{"id":47815045,"url":"https://github.com/radicand/forwardauth-rs","last_synced_at":"2026-04-15T04:01:39.126Z","repository":{"id":348941329,"uuid":"1200087662","full_name":"radicand/forwardauth-rs","owner":"radicand","description":"Rust-based drop-in replacement for traefik-forward-auth0 - forward authentication service for Traefik with Auth0/OIDC support","archived":false,"fork":false,"pushed_at":"2026-04-11T03:01:57.000Z","size":239,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-11T04:29:39.053Z","etag":null,"topics":["auth0","authentication","forward-auth","jwt","kubernetes","oidc","rust","traefik"],"latest_commit_sha":null,"homepage":"https://github.com/radicand/forwardauth-rs","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/radicand.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-03T02:54:10.000Z","updated_at":"2026-04-11T03:01:48.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/radicand/forwardauth-rs","commit_stats":null,"previous_names":["radicand/forwardauth-rs"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/radicand/forwardauth-rs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/radicand%2Fforwardauth-rs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/radicand%2Fforwardauth-rs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/radicand%2Fforwardauth-rs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/radicand%2Fforwardauth-rs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/radicand","download_url":"https://codeload.github.com/radicand/forwardauth-rs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/radicand%2Fforwardauth-rs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31825515,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T18:05:02.291Z","status":"online","status_checked_at":"2026-04-15T02:00:06.175Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth0","authentication","forward-auth","jwt","kubernetes","oidc","rust","traefik"],"created_at":"2026-04-03T18:26:25.425Z","updated_at":"2026-04-15T04:01:39.116Z","avatar_url":"https://github.com/radicand.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ForwardAuth-RS\n\n[![CI](https://github.com/radicand/forwardauth-rs/actions/workflows/ci.yml/badge.svg)](https://github.com/radicand/forwardauth-rs/actions/workflows/ci.yml)\n[![Docker](https://github.com/radicand/forwardauth-rs/actions/workflows/docker.yml/badge.svg)](https://github.com/radicand/forwardauth-rs/actions/workflows/docker.yml)\n[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)\n\nA high-performance forward authentication service for [Traefik](https://traefik.io/) with [Auth0](https://auth0.com/) / OIDC support, written in Rust. Drop-in replacement for [dniel/traefik-forward-auth0](https://github.com/dniel/traefik-forward-auth0).\n\n## Why?\n\nThe original [traefik-forward-auth0](https://github.com/dniel/traefik-forward-auth0) is a JVM-based Spring Boot application that hasn't been actively maintained. This Rust rewrite provides:\n\n- **Drop-in compatible** — same configuration format, same endpoints, same cookie names\n- **Tiny footprint** — ~10MB Docker image vs ~200MB+ JVM image, ~5MB RSS vs ~200MB+\n- **Fast startup** — milliseconds vs seconds\n- **Modern security** — up-to-date dependencies, secure defaults, OWASP best practices\n\n## Features\n\n- Centralized auth-host mode for Traefik forward authentication\n- Multiple application support with per-host configuration\n- Auth0 Authorization Code flow with PKCE-ready architecture\n- Client Credentials flow via Basic Auth header\n- JWT token verification with JWKS key rotation support\n- Permission-based access control via Auth0 API permissions\n- Configurable HTTP method restrictions\n- Claims forwarding as `x-forwardauth-*` headers\n- CSRF protection via nonce cookies\n- Secure cookie handling (HttpOnly, SameSite=Lax, Secure)\n- JWKS and token caching for performance\n- Health check endpoint\n\n## Quick Start\n\n### Docker\n\n```bash\ndocker run -d \\\n  -p 8080:8080 \\\n  -v /path/to/application.yaml:/config/application.yaml:ro \\\n  ghcr.io/radicand/forwardauth-rs:latest\n```\n\n### Helm\n\n```bash\nhelm install forwardauth ./helm/forwardauth \\\n  --set applicationYaml.domain=https://YOUR_TENANT.auth0.com/ \\\n  --set applicationYaml.token-endpoint=https://YOUR_TENANT.auth0.com/oauth/token \\\n  --set applicationYaml.authorize-url=https://YOUR_TENANT.auth0.com/authorize \\\n  --set applicationYaml.userinfo-endpoint=https://YOUR_TENANT.auth0.com/userinfo \\\n  --set applicationYaml.logout-endpoint=https://YOUR_TENANT.auth0.com/v2/logout\n```\n\nOr use a values file — see [helm/forwardauth/values.yaml](helm/forwardauth/values.yaml).\n\n## Configuration\n\nConfiguration is loaded from a YAML file. Set `CONFIG_FILE` environment variable to specify the path (default: `/config/application.yaml`).\n\nThe configuration format is **fully compatible** with the original traefik-forward-auth0:\n\n```yaml\ndomain: https://YOUR_TENANT.auth0.com/\ntoken-endpoint: https://YOUR_TENANT.auth0.com/oauth/token\nauthorize-url: https://YOUR_TENANT.auth0.com/authorize\nuserinfo-endpoint: https://YOUR_TENANT.auth0.com/userinfo\nlogout-endpoint: https://YOUR_TENANT.auth0.com/v2/logout\n\ndefault:\n  name: www.example.com\n  client-id: YOUR_CLIENT_ID\n  client-secret: YOUR_CLIENT_SECRET\n  audience: https://api.example.com\n  scope: \"profile openid email\"\n  redirect-uri: https://www.example.com/oauth2/signin\n  token-cookie-domain: example.com\n  return-to: https://www.example.com\n  restricted-methods:\n    - DELETE\n    - GET\n    - HEAD\n    - OPTIONS\n    - PATCH\n    - POST\n    - PUT\n  required-permissions: []\n  claims:\n    - sub\n    - name\n    - email\n\napps:\n  - name: admin.example.com\n    audience: https://api.admin.example.com\n    required-permissions:\n      - admin:access\n```\n\nSee [example/application.yaml](example/application.yaml) for a full example.\n\n## Endpoints\n\n| Endpoint     | Method | Description                                      |\n|--------------|--------|--------------------------------------------------|\n| `/authorize` | GET    | Main forward-auth endpoint (called by Traefik)   |\n| `/signin`    | GET    | OAuth2 callback from Auth0                       |\n| `/signout`   | GET    | Logout endpoint (clears cookies, calls Auth0)    |\n| `/userinfo`  | GET    | Returns authenticated user info from Auth0       |\n| `/health`    | GET    | Health check (returns 200 OK)                    |\n\n### Response Codes\n\n**`/authorize`**:\n- `204 No Content` — Access granted (with `Authorization` and `x-forwardauth-*` headers)\n- `307 Temporary Redirect` — Redirect to Auth0 for authentication\n- `401 Unauthorized` — Authentication required (API requests)\n- `403 Forbidden` — Insufficient permissions\n\n## Traefik Configuration\n\n### Traefik v2 (Docker labels)\n\n```yaml\nlabels:\n  - \"traefik.http.middlewares.forwardauth.forwardauth.address=http://forwardauth:8080/authorize\"\n  - \"traefik.http.middlewares.forwardauth.forwardauth.authResponseHeaders=Authorization,x-forwardauth-sub,x-forwardauth-email,x-forwardauth-name\"\n  - \"traefik.http.middlewares.forwardauth.forwardauth.trustForwardHeader=true\"\n```\n\n### Traefik v2 (Kubernetes IngressRoute)\n\n```yaml\napiVersion: traefik.containo.us/v1alpha1\nkind: Middleware\nmetadata:\n  name: forwardauth\nspec:\n  forwardAuth:\n    address: http://forwardauth:80/authorize\n    authResponseHeaders:\n      - Authorization\n      - x-forwardauth-sub\n      - x-forwardauth-email\n      - x-forwardauth-name\n    trustForwardHeader: true\n```\n\n## Environment Variables\n\n| Variable     | Default                      | Description              |\n|--------------|------------------------------|--------------------------|\n| `CONFIG_FILE`| `/config/application.yaml`   | Path to config file      |\n| `PORT`       | `8080`                       | Server listen port       |\n| `RUST_LOG`   | `info,forwardauth_rs=debug`  | Log level configuration  |\n\n## Migration from traefik-forward-auth0\n\n1. Use the same `application.yaml` configuration file\n2. Replace the Docker image: `dniel/forwardauth` → `ghcr.io/radicand/forwardauth-rs`\n3. The port is `8080` (same as original)\n4. All endpoints and cookie names are identical\n\n## Development\n\n```bash\n# Run tests\ncargo test\n\n# Run with example config\nCONFIG_FILE=example/application.yaml cargo run\n\n# Build release\ncargo build --release\n\n# Run clippy\ncargo clippy -- -D warnings\n```\n\n## License\n\n[GPL-3.0](LICENSE) — same as the original traefik-forward-auth0.\n\n## Acknowledgments\n\nThis project is a Rust rewrite of [dniel/traefik-forward-auth0](https://github.com/dniel/traefik-forward-auth0), preserving full configuration and API compatibility.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fradicand%2Fforwardauth-rs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fradicand%2Fforwardauth-rs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fradicand%2Fforwardauth-rs/lists"}