Skip to content

Lightweight Traefik middleware plugin that enable users to authenticate on specific domains using GitHub OAuth

License

Notifications You must be signed in to change notification settings

luizfonseca/traefik-github-oauth-plugin

Repository files navigation

Traefik GitHub OAuth Plugin

This is a fork of MuXiu1997 repository. This fork is mostly fixing some of the security concerns I wanted to address. This will be kept synced with the main repo.

This is a Traefik middleware plugin that allows users to authenticate using GitHub OAuth.

The plugin is intended to be used as a replacement for the BasicAuth middleware,

providing a more secure way for users to access protected routes.

process

Quick Start (Docker)

  1. Create a GitHub OAuth App

  2. Run the Traefik GitHub OAuth server

    docker run -d --name traefik-github-oauth-server \
      --network <traefik-proxy-network> \
      -e 'GITHUB_OAUTH_CLIENT_ID=<client-id>' \
      -e 'GITHUB_OAUTH_CLIENT_SECRET=<client-secret>' \
      -e 'API_BASE_URL=http://<traefik-github-oauth-server-host>' \
      -l 'traefik.http.services.traefik-github-oauth-server.loadbalancer.server.port=80' \
      -l 'traefik.http.routers.traefik-github-oauth-server.rule=Host(`<traefik-github-oauth-server-host>`)' \
      luizfonseca/traefik-github-oauth-server
  3. Install the Traefik GitHub OAuth plugin

    Add this snippet in the Traefik Static configuration

    experimental:
      plugins:
        github-oauth:
          moduleName: "github.com/luizfonseca/traefik-github-oauth-plugin"
          version: <version>
  4. Run your App

    docker run -d --whoami test \
      --network <traefik-proxy-network> \
      --label 'traefik.http.middlewares.whoami-github-oauth.plugin.github-oauth.apiBaseUrl=http://traefik-github-oauth-server' \
      --label 'traefik.http.middlewares.whoami-github-oauth.plugin.github-oauth.whitelist.logins[0]=luizfonseca' \
      --label 'traefik.http.routers.whoami.rule=Host(`whoami.example.com`)' \
      --label 'traefik.http.routers.whoami.middlewares=whoami-github-oauth' \
     traefik/whoami

Configuration

Server configuration

Environment Variable Description Default Required
GITHUB_OAUTH_CLIENT_ID The GitHub OAuth App client id Yes
GITHUB_OAUTH_CLIENT_SECRET The GitHub OAuth App client secret Yes
API_BASE_URL The base URL of the Traefik GitHub OAuth server Yes
API_SECRET_KEY The api secret key. You can ignore this if you are using the internal network No
SERVER_ADDRESS The server address :80 No
DEBUG_MODE Enable debug mode and set log level to debug false No
LOG_LEVEL The log level, Available values: debug, info, warn, error info No

Middleware Configuration

# The base URL of the Traefik GitHub OAuth server
apiBaseUrl: http://<traefik-github-oauth-server-host>
# The api secret key. You can ignore this if you are using the internal network
apiSecretKey: optional_secret_key_if_not_on_the_internal_network
# The path to redirect to after the user has authenticated, defaults to /_auth
# Note: This path is not GitHub OAuth App's Authorization callback URL
authPath: /_auth
# optional jwt secret key, if not set, the plugin will generate a random key
jwtSecretKey: optional_secret_key
# The log level, defaults to info
# Available values: debug, info, warn, error
logLevel: info
# whitelist
whitelist:
  # The list of GitHub user ids that in the whitelist
  ids:
    - 996
  # The list of GitHub user logins that in the whitelist
  logins:
    - luizfonseca

License

MIT