traefik_oauth_upstream

v1.0.3
Warning

This package is not in the latest version of its module.

Published: Nov 15, 2023 License: Apache-2.0 Imports: 10 Imported by: 0

README

Upstream OAuth - Traefik Middleware

This middleware adds OAuth headers to your requests so that, for the upstream (service), the request is OAuth-authenticated. Using other middleware layers, you can configure any kind of downstream (client) authentication (e.g., Basic Auth) or leave it open to the internet (not recommended)! Without downstream authentication, every client that can reach the route is forwarded upstream with the cached token.

After the client has signed in, tokens are kept cached and are automatically refreshed.

Typical flow

sequenceDiagram
  participant B as Downstream client
  participant O as OAuth Provider
  participant P as Traefik OAuth Plugin
  participant U as Upstream server

  alt First ever request
    B->>P: Plain request
    P->>B: 302
    B->>O: Auth request
    O->>B: Success redirect
    B->>+P: OAuth callback
    Note right of P: Token & refresh token stored
    P->>-B: Redirect back to original request
  end

  alt Token still valid
    B->>+P: Plain request
    Note right of P: Bearer token added
    P->>-U: Authorised request
    U->>P: Response
    P->>B: Response
  end

  alt Token expired
    B->>P: Plain request
    P->>O: Refresh token
    O->>+P: Refreshed tokens
    Note right of P: Tokens updated and bearer added
    P->>-U: Authorised request
    U->>P: Response
    P->>B: Response
  end
  

Config

You can set up different upstream OAuths by configuring different middlewares, or you can configure one middleware and reuse it with multiple routers/services.

Config example

Development

This repo is GitPod friendly.

Documentation

Overview

Package traefik_oauth_upstream - Traefik plugin to manage upstream OAuth.

Index

Constants

const CALLBACK_PATH = "/_oauth" //nolint:revive,stylecheck
const TOKEN_DATA_FILENAME = "token_data.json" //nolint:revive,stylecheck,gosec // Filename is hardcoded, but not the contents.

Variables

This section is empty.

Functions

func CalcRefreshTimestamp

func CalcRefreshTimestamp(expiryUnix int64) int64

CalcRefreshTimestamp - calculate at what point the token should be refreshed.

func LoadTokenData

func LoadTokenData(persistDir string) (*oauth2.Token, error)

LoadTokenData - load token info from a file.

func New

func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error)

New creates a new Demo plugin.

func Persist

func Persist(tokenData *oauth2.Token, persistDir string)

Persist a token to a file.

func TokenDataExists

func TokenDataExists(persistDir string) (bool, error)

TokenDataExists - figures out whether token data exists on disk.
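A defender-side check for the token cache that Persist writes into persistDir, given here as an added example that is not part of the plugin's code. It assumes a POSIX host, reuses the TOKEN_DATA_FILENAME value from above, and AuditPersistDir is a hypothetical helper name.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Same value as the package's TOKEN_DATA_FILENAME constant.
const tokenFile = "token_data.json"

// AuditPersistDir (hypothetical helper, not part of the plugin) reports
// permission problems that would let other local users read or replace
// the cached access and refresh tokens.
func AuditPersistDir(persistDir string) ([]string, error) {
	var findings []string
	path := filepath.Join(persistDir, tokenFile)
	fi, err := os.Lstat(path) // Lstat: report a symlink instead of following it
	if err != nil {
		return nil, err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		findings = append(findings, path+": is a symlink")
	} else if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		findings = append(findings, fmt.Sprintf("%s: mode %04o is open beyond the owner, want 0600", path, perm))
	}
	di, err := os.Stat(persistDir)
	if err != nil {
		return nil, err
	}
	if perm := di.Mode().Perm(); perm&0o022 != 0 {
		findings = append(findings, fmt.Sprintf("%s: mode %04o lets non-owners replace the token file", persistDir, perm))
	}
	return findings, nil
}

func main() {
	// Constructed sample: a throwaway directory with a deliberately loose token file.
	dir, _ := os.MkdirTemp("", "persist")
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, tokenFile)
	_ = os.WriteFile(p, []byte(`{"access_token":"constructed"}`), 0o644)
	_ = os.Chmod(p, 0o644) // set explicitly, the umask may have tightened it
	findings, err := AuditPersistDir(dir)
	fmt.Println(findings, err)
}
```

An empty result means only the owning account can read or swap the cached tokens; run the check as the user the Traefik process runs as.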

Types

type Config

type Config struct {
	ClientID     string   `json:"clientId"`
	ClientSecret string   `json:"clientSecret"`
	AuthURL      string   `json:"authUrl"`
	TokenURL     string   `json:"tokenUrl"`
	PersistDir   string   `json:"persistDir"`
	Scopes       []string `json:"scopes"`
}

Config - the plugin configuration.

func CreateConfig

func CreateConfig() *Config

CreateConfig - creates the default plugin configuration.

type OauthUpstream

type OauthUpstream struct {
	// contains filtered or unexported fields
}

OauthUpstream - information about upstream OAuth.

func (*OauthUpstream) ServeHTTP

func (a *OauthUpstream) ServeHTTP(rw http.ResponseWriter, req *http.Request)
