Support OpenPolicyAgent policies for authorization

[ieugen]

Hello,

I would love to see support for OpenPolicyAgent policies https://www.openpolicyagent.org/ .

I'm currently trying to implement authentication and authorization via OpenID Connect to protect static web pages.
But for this I need a way to trigger OpenID Connect authentication AND OpenPolicyAgent policies in the same place.

Static pages don't do the OpenID Connect dance and don't send the token.
So I am exploring Oauth2 proxy to handle OIDC and a OPA plugin traefik plugin to handle the policies https://github.com/unsoon/traefik-open-policy-agent .

OPA would be really cool to be supported.

• Authorization policies are external to the app
• They are much more powerful than whatever people can do via the options currently provided.
• OPA is also implemented in Go - so integration can be easy
• It might be possible to implement the OPA library directly instead of or in addition to the OPA rest API (which might be simpler to support)

Looking forward to hear your thoughts on this.

Thanks,
Eugen

[sevensolutions]

Hi @ieugen
thx for this suggestion. I haven't used OPA yet but saw this existing OPA Traefik Plugin.
Not that I wouldn't want to implement that, but i think it would be possible to stick this plugin after the OIDC plugin. At least as a workaround.

But because the OPA traefik plugin is also very popular, lots of people seem to use it so it might be a good idea to implement it directly.
We should definetely discuss if we should implement it directly or forward requests to an OPA server.
I need to do some research because traefik is very limited in which external libraries can be used because of the yaegi interpreter.

Sorry to mention you here @cdanis , but you also have a lot of opinions about this plugin. What do you think? Feel free to reply if you want 🙂

[sevensolutions]

@ieugen do you have a concrete use-case you want to use it for or was this just an idea?
Because authorization would be limited to whats contained in the access- or id-token.

[ieugen]

Hi, yes I have a use case - authorization policies for static websites.

Authorization can use full http request.

Sends request data to OPA server including:
HTTP method
Request path
Headers
Query parameters

OPA can also make http requests or use extra data that can be provided to the policy https://www.permit.io/blog/load-external-data-into-opa#3 .

Since https://plugins.traefik.io/plugins/67709f24f5aa5a721d14c9de/open-policy-agent-opa is also a middle ware, I can put oidc first and the opa next and this should be enough.

I'm working on this but I have an issue with using the groups claim in EntraID . I get an error on the plugin side. Not sure where the issue is yet.

2025-07-01 13:29:39 [INFO] [traefik-oidc-auth] Verifying token: unable to read session cookie: named cookie not present
2025-07-01 13:29:39 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
2025-07-01 13:29:39 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/REDACTED/oauth2/v2.0/authorize
2025-07-01 13:29:44 [WARN] [traefik-oidc-auth] Code is missing.

[ieugen]

It seems I get Microsoft EntraID group ID's in the IDToken but not Access Token.

This is the config I use and adds group ID's to IDToken but not access tokens

    entraid-auth:
      plugin:
        traefik-oidc-auth:
          LogLevel: DEBUG
          Secret: "REDACTED" # Please change this secret for your setup
          Provider:
            Url: https://login.microsoftonline.com/REDACTED/v2.0
            ClientId: REDACTED
            ClientSecret: REDACTED
            UsePkce: true
          Scopes: ["openid", "profile", "email"]
          # Scopes: ["openid", "profile", "email", "groups"]  # Adding "groups" or "group" scope breaks authentication with "Code is missing" 
          Headers:
            - Name: "Authorization"
              Value: "{{`Bearer {{ .accessToken }}`}}"
            - Name: "X-Oidc-Username"
              Value: "{{`{{ .claims.preferred_username }}`}}"
            - Name: "X-Oidc-IDToken"
              Value: "{{`{{ .idToken }}`}}"

This is the OPA plugin config I use with an echo service

    echo-demo-opa:
      plugin:
        open-policy-agent:
          url: "http://localhost:8181/v1/data/example/echo"
          allowField: "allow"
          errorResponse:
            statusCode: 403
            contentType: "application/json"
            headers:
              X-Error-Type: "authorization_failed"
            body:
              error: "Access denied by policy"

and the traefik router config

        traefik.http.routers.echo-https.middlewares: entraid-auth@file, echo-demo-opa@file

[ieugen]

I got OPA authorization workgin with the following configuration:

Declare plugins in traefik static config:

traefik.yml

experimental:
  plugins:
    traefik-maintenance:
      moduleName: github.com/TRIMM/traefik-maintenance
      version: v1.0.1
    traefik-oidc-auth:
      moduleName: "github.com/sevensolutions/traefik-oidc-auth"
      version: "v0.12.0"
    open-policy-agent:
      moduleName: "github.com/unsoon/traefik-open-policy-agent"
      version: "v1.2.0"

Configure middlewares in traefik dynamic configuration:

dynamic.yml

    entraid-auth:
      plugin:
        traefik-oidc-auth:
          LogLevel: DEBUG
          Secret: "REDACTED" # Please change this secret for your setup
          Provider:
            Url: https://login.microsoftonline.com/REDACTED/v2.0
            ClientId: REDACTED
            ClientSecret: REDACTED
            UsePkce: true
          Scopes: ["openid", "profile", "email"]
          Headers:
            - Name: "Authorization"
              Value: "{{`Bearer {{ .accessToken }}`}}"
            - Name: "X-Oidc-Username"
              Value: "{{`{{ .claims.preferred_username }}`}}"
            - Name: X-Oidc-Groups
              # Value: '{{ `{{ .claims.groups }}` }}'
              Value: '{{`{{with .claims.groups}}{{ range $i, $g := . }}{{if $i}},{{end}}{{js $g}}{{end}}{{end}}`}}'
    echo-demo-opa:
      plugin:
        open-policy-agent:
          url: "http://infra1.net.drevidence.com:8181/v1/data/example/echo"
          allowField: "allow"
          errorResponse:
            statusCode: 403
            contentType: "application/json"
            headers:
              X-Error-Type: "authorization_failed"
            body:
              error: "Access denied by policy"

The rego policy

echo-demo.rego

package example.echo

default allow = false

result := {
    "group_key": "aaa" in [
      "aaa",
      "bbb",
      "ccc"
    ]
}
allow if {
  input.path[0] == "InfraTeam"
  # user is in InfraTeam group "b925b894-6583-5de0-9397-360ae587cda2"
  contains(input.headers["X-Oidc-Groups"][0],"b925b894-6583-5de0-9397-360ae587cda2")
}

Sample input for CLI testing (for testing with curl HTTP it needs to be inside an {"input": } )

entra-id-groups.json

{
  "path": ["InfraTeamUsers", "b"],
  "method": "GET",
  "headers": {
    "X-Oidc-Groups": [
      "e7ff4b27-d5b4-4d85-b966-5df7bbccea92,b925b894-6583-4de0-9397-360ae587cda3,f1c30196-9289-410c-b813-4c6cca9db70d,b6838d9b-f8aa-4629-8e99-082fd05f232d"
    ]
  }
}

Local rego testing:
opa eval -f pretty -d echo-demo.rego -i entra-id-groups.json 'data.example.echo'

I think this can be closed, and people/you can use this as documentation.

[sevensolutions]

Hi @ieugen
perfect 😁 and thx for providing the sample.
Yeah i never thougth about using the entire request for the validation but in this case it really makes more sense to keep this out of the plugin and by doing this kind of authorization in a dedicated plugin.

If you think this example config can be helpful for others too i would very much appreciate it if you submit a PR for documenting it in the config samples area of the documentation page.
Just create a new sub page there.

[ieugen]

I agree, keeping it separate might be a better option.
I'll try to make some time, but things are a bit hectic .

[sevensolutions]

Take your time, no pressure at all :)