{"id":42779492,"url":"https://github.com/wdonne/traefikoidc","last_synced_at":"2026-01-29T22:39:39.036Z","repository":{"id":222800410,"uuid":"758015351","full_name":"wdonne/traefikoidc","owner":"wdonne","description":null,"archived":false,"fork":false,"pushed_at":"2025-05-05T12:10:52.000Z","size":85,"stargazers_count":6,"open_issues_count":0,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-05T13:27:19.743Z","etag":null,"topics":["traefik-plugin"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wdonne.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-02-15T13:07:37.000Z","updated_at":"2025-05-05T12:10:56.000Z","dependencies_parsed_at":"2024-03-12T05:17:34.297Z","dependency_job_id":"1d55fbd6-15b0-41c4-ab64-dab3cb9786e2","html_url":"https://github.com/wdonne/traefikoidc","commit_stats":null,"previous_names":["wdonne/traefik-oidc","wdonne/traefikoidc"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/wdonne/traefikoidc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wdonne%2Ftraefikoidc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wdonne%2Ftraefikoidc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wdonne%2Ftraefikoidc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wdonne%2Ftraefikoidc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/w
donne","download_url":"https://codeload.github.com/wdonne/traefikoidc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wdonne%2Ftraefikoidc/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28888428,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-29T21:06:44.224Z","status":"ssl_error","status_checked_at":"2026-01-29T21:06:42.160Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["traefik-plugin"],"created_at":"2026-01-29T22:39:38.890Z","updated_at":"2026-01-29T22:39:39.003Z","avatar_url":"https://github.com/wdonne.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenID Connect Client\n\nThis middleware orchestrates the OpenID Connect authorization code flow. It intercepts requests and starts the flow if they don't bear a valid JWT. The ID token it obtains is used as an HTTP-only cookie called `access_token` to track the user. All forwarded requests will have a bearer token.\n\nSeveral IDPs can be configured. Requests can trigger the flow with the desired IDP by adding the URL query parameter `idp=\u003cname\u003e`. When this parameter is absent, the first segment of the domain name will be tried. If that IDP doesn't exist either, the IDP with the name `default` will be used. 
If there is no matching IDP, the request will result in status code 401 (Unauthorized).\n\nYou log out with the URL `https://\u003cyour-domain\u003e/\u003ccontextPath\u003e/logout`. If the IDP has an end-session endpoint, the user will also be logged out of the IDP.\n\n## Configuration\n\n|Field|Mandatory|Default value|Description|\n|---|---|---|---|\n|contextPath|No|Empty string|The value is a path that is the prefix of the callback and logout URL paths. It is also the path used for the token cookie.|\n|encryptionSecretFile|Yes|None|This is a path to a JSON file with the field `secret`, containing an AES-compatible key. The key should be either 16, 24 or 32 characters long. You can inject the JSON file with a Kubernetes secret. The secret is used to encrypt the `state` field in the authorization code flow. It is interpreted as plain bytes, so a US-ASCII string would work.|\n|idps|Yes|None|The array of IDP configurations.|\n|idps.clientSecretFile|Yes|None|The value is a path to a JSON file with the fields `clientID` and `clientSecret`. You can inject the JSON file with a Kubernetes secret.|\n|idps.name|Yes|None|The name of the IDP. If the value is `default`, then this IDP will be used when none is provided through the URL query parameter `idp`.|\n|idps.postLogoutUrl|Yes|None|This is the URL to which the user is redirected after logging out. If your IDP requires the URL to be pre-configured, it should match this field.|\n|idps.providerUrl|Yes|None|The OpenID Connect discovery URL.|\n|idps.scopes|No|The discovered values except `offline_access`|An array of scope names.|\n|lazyDiscovery|No|`false`|When set, it postpones the IDP discovery phase until the first request arrives.|\n|notBearerToken|No|`false`|Adds the \"Bearer \" prefix to the token header value.|\n|tokenHeader|No|Authorization|Sets the name of the HTTP header on the request that is forwarded. 
You can use this, for example, to emulate JWT Proxy by setting the name to `X-JWT-Assertion` and the configuration field `notBearerToken` to `true`.|\n\nThis is an example of a middleware configuration:\n\n```yaml\napiVersion: traefik.io/v1alpha1\nkind: Middleware\nmetadata:\n  name: my-oidc\n  namespace: traefik\nspec:\n  plugin:\n    traefikoidc:\n      contextPath: /api\n      encryptionSecretFile: /oidc/encryption/encryption_secret.json\n      idps:\n        - name: google\n          providerUrl: \"https://accounts.google.com\"\n          postLogoutUrl: \"https://my.domain/api?idp=google\"\n          clientSecretFile: /oidc/google/client.json\n          scopes:\n            - openid\n            - email\n        - name: default\n          providerUrl: \"https://login.microsoftonline.com/{tenant ID}/v2.0\"\n          postLogoutUrl: \"https://my.domain/api\"\n          clientSecretFile: /oidc/microsoft/client.json\n```\n\n## Deployment\n\nIn the Traefik values file you would add a volumes section like this:\n\n```yaml\nvolumes:\n  - name: oidc-client-google\n    type: secret\n    mountPath: /oidc/google\n  - name: oidc-client-microsoft\n    type: secret\n    mountPath: /oidc/microsoft\n  - name: oidc-encryption-secret\n    type: secret\n    mountPath: /oidc/encryption\n```\n\nIf you don't want to load the plugin through `github.com/wdonne/traefikoidc`, you can also use\nthe image `wdonne/traefikoidc:\u003cversion\u003e` with an init container and an `emptyDir` volume. The\ncontainer will copy the plugin to `/plugins-local`. 
You should add something like the following to\nthe Traefik values file:\n\n```yaml\nvolumes:\n  - name: traefikoidc\n    emptyDir: { }\n    mountPath: /plugins-local\ndeployment:\n  initContainers:\n    - name: traefikoidc\n      image: wdonne/traefikoidc:\u003cversion\u003e\n      volumeMounts:\n        - name: traefikoidc\n          mountPath: /plugins-local\nadditionalArguments:\n  - \"--experimental.localPlugins.traefikoidc.modulename=github.com/wdonne/traefikoidc\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwdonne%2Ftraefikoidc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwdonne%2Ftraefikoidc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwdonne%2Ftraefikoidc/lists"}