Skip to content

FAForever/traefik-hydra-forward-auth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.github/workflows
.github/workflows
 
 
app
app
 
 
mock-hydra
mock-hydra
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
compose.yaml
compose.yaml
 
 

Repository files navigation

Traefik <-> Hydra Middleware for forward authentication

Architecture background

The FAForever project uses Traefik as its reverse proxy of choice and Ory Hydra as the OAuth2 api.

The more services we add to the architecture, the more services need to implement token verification logic. So far we used JWTs with embedded roles in the extension of the token. However, this brings some drawbacks on the lifetime and their invalidation. This is why the Hydra docs suggest to use Opaque tokens instead. Still, we do not want to implement the token introspection into every service when there can be a centralized solution.

Features

The Traefik ForwardAuth middleware allows us to add a middleware (the application in this repo) to run the authentication and also add new headers.

This app sets the following headers, when the middleware is used:

  • X-User-Id
  • X-User-Name
  • X-User-Roles (whitespace separated)
  • X-Client-Id
  • X-Client-Scopes (whitespace separated)

There are 2 modes, that can be used as separate Traefik middlewares (see compose.yaml file for reference):

  • /enforce-auth requires a valid authentication Bearer token and returs 401 otherwise
  • /enrich-auth provides authentication headers only, if an authentication header is present and valid

Testing

You can test the cases with the compose.yaml:

# Successful authentication on /enforce-auth
curl -v --location --request POST 'localhost:8080' \
--header 'Host: whoami-enforce.localhost' \
--header 'Authorization: Bearer test'

# Missing authentication fails on /enforce-auth
curl -v --location --request POST 'localhost:8080' \
--header 'Host: whoami-enforce.localhost'

# Successful authentication on /enrich-auth
curl -v --location --request POST 'localhost:8080' \
--header 'Host: whoami-enrich.localhost' \
--header 'Authorization: Bearer test'

# Missing authentication passes on /enrich-auth
curl -v --location --request POST 'localhost:8080' \
--header 'Host: whoami-enrich.localhost'

# No header injection possible on present authentication
curl -v --location --request POST 'localhost:8080' \
--header 'Host: whoami-enrich.localhost' \
--header 'X-User-Id: 666' \
--header 'Authorization: Bearer test'

# No header injection possible on missing authentication
curl -v --location --request POST 'localhost:8080' \
--header 'Host: whoami-enrich.localhost' \
--header 'X-User-Id: 666'

About

No description, website, or topics provided.

Resources

Readme

License

MIT license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

0 stars

Watchers

4 watching

Forks

0 forks
Report repository

Releases 1

1.0.0 Latest
May 4, 2025

Sponsor this project

Packages

No packages published

Languages