{"id":15396930,"url":"https://github.com/luizfonseca/traefik-github-oauth-plugin","last_synced_at":"2025-04-15T22:31:14.545Z","repository":{"id":209736771,"uuid":"724063572","full_name":"luizfonseca/traefik-github-oauth-plugin","owner":"luizfonseca","description":"Lightweight Traefik middleware plugin that enable users to authenticate on specific domains using GitHub OAuth","archived":false,"fork":false,"pushed_at":"2025-04-07T09:29:56.000Z","size":17140,"stargazers_count":8,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-07T10:29:57.686Z","etag":null,"topics":["docker-swarm","golang","traefik","traefik-plugin"],"latest_commit_sha":null,"homepage":"https://plugins.traefik.io/plugins/65646fb989090d725bcb75b7/git-hub-o-auth-plugin","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/luizfonseca.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-27T10:19:57.000Z","updated_at":"2025-04-07T09:29:54.000Z","dependencies_parsed_at":"2023-11-28T23:20:14.806Z","dependency_job_id":"c4657ef2-f758-4588-968f-aea70ec1b2eb","html_url":"https://github.com/luizfonseca/traefik-github-oauth-plugin","commit_stats":{"total_commits":82,"total_committers":5,"mean_commits":16.4,"dds":0.6463414634146342,"last_synced_commit":"baeaceb6d883ea1fdfe3847cd6a86a0568b7475c"},"previous_names":["luizfonseca/traefik-github-oauth-plugin"],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luizfonseca%2Ftraefik-github-oauth-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luizfonseca%2Ftraefik-github-oauth-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luizfonseca%2Ftraefik-github-oauth-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luizfonseca%2Ftraefik-github-oauth-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/luizfonseca","download_url":"https://codeload.github.com/luizfonseca/traefik-github-oauth-plugin/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249166001,"owners_count":21223361,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker-swarm","golang","traefik","traefik-plugin"],"created_at":"2024-10-01T15:35:23.300Z","updated_at":"2025-04-15T22:31:14.537Z","avatar_url":"https://github.com/luizfonseca.png","language":"Go","readme":"# Traefik GitHub OAuth Plugin\n\n\u003e This is a fork of [MuXiu1997](https://github.com/MuXiu1997/traefik-github-oauth-plugin) repository. This fork is mostly fixing some of the security concerns I wanted to address. This will be kept synced with the main repo.\n\nThis is a Traefik middleware plugin that allows users to authenticate using GitHub OAuth.\n\nThe plugin is intended to be used as a replacement for the BasicAuth middleware,\n\nproviding a more secure way for users to access protected routes.\n\n![process](https://user-images.githubusercontent.com/49554020/216764214-4097f8da-33d2-49ef-9f12-0194d671bd92.svg)\n\n## Quick Start (Docker)\n\n1. Create a GitHub OAuth App\n\n   - See: https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app\n   - Set the Authorization callback URL to `http://\u003ctraefik-github-oauth-server-host\u003e/oauth/redirect`\n\n2. Run the Traefik GitHub OAuth server\n\n   ```sh\n   docker run -d --name traefik-github-oauth-server \\\n     --network \u003ctraefik-proxy-network\u003e \\\n     -e 'GITHUB_OAUTH_CLIENT_ID=\u003cclient-id\u003e' \\\n     -e 'GITHUB_OAUTH_CLIENT_SECRET=\u003cclient-secret\u003e' \\\n     -e 'API_BASE_URL=http://\u003ctraefik-github-oauth-server-host\u003e' \\\n     -l 'traefik.http.services.traefik-github-oauth-server.loadbalancer.server.port=80' \\\n     -l 'traefik.http.routers.traefik-github-oauth-server.rule=Host(`\u003ctraefik-github-oauth-server-host\u003e`)' \\\n     luizfonseca/traefik-github-oauth-server\n   ```\n\n3. Install the Traefik GitHub OAuth plugin\n\n    Add this snippet in the Traefik Static configuration\n\n   ```yaml\n   experimental:\n     plugins:\n       github-oauth:\n         moduleName: \"github.com/luizfonseca/traefik-github-oauth-plugin\"\n         version: \u003cversion\u003e\n   ```\n\n4. Run your App\n\n   ```sh\n   docker run -d --whoami test \\\n     --network \u003ctraefik-proxy-network\u003e \\\n     --label 'traefik.http.middlewares.whoami-github-oauth.plugin.github-oauth.apiBaseUrl=http://traefik-github-oauth-server' \\\n     --label 'traefik.http.middlewares.whoami-github-oauth.plugin.github-oauth.whitelist.logins[0]=luizfonseca' \\\n     --label 'traefik.http.middlewares.whoami-github-oauth.plugin.github-oauth.whitelist.teams[0]=827726' \\\n     --label 'traefik.http.routers.whoami.rule=Host(`whoami.example.com`)' \\\n     --label 'traefik.http.routers.whoami.middlewares=whoami-github-oauth' \\\n    traefik/whoami\n   ```\n\n## Configuration\n\n### Server configuration\n\n| Environment Variable         | Description                                                                   | Default | Required |\n|------------------------------|-------------------------------------------------------------------------------|---------|----------|\n| `GITHUB_OAUTH_CLIENT_ID`     | The GitHub OAuth App client id                                                |         | Yes      |\n| `GITHUB_OAUTH_CLIENT_SECRET` | The GitHub OAuth App client secret                                            |         | Yes      |\n| `GITHUB_OAUTH_SCOPES`        | Additional scopes to be added to the Oauth workflow.                          |         | No       |\n| `API_BASE_URL`               | The base URL of the Traefik GitHub OAuth server                               |         | Yes      |\n| `API_SECRET_KEY`             | The api secret key. You can ignore this if you are using the internal network |         | No       |\n| `SERVER_ADDRESS`             | The server address                                                            | `:80`   | No       |\n| `DEBUG_MODE`                 | Enable debug mode and set log level to debug                                  | `false` | No       |\n| `LOG_LEVEL`                  | The log level, Available values: debug, info, warn, error                     | `info`  | No       |\nYou can append `_FILE` to any of the environment variable names to load the value from a file.\n\nE.g. `GITHUB_OAUTH_CLIENT_SECRET_FILE=/run/secrets/github_oauth_client_SECRET` where the content of the file `/run/secrets/github_oauth_client_SECRET` will be used as the environment variable.\n\n### Middleware Configuration\n\n```yaml\n# The base URL of the Traefik GitHub OAuth server\napiBaseUrl: http://\u003ctraefik-github-oauth-server-host\u003e\n# The api secret key. You can ignore this if you are using the internal network\napiSecretKey: optional_secret_key_if_not_on_the_internal_network\n# The path to redirect to after the user has authenticated, defaults to /_auth\n# Note: This path is not GitHub OAuth App's Authorization callback URL\nauthPath: /_auth\n# optional jwt secret key, if not set, the plugin will generate a random key\njwtSecretKey: optional_secret_key\n# optional jwt expiration in hours, defaults to 24 hours\njwtExpirationInHours: 24\n\n# The log level, defaults to info\n# Available values: debug, info, warn, error\nlogLevel: info\n\n# whitelist\nwhitelist:\n  # The list of GitHub user ids that are whitelisted to access the resources\n  ids:\n    - 996\n\n  # The list of GitHub user logins that are whitelisted to access the resources\n  logins:\n    - luizfonseca\n\n  # The list of Github Teams that are whitelisted to access the resources\n  teams:\n    - 988772\n```\n\n### OAuth Configuration\n\nFor the OAuth configuration, you need to create a GitHub OAuth App.\nYou can follow the steps in the [GitHub documentation](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app) to create it and obtain the `GITHUB_OAUTH_CLIENT_ID` and `GITHUB_OAUTH_CLIENT_SECRET` values.\n\n#### OAuth Scopes\n- For `ids` and `logins` you don't need extra scopes.\n- For `teams` you might need to request the `read:org` scope from the user. See the [documentation](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).\n    - You can do so by updating the `GITHUB_OAUTH_SCOPES` environment variable with the desired additional scopes, e.g. `GITHUB_OAUTH_SCOPES=\"read:org\"` via the **Server Configuration**.\n\n\n## License\n\n[MIT](./LICENSE)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluizfonseca%2Ftraefik-github-oauth-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fluizfonseca%2Ftraefik-github-oauth-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluizfonseca%2Ftraefik-github-oauth-plugin/lists"}