Traefik OpenID With Keycloak

A somewhat easier way of putting Keycloak in front of services proxied by Traefik that don't support OpenID Connect themselves!


This post builds on an earlier blog post of mine here. The steps to create the client in Keycloak are the same, but the ForwardAuth middleware from that post can now be replaced with a Traefik plugin that makes setup a bit more painless.

On the instance running Traefik, install the keycloakopenid plugin published by the GitHub user Gwojda. It is a decent replacement for the mesosphere/traefik-forward-auth Docker image, whose last update dates from 2022. Commit dates are not the only measure of stability or security, but at least one of these two middlewares is being actively maintained.

☝️
If you haven't already, create your OpenID Connect client by following steps 1 and 2 in my blog post here. You do NOT need to append /_oauth to your valid redirect URIs: the plugin handles the callback on the protected service's own host, so the Valid redirect URIs only have to cover that service's URLs.

keycloakopenid installation

You can follow the installation instructions on the plugin page itself, but just in case I'll reproduce them here:

1. Add the plugin to your static configuration (traefik.yml, or the equivalent TOML/CLI form). Traefik downloads plugins when it starts, so this change needs a restart.

```yaml
experimental: # If you don't have an experimental section, create one
  plugins:
    keycloakopenid:
      moduleName: "github.com/Gwojda/keycloakopenid"
      version: "v0.1.34"
```

2. Create the middleware in your dynamic configuration (the file provider). Middlewares belong under the `http:` section; a bare `middlewares:` key at the top level is not valid dynamic configuration.

```yaml
http:
  middlewares:
    keycloakopenid-middleware:
      plugin:
        keycloakopenid:
          KeycloakURL: "idam.example.com"   # your Keycloak host
          ClientID: "myclientid"
          ClientSecret: "mysecret"
          KeycloakRealm: "my-realm"
```
💡
According to the plugin documentation, the client credentials can also be read from a file or an env file. Prefer that over a literal ClientSecret in the dynamic config, which tends to end up in version control or mounted into other containers.

And now you're done! Restart Traefik so it fetches the plugin (static configuration is only read at startup); the middleware definition itself is picked up when the file provider reloads the dynamic file. Bounce the service containers as you need.

Securing Traefik Services

Attach the middleware to the router of each service you want behind Keycloak. With the Docker provider that is one label next to the router's usual rule and entrypoint labels; the `@file` suffix tells Traefik the middleware is defined in the file provider rather than in labels:

```yaml
- "traefik.http.routers.<my-service>.middlewares=keycloakopenid-middleware@file"
```

A router without this label is still reachable without a login, so check every router you expose, not just the one you were working on.
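The quickest way to confirm the label took effect is to make an anonymous request and look at where Traefik sends you. Below is an added smoke test for that, written for this post; it is not code from the original post or from the keycloakopenid project. It assumes the hostnames idam.example.com and app.example.com, the realm my-realm and the client myclientid from the configuration above, and it accepts both the current Keycloak authorization endpoint path (`/realms/...`) and the older `/auth/realms/...` layout. The `check_login_redirect` function works on a status code and a Location header, so it can be exercised offline on a constructed sample; `probe` feeds it a live response via curl.

```shell
#!/bin/sh
# Added example, not part of the original post or of the keycloakopenid plugin.
# Smoke test for a service behind the middleware: an anonymous request must be
# redirected to the Keycloak authorization endpoint of the expected realm, for
# the expected client, with a redirect_uri that stays on the service's own origin.
# Assumed names: idam.example.com, app.example.com, realm my-realm, client myclientid.

# query_param URL NAME: print the raw (still percent-encoded) value of NAME, or nothing.
query_param() {
  printf '%s\n' "${1#*\?}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# check_login_redirect STATUS LOCATION KEYCLOAK_ORIGIN REALM CLIENT_ID APP_ORIGIN
# Returns 0 only when the response is the login redirect the middleware should emit.
check_login_redirect() {
  status=$1 location=$2 kc=$3 realm=$4 client=$5 app=$6
  # 1. A 200 means the service is exposed; a 401/403 means some other auth answered.
  case "$status" in
    302|303|307) ;;
    *) echo "FAIL: status $status, expected a redirect to Keycloak"; return 1 ;;
  esac
  # 2. The target must be this realm's authorization endpoint on our Keycloak.
  #    Modern Keycloak serves it under /realms/, pre-Quarkus releases under /auth/realms/.
  case "$location" in
    "$kc/realms/$realm/protocol/openid-connect/auth?"*|"$kc/auth/realms/$realm/protocol/openid-connect/auth?"*) ;;
    *) echo "FAIL: $location is not the $realm authorization endpoint on $kc"; return 1 ;;
  esac
  # 3. Authorization-code flow for the client configured in the middleware.
  [ "$(query_param "$location" response_type)" = code ] \
    || { echo "FAIL: response_type is not 'code'"; return 1; }
  [ "$(query_param "$location" client_id)" = "$client" ] \
    || { echo "FAIL: client_id is not $client"; return 1; }
  # 4. redirect_uri must stay on our origin. Whatever appears here is what Keycloak
  #    matches against the client's Valid redirect URIs, so it must be covered there.
  app_lc=$(printf '%s' "$app" | tr 'A-Z' 'a-z')
  app_enc=$(printf '%s' "$app_lc" | sed 's/:/%3a/g; s,/,%2f,g')
  ruri=$(query_param "$location" redirect_uri | tr 'A-Z' 'a-z')
  case "$ruri" in
    "$app_enc"|"$app_enc"%2f*|"$app_lc"|"$app_lc"/*) ;;
    *) echo "FAIL: redirect_uri '$ruri' is not under $app"; return 1 ;;
  esac
  # 5. state ties the callback to this request; its absence is a red flag.
  [ -n "$(query_param "$location" state)" ] \
    || { echo "FAIL: no state parameter"; return 1; }
  echo "OK: anonymous request is sent to Keycloak for login"
}

# probe URL KEYCLOAK_ORIGIN REALM CLIENT_ID: run the check against a live deployment.
# curl is not told to follow redirects; %{redirect_url} is the Location header it got.
probe() {
  url=$1
  scheme=${url%%://*}; rest=${url#*://}; origin="$scheme://${rest%%/*}"
  resp=$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "$url")
  check_login_redirect "${resp%% *}" "${resp#* }" "$2" "$3" "$4" "$origin"
}

# Constructed sample of such a redirect (not captured from a real system), to show the check offline:
SAMPLE='https://idam.example.com/realms/my-realm/protocol/openid-connect/auth?client_id=myclientid&redirect_uri=https%3A%2F%2Fapp.example.com%2Fdashboard&response_type=code&scope=openid&state=eyJyIjoiLi4uIn0='
check_login_redirect 302 "$SAMPLE" https://idam.example.com my-realm myclientid https://app.example.com
# Live use:  probe https://app.example.com/ https://idam.example.com my-realm myclientid
```

Run `probe` against each hostname you put behind the middleware. A `200` means the router is missing the label; a redirect to a different realm, client or origin means the middleware or the Keycloak client is misconfigured; and the `redirect_uri` you see in the Location header is exactly the value that has to be allowed by the client's Valid redirect URIs.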