OAuth 2.0 Token Introspection Authentication

OAuth 2.0 Token Introspection allows Traefik Hub to retrieve metadata about an access token from an OAuth 2.0 server with the Token Introspection extension.
The metadata can be used to restrict the access to applications. For more information please refer to the RFC.

Configuration Options

`tokenSource`

This option defines how the client token should be given.

note

At least one of the following options must be defined.

Field	Description	Default	Required
`tokenSource.header`	Defines the header name containing the secret sent by the client.	""	No
`tokenSource.headerAuthScheme`	Defines the scheme when using `Authorization` as header name. Check out the `Authorization` header documentation.	""	No
`tokenSource.query`	Defines the query parameter name containing the secret sent by the client.	""	No
`tokenSource.cookie`	Defines the cookie name containing the secret sent by the client.	""	No

Requiring the secret to be passed as a Bearer token
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-oauth-intro
spec:
  plugin:
    oAuthIntrospection:
      tokenSource:
        header: Authorization
        headerAuthScheme: Bearer

`clientConfig`

Defines the configuration used to connect the API Gateway to a Third Party Software such as an Identity Provider.

`clientConfig.tls`

The table below lists the configuration options in Traefik Hub to define a TLS connection.

Value	Description	Required
`clientConfig.tls.ca`	PEM-encoded certificate bundle or a URN referencing a secret containing the certificate bundle used to establish a TLS connection with the authorization server	No
`clientConfig.tls.cert`	PEM-encoded certificate or a URN referencing a secret containing the certificate used to establish a TLS connection with the Vault server	No
`clientConfig.tls.key`	PEM-encoded key or a URN referencing a secret containing the key used to establish a TLS connection with the Vault server.	No
`clientConfig.tls.insecureSkipVerify`	Disables TLS certificate verification when communicating with the authorization server. Useful for testing purposes but strongly discouraged for production.	No

Storing secret values in Kubernetes secrets

When configuring the tls.ca, tls.cert, tls.key, it is possible to reference Kubernetes secrets defined in the same namespace as the Middleware.
The reference to a Kubernetes secret takes the form of a URN:

urn:k8s:secret:[name]:[valueKey]

Middleware configuration
Kubernetes TLS secret

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-oauth-intro
spec:
  plugin:
    oAuthIntrospection:
      clientConfig:
        tls:
          ca: "urn:k8s:secret:tls:ca"
          cert: "urn:k8s:secret:tls:cert"
          key: "urn:k8s:secret:tls:key"
          insecureSkipVerify: true

Kubernetes TLS Secret
apiVersion: v1
kind: Secret
metadata:
  name: tls
stringData:
  ca: |-
    -----BEGIN CERTIFICATE-----
    MIIB9TCCAWACAQAwgbgxGTAXBgNVBAoMEFF1b1ZhZGlzIExpbWl0ZWQxHDAaBgNV
    BAsME0RvY3VtZW50IERlcGFydG1lbnQxOTA3BgNVBAMMMFdoeSBhcmUgeW91IGRl
    Y29kaW5nIG1lPyAgVGhpcyBpcyBvbmx5IGEgdGVzdCEhITERMA8GA1UEBwwISGFt
    aWx0b24xETAPBgNVBAgMCFBlbWJyb2tlMQswCQYDVQQGEwJCTTEPMA0GCSqGSIb3
    DQEJARYAMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJ9WRanG/fUvcfKiGl
    EL4aRLjGt537mZ28UU9/3eiJeJznNSOuNLnF+hmabAu7H0LT4K7EdqfF+XUZW/2j
    RKRYcvOUDGF9A7OjW7UfKk1In3+6QDCi7X34RE161jqoaJjrm/T18TOKcgkkhRzE
    apQnIDm0Ea/HVzX/PiSOGuertwIDAQABMAsGCSqGSIb3DQEBBQOBgQBzMJdAV4QP
    Awel8LzGx5uMOshezF/KfP67wJ93UW+N7zXY6AwPgoLj4Kjw+WtU684JL8Dtr9FX
    ozakE+8p06BpxegR4BR3FMHf6p+0jQxUEAkAyb/mVgm66TyghDGC6/YkiKoZptXQ
    98TwDIK/39WEB/V607As+KoYazQG8drorw==
    -----END CERTIFICATE-----
  cert: |-
    -----BEGIN CERTIFICATE-----
    MIIB9TCCAWACAQAwgbgxGTAXBgNVBAoMEFF1b1ZhZGlzIExpbWl0ZWQxHDAaBgNV
    BAsME0RvY3VtZW50IERlcGFydG1lbnQxOTA3BgNVBAMMMFdoeSBhcmUgeW91IGRl
    Y29kaW5nIG1lPyAgVGhpcyBpcyBvbmx5IGEgdGVzdCEhITERMA8GA1UEBwwISGFt
    aWx0b24xETAPBgNVBAgMCFBlbWJyb2tlMQswCQYDVQQGEwJCTTEPMA0GCSqGSIb3
    DQEJARYAMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJ9WRanG/fUvcfKiGl
    EL4aRLjGt537mZ28UU9/3eiJeJznNSOuNLnF+hmabAu7H0LT4K7EdqfF+XUZW/2j
    RKRYcvOUDGF9A7OjW7UfKk1In3+6QDCi7X34RE161jqoaJjrm/T18TOKcgkkhRzE
    apQnIDm0Ea/HVzX/PiSOGuertwIDAQABMAsGCSqGSIb3DQEBBQOBgQBzMJdAV4QP
    Awel8LzGx5uMOshezF/KfP67wJ93UW+N7zXY6AwPgoLj4Kjw+WtU684JL8Dtr9FX
    ozakE+8p06BpxegR4BR3FMHf6p+0jQxUEAkAyb/mVgm66TyghDGC6/YkiKoZptXQ
    98TwDIK/39WEB/V607As+KoYazQG8drorw==
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEIC8CsJ/B115S+JtR1/l3ZQwKA3XdXt9zLqusF1VXc/KloAoGCCqGSM49
    AwEHoUQDQgAEpwUmRIZHFt8CdDHYm1ikScCScd2q6QVYXxJu+G3fQZ78ScGtN7fu
    KXMnQqVjXVRAr8qUY8yipVKuMCepnPXScQ==
    -----END EC PRIVATE KEY-----

`clientConfig.timeoutSeconds`

Field	Description	Default	Required
`clientConfig.timeoutSeconds`	Defines the time before giving up requests to the authorization server.	5	No

Increasing the timeout
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-oauth-intro
spec:
  plugin:
    oAuthIntrospection:
      clientConfig:
        timeoutSeconds: 15

`clientConfig.maxRetries`

Field	Description	Default	Required
`clientConfig.maxRetries`	Defines the number of retries for requests to authorization server that fail.	3	No

Increasing the maximum number of retries
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-oauth-intro
spec:
  plugin:
    oAuthIntrospection:
      clientConfig:
        maxRetries: 5

`clientConfig.url`

Field	Description	Default	Required
`clientConfig.url`	Defines the introspection endpoint URL. It must include the scheme and path.	""	Yes

Defining the introspection endpoint URL
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-oauth-intro
spec:
  plugin:
    oAuthIntrospection:
      clientConfig:
        url: https://localhost/oauth2/introspect

`clientConfig.headers`

Field	Description	Default	Required
`clientConfig.headers`	Defines the headers to send in every introspection request. Values can be plain strings or a valid Go template. Currently, a variable of type `Request` corresponding to the request being introspected is accessible in templates.	""	No

Defining headers to send in every introspection request
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-oauth-intro
spec:
  plugin:
    oAuthIntrospection:
      clientConfig:
        headers:
          Authorization: Basic dGVzdDp0ZXN0
          Request-Host: {{ .Request.Host }}
          Request-Header-Foo: {{ .Request.Header.Get "Foo" }}
          Request-Query-Bar: {{ .Request.URL.Query.Get "bar" }}

`clientConfig.tokenTypeHint`

Field	Description	Default	Required
`clientConfig.tokenTypeHint`	Defines the type of token being introspected, sent as a hint to the introspection server. Please refer to the official documentation for more details.	""	No

Introscpecting access tokens
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-oauth-intro
spec:
  plugin:
    oAuthIntrospection:
      clientConfig:
        tokenTypeHint: access_token

`forwardHeaders`

Field	Description	Default	Required
`forwardHeaders`	Defines the HTTP headers to add to requests and populates them with values extracted from the access token claims returned by the authorization server.	[]	No

note

Claims to be forwarded that are not found in the JWT result in empty headers.

note

The forwardHeaders option can only be used with JWT-formatted token.

Forwarding the grp and exp claims as HTTP headers
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-oauth-intro
spec:
  plugin:
    oAuthIntrospection:
      forwardHeaders:
        Group: grp
        Expires-At: exp

`forwardAuthorization`

Field	Description	Default	Required
`forwardAuthorization`	Defines whether the authorization header will be forwarded or stripped from a request after it has been approved by the middleware.	false	No

Forwarding the authorization header
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-oauth-intro
spec:
  plugin:
    oAuthIntrospection:
      forwardAuthorization: true

`claims`

Field	Description	Default	Required
`claims`	Defines the claims to validate in order to authorize the request.	""	No

note

The claims option can only be used with JWT-formatted token.

Validating that clients are in the admin group
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-oauth-intro
spec:
  plugin:
    oAuthIntrospection:
      claims: Equals(`grp`, `admin`)

Syntax

The following functions are supported in claims:

Function	Description	Example
Equals	Validates the equality of the value in `key` with `value`.	Equals(`grp`, `admin`)
Prefix	Validates the value in `key` has the prefix of `value`.	Prefix(`referrer`, `http://example.com\`)
Contains (string)	Validates the value in `key` contains `value`.	Contains(`referrer`, `/foo/`)
Contains (array)	Validates the `key` array contains the `value`.	Contains(`areas`, `home`)
SplitContains	Validates the value in `key` contains the `value` once split by the separator.	SplitContains(`scope`, ` `, `writer`)
OneOf	Validates the `key` array contains one of the `values`.	OneOf(`areas`, `office`, `lab`)

All functions can be joined by boolean operands. The supported operands are:

Operand	Description	Example
&&	Compares two functions and returns true only if both evaluate to true.	Equals(`grp`, `admin`) && Equals(`active`, `true`)
\|\|	Compares two functions and returns true if either evaluate to true.	Equals(`grp`, `admin`) \|\| Equals(`active`, `true`)
!	Returns false if the function is true, otherwise returns true.	!Equals(`grp`, `testers`)

All examples will return true for the following data structure:

JSON
{
  "active": true,
  "grp": "admin",
  "scope": "reader writer deploy",
  "referrer": "http://example.com/foo/bar",
  "areas": [
    "office",
    "home"
  ]
}

Nested Claims

Nested claims are supported by using a . between keys. For example:

Key

user.name

Claims
{
  "active": true,
  "grp": "admin",
  "scope": "reader writer deploy",
  "referrer": "http://example.com/foo/bar",
  "areas": [
    "office",
    "home"
  ],
  "user" {
    "name": "John Snow",
    "status": "undead"
  }
}

Result

John Snow

Handling keys that contain a '.'

If the key contains a dot, the dot can be escaped using \.

Handling a key that contains a ''

If the key contains a \, it needs to be doubled \\.

`usernameClaim`

Field	Description	Default	Required
`usernameClaim`	Defines the claim that will be evaluated to populate the `clientusername` in the access logs.	""	No

note

The usernameClaim option can only be used with JWT-formatted token.

Defining the claim used to log the clientusername
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-oauth-intro
spec:
  plugin:
    oAuthIntrospection:
      usernameClaim: userId

Advanced Configuration Example

Below is an advanced configuration example using custom claims validation and forward headers:

Using custom claims validation and forward headers
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-oauth-intro
spec:
  plugin:
    oAuthIntrospection:
      tokenSource:
        header: Authorization
        headerAuthScheme: Bearer
      tokenTypeHint: access_token
      forwardHeaders:
        Group: grp
        Expires-At: exp
      claims: Equals(`grp`, `admin`)

Configuration Options​

tokenSource​

clientConfig​

clientConfig.tls​

clientConfig.timeoutSeconds​

clientConfig.maxRetries​

clientConfig.url​

clientConfig.headers​

clientConfig.tokenTypeHint​

forwardHeaders​

forwardAuthorization​

claims​

Syntax​

Nested Claims​

usernameClaim​

Advanced Configuration Example​

Configuration Options

`tokenSource`

`clientConfig`

`clientConfig.tls`

`clientConfig.timeoutSeconds`

`clientConfig.maxRetries`

`clientConfig.url`

`clientConfig.headers`

`clientConfig.tokenTypeHint`

`forwardHeaders`

`forwardAuthorization`

`claims`

Syntax

Nested Claims

`usernameClaim`

Advanced Configuration Example