Traefik Forward Auth

OpenID Connect

Traefik Forward Auth supports generic OpenID Connect providers, including Auth0, Okta, and others.

To use an OpenID Connect provider for user authentication, create an application and configure the callback to https://<endpoint>/portals/<portal>/oauth2/callback (see examples depending on how Traefik Forward Auth is exposed).

Configure a provider with these options in the openIDConnect property:

  • tokenIssuer : Token issuer
    This is generally a URL like https://tenant.identityprovider.com/.
    Traefik Forward Auth will try to fetch the OpenID Configuration document at <tokenIssuer>/.well-known/openid-configuration; in this example, https://tenant.identityprovider.com/.well-known/openid-configuration.
  • clientID : Client ID of your application
  • clientSecret : Client secret of your application

The OpenID Connect provider supports additional configuration options that can be helpful to configure how Traefik Forward Auth communicates with the Identity Provider:

  • tlsInsecureSkipVerify : If true, skips validating TLS certificates when communicating with the Identity Provider. While this option can enable support for self-signed TLS certificates, it should be used with caution.
  • tlsCACertificatePEM : PEM-encoded CA certificate used when communicating with the Identity Provider.
  • tlsCACertificatePath : Path to a file containing the PEM-encoded CA certificate used when communicating with the Identity Provider.
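As an added example (not code from the Traefik Forward Auth project), the Go program below shows what these options amount to on the client side: building the discovery URL from tokenIssuer whether or not it ends in a slash, checking that the issuer value in the fetched OpenID Configuration document is identical to the configured tokenIssuer as OpenID Connect Discovery requires, and wiring a PEM CA certificate or the skip-verify setting into a TLS client. The function names, the Discovery struct and the embedded discovery document are constructed for this illustration and are assumptions, not the project's internals.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Discovery holds the subset of the OpenID Configuration document a relying
// party needs to start an authorization code flow and verify ID tokens.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
}

// sampleDiscoveryDoc is a constructed document standing in for a real IdP
// response at https://tenant.identityprovider.com/.well-known/openid-configuration.
var sampleDiscoveryDoc = []byte(`{
  "issuer": "https://tenant.identityprovider.com/",
  "authorization_endpoint": "https://tenant.identityprovider.com/authorize",
  "token_endpoint": "https://tenant.identityprovider.com/oauth/token",
  "jwks_uri": "https://tenant.identityprovider.com/.well-known/jwks.json"
}`)

// DiscoveryURL builds <tokenIssuer>/.well-known/openid-configuration. A trailing
// slash on the issuer is tolerated so the path is not doubled, and only absolute
// https issuers without query or fragment are accepted.
func DiscoveryURL(tokenIssuer string) (string, error) {
	u, err := url.Parse(tokenIssuer)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("tokenIssuer must be an absolute https URL, got %q", tokenIssuer)
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return "", errors.New("tokenIssuer must not contain a query or fragment")
	}
	return strings.TrimRight(tokenIssuer, "/") + "/.well-known/openid-configuration", nil
}

// ValidateDiscovery parses the document and enforces the Discovery rule that its
// "issuer" value must be identical to the configured tokenIssuer. A mismatch
// means the document is not from the expected issuer, or tokenIssuer is
// misconfigured (a trailing-slash difference is the usual cause). Endpoints must
// be https so tokens are never sent over plaintext.
func ValidateDiscovery(doc []byte, tokenIssuer string) (*Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, fmt.Errorf("invalid discovery document: %w", err)
	}
	if d.Issuer != tokenIssuer {
		return nil, fmt.Errorf("issuer mismatch: document says %q, configured %q", d.Issuer, tokenIssuer)
	}
	for name, v := range map[string]string{
		"authorization_endpoint": d.AuthorizationEndpoint,
		"token_endpoint":         d.TokenEndpoint,
		"jwks_uri":               d.JWKSURI,
	} {
		if !strings.HasPrefix(v, "https://") {
			return nil, fmt.Errorf("%s must be an https URL, got %q", name, v)
		}
	}
	return &d, nil
}

// NewIDPClient mirrors the TLS options: a PEM CA (the content of
// tlsCACertificatePEM, or of the file named by the path option) becomes a
// private root pool, and insecureSkipVerify disables both chain and hostname
// validation, which is why a pinned CA is the preferable fix for self-signed IdPs.
func NewIDPClient(caPEM []byte, insecureSkipVerify bool) (*http.Client, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("CA PEM contains no valid certificate")
		}
		cfg.RootCAs = pool
	}
	cfg.InsecureSkipVerify = insecureSkipVerify
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

func main() {
	u, _ := DiscoveryURL("https://tenant.identityprovider.com/")
	fmt.Println("discovery URL:", u)
	if d, err := ValidateDiscovery(sampleDiscoveryDoc, "https://tenant.identityprovider.com/"); err == nil {
		fmt.Println("token endpoint:", d.TokenEndpoint)
	}
	// Configuring the issuer without the trailing slash the IdP uses is caught here.
	if _, err := ValidateDiscovery(sampleDiscoveryDoc, "https://tenant.identityprovider.com"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The issuer comparison is deliberately exact rather than normalized: the configured tokenIssuer must match what the Identity Provider publishes, and correcting the configuration is safer than teaching the client to accept near-matches.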

See the full list of configuration options for OpenID Connect, with an example.
