIExpbWl0ZWQxHDAaBgNV
          BAsME0RvY3VtZW50IERlcGFydG1lbnQxOTA3BgNVBAMMMFdoeSBhcmUgeW91IGRl
          Y29kaW5nIG1lPyAgVGhpcyBpcyBvbmx5IGEgdGVzdCEhITERMA8GA1UEBwwISGFt
          aWx0b24xETAPBgNVBAgMCFBlbWJyb2tlMQswCQYDVQQGEwJCTTEPMA0GCSqGSIb3
          DQEJARYAMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJ9WRanG/fUvcfKiGl
          EL4aRLjGt537mZ28UU9/3eiJeJznNSOuNLnF+hmabAu7H0LT4K7EdqfF+XUZW/2j
          RKRYcvOUDGF9A7OjW7UfKk1In3+6QDCi7X34RE161jqoaJjrm/T18TOKcgkkhRzE
          apQnIDm0Ea/HVzX/PiSOGuertwIDAQABMAsGCSqGSIb3DQEBBQOBgQBzMJdAV4QP
          Awel8LzGx5uMOshezF/KfP67wJ93UW+N7zXY6AwPgoLj4Kjw+WtU684JL8Dtr9FX
          ozakE+8p06BpxegR4BR3FMHf6p+0jQxUEAkAyb/mVgm66TyghDGC6/YkiKoZptXQ
          98TwDIK/39WEB/V607As+KoYazQG8drorw==
          -----END CERTIFICATE-----

File (YAML) using file path

stores:
  foo:
    storeType:
      tls:
        caBundle: /etc/tls/ca-bundle.pem

File (TOML)

[stores]
  [stores.foo]
    [stores.foo.storeType.tls]
      caBundle = """
-----BEGIN CERTIFICATE-----
MIIB9TCCAWACAQAwgbgxGTAXBgNVBAoMEFF1b1ZhZGlzIExpbWl0ZWQxHDAaBgNV
BAsME0RvY3VtZW50IERlcGFydG1lbnQxOTA3BgNVBAMMMFdoeSBhcmUgeW91IGRl
Y29kaW5nIG1lPyAgVGhpcyBpcyBvbmx5IGEgdGVzdCEhITERMA8GA1UEBwwISGFt
aWx0b24xETAPBgNVBAgMCFBlbWJyb2tlMQswCQYDVQQGEwJCTTEPMA0GCSqGSIb3
DQEJARYAMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJ9WRanG/fUvcfKiGl
EL4aRLjGt537mZ28UU9/3eiJeJznNSOuNLnF+hmabAu7H0LT4K7EdqfF+XUZW/2j
RKRYcvOUDGF9A7OjW7UfKk1In3+6QDCi7X34RE161jqoaJjrm/T18TOKcgkkhRzE
apQnIDm0Ea/HVzX/PiSOGuertwIDAQABMAsGCSqGSIb3DQEBBQOBgQBzMJdAV4QP
Awel8LzGx5uMOshezF/KfP67wJ93UW+N7zXY6AwPgoLj4Kjw+WtU684JL8Dtr9FX
ozakE+8p06BpxegR4BR3FMHf6p+0jQxUEAkAyb/mVgm66TyghDGC6/YkiKoZptXQ
98TwDIK/39WEB/V607As+KoYazQG8drorw==
-----END CERTIFICATE-----
"""

File (TOML) using file path

[stores]
  [stores.foo]
    [stores.foo.storeType.tls]
      caBundle = "/etc/tls/ca-bundle.pem"

tls.insecureSkipVerify

Optional, Default=false

If insecureSkipVerify is true, the TLS connection to the KV store accepts any certificate presented by the server regardless of the hostnames it covers.

File (YAML)

stores:
  foo:
    storeType:
      tls:
        insecureSkipVerify: true

File (TOML)

[stores]
  [stores.foo.storeType.tls]
    insecureSkipVerify = true

Consul Specific Options

namespace

Optional, Default=""

The namespace option defines the namespace to query.

Warning

The namespace option only works with Consul Enterprise, which provides the Namespaces feature.

File (YAML)

stores:
  foo:
    storeType:
      namespace: production

File (TOML)

[stores]
  [stores.foo.storeType]
    namespace = "production"

token

Optional, Default=""

Defines a token with which to connect to Consul.

File (YAML)

stores:
  foo:
    storeType:
      token: secret

File (TOML)

[stores]
  [stores.foo.storeType]
    token = "secret"

OpenID Connect Authentication Middleware

After declaring an OpenID Connect Authentication Source in the static configuration of the cluster, OpenID Connect Authentication middleware can be added to routers in the dynamic configuration.

Middleware Options

source

Required, Default=""

The source option should contain the name of the Authentication Source used by the middleware.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.source=oidcSource"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      source: oidcSource

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.source=oidcSource"

Marathon

"labels": {
  "traefik.http.middlewares.test-oidc.plugin.oidcAuth.source": "oidcSource"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.source=oidcSource"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          source: oidcSource

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    source = "oidcSource"

redirectUrl

Required, Default=""

The redirect URL is the URL used by the OpenID Connect provider to redirect back to the middleware once the authorization is complete. Simply put, the URL informs the OpenID Connect provider how to return to the middleware. For the request to reach the middleware, it must be allowed in the router rule. If the router rule is accepting all paths on a domain, no extra work is needed. If the router rule is specific about the paths allowed, the path set in this option should be included.

Docker

labels:
  - "traefik.http.routers.login-router.entrypoints=http,https"
  - "traefik.http.routers.login-router.middlewares=oidcAuth"
  # Rules to match the loginUrl and redirectUrl can be added into
  # your current router.
  - "traefik.http.routers.login-router.rule=Path(`/myapi`) || Path(`/login`) || Path(`/callback`)"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: traefikee
spec:
  entryPoints:
    - http
    - https
  routes:
      # Rules to match the loginUrl and redirectUrl can be added into
      # your current router.
    - match: Path(`/myapi`) || Path(`/login`) || Path(`/callback`)
      kind: Rule
      middlewares:
        - name: oidcAuth

Consul Catalog

- "traefik.http.routers.login-router.entrypoints=http,https"
- "traefik.http.routers.login-router.middlewares=oidcAuth"
  # Rules to match the loginUrl and redirectUrl can be added into
  # your current router.
- "traefik.http.routers.login-router.rule=Path(`/myapi`) || Path(`/login`) || Path(`/callback`)"

Marathon

"labels": {
  - "traefik.http.routers.login-router.entrypoints": "http, https",
  - "traefik.http.routers.login-router.middlewares": "oidcAuth",
  # Rules to match the loginUrl and redirectUrl can be added into
  # your current router.
  - "traefik.http.routers.login-router.rule": "Path(`/myapi`) || Path(`/login`) || Path(`/callback`)"
}

Rancher

labels:
  - "traefik.http.routers.login-router.entrypoints=http, https"
  - "traefik.http.routers.login-router.middlewares=oidcAuth"
  # Rules to match the loginUrl and redirectUrl can be added into
  # your current router.
  - "traefik.http.routers.login-router.rule=Path(`/myapi`) || Path(`/login`) || Path(`/callback`)"

File (YAML)

http:
  routers:
    login-router:
      entryPoints:
        - http
        - https
      middlewares:
        - oidcAuth
      # Rules to match the loginUrl and redirectUrl can be added into
      # your current router.
      rule: Path(`/myapi`) || Path(`/login`) || Path(`/callback`)

File (TOML)

[http]
  [http.routers]
    [http.routers.login-router]
      entryPoints = ["http", "https"]
      middlewares = ["oidcAuth"]
      # Rules to match the loginUrl and redirectUrl can be added into
      # your current router.
      rule = "Path(`/myapi`) || Path(`/login`) || Path(`/callback`)"

This URL will not be passed to the upstream application, but rather handled by the middleware itself. The chosen URL should therefore not conflict with any URLs needed by the upstream application.

This URL sometimes needs to be set in the OpenID Connect Provider's configuration as well (like for Google Accounts for example).

It can be the absolute URL, relative to the protocol (inherits the request protocol), or relative to the domain (inherits the request domain and protocol).

Request URL	RedirectURL	Result	Description
http://expl.co	/cback	http://expl.co/cback	The result inherits the protocol and domain from the request and uses the redirectURL's path
https://scur.co	expl.co/cback	https://expl.co/cback	The result inherits the protocol from the request and uses the redirectURL's domain and path
https://scur.co	http://expl.co/cback	http://expl.co/cback	The result replaces the request URL with the redirect URL since it is an absolute URL

Supported Schemes

Only http and https schemes are supported.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.redirectUrl=/callback"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      redirectUrl: "/callback"

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.redirectUrl=/callback"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.redirectUrl": "/callback"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.redirectUrl=/callback"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          redirectUrl: "/callback"

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    redirectUrl = "/callback"

scopes

Optional, Default=['openid']

The scopes to request. Must include openid.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.scopes=openid, myscope"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      scopes:
        - openid
        - myscope

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.scopes=openid, myscope"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.scopes": "openid, myscope"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.scopes=openid, myscope"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          scopes:
            - openid
            - myscope

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
      scopes = ["openid", "myscope"]

authParams

Optional, Default=""

A map of the arbitrary query parameters to be passed to the Authentication Provider.

Disabling Consent Prompt

When a prompt key is set to an empty string in the AuthParams, the prompt parameter is not added to the OAuth2 authorization URL. Which means the user won't be prompted for consent.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.authParams.hd=example.com"
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.authParams.mykey=myvalue"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      authParams:
        hd: example.com
        mykey: myvalue

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.authParams.hd=example.com"
- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.authParams.mykey=myvalue"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.authParams.hd": "example.com",
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.authParams.mykey": "myvalue"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.authParams.hd=example.com"
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.authParams.mykey=myvalue"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          authParams:
            hd: example.com
            mykey: myvalue

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.authParams]
      hd = example.com
      mykey = myvalue

disableLogin

Optional, Default=false

Disables redirections to the authentication provider. This can be useful for protecting APIs where redirecting to a login page is undesirable.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.disableLogin=true"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      disableLogin: true

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.disableLogin=true"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.disableLogin": "true"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.disableLogin=true"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          disableLogin: true

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    disableLogin = true

loginUrl

Optional, Default=""

The URL used to start authorization when needed. All other requests that are not already authorized will return a 401 Unauthorized. When left empty, all requests can start authorization. It can be a path (/login for example), a host and a path (example.com/login) or a complete URL (https://example.com/login).

Supported Schemes

Only http and https schemes are supported.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.loginUrl=example.com/login"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      loginUrl: example.com/login

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.loginUrl=example.com/login"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.loginUrl": "example.com/login"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.loginUrl=example.com/login"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          loginUrl: example.com/login

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    loginUrl = example.com/login

logoutUrl

Optional, Default=""

The URL on which the session should be deleted in order to log users out. It can be a path (/logout for example), a host and a path (example.com/logout) or a complete URL (https://example.com/logout).

Supported Schemes

Only http and https schemes are supported.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.logoutUrl=example.com/logout"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      logoutUrl: example.com/logout

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.logoutUrl=example.com/logout"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.logoutUrl": "example.com/logout"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.logoutUrl=example.com/logout"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          logoutUrl: example.com/logout

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    logoutUrl = example.com/logout

postLoginRedirectUrl

Optional, Default=""

If set and used in conjunction with loginUrl, the middleware will redirect to this URL after successful login. It can be a path (/after/login for example), a host and a path (example.com/after/login) or a complete URL (https://example.com/after/login).

Supported Schemes

Only http and https schemes are supported.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.postLoginRedirectUrl=example.com/after/login"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      postLoginRedirectUrl: example.com/login

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.postLoginRedirectUrl=example.com/after/login"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.postLoginRedirectUrl": "example.com/after/login"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.postLoginRedirectUrl=example.com/after/login"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          postLoginRedirectUrl: example.com/after/login

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    postLoginRedirectUrl = example.com/after/login

postLogoutRedirectUrl

Optional, Default=""

If set and used in conjunction with logoutUrl, the middleware will redirect to this URL after logout. It can be a path (/after/logout for example), a host and a path (example.com/after/logout) or a complete URL (https://example.com/after/logout).

Supported Schemes

Only http and https schemes are supported.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.postLogoutRedirectUrl=example.com/after/logout"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      postLogoutRedirectUrl: example.com/logout

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.postLogoutRedirectUrl=example.com/after/logout"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.postLogoutRedirectUrl": "example.com/after/logout"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.postLogoutRedirectUrl=example.com/after/logout"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          postLogoutRedirectUrl: example.com/after/logout

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    postLogoutRedirectUrl = example.com/after/logout

stateCookie.secret

Optional, Default=""

The encryption key used to secure state information, it must be 16, 24 or 32 characters long. TraefikEE generates one if none is provided.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.secret=mysecret12345678"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      stateCookie:
        secret: "mysecret12345678"

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.secret=mysecret12345678"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.secret": "mysecret12345678"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.secret=mysecret12345678"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          stateCookie:
            secret: "mysecret12345678"

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.stateCookie]
      secret = "mysecret12345678"

stateCookie.name

Optional, Default="%s-state"

The name of the state cookie. This option supports limited templating in the form that a single %s flag can be specified, in which case the middleware replaces the %s flag with the source of the state cookie. (e.g.: mystatecookie-%s with a source called mysource will result in a cookie named mystatecookie-mysource).

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.name=mystatecookie-%s"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      stateCookie:
        name: "mystatecookie-%s"

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.name=mystatecookie-%s"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.name": "mystatecookie-%s"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.name=mystatecookie-%s"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          stateCookie:
            name: "mystatecookie-%s"

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.stateCookie]
      name = "mystatecookie-%s"

stateCookie.path

Optional, Default="/"

Indicates a URL path that must exist in the requested URL in order to send the Cookie header. The %x2F ("/") character is considered a directory separator, and subdirectories will match as well.

For example, if stateCookie.path is set to /docs, these paths will match:

• /docs
• /docs/web/
• /docs/web/http

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.path=/docs"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      stateCookie:
        path: "/docs"

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.path=/docs"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.path": "/docs"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.path=/docs"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          stateCookie:
            path: "/docs"

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.stateCookie]
      path = "/docs"

stateCookie.domain

Optional, Default=""

Specifies the hosts that are allowed to receive the cookie. If specified, then subdomains are always included.

For example, if it is set to example.com, then cookies are included on subdomains like api.example.com.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.domain=example.com"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      stateCookie:
        domain: "example.com"

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.domain=example.com"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.domain": "example.com"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.domain=example.com"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          stateCookie:
            domain: "example.com"

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.stateCookie]
      domain = "example.com"

stateCookie.maxAge

Optional, Default=600

Number of seconds after which the state cookie should expire. A zero or negative number will expire the cookie immediately.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.maxAge=600"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      stateCookie:
        maxAge: 600

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.maxAge=600"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.maxAge": "600"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.maxAge=600"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          stateCookie:
            maxAge: 600

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.stateCookie]
      maxAge = 600

stateCookie.sameSite

Optional, Default="lax"

Inform browsers how they should handle the state cookie on cross-site requests. Setting it to lax or strict can provide some protection against cross-site request forgery attacks (CSRF).

Accepted values are the following:

• none: The browser will send cookies with both cross-site requests and same-site requests.
• strict: The browser will only send cookies for same-site requests (requests originating from the site that set the cookie). If the request originated from a different URL than the URL of the current location, none of the cookies tagged with the strict attribute will be included.
• lax: Same-site cookies are withheld on cross-site subrequests, such as calls to load images or frames, but will be sent when a user navigates to the URL from an external site; for example, by following a link.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.sameSite=strict"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      stateCookie:
        sameSite: "strict"

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.sameSite=strict"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.sameSite": "strict"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.sameSite=strict"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          stateCookie:
            sameSite: "strict"

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.stateCookie]
      sameSite = "strict"

stateCookie.httpOnly

Optional, Default=true

Forbids JavaScript from accessing the cookie. For example, through the Document.cookie property, the XMLHttpRequest API, or the Request API. This mitigates attacks against cross-site scripting (XSS).

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.httpOnly=true"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      stateCookie:
        httpOnly: true

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.httpOnly=true"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.httpOnly": "true"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.httpOnly=true"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          stateCookie:
            httpOnly: true

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.stateCookie]
      httpOnly = true

stateCookie.secure

Optional, Default=false

A secure cookie is only sent to the server when a request is made with the https scheme.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.secure=true"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      stateCookie:
        secure: true

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.secure=true"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.secure": "true"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.stateCookie.secure=true"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          stateCookie:
            secure: true

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.stateCookie]
      secure = true

session.name

Optional, Default="%s-session"

The name of the session cookie. This option supports limited templating in the form that a single %s flag can be specified, in which case the middleware replaces the %s flag with the source of the session cookie. (e.g.: mysessioncookie-%s with a source called mysource will result in a cookie named mysessioncookie-mysource).

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.name=mysession-%s"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      session:
        name: "mysession-%s"

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.name=mysession-%s"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.name": "mysession-%s"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.name=mysession-%s"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          session:
            name: "mysession-%s"

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.session]
      name = "mysession-%s"

session.path

Optional, Default="/"

Indicates a URL path that must exist in the requested URL in order to send the Cookie header. The %x2F ("/") character is considered a directory separator, and subdirectories will match as well.

For example, if session.path is set to /docs, these paths will match:

• /docs
• /docs/web/
• /docs/web/http

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.path=/docs"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      session:
        path: "/docs"

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.path=/docs"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.path": "/docs"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.path=/docs"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          session:
            path: "/docs"

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.session]
      path = "/docs"

session.domain

Optional, Default=""

Specifies the hosts that are allowed to receive the cookie. If specified, then subdomains are always included.

For example, if it is set to example.com, then cookies are included on subdomains like api.example.com.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.domain=example.com"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      session:
        domain: "example.com"

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.domain=example.com"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.domain": "example.com"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.domain=example.com"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          session:
            domain: "example.com"

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.session]
      domain = "example.com"

session.expiry

Optional, Default=86400 (24h)

Number of seconds after which the session should expire. A zero or negative number is prohibited.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.expiry=86400"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      session:
        expiry: 86400

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.expiry=86400"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.expiry": "86400"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.expiry=86400"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          session:
            expiry: 86400

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.session]
      expiry = 86400

session.sliding

Optional, Default=true

Tells the middleware to renew the session cookie each time an authenticated request is received.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.sliding=true"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      session:
        sliding: true

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.sliding=true"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.sliding": "true"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.sliding=true"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          session:
            sliding: true

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.session]
      sliding = true

session.refresh

Optional, Default=true

When enabled, refresh the access token when it expires.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.refresh=true"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      session:
        refresh: true

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.refresh=true"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.refresh": "true"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.refresh=true"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          session:
            refresh: true

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.session]
      refresh = true

session.sameSite

Optional, Default="lax"

Inform browsers how they should handle the session cookie on cross-site requests. Setting it to lax or strict can provide some protection against cross-site request forgery attacks (CSRF).

Accepted values are the following:

• none: The browser will send cookies with both cross-site requests and same-site requests.
• strict: The browser will only send cookies for same-site requests (requests originating from the site that set the cookie). If the request originated from a different URL than the URL of the current location, none of the cookies tagged with the strict attribute will be included.
• lax: Same-site cookies are withheld on cross-site subrequests, such as calls to load images or frames, but will be sent when a user navigates to the URL from an external site; for example, by following a link.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.sameSite=strict"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      session:
        sameSite: "strict"

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.sameSite=strict"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.sameSite": "strict"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.sameSite=strict"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          session:
            sameSite: "strict"

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.session]
      sameSite = "strict"

session.httpOnly

Optional, Default=true

Forbids JavaScript from accessing the cookie. For example, through the Document.cookie property, the XMLHttpRequest API, or the Request API. This mitigates attacks against cross-site scripting (XSS).

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.httpOnly=true"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      session:
        httpOnly: true

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.httpOnly=true"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.httpOnly": "true"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.httpOnly=true"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          session:
            httpOnly: true

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.session]
      httpOnly = true

session.secure

Optional, Default=false

A secure cookie is only sent to the server when a request is made with the https scheme.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.secure=true"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      session:
        secure: true

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.secure=true"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.secure": "true"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.secure=true"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          session:
            secure: true

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.session]
      secure = true

session.secret

Optional, Default=""

The encryption key used to secure session information, it must be 16, 24 or 32 characters long. TraefikEE generates one if none is provided.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.secret=mysecret12345678"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      session:
        secret: "mysecret12345678"

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.secret=mysecret12345678"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.secret": "mysecret12345678"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.secret=mysecret12345678"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          session:
            secret: "mysecret12345678"

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.session]
      secret = "mysecret12345678"

session.store

Optional, Default=""

If specified, store is the persistent KV storage where the session data and credentials (Access Token, etc) are to be stored, instead of directly on the session cookie. The session cookie then keeps a reference (session ID) to the KV store entry.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.store=consulStore"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      session:
        store: "consulStore"

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.store=consulStore"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.store": "consulStore"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.session.store=consulStore"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          session:
            store: "consulStore"

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.session]
      store = "consulStore"

forwardHeaders

Optional, Default=None

The forwardHeaders option sets the HTTP headers to add to requests and populates them with values extracted from the ID Token claims returned by the authentication server.

Note

Claims to be forwarded that are not found in the JWT result in empty headers.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.forwardHeaders.Group=grp"
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.forwardHeaders.Expires-At=exp"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      forwardHeaders:
        Group: grp
        Expires-At: exp

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.forwardHeaders.Group=grp"
- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.forwardHeaders.Expires-At=exp"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.forwardHeaders.Group": "grp",
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.forwardHeaders.Expires-At": "exp"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.forwardHeaders.Group=grp"
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.forwardHeaders.Expires-At=exp"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          forwardHeaders:
            Group: grp
            Expires-At: exp

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    [http.middlewares.test-oidc.plugin.oidcAuth.forwardHeaders]
      Group = "grp"
      Expires-At = "exp"

username

Optional, Default=""

The username option sets the claim that will be evaluated to populate the clientusername in the accessLog.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.username=userId"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      username: userId

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.username=userId"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidc.plugin.oidcAuth.username": "userId"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.username=userId"

File (YAML)

http:
  middlewares:
    test-jwt:
      plugin:
        oidcAuth:
          username: userId

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    username = userId

claims

Optional, Default=""

The claims option sets claims to validate in order to authorize the request.

Docker

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.claims=Equals(`grp`, `admin`)"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidc
spec:
  plugin:
    oidcAuth:
      claims: Equals(`grp`, `admin`)

Consul Catalog

- "traefik.http.middlewares.test-oidc.plugin.oidcAuth.claims=Equals(`grp`, `admin`)"

Marathon

"labels": {
  "traefik.http.middlewares.test-oidc.plugin.oidcAuth.claims": "Equals(`grp`, `admin`)"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidc.plugin.oidcAuth.claims=Equals(`grp`, `admin`)"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          claims: Equals(`grp`, `admin`)

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidc.plugin.oidcAuth]
    claims = "Equals(`grp`, `admin`)"

Syntax

The following functions are supported in claims:

Function	Description	Example
Equals	Validated the equality of the value in key with value.	Equals(`grp`, `admin`)
Prefix	Validates the value in key has the prefix of value.	Prefix(`referrer`, `http://example.com`)
Contains (string)	Validates the value in key contains value.	Contains(`referrer`, `/foo/`)
Contains (array)	Validates the key array contains the value.	Contains(`areas`, `home`)
SplitContains	Validates the value in key contains the value once split by the separator.	SplitContains(`scope`, ` `, `writer`)
OneOf	Validates the key array contains one of the values.	OneOf(`areas`, `office`, `lab`)

All functions can be joined by boolean operands. The supported operands are:

Operand	Description	Example
&&	Compares two functions and returns true only if both evaluate to true.	Equals(`grp`, `admin`) && Equals(`active`, `true`)
||	Compares two functions and returns true if either evaluate to true.	Equals(`grp`, `admin`) || Equals(`active`, `true`)
!	Returns false if the function is true, otherwise returns true.	!Equals(`grp`, `testers`)

All examples will return true for the following data structure:

{
  "active": true,
  "grp": "admin",
  "scope": "reader writer deploy",
  "referrer": "http://example.com/foo/bar",
  "areas": [
    "office",
    "home"
  ]
}

Nested claims

Nested claims are supported by using a . between keys. For example:

Key

user.name

Claims

{
  "active": true,
  "grp": "admin",
  "scope": "reader writer deploy",
  "referrer": "http://example.com/foo/bar",
  "areas": [
    "office",
    "home"
  ],
  "user" {
    "name": "John Snow",
    "status": "undead"
  }
}

Result

John Snow

Handling keys that contain a '.'

If the key contains a dot, the dot can be escaped using \.

Handling a key that contains a '\'

If the key contains a \, it needs to be doubled \\.

Advanced Configuration Example

Below is an advanced configuration example using custom claims validation and forward headers:

Docker

labels:
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.source=oidcSource"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.redirectUrl=example.com/callback"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.session.secret=mysupersecret123"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.session.samesite=lax"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.session.secure=true"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.forwardHeaders.Group=grp"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.forwardHeaders.Expires-At=exp"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.claims: Equals(`grp`, `admin`)"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-oidcAuth
spec:
  plugin:
    oidcAuth:
      source: oidcSource
      redirectUrl: example.com/callback
      session:
        secret: mysupersecret123
        samesite: lax
        secure: true
      forwardHeaders:
        Group: grp
        Expires-At: exp
      claims: Equals(`grp`, `admin`)

Consul Catalog

- "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.source=oidcSource"
- "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.redirectUrl=example.com/callback"
- "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.session.secret=mysupersecret123"
- "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.session.samesite=lax"
- "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.session.secure=true"
- "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.forwardHeaders.Group=grp"
- "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.forwardHeaders.Expires-At=exp"
- "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.claims: Equals(`grp`, `admin`)"

Marathon

"labels": {
    "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.source": "oidcSource",
    "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.redirectUrl": "example.com/callback",
    "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.session.secret": "mysupersecret123",
    "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.session.samesite": "lax",
    "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.session.secure": "true",
    "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.forwardHeaders.Group": "grp",
    "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.forwardHeaders.Expires-At": "exp",
    "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.claims": "Equals(`grp`, `admin`)"
}

Rancher

labels:
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.source=oidcSource"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.redirectUrl=example.com/callback"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.session.secret=mysupersecret123"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.session.samesite=lax"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.session.secure=true"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.forwardHeaders.Group=grp"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.forwardHeaders.Expires-At=exp"
  - "traefik.http.middlewares.test-oidcAuth.plugin.oidcAuth.claims: Equals(`grp`, `admin`)"

File (YAML)

http:
  middlewares:
    test-oidc:
      plugin:
        oidcAuth:
          source: oidcSource
          redirectUrl: example.com/callback
          session:
            secret: mysupersecret123
            samesite: lax
            secure: true
          forwardHeaders:
            Group: grp
            Expires-At: exp
          claims: Equals(`grp`, `admin`)

File (TOML)

[http.middlewares]
  [http.middlewares.test-oidcAuth.plugin.oidcAuth]
    source = "oidcSource"
    redirectUrl = "example.com/callback"
    claims = "Equals(`grp`, `admin`)"
    [http.middlewares.test-oidcAuth.plugin.oidcAuth.session]
      secret = "mysupersecret123"
      samesite = "lax"
      secure = true
    [http.middlewares.test-oidcAuth.plugin.oidcAuth.forwardHeaders]
      Group = "grp"
      Expires-At = "exp"