Integrating Traefik with Oathkeeper

[dduzgun-security]

Hi all 👋 , I am having difficulties connecting Oathkeeper decisional API to Traefik using the traefik-forward-auth middleware to delegate authentication. Configured the mutator to check X-Forwarded-User header in Oathkeeper + Traefik and still no success on my end I keep getting an HTTP ERROR 500 when enabling the middleware.

Traefik configuration (docker-compose.yml)

traefik:
    image: "traefik:2.5"
    hostname: "traefik"
    command:
      [
        "--log.level=INFO",
        "--accesslog",
        "--api.insecure=true",
        "--providers.docker=true",
        "--providers.docker.exposedbydefault=false",
        "--entrypoints.web.address=:443",
        "--certificatesresolvers.myresolver.acme.tlschallenge=true",
        "[email protected]",
        "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      ]
    ports:
      - "443:443"
      - "8080:8080"
    volumes:
      - "../config/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_HOST:-traefik.local}`)"
      # Needs to be explicit due to multiple port exposure by the image
      - traefik.http.services.traefik.loadbalancer.server.port=8080
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=https://auth.local/oathkeeper"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustForwardHeader=true"
    restart: "${EXTERNAL_SERVICES_RESTART_POLICY:-always}"

Oathkeeper configuration (docker-compose.yml)

oathkeeper:
    image: oryd/oathkeeper:v0.38.15-alpine
    depends_on:
      - kratos
      - hydra
    command:
      serve proxy -c "/etc/config/oathkeeper/oathkeeper.yml"
    environment:
      - LOG_LEVEL=debug
    volumes:
        -
            type: bind
            source: ${PWD}/../config/ory/oathkeeper
            target: /etc/config/oathkeeper
    ports:
      # - "4455" # Proxy port
      - "4456" # API port
    restart: on-failure
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.oathkeeper.rule=(Host(`auth.local`) && PathPrefix(`/oathkeeper`))"
      - "traefik.http.middlewares.oathkeeper-stripprefix.stripprefix.prefixes=/oathkeeper"
      - "traefik.http.routers.oathkeeper.middlewares=oathkeeper-stripprefix@docker"
      - "traefik.http.services.oathkeeper.loadbalancer.server.port=4456"
      - "traefik.http.routers.oathkeeper.tls.certresolver=myresolver"

Oathkeeper configuration (oathkeeper.yml)

serve:
  proxy:
    port: 4455 # run the proxy at port 4455
  api:
    port: 4456 # run the api at port 4456

access_rules:
  matching_strategy: regexp
  repositories:
    - file:///etc/config/oathkeeper/access-rules.json

errors:
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        verbose: true
    redirect:
      enabled: true
      config:
        to: https://auth.local/login
        when:
          -
            error:
              - unauthorized
              - forbidden
            request:
              header:
                accept:
                  - text/html
                  - application/json

mutators:
  header:
    enabled: true
    config:
      headers:
        X-Forwarded-User: "{{ print .Subject }}"
  noop:
    enabled: true
  id_token:
    enabled: true
    config:
      issuer_url: https://auth.local/oathkeeper
      jwks_url: file:///etc/config/oathkeeper/jwks.json
      claims: |
        {
          "session": {{ .Extra | toJson }}
        }

authorizers:
  allow:
    enabled: true
  deny:
    enabled: true

authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  
  noop:
    enabled: true
  
  cookie_session:
    enabled: true
    config:
      check_session_url: https://auth.local/kratos/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      only:
        - ory_kratos_session

Access rules (access-rules.json)

[
  {
    "id": "ory:kratos:public",
    "match": {
      "url": "https://auth.local/kratos/<.*>",
      "methods": [
        "GET",
        "POST",
        "PUT",
        "PATCH",
        "DELETE"
      ]
    },
    "authenticators": [
      {
        "handler": "noop"
      }
    ],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [
      {
        "handler": "noop"
      }
    ]
  },
  {
    "id": "ory:authry:anonymous",
    "match": {
      "url": "https://auth.local/<error<.*>|settings<.*>|recovery<.*>|verify<.*>|login<.*>|register<.*>>",
      "methods": [
        "GET",
        "POST",
        "PUT",
        "PATCH",
        "DELETE"
      ]
    },
    "authenticators": [
      {
        "handler": "noop"
      }
    ],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [
      {
        "handler": "noop"
      }
    ]
  },
  {
    "id": "ory:authry:protected",
    "match": {
      "url": "https://auth.local/<debug|dashboard|settings|profile|robots.txt>",
      "methods": [
        "GET",
        "POST",
        "PUT",
        "PATCH",
        "DELETE"
      ]
    },
    "authenticators": [
      {
        "handler": "cookie_session"
      }
    ],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [
      {
        "handler": "header"
      }
    ]
  }
]

I am thinking that the issue is between Traefik and Oathkeeper but it can be my conf too.
Any hints to help me? 🙏

Thanks

[aeneasr]

Sorry to hear you're having trouble! It's been a while but there was a thread on Traefik here: #263

Do you have any error logs you could share that could point towards what's going wrong?

[designermonkey]

I have hit the same wall here. How would I use the next gen branch as a docker container?

[dduzgun-security]

@designermonkey In the docker-compose file, you can specify to build the Dockerfile of the next-gen branch from the GitHub repository. However, it's worth keeping in mind that this branch is many commits behind master.

oathkeeper:
    image: oathkeeper-next-gen-branch
    build: https://raw.githubusercontent.com/ory/oathkeeper/next-gen/Dockerfile
    # ...

[designermonkey]

Great I'll give that a go, thanks.

[dduzgun-security]

Error logs from traefik

time="2022-01-28T17:50:00Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/decisions/dashboard\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.9\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Google Chrome\\\";v=\\\"97\\\", \\\"Chromium\\\";v=\\\"97\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"macOS\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36\"],\"X-Forwarded-Host\":[\"auth.local\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Prefix\":[\"/oathkeeper\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"traefik\"],\"X-Real-Ip\":[\"172.18.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"auth.local\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"172.18.0.1:61770\",\"RequestURI\":\"/decisions/dashboard\",\"TLS\":null}"
time="2022-01-28T17:50:00Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/decisions/dashboard\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.9\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Google Chrome\\\";v=\\\"97\\\", \\\"Chromium\\\";v=\\\"97\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"macOS\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36\"],\"X-Forwarded-Host\":[\"auth.local\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Prefix\":[\"/oathkeeper\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"traefik\"],\"X-Real-Ip\":[\"172.18.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"auth.local\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"172.18.0.1:61770\",\"RequestURI\":\"/decisions/dashboard\",\"TLS\":null}" ForwardURL="http://172.18.0.4:4456"
time="2022-01-28T17:50:00Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/decisions/dashboard\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.9\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Google Chrome\\\";v=\\\"97\\\", \\\"Chromium\\\";v=\\\"97\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"macOS\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36\"],\"X-Forwarded-Host\":[\"auth.local\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Prefix\":[\"/oathkeeper\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"traefik\"],\"X-Real-Ip\":[\"172.18.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"auth.local\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"172.18.0.1:61770\",\"RequestURI\":\"/decisions/dashboard\",\"TLS\":null}"
172.18.0.1 - - [28/Jan/2022:17:50:00 +0000] "GET /oathkeeper/decisions/dashboard HTTP/2.0" 302 47 "-" "-" 52 "oathkeeper@docker" "http://172.18.0.4:4456" 3ms
time="2022-01-28T17:50:00Z" level=debug msg="Error calling https://auth.local/oathkeeper. Cause: Get \"https://auth.local/oathkeeper\": dial tcp 172.18.0.9:443: connect: connection refused" middlewareType=ForwardedAuthType middlewareName=traefik-forward-auth@docker
172.18.0.1 - - [28/Jan/2022:17:50:00 +0000] "GET /login HTTP/2.0" 500 0 "-" "-" 53 "authry@docker" "-" 4ms

[dduzgun-security]

@aeneasr this would be a great solution: #904 🎉

[dduzgun-security]

This merge solves it : #904