{"id":24692879,"url":"https://github.com/asaintsever/traefik-forwardauth-authcode-pkce","last_synced_at":"2026-04-13T21:31:24.686Z","repository":{"id":75289646,"uuid":"271535001","full_name":"asaintsever/traefik-forwardauth-authcode-pkce","owner":"asaintsever","description":"Simple implementation of a Traefik ForwardAuth middleware supporting Authorization Code with PKCE flow","archived":false,"fork":false,"pushed_at":"2020-10-02T13:56:04.000Z","size":1842,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-09-27T09:16:19.832Z","etag":null,"topics":["auth0","authorization","authorization-code-grant","forwardauth","oauth2","oidc","pkce","traefik","traefik-forwardauth-middleware","traefik2"],"latest_commit_sha":null,"homepage":"https://asaintsever.github.io/traefik-forwardauth-authcode-pkce/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/asaintsever.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-11T12:00:34.000Z","updated_at":"2024-11-27T12:19:21.000Z","dependencies_parsed_at":"2023-06-06T01:00:09.686Z","dependency_job_id":null,"html_url":"https://github.com/asaintsever/traefik-forwardauth-authcode-pkce","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/asaintsever/traefik-forwardauth-authcode-pkce","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asaintsever%2Ftraefik-forwardauth-authcode-pkce","tags_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/repositories/asaintsever%2Ftraefik-forwardauth-authcode-pkce/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asaintsever%2Ftraefik-forwardauth-authcode-pkce/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asaintsever%2Ftraefik-forwardauth-authcode-pkce/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/asaintsever","download_url":"https://codeload.github.com/asaintsever/traefik-forwardauth-authcode-pkce/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asaintsever%2Ftraefik-forwardauth-authcode-pkce/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31771799,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-13T20:17:16.280Z","status":"ssl_error","status_checked_at":"2026-04-13T20:17:08.216Z","response_time":93,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth0","authorization","authorization-code-grant","forwardauth","oauth2","oidc","pkce","traefik","traefik-forwardauth-middleware","traefik2"],"created_at":"2025-01-26T20:17:29.189Z","updated_at":"2026-04-13T21:31:24.666Z","avatar_url":"https://github.com/asaintsever.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Traefik ForwardAuth middleware for Authorization Code with PKCE 
flow\n\nSimple implementation of a Traefik ForwardAuth middleware supporting the Authorization Code with PKCE flow.\n\n- Traefik documentation on ForwardAuth: \u003chttps://docs.traefik.io/middlewares/forwardauth/\u003e\n- Proof Key for Code Exchange by OAuth Public Clients: \u003chttps://tools.ietf.org/html/rfc7636\u003e\n\n## Prerequisites\n\n- Kubernetes cluster (e.g. Minikube)\n- Traefik v2.x deployed (e.g. using the Helm chart: \u003chttps://docs.traefik.io/getting-started/install-traefik/#use-the-helm-chart\u003e)\n- An OIDC/OAuth 2 provider (we will use Auth0 here)\n\n## Set up your OIDC/OAuth 2 provider\n\nAs mentioned, we pick Auth0 as our OIDC/OAuth 2.0 provider but the middleware must work with any compliant OIDC/OAuth 2.0 provider.\n\nThe first step is to create a new Traefik application on Auth0. Pay attention to supported grants (we need Authorization Code) and callback(s) (whitelist all URLs Auth0 may call for code exchange), and make sure Token Endpoint Authentication Method is set to `None`, as we will use the PKCE extension of the Authorization Code flow, a flow well suited for public applications that cannot securely handle client secrets.\n\n![](config/auth0-app-create.png)\n\n![](config/auth0-app-token-endpoint-auth.png)\n\n![](config/auth0-app-set-callbacks.png)\n\n![](config/auth0-app-enable-authcode.png)\n\n## Deploy ForwardAuth middleware\n\nDeploy the provided Kubernetes [manifest](deploy/manifest.yaml) in your cluster:\n\n```sh\nkubectl apply -f deploy/manifest.yaml\n```\n\n## Test\n\nWith the manifest deployed, check the Traefik Dashboard to look for our middleware on the `/whoami` route. Open a new browser tab and navigate to `http://\u003cTraefik LoadBalancer IP\u003e/whoami`: you should be automatically redirected to your OIDC provider's login screen to authenticate. After successful authentication you'll be redirected to the `/whoami` service. 
While your session is valid, you will not have to authenticate again.\n\n![](traefik-forwardauth-authcode-pkce-demo.gif)\n\n## Appendix\n\n### Local tests without Traefik and Kubernetes\n\n1) Two methods:\n   1) Either build the code locally (you need Go installed):\n\n    ```sh\n    $ cd src\n    $ go build -v -o app .\n\n    # You can then run the ForwardAuth middleware\n    $ APP_URL=https://www.google.com AUTH_CALLBACK_URL=http://localhost:3000/auth/callback OIDC_PROVIDER_URL=\u003cAuth0 tenant URL\u003e TRAEFIK_APP_CLIENT_ID=\u003capp client id\u003e ./app\n    Listening on 0.0.0.0:3000\n    ```\n\n   2) Or use the public image available on [Docker Hub](https://hub.docker.com/r/asaintsever/traefik-forwardauth-authcode-pkce):\n\n    ```sh\n    $ docker run --rm -e APP_URL=https://www.google.com -e AUTH_CALLBACK_URL=http://localhost:3000/auth/callback -e OIDC_PROVIDER_URL=\u003cAuth0 tenant URL\u003e -e TRAEFIK_APP_CLIENT_ID=\u003capp client id\u003e -p 3000:3000 asaintsever/traefik-forwardauth-authcode-pkce\n    Listening on 0.0.0.0:3000\n    ```\n2) You can then perform some tests. Open your web browser and navigate to, e.g., `http://localhost:3000`. You'll be redirected to the Auth0 login screen and then to the app URL (Google here) if authentication succeeds. 
Meanwhile, you can see issued tokens in the console output of the ForwardAuth middleware:\n\n```sh\n2020/06/11 10:21:54 ==== New authentication request to OIDC provider\n2020/06/11 10:21:54 Authorize URL: https://\u003cAuth0 tenant URL\u003e/authorize?client_id=\u003cyour app client id\u003e\u0026code_challenge=GSBnTYmwPmCVwWz8YAthCWPA-JTSL2IsMk0YLIcI0Ok\u0026code_challenge_method=S256\u0026redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcallback\u0026response_type=code\u0026scope=openid+profile+email\u0026state=6aOtpqwF8vGoNGECciA5Fcn8mrzpwAKkgiSfhxAmQyc%3D\n2020/06/11 10:21:55 == ID Token: \u003cJWT ID Token issued by Auth0\u003e\n2020/06/11 10:21:55 == Access Token: \u003cOpaque Access Token issued by Auth0 because no audience in authorize call\u003e\n2020/06/11 10:21:55 == Profile: \u003cID Token claims\u003e\n...\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasaintsever%2Ftraefik-forwardauth-authcode-pkce","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fasaintsever%2Ftraefik-forwardauth-authcode-pkce","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasaintsever%2Ftraefik-forwardauth-authcode-pkce/lists"}