OpenID Connect for Traefik

Production-ready OIDC authentication middleware. Drop-in replacement for oauth2-proxy and forward-auth with support for 9+ identity providers.


Features

Enterprise-grade authentication for your Traefik deployments

Universal Provider Support

Works with Google, Azure AD, Auth0, Okta, Keycloak, Cognito, GitLab, and any OIDC-compliant provider

Auto-Detection

Automatically detects and configures provider-specific settings from OIDC discovery

Dynamic Registration

RFC 7591 Dynamic Client Registration for automatic client setup without manual configuration

Automatic Scope Filtering

Intelligently filters OAuth scopes based on provider capabilities from discovery documents

Security Headers

Comprehensive security headers including CORS, CSP, HSTS, and customizable profiles

Domain & User Restrictions

Limit access to specific email domains, individual users, or role-based groups

Role-Based Access

Restrict access based on roles and groups from OIDC claims

Automatic Token Refresh

Secure session handling with proactive token refresh before expiry

Rate Limiting

Built-in protection against brute force attacks with configurable limits

Custom Headers

Template-based headers using OIDC claims and tokens for downstream services

PKCE Support

Proof Key for Code Exchange for enhanced security in authorization code flow

Memory Management

Bounded caches with LRU eviction, automatic cleanup, and zero goroutine leaks

Supported Providers

Works with all major identity providers out of the box

Google: Full OIDC

Azure AD: Full OIDC

Auth0: Full OIDC

Okta: Full OIDC

Keycloak: Full OIDC

AWS Cognito: Full OIDC

GitLab: Full OIDC

GitHub: OAuth 2.0

Feature Google Azure AD Auth0 Okta Keycloak
ID Tokens
Refresh Tokens
Auto-Configuration
Custom Claims Limited
Group/Role Claims Limited
Self-Hosted

Installation

Get started in under 5 minutes

1 Enable the Plugin

Add to your Traefik static configuration:

# traefik.yml
experimental:
  plugins:
    traefikoidc:
      moduleName: github.com/lukaszraczylo/traefikoidc
      version: v0.7.10

2 Configure the Middleware

Create your middleware configuration:

# dynamic/middleware.yml
http:
  middlewares:
    oidc-auth:
      plugin:
        traefikoidc:
          providerURL: "https://accounts.google.com"
          clientID: "your-client-id"
          clientSecret: "your-client-secret"
          callbackURL: "/oauth2/callback"
          sessionEncryptionKey: "your-32-byte-secret-key-here!!!!"  # must be at least 32 bytes
          scopes:
            - "openid"
            - "profile"
            - "email"

3 Apply to Your Routes

Use the middleware on your services:

# dynamic/routers.yml
http:
  routers:
    my-secure-app:
      rule: "Host(`app.example.com`)"
      service: my-service
      middlewares:
        - oidc-auth
      tls:
        certResolver: letsencrypt

Configuration

Flexible options for any deployment scenario

Required Parameters

Parameter Description
providerURL Base URL of your OIDC provider
clientID OAuth 2.0 client identifier
clientSecret OAuth 2.0 client secret
sessionEncryptionKey 32+ byte key for session encryption
callbackURL OAuth callback path (e.g., /oauth2/callback)

Popular Optional Parameters

Parameter Default Description
forceHTTPS false Required for TLS termination at load balancer
allowedUserDomains none Restrict to specific email domains
allowedRolesAndGroups none Restrict to users with specific roles
excludedURLs none Paths that bypass authentication
enablePKCE false Enable PKCE for enhanced security
rateLimit 100 Maximum requests per second

Example: Google Workspace with Domain Restriction

http:
  middlewares:
    google-oidc:
      plugin:
        traefikoidc:
          providerURL: "https://accounts.google.com"
          clientID: "1234567890.apps.googleusercontent.com"
          clientSecret: "your-client-secret"
          callbackURL: "/oauth2/callback"
          sessionEncryptionKey: "your-32-byte-encryption-key!!!!!"  # must be at least 32 bytes
          allowedUserDomains:
            - "yourcompany.com"
            - "subsidiary.com"
          excludedURLs:
            - "/health"
            - "/metrics"
            - "/api/public"
          forceHTTPS: true
          logLevel: "info"
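As an added illustration (not the plugin's own code), the following Go function shows the semantics a defender should expect from allowedUserDomains and allowedRolesAndGroups: it assumes the standard OIDC email claim plus roles and groups claims, whole-domain matching on the text after the last '@', and that one matching role or group is enough.

```go
package main

import (
	"fmt"
	"strings"
)

// Claims: the standard OIDC "email" claim plus "roles"/"groups" (assumed names).
type Claims struct {
	Email         string
	Roles, Groups []string
}

// Authorize applies allowedUserDomains and allowedRolesAndGroups to a user's
// claims (an empty list means no restriction). The domain is everything after
// the last '@', matched whole, so evil-yourcompany.com never passes.
func Authorize(c Claims, allowedDomains, allowedRolesAndGroups []string) (bool, string) {
	if len(allowedDomains) > 0 {
		at := strings.LastIndex(c.Email, "@")
		if at < 0 || at == len(c.Email)-1 {
			return false, "missing or malformed email claim"
		}
		if domain := c.Email[at+1:]; !member(allowedDomains, domain) {
			return false, "email domain " + domain + " not allowed"
		}
	}
	if len(allowedRolesAndGroups) > 0 { // roles and groups are pooled
		for _, r := range append(append([]string{}, c.Roles...), c.Groups...) {
			if member(allowedRolesAndGroups, r) {
				return true, "matched role/group " + r
			}
		}
		return false, "no allowed role or group in claims"
	}
	return true, "authenticated, no restrictions configured"
}

// member is case-insensitive (right for DNS names; use == if role names are not).
func member(list []string, v string) bool {
	for _, item := range list {
		if strings.EqualFold(item, v) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(Authorize(Claims{Email: "bob@evil-yourcompany.com"}, []string{"yourcompany.com", "subsidiary.com"}, nil))
}
```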

Security First

Built with enterprise security requirements in mind

Token Security

  • JWT signature verification with JWK rotation
  • Replay attack detection via JTI claims
  • Strict audience and issuer validation
  • Automatic token refresh before expiry
  • Token revocation on logout

Session Security

  • AES-256-GCM encrypted session cookies
  • CSRF protection with state parameter
  • Secure, HttpOnly, SameSite cookies
  • Configurable session timeouts
  • Bounded session cache with LRU eviction

Security Headers

  • Content Security Policy (CSP)
  • HTTP Strict Transport Security (HSTS)
  • X-Frame-Options, X-Content-Type-Options
  • CORS configuration
  • Customizable header profiles

Rate Limiting

  • Configurable request rate limits
  • Protection against brute force attacks
  • Per-client rate limiting
  • Graceful handling of limit exceeded
  • Customizable response codes

Why Choose Traefik OIDC?

A better alternative to oauth2-proxy and forward-auth

Feature Traefik OIDC oauth2-proxy forward-auth
Native Plugin
No Extra Service
Auto Provider Detection
Dynamic Client Registration
Automatic Scope Filtering
Built-in Security Headers
Template Headers
Memory Efficient LRU caches Varies Varies

Ready to Secure Your Applications?

Get started with Traefik OIDC in minutes. Full documentation and examples available on GitHub.