Redirect to auth:4181/provider #329

Open
evgnblkn opened this issue Sep 29, 2022 · 5 comments

Comments


evgnblkn commented Sep 29, 2022

When I try to open the service, for some reason I am redirected to http://auth:4181/gitea.example2.com/login/oauth/authorize?client_id=df33b482-149c-4cfc-be4b-&redirect_uri=https%3A%2F%2Fauth.example.com%2F_oauth&response_type=code&scope=profile+email&state=3ed5cfbf7dbb05bd8a1070%3Ageneric-oauth%3Ahttps%3A%2F%2Fwhoami.example.com%2F instead of being redirected to Gitea. I've already racked my brains over this and can't figure out what's wrong.

auth container logs:


auth  | time="2022-09-29T21:09:20Z" level=debug msg="Authenticating request" cookies="[_oauth2_proxy_csrf=UdvzNP7wiF7r2XG9n_oD7RcA=|1664372017|VpzjRtVGYfpClxxpyfMbU_m4w= _forward_auth_csrf_869f7c=869f7cd82ff42a1 _forward_auth_csrf_f0344f=f0344fd2025e47c086655b _forward_auth_csrf_73710f=73710f094e94c4e6ad59 _forward_auth_csrf_c18753=c18adca68949f6 _forward_auth_csrf_28759f=28759f51d7b09621 _forward_auth_csrf_fe1f95=fe1f9555bae _forward_auth_csrf_ab1f84=ab1f84dc43c _forward_auth_csrf_fa4b0d=fa4b0dacc5081953d]" handler=Auth host=whoami.example.com method=GET proto=https rule=default source_ip=9.2.2.15 uri=/
auth  | time="2022-09-29T21:09:20Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf_3ed5cf=3ed5cfbf7db; Path=/; Domain=example.com; Expires=Thu, 29 Sep 2022 22:09:20 GMT; HttpOnly; Secure" handler=Auth host=whoami.example.com login_url="gitea.example2.com/login/oauth/authorize?client_id=df33b482-149c-4cfc-bb-f765ae&redirect_uri=https%3A%2F%2Fauth.example.com%2F_oauth&response_type=code&scope=profile+email&state=3ed5cfbf7dbb05bd6%3Ageneric-oauth%3Ahttps%3A%2F%2Fwhoami.example.com%2F" method=GET proto=https rule=default source_ip=9.2.2.15 uri=/

Service config:

services:
  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=http, https"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.certresolver=le"
      - "traefik.http.routers.whoami.middlewares=oauth"

networks:
  default:
    external: true
    name: traefik_backend

Traefik && auth:

services:
  traefik:
    image: traefik:v2.8
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - backend
    ports:
      - 80:80
      - 443:443
    command:
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.http.http.redirections.entrypoint.to=https"
      - "--entrypoints.http.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.https.address=:443"
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=http"
      - "--certificatesresolvers.le.acme.email=postmaster@example.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--api.dashboard=true"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-letsencrypt:/letsencrypt
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.entrypoints=https"
      - "traefik.http.routers.api.rule=Host(`proxy.example.com`)"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=le"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_PASSWORD:-}"
      - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"

  auth:
    container_name: auth
    hostname: auth
    image: thomseddon/traefik-forward-auth
    restart: unless-stopped
    depends_on:
      - traefik
    environment:
      - "SECRET=DWs07aQgYIvLIkToUbbiM"
      - "DEFAULT_PROVIDER=generic-oauth"
      - "PROVIDERS_GENERIC_OAUTH_AUTH_URL=gitia.example2.com/login/oauth/authorize"
      - "PROVIDERS_GENERIC_OAUTH_TOKEN_URL=gitea.example2.com/login/oauth/access_token"
      - "PROVIDERS_GENERIC_OAUTH_USER_URL=gitea.example2.com/api/v1/user"
      - "PROVIDERS_GENERIC_OAUTH_CLIENT_ID=df33b482-149c-4cfc-be4b"
      - "PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=gto_fwq67nlxxufei5uyy6qswowykmq"
      - "PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE=query"
      - "LOG_LEVEL=debug"
      - "AUTH_HOST=auth.example.com"
      - "COOKIE_DOMAIN=example.com"
    networks:
      - backend
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.auth.entrypoints=http, https"
      - "traefik.http.routers.auth.rule=Path(`auth.example.com`)"
      - "traefik.http.routers.auth.tls=true"
      - "traefik.http.routers.auth.tls.certresolver=le"
      - "traefik.http.routers.auth.middlewares=oauth"
      - "traefik.http.routers.auth.service=oauth"
      - "traefik.http.services.oauth.loadbalancer.server.port=4181"

      - "traefik.http.middlewares.oauth.forwardauth.address=http://auth:4181"
      - "traefik.http.middlewares.oauth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.oauth.forwardauth.authResponseHeaders=X-Forwarded-User"

volumes:
  traefik-letsencrypt:

networks:
  backend:
    driver: bridge
    ipam:
      config:
        - subnet: ${TRAEFIK_SUBNET:-172.16.16.0/24}
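As an added example, not code from the thread or from traefik-forward-auth: a small check over the provider URLs posted above. It assumes, which the thread never confirms, that the Location header of the auth service's 307 is resolved as a relative reference against the forwardauth address http://auth:4181, which would turn a scheme-less AUTH_URL into an http://auth:4181/gitea.example2.com/... redirect like the one in the report; url_problems, resolved_redirect, provider_host and check_env are names chosen here.

```python
"""Added example (not from the issue thread): sanity-check the
PROVIDERS_GENERIC_OAUTH_*_URL values from the compose file above.
Assumption, not confirmed by the thread: Traefik resolves the Location of
the auth service's 307 as a relative reference against the forwardauth
address http://auth:4181 (RFC 3986), so a scheme-less value lands there."""
from __future__ import annotations
from urllib.parse import urljoin, urlsplit

FORWARDAUTH_ADDRESS = "http://auth:4181"  # from the middleware label above
SAMPLE_ENV = {  # constructed copy of the posted environment values
    "PROVIDERS_GENERIC_OAUTH_AUTH_URL": "gitia.example2.com/login/oauth/authorize",
    "PROVIDERS_GENERIC_OAUTH_TOKEN_URL": "gitea.example2.com/login/oauth/access_token",
    "PROVIDERS_GENERIC_OAUTH_USER_URL": "gitea.example2.com/api/v1/user",
}

def url_problems(value: str) -> list[str]:
    """Reasons a provider URL will misbehave; an empty list means it looks fine."""
    parts = urlsplit(value)
    problems = []
    if not parts.scheme:
        problems.append("missing scheme (https://)")
    elif parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected https")
    if not parts.netloc:
        problems.append("missing host: value is a relative reference")
    return problems

def resolved_redirect(login_url: str, base: str = FORWARDAUTH_ADDRESS) -> str:
    """Where a client lands if login_url is resolved against the auth address."""
    return urljoin(base.rstrip("/") + "/", login_url)

def provider_host(value: str) -> str:
    """Host part of a provider URL, tolerating values that lack a scheme."""
    parts = urlsplit(value)
    return parts.netloc or parts.path.split("/", 1)[0]

def check_env(env: dict[str, str]) -> dict[str, list[str]]:
    """Problems per *_URL variable, plus a 'hosts' entry when the URLs disagree on host."""
    urls = {k: v for k, v in env.items() if k.startswith("PROVIDERS_") and k.endswith("_URL")}
    report = {k: url_problems(v) for k, v in urls.items() if url_problems(v)}
    hosts = sorted({provider_host(v) for v in urls.values()})
    if len(hosts) > 1:  # this is what catches a gitia/gitea typo
        report["hosts"] = ["provider URLs disagree on host: " + ", ".join(hosts)]
    return report

if __name__ == "__main__":
    for key, problems in check_env(SAMPLE_ENV).items():
        print(f"{key}: {'; '.join(problems)}")
    print("redirect ->", resolved_redirect(SAMPLE_ENV["PROVIDERS_GENERIC_OAUTH_AUTH_URL"]))
```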
@evgnblkn (Author)

In the Traefik log when accessing whoami:
level=debug msg="Remote error http://auth:4181. StatusCode: 307" middlewareName=oauth@docker middlewareType=ForwardedAuthType

@Rathna-K

Did you figure it out?
Here is what worked for me:
# labels:
# - 'traefik.enable=true'
# - 'traefik.port=xxx'
# - "traefik.http.middlewares.whoami.redirectscheme.scheme=https"
# - "traefik.http.routers.whoami.middlewares=auth"
# - "traefik.http.routers.whoami-insecure.rule=Host(domain.com)"
# - "traefik.http.routers.whoami-insecure.middlewares= whoami"
# - "traefik.http.routers.whoami.rule=Host(domain.com)"
# - "traefik.http.routers.whoami.entrypoints=websecure"
# - "traefik.http.routers.whoami.tls.certresolver=myresolver"
# - "traefik.http.services.whoami.loadBalancer.server.port=xxx"
I do use a different OIDC though.

@thomseddon great work btw, several years after the service still going strong. Are you still using this or moved away?


nikolai-in commented Apr 15, 2023

Same problem with gitea. @evgnblkn, did you manage to fix it?


oblq commented Aug 29, 2023

I don't know if this is the cause but:
- "PROVIDERS_GENERIC_OAUTH_AUTH_URL=gitia.example2.com/login/oauth/authorize"
------------------------------------> gitia 👆🏼


monsdar commented Nov 29, 2023

You configure traefik.http.middlewares.auth.basicauth, shouldn't it be of type traefik.http.middlewares.auth.forwardauth instead? That way you can also correctly configure address, authResponseHeaders and trustForwardHeader.

UPDATE: Nevermind, just saw that you configure both middleware-types and apply the oauth middleware as needed.
