{"id":17931096,"url":"https://github.com/andrewkroh/google-oidc-auth-middleware","last_synced_at":"2026-01-18T00:47:24.833Z","repository":{"id":223573212,"uuid":"760868393","full_name":"andrewkroh/google-oidc-auth-middleware","owner":"andrewkroh","description":"Google OAuth Middleware plugin for Traefik proxy","archived":false,"fork":false,"pushed_at":"2025-04-02T23:18:50.000Z","size":43,"stargazers_count":12,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-03T00:20:37.395Z","etag":null,"topics":["traefik-plugin"],"latest_commit_sha":null,"homepage":"https://plugins.traefik.io/plugins/65d5360746079255c9ffd1e2/google-oidc-auth","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/andrewkroh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-02-20T20:41:00.000Z","updated_at":"2025-04-02T23:18:53.000Z","dependencies_parsed_at":"2024-04-18T04:31:29.295Z","dependency_job_id":"736ed326-3afb-41db-837c-916bde411574","html_url":"https://github.com/andrewkroh/google-oidc-auth-middleware","commit_stats":null,"previous_names":["andrewkroh/google-oidc-auth-middleware"],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrewkroh%2Fgoogle-oidc-auth-middleware","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrewkroh%2Fgoogle-oidc-auth-middleware/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrewkroh%2Fgoogle-oidc-auth
-middleware/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrewkroh%2Fgoogle-oidc-auth-middleware/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/andrewkroh","download_url":"https://codeload.github.com/andrewkroh/google-oidc-auth-middleware/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrewkroh%2Fgoogle-oidc-auth-middleware/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259164529,"owners_count":22815372,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["traefik-plugin"],"created_at":"2024-10-28T21:19:40.340Z","updated_at":"2026-01-18T00:47:24.820Z","avatar_url":"https://github.com/andrewkroh.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Traefik Google OIDC Auth Middleware\n\nThis is a Traefik middleware plugin that authenticates users with Google OpenID\nConnect, and then checks that their email address or Google Workspace domain is \nauthorized.\n\n## Requirements\n\n- Setup a new project in the Google API console to obtain a client ID and \nclient secret. 
See the [Google developer docs](https://developers.google.com/identity/openid-connect/openid-connect).\n- Install the plugin to Traefik using static config.\n- Configure the middleware in dynamic config.\n- Associate a service to the middleware.\n\n## Configuration\n\n| Option             | Default        | Required | Description                                                                                                                                                                       |\n|--------------------|----------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| oidc.clientID      |                | X        | OAuth client ID                                                                                                                                                                   |\n| oidc.clientSecret  |                | X        | OAuth client secret                                                                                                                                                               |\n| oidc.callbackPath  | /oidc/callback |          | The path where the OIDC provider will redirect the user after authenticating.                                                                                                     |\n| oidc.redirectHost  |                |          | Optional host override for the OIDC redirect URI. Use this to configure a single, central redirect URI for multiple subdomains (e.g., `auth.example.com`). Requires `cookie.domain` to be set for cookie sharing. |\n| oidc.prompt        |                |          | A space-delimited, case-sensitive list of prompts to present the user. Possible values are: `none`, `consent`, `select_account`. See [Google's docs](https://developers.google.com/identity/protocols/oauth2/web-server#httprest_1) for more info. 
|\n| cookie.name        | oidc_auth      |          | Name of the cookie. It can be customized to avoid collisions when running multiple instances of the middleware.                                                                   |\n| cookie.path        | /              |          | You can use this to limit the scope of the cookie to a specific path. Defaults to '/'.                                                                                            |\n| cookie.secret      |                | X        | Secret is the HMAC key for cookie signing, and helps provide integrity protection for cookies.                                                                                    |\n| cookie.duration    | 24h            |          | Validity period for new cookies. Users are granted access for this length of time regardless of changes to the user's account in the OIDC provider. Uses the Go time.Duration format. |\n| cookie.insecure    | false          |          | Set to true to omit the `Secure` attribute from cookies.                                                                                                                          |\n| cookie.sameSite    | Lax            |          | SameSite attribute for cookies. Options: `Strict`, `Lax`, `None`. `Lax` provides CSRF protection while allowing cookies on top-level navigation.                                  |\n| cookie.domain      |                |          | Domain attribute for cookies. Use this to share cookies across subdomains (e.g., `.example.com`). Must start with a dot. Required when using `oidc.redirectHost`.                  |\n| authorized.emails  |                | X        | List of allowed email addresses.                                                                                                                                                  |\n| authorized.domains |                | X        | List of allowed domains.                                                                 
                                                                                         |\n| debug              | false          |          | Enable debug logging to stdout. |\n\n## Headers\n\n*X-Forwarded-User*\n\nWhen the middleware proxies a request it adds an `X-Forwarded-User` header\ncontaining the user's email address. This can be used by the downstream service\nto identify the authenticated user.\n\nIf you want your JSON access logs to include the user's email address then\nconfigure the access log to retain the `X-Forwarded-User` header. Here is a\nCLI example:\n\n```\n# Adding X-Forwarded-User to JSON access logs.\n--accesslog\n--accesslog.format=json\n--accesslog.fields.headers.names.X-Forwarded-User=keep\n```\n\nThe resulting access log will contain a `request_X-Forwarded-User` field.\n\n```json\n    \"request_X-Forwarded-User\": \"name@gmail.com\"\n```\n\nSee [Limiting the Fields/Including Headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers) for more details.\n\n\n## Example config\n\nStatic config\n\n```yaml\n# traefik.yml\n\nexperimental:\n  plugins:\n    google-oidc-auth-middleware:\n      moduleName: \"github.com/andrewkroh/google-oidc-auth-middleware\"\n      # Populate this with the latest release tag.\n      version: vX.Y.Z\n```\n\nDynamic config\n\n```yaml\n# dynamic.yml\n\nhttp:\n  middlewares:\n    oidc-auth:\n      plugin:\n        google-oidc-auth-middleware:\n          oidc:\n            clientID: example.apps.googleusercontent.com\n            clientSecret: fake-secret\n          cookie:\n            secret: mySecretKey\n          authorized:\n            emails:\n              - name@gmail.com\n            domains:\n              - example.com\n  routers:\n    my-router:\n      rule: host(`localhost`)\n      service: service-foo\n      entryPoints:\n        - web\n      middlewares:\n        - oidc-auth\n```\n\n## Multi-Subdomain Configuration\n\nWhen protecting multiple subdomains (e.g., 
`app1.example.com`, `app2.example.com`, `app3.example.com`) under the same parent domain, you can configure a single central redirect URI instead of registering each subdomain individually with your OAuth provider.\n\n### Configuration\n\nThis feature requires two settings:\n\n1. **`oidc.redirectHost`**: Set this to a central host that will handle all OIDC callbacks (e.g., `auth.example.com`)\n2. **`cookie.domain`**: Set this to share cookies across all subdomains (e.g., `.example.com`)\n\n### Example\n\n```yaml\n# dynamic.yml\n\nhttp:\n  middlewares:\n    oidc-auth:\n      plugin:\n        google-oidc-auth-middleware:\n          oidc:\n            clientID: example.apps.googleusercontent.com\n            clientSecret: fake-secret\n            redirectHost: auth.example.com  # Central callback host\n            callbackPath: /oidc/callback\n          cookie:\n            secret: mySecretKey\n            domain: .example.com  # Share cookies across *.example.com\n          authorized:\n            emails:\n              - name@gmail.com\n            domains:\n              - example.com\n\n  routers:\n    # Router for the central callback host\n    auth-callback:\n      rule: Host(`auth.example.com`) \u0026\u0026 Path(`/oidc/callback`)\n      service: noop@internal\n      entryPoints:\n        - web\n      middlewares:\n        - oidc-auth\n      #tls: ...\n\n    # Routers for protected subdomains\n    app1:\n      rule: Host(`app1.example.com`)\n      service: service-app1\n      entryPoints:\n        - web\n      middlewares:\n        - oidc-auth\n\n    app2:\n      rule: Host(`app2.example.com`)\n      service: service-app2\n      entryPoints:\n        - web\n      middlewares:\n        - oidc-auth\n\n    app3:\n      rule: Host(`app3.example.com`)\n      service: service-app3\n      entryPoints:\n        - web\n      middlewares:\n        - oidc-auth\n```\n\n### Google OAuth Setup\n\nIn your Google OAuth console, you only need to register **one** authorized 
redirect URI:\n\n```\nhttps://auth.example.com/oidc/callback\n```\n\nInstead of having to register:\n- `https://app1.example.com/oidc/callback`\n- `https://app2.example.com/oidc/callback`\n- `https://app3.example.com/oidc/callback`\n\n### How It Works\n\n1. User visits `https://app1.example.com`\n2. Middleware redirects to Google OAuth with `redirect_uri=https://auth.example.com/oidc/callback`\n3. User authenticates with Google\n4. Google redirects to `https://auth.example.com/oidc/callback`\n5. Middleware sets a cookie with `Domain=.example.com` (shared across all subdomains)\n6. Middleware redirects user back to original URL: `https://app1.example.com`\n7. User can now access any subdomain without re-authenticating (cookie is shared)\n\n### Requirements\n\n- All protected sites must be under the same eTLD+1 (e.g., `*.example.com`)\n- Sharing cookies across different apex domains (e.g., `example.com` vs `example.org`) is not supported\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandrewkroh%2Fgoogle-oidc-auth-middleware","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandrewkroh%2Fgoogle-oidc-auth-middleware","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandrewkroh%2Fgoogle-oidc-auth-middleware/lists"}