Add forward authentication option #1972
Conversation
ldez
added
area/authentication
status/1-needs-design-review
and removed
status/0-needs-triage
labels
|
Wow, great job @drampelt ! |
auth/forward.go
Outdated
| return | ||
| } | ||
|
|
||
| defer forwardResponse.Body.Close() |
There was a problem hiding this comment.
I would move this line after the block:
if readError != nil {
...
}
defer forwardResponse.Body.Close()
Indeed, if readError is not nil, maybe the body will be empty, then the defered Close() would lead to a panic.
types/types.go
Outdated
| @@ -314,6 +315,11 @@ type Digest struct { | |||
| UsersFile string | |||
| } | |||
|
|
|||
| // Forward authentication | |||
| type Forward struct { | |||
| Address string | |||
There was a problem hiding this comment.
I think it would be great to add the possibility to connect in TLS (with an self-signed cert).
There was a problem hiding this comment.
I'm agree with @emilevauge for the TLS connection.
Indeed, for example, I tried to test the PR by connecting Traefik to a docker_auth server but this server allows only HTTPS connections...
There was a problem hiding this comment.
Yes I agree that would be useful. Unfortunately I'm not too familiar with Go yet and not really sure how to go about doing that - would anyone else be interested in implementing that?
There was a problem hiding this comment.
No problem @drampelt.
We can do the modifications for your 😉
auth/forward.go
Outdated
| func Forward(forward *types.Forward, w http.ResponseWriter, r *http.Request, next http.HandlerFunc) { | ||
| client := http.Client{} | ||
|
|
||
| forwardReq, err := http.NewRequest("GET", forward.Address, nil) |
auth/forward.go
Outdated
| return | ||
| } | ||
|
|
||
| if forwardResponse.StatusCode < 200 || forwardResponse.StatusCode >= 300 { |
There was a problem hiding this comment.
Could you replace:
200byhttp.StatusOK300byhttp.StatusMultipleChoices
There was a problem hiding this comment.
maybe the limit can be 400 instead of 300?
There was a problem hiding this comment.
I chose 300 to allow the auth server to redirect to a login page if necessary. For example if doing Google sign in, the auth server would need to redirect the user to Google by returning a 302.
middlewares/authenticator.go
Outdated
| "github.com/abbot/go-http-auth" | ||
| goauth "github.com/abbot/go-http-auth" | ||
|
|
||
| "github.com/containous/traefik/auth" |
There was a problem hiding this comment.
Sorry, could you clarify what order they should be in? I'm not too familiar with Go yet and gofmt seems to think that is fine.
|
@drampelt The code freeze for 1.4 will happen in 2 days (August 25th). Do you think you will be able to fix your PR in the meantime ? |
|
Thanks for the reviews, I have a fairly busy week but I'll see if I can get it fixed up by tomorrow. |
|
Fixed most of the issues I knew how to. |
traefiker
force-pushed
the
forward-auth
branch
from
d25a773
to
26f7121
Compare
|
Hi I used github as an example to test defaultEntryPoints = ["http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.auth.forward]
address = "http://github.com/login/oauth/authorize"
[web]
address = ":8081"
[file]
[backends]
[backends.backend1]
[backends.backend1.servers.server1]
url = "http://localhost:8000"
[frontends]
[frontends.frontend1]
backend = "backend1"
passHostHeader = true
[frontends.frontend1.routes.example]
rule = "Host:localhost"If I try to hit localhost i simply hit my local server on port 8000 with no auth request. |
|
@RC1140 Thanks for your interest in Traefik 😃 Please discuss this in :
|
Description
This implements forward authentication, much like in
ngx_http_auth_request_module.Based on the discussion in #1030 and Proposal Doc, it's clear we needed to start with something simple and then build on it later. This implementation is a simplified version of @vladshub's implementation in #1030, removing the request and response body header/query parameter manipulation.
When forward auth is enabled, the request is first forwarded to the specified auth server. If the auth server responds with a 2XX status, the original request is performed. Otherwise, the response from the auth server is returned.
Next steps
If everyone agrees this is a good starting point, I think the next step would be either copying or renaming response headers from the auth server as request headers sent to the backend.
From what I can tell that seems to be the main use-case, the auth server provides authenticated user information in response headers and then the backend application uses that information to automatically authenticate the user. See oauth2_proxy with nginx as an example of this. I believe this would bring it to feature parity with
ngx_http_auth_request_module.See this commit for a potential implementation of header mapping.
Of course I'm open to discussion about how to proceed and interested in hearing other ideas.