Forward auth

[AndreKR]

Maybe it's already supported, but if not: I think it should be possible to use Zitadel for forward auth authentication, for example with Traefik, nginx or Caddy.

[fabius]

It's possible to hook up proxies like oauth2-proxy to do just that. It is sparsely documented over here in the Zitadel docs. It works though!

[kekalainen]

@arthurgeek I can confirm that oauth2-proxy v7.4.0 works with Zitadel v2.30.0 and Traefik v3.0.0-beta3's ForwardAuth middleware (tested with the api@internal service on Docker v24.0.4 swarm mode).

[Jozefiel]

hi @kekalainen .
Can you post an example of configuration?
It can be a great source of knowledge.

Thanks

[kekalainen]

Hey @Jozefiel, here's an example based on the swarm mode service configuration I used.

[tafaust]

Hey @kekalainen, so I'd need to forwardauth from traefik to oauth2-proxy which handles oidc auth with zitadel? Can't it be done without oauth2-proxy? Thanks for your example!

[LeVraiRoiDHyrule]

Hi, I'm very interested into what you did. I am trying to do the same thing with Caddy. I've set caddy this way:

radarr.example.com {
        @except not path /api*
        reverse_proxy radarr:7878
        reverse_proxy /oauth2/* oauth2-radarr:4180
        forward_auth @except oauth2-radarr:4180 {
                copy_headers Authorization
                uri /oauth2/auth
        }
}

And Oauth2-proxy this way:

      - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
      - OAUTH2_PROXY_EMAIL_DOMAINS=*
      - OAUTH2_PROXY_PROVIDER=oidc
      - OAUTH2_PROXY_REDIRECT_URL=https://radarr.${DOMAIN}/oauth2/callback
      - OAUTH2_PROXY_OIDC_ISSUER_URL=https://auth.${DOMAIN}
      - OAUTH2_PROXY_WHITELIST_DOMAIN=.${DOMAIN}
      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
      - OAUTH2_PROXY_CLIENT_ID=${RADARR_CLIENT_ID}
      - OAUTH2_PROXY_CLIENT_SECRET=dummy #${RADARR_CLIENT_SECRET}
      - OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
      - OAUTH2_PROXY_OIDC_GROUPS_CLAIM=groups
      - OAUTH2_PROXY_SCOPE="openid profile email groups"
      - OAUTH2_PROXY_COOKIE_SECRET=${OAUTH2_PROXY_COOKIE_SECRET}

This is based on your config, I just changed code challenge method to PKCE as it is recommended by Zitadel.

But I am having the error "Unauthorized" from oauth2-proxy, I don't know more about that (I am also having this error when not using PKCE). Would you know what could cause this ?

Do I need to have a subdomain for Oauth2-proxy ?
How did you set your app in Zitadel ? Did you do anything besides creating the app and using the clientid/secret Zitadel gave you ?

Thanks in advance for any answer and have a great day

[K-J-VV]

@kekalainen would you be able to share how you setup your application within Zitadel to work with this setup? I have managed to get Zitadel working work with OAuth2 Proxy and NGINX-Proxy-Manager, but can't seem to figure out how to have Zitadel authorize access to the original URL I am trying to protect.

To clarify, I've attached an image of the general flow being used and below is what is happening/my issue:

1. Navigate to app.domain.com
2. Redirected to auth.domain.com to login to Zitadel instance

Expected result after successful login:
3. Redirected to app.domain.com

What is happening:
3. Redirected to a URL that generally follows this: auth.domain.com/oauth2/auth/code=${RANDOMSTRING}%https%app.domain.com%
The webpage itself is a black page that simply states 'Unauthorized' on the top left.

I believe my problem is simply I haven't correctly told Zitadel that the user I am logging in as is allowed to access app.domain.com . However, I can't seem to figure out how to do this. I'm hoping I can use this setup to set Zitadel as a front for any of the apps I am self-hosting (AdGuardHome, FileBrowser, etc.). Integrating Zitadel's userbase with the logins of the apps themselves is a later project/task.

[muhlemmer]

Redirect URI configuration is documented here: https://zitadel.com/docs/guides/manage/console/applications#redirect-uris

If you use a Oauth2 proxy, I can imagine it doesn't support OpenID Connect discovery, so you'll need to somehow configure the authorization server endpoints manually. If you get an Unauthorized back it might be that the introspection endpoint is not configured correctly.

[LeVraiRoiDHyrule]

Hi,
I am a begginer with Zitadel, I was using Authentik before that integrates a proxy that I used for forward_auth with Caddy. Did someone suceed to set up forward_auth with caddy and oauth2-proxy ? I can't find any example and I don't know where to begin to set this up.

[ad-on-is]

hey @LeVraiRoiDHyrule Have you found any solution to this? I'm struggling myself with it.

Running caddy, zitadel and oauth2-proxy. But no matter what config I try, it doesn't work. The one I use right now, authenticates me successfully, but does not redirect properly to app.example.com, oauth2proxy throws "Rejecting invalid redirect" errors.

[LeVraiRoiDHyrule]

I did not do another attemps on Oauth2-proxy + Zitadel, I am currently focused on apps natively supporting OpenID. But I will still need it for some apps on my homelab so I will give another try. However, I am no longer using caddy and switched a nginx-based reverse proxy (bunkerweb). So I won't be able to help for caddy x oauth2-proxy. But I have seen on the oauth2-proxy github issues examples from people using it with caddy, I will try to find that. oauth2-proxy x zitadel seems easier thogh, I succeeded to connect it using PKCE.

[ad-on-is]

@LeVraiRoiDHyrule I got it working!!!

I switched from using ENV-variables to a cfg-file. In case you want to give it a shot... Here's my setup.

provider = "oidc"
user_id_claim = "sub" #uses the subject as ID instead of the email
provider_display_name = "ZITADEL"
redirect_url = "https://oauth2proxy.example.com/oauth2/callback"
oidc_issuer_url = "https://zitadel.example.com"
upstreams = []
email_domains = [
    "*"
]
client_id = "xxxx"
client_secret = "xxxxx"
code_challenge_method = "S256"
pass_access_token = true
cookie_secret = "xxxxx"
skip_provider_button = true
cookie_secure = false #localdev only false
http_address = "0.0.0.0:4180" #localdev only
whitelist_domains = ".example.com"
cookie_domains = ".example.com"
reverse_proxy = true
set_xauthrequest = true

Caddyfile

(secureoauth) {
  reverse_proxy /oauth2/* oauth2proxy:4180
  handle {
  forward_auth oauth2proxy:4180 {
    uri /oauth2/auth
    copy_headers Authorization X-Auth-Request-User X-Auth-Request-Email
    @bad status 4xx
    handle_response @bad {
      redir https://oauth2proxy.example.com/oauth2/start?rd={scheme}://{host}{path}?{query}
    }
  }
  }
}

@bin host bin.example.com
handle @bin {
  import secureoauth
  reverse_proxy microbin:8080
}

oauth2proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy
    container_name: oauth2proxy
    user: 1000:1000
    restart: always
    volumes:
      - /srv/docker/oauth2proxy/oauth2-proxy.cfg:/etc/oauth2-proxy.cfg
    depends_on:
      - zitadel
    command: ["oauth2proxy", "--config=/etc/oauth2-proxy.cfg"]