Nextcloud as OAuth2-Provider for any Traefik Forward-Auth possible?

(I have experience with OAuth2 (a/b); this is a somewhat advanced question.)

In my quest to authenticate more things against my nextcloud, I would like to combine it with a Traefik middleware: ForwardAuth.

I am not entirely sure that this can work out of the box, I certainly couldn’t get it working in a few hours of trying. I have already consulted examples that use ForwardAuth+Google and ForwardAuth+Authelia, but I couldn’t put all the pieces together, apparently.

What’s working:

  • my nextcloud, including other services that authenticate against it successfully
  • my traefik, including tls certificates, routes and services
  • the middleware in my traefik, redirecting me towards nextcloud

What isn’t working:
I am not sure how, after allowing authentication on the nextcloud page, this should continue, which way the traefik proxy would be notified of the authentication result. Currently, I am stuck in an endless loop on my nextcloud page.

What I tried:

  • I added another shiny OAuth2-Client to my nextcloud setup:
  • I added one of the most basic examples to my server:
    # docker-compose.yml
    version: "3.3"
    
    services:
      whoami:
        image: "traefik/whoami"
        container_name: "simple-service"
        labels:
          - "traefik.docker.network=traefik_proxy"
          - "traefik.enable=true"
          - "traefik.http.routers.whoami.rule=Host(`some.example.com`)"
          - "traefik.http.routers.whoami.entrypoints=websecure"
          - "traefik.http.routers.whoami.tls.certresolver=myhttpchallenge"
          - "traefik.http.routers.whoami.middlewares=auth-nextcloud"
          - "traefik.http.middlewares.auth-nextcloud.forwardauth.address=https://nc.example.com/apps/oauth2/authorize?response_type=code&client_id=nt---full-client-id---m8&redirect_url=https%3A%2F%2Fsome.example.com"
          - "traefik.http.middlewares.auth-nextcloud.forwardauth.trustForwardHeader=true"
        networks:
          traefik_proxy:
    
    networks:
      traefik_proxy:
        external: true
    

Now, when I go to some.example.com, I am redirected to my nc.example.com site correctly, and there I get these screens, on which I am then stuck:

And then I’m back to the first one. The amount I can configure in both Nextcloud and Traefik is very small. I don’t really see where to go next. If you have read this far, maybe you can help me?

Turns out I did miss a large piece of the puzzle. ForwardAuth is not directly talking to nextcloud, but this here goes in between: https://github.com/thomseddon/traefik-forward-auth

It’s not running yet, but once I get it to run, I’ll post an example, of course.

Neat: I can now put anything behind traefik / forwardauth and have the authentication performed by nextcloud!

These are my settings in nextcloud:

Here’s a minimal example of the typical whoami service:

version: "3.3"

services:
  whoami:
    image: "traefik/whoami"
    restart: unless-stopped
    labels:
      # your network may have a different name!
      - "traefik.docker.network=traefik_proxy"
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myhttpchallenge"
      - "traefik.http.routers.whoami.middlewares=traefik-forward-auth"
    networks:
      traefik_proxy:

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth
    restart: unless-stopped
    environment:
      - DEFAULT_PROVIDER=generic-oauth
      - PROVIDERS_GENERIC_OAUTH_AUTH_URL=https://nc.example.com/apps/oauth2/authorize
      - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=https://nc.example.com/apps/oauth2/api/v1/token
      - PROVIDERS_GENERIC_OAUTH_USER_URL=https://nc.example.com/ocs/v2.php/cloud/user?format=json
      - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=A5BI---get-these-from-nextcloud-admin---OQuw
      - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=BtA---get-these-from-nextcloud-admin---Ieh
      - SECRET=123456-your-random-stuff-can-be-anything-really-but-please-change
      ## use these in case you need to debug something:
      #- LOG_LEVEL=debug
      #- LOG_FORMAT=text
    labels:
      # contrary to other examples, this would not run without traefik.enable in place
      - "traefik.enable=true"
      # the rest is identical to all the tutorials
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
    # contrary to all tutorials, I needed to specify my network
    networks:
      traefik_proxy:

networks:
  traefik_proxy:
    external: true

One thing that I haven’t nailed yet is: I’m not getting the X-Forwarded-User header right. Currently that’s just empty. In my other configs, there’s a way to parse this out of the JSON response. I don’t see a possibility to do that in traefik-forward-auth, but I’ll try to ask that on their community forum.

Update: new issue raised here: https://github.com/thomseddon/traefik-forward-auth/issues/191#issue-711733290
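The exchange the first post was stuck on (how the proxy side learns the result of the Nextcloud login) and the empty X-Forwarded-User from the last post are both easier to see in code. What follows is an added example written for this thread; it is not traefik-forward-auth's code and not code from the original posts. It plays the forward-auth side of the OAuth2 authorization-code flow against Nextcloud with the client id, secret and SECRET placeholders from the compose file above, assumes a callback path of /_oauth, and stands in for Nextcloud with constructed JSON in the shapes its token endpoint and OCS user endpoint return. The OCS reply wraps the user record in an ocs.data envelope, so a consumer that looks only for a top-level email key in that response finds nothing, which matches the empty header described above; identity_from_user_json unwraps the envelope first.

```python
"""Forward-auth side of the OAuth2 authorization-code flow against Nextcloud,
with Nextcloud's responses constructed inline so it runs offline.
Added example for this thread; not traefik-forward-auth's code."""
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Endpoints and credentials as in the compose file above (placeholders).
NC = "https://nc.example.com"
AUTH_URL = f"{NC}/apps/oauth2/authorize"
TOKEN_URL = f"{NC}/apps/oauth2/api/v1/token"
USER_URL = f"{NC}/ocs/v2.php/cloud/user?format=json"
CLIENT_ID = "A5BI---get-these-from-nextcloud-admin---OQuw"
CLIENT_SECRET = "BtA---get-these-from-nextcloud-admin---Ieh"
SECRET = b"123456-your-random-stuff-can-be-anything-really-but-please-change"
REDIRECT_URI = "https://whoami.example.com/_oauth"  # assumed callback path


def build_authorize_url(state: str) -> str:
    """Step 1: the redirect an unauthenticated browser gets. `state` is a
    random value kept in a cookie so the callback can be tied to this request."""
    q = {"response_type": "code", "client_id": CLIENT_ID,
         "redirect_uri": REDIRECT_URI, "state": state}
    return f"{AUTH_URL}?{urlencode(q)}"


def exchange_code(code: str, http_post) -> dict:
    """Step 2: Nextcloud redirected back with ?code=...; trade it for a token.
    http_post(url, form, headers) -> (status, body) is injected so the flow
    can run against the constructed server below instead of the network."""
    form = {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
            "redirect_uri": REDIRECT_URI}
    status, body = http_post(TOKEN_URL, form, {})
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body}")
    return json.loads(body)


def fetch_user(access_token: str, http_get) -> dict:
    """Step 3: ask the OCS user endpoint who the token belongs to.
    OCS calls need the OCS-APIRequest header in addition to the bearer token."""
    headers = {"Authorization": f"Bearer {access_token}", "OCS-APIRequest": "true"}
    status, body = http_get(USER_URL, headers)
    if status != 200:
        raise RuntimeError(f"user endpoint returned {status}: {body}")
    return json.loads(body)


def identity_from_user_json(doc: dict):
    """OCS wraps the record as {"ocs": {"meta": ..., "data": {...}}}; a client
    that only reads a top-level "email" key sees nothing. Unwrap the envelope
    (flat documents pass through), prefer email, fall back to the user id."""
    data = doc.get("ocs", {}).get("data", doc)
    return data.get("email") or data.get("id")


def sign_session(user: str, ttl: int, now: float) -> str:
    """Cookie value HMAC(SECRET, user|expiry) so later forward-auth calls from
    Traefik can be answered without another round trip to Nextcloud."""
    exp = int(now) + ttl
    mac = hmac.new(SECRET, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{mac}|{exp}|{user}"


def verify_session(cookie: str, now: float):
    """Return the user for a valid, unexpired cookie, else None."""
    try:
        mac, exp, user = cookie.split("|", 2)
        expected = hmac.new(SECRET, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(mac, expected) and int(now) < int(exp):
            return user
    except ValueError:
        pass
    return None


# Constructed stand-in for Nextcloud (shapes only; values are made up).
CONSTRUCTED_TOKEN = {"access_token": "tok-123", "token_type": "Bearer",
                     "expires_in": 3600, "refresh_token": "ref-456", "user_id": "alice"}
CONSTRUCTED_OCS_USER = {"ocs": {"meta": {"status": "ok", "statuscode": 200, "message": "OK"},
                                "data": {"id": "alice", "email": "alice@example.com",
                                         "displayname": "Alice"}}}


def fake_post(url, form, headers):
    if url != TOKEN_URL or form.get("grant_type") != "authorization_code":
        return 404, "not found"
    if form.get("code") != "good-code" or form.get("client_secret") != CLIENT_SECRET:
        return 400, json.dumps({"error": "invalid_grant"})
    return 200, json.dumps(CONSTRUCTED_TOKEN)


def fake_get(url, headers):
    if headers.get("OCS-APIRequest") != "true":
        return 400, "OCS-APIRequest header missing"
    if headers.get("Authorization") != f"Bearer {CONSTRUCTED_TOKEN['access_token']}":
        return 401, "unauthorized"
    return 200, json.dumps(CONSTRUCTED_OCS_USER)


def run_callback(code, state_sent, state_returned, http_post=fake_post,
                 http_get=fake_get, now=None):
    """What the forward-auth service does when the browser lands on REDIRECT_URI."""
    if not hmac.compare_digest(state_sent, state_returned):
        raise ValueError("state mismatch: callback is not a reply to our redirect")
    token = exchange_code(code, http_post)
    user = identity_from_user_json(fetch_user(token["access_token"], http_get))
    return user, sign_session(user, 3600, time.time() if now is None else now)


if __name__ == "__main__":
    print(build_authorize_url("random-state"))
    print(run_callback("good-code", "random-state", "random-state"))
```

Two details carry the security weight here: the state value must be compared before the code is exchanged, otherwise an attacker can complete a login into the victim's browser with a code of their own, and the session cookie is only as strong as SECRET, which is why the placeholder in the compose file must be replaced.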