Traefik OpenID With Keycloak
A somewhat easier way of integrating keycloak into your services proxied by Traefik that don't out-right support OpenID!
This post builds off of the information found in an earlier blog post of mine here. The steps to create your client in Keycloak are the same, but now your ForwardAuth can be replaced with a really nifty Traefik plugin that makes setup a bit more painless.
On your instance running Traefik, you'll want to install the keycloakopenid plugin, made available by the GitHub user Gwojda. This seems to be a decent replacement to the Docker image mesosphere/traefik-forward-auth, with the last update being from 2022. While commit dates may not be the only factor in determining stability and security, at least one of these middlewares are being actively maintained.
/_oauth to your valid redirect URIs.keycloakopenid installation
You can follow the installation instructions detailed in the plugin page itself, but just in case I'll reference them here:
- Add the plugin to your static
traefik.ymlor config file
experimental: # If you don't have an experimental section, create one
plugins:
keycloakopenid:
moduleName: "github.com/Gwojda/keycloakopenid"
version: "v0.1.34"- Create the middleware in your dynamic config file
middlewares:
keycloakopenid-middleware:
plugin:
keycloakopenid:
KeycloakURL: "idam.example.com"
ClientID: "myclientid"
ClientSecret: "mysecret"
KeycloakRealm: "my-realm"And now you're done! Go ahead and bounce containers as you need.
Securing Traefik Services
Simply declare the middleware as part of the service deployment
- "traefik.http.routers.<my-service>.middlewares=keycloakopenid-middleware@file"
