Ben
June 8, 2020
As part of our drive to improve security we recently decided to add authentication to some of our Docker containers.
We use Traefik, and I found this great blog, “Integrating Google OAuth with Traefik”, that uses the project “Traefik Forward Auth” to add Google authentication in front of Traefik.
That blog was a great help and showed us it was possible, but we did things a little differently. They use ‘Auth Host Mode’ whereas we went with ‘Overlay Mode’. The difference is explained in the read-me, but essentially, in overlay mode every domain we want to protect has to be registered with Google as an authorised redirect URI (its /_oauth callback URL), which isn't a problem when you're only using one.
Creating the Google auth app is fairly straightforward, and the blog above does a great job of explaining it. We added ours to our organisation and kept it ‘internal’, so only accounts in our Google organisation can sign in at all.
Here's where things change. Our setup is a little different. First, in our traefik.yml we added the following to the entrypoint definition:

```
Auth.Forward.AuthResponseHeaders:X-forwarded-user
Auth.Forward.TrustForwardHeader:true
```

The second setting makes Traefik pass on the X-Forwarded-* headers it received, which the auth service needs to rebuild the original URL it redirects back to; bear in mind that if Traefik is reached directly from the internet rather than through another trusted proxy, those headers can be supplied by the client.
I then created a new file for the auth forwarding, rather than adding it to the Traefik config. I called it oauth.yml and put the following in it:
```yaml
version: '3.4'

networks:
  kong:
    external:
      name: kong

services:
  oauth:
    image: thomseddon/traefik-forward-auth
    hostname: oauth
    networks:
      - kong
    environment:
      PROVIDERS_GOOGLE_CLIENT_ID: <client-id>
      PROVIDERS_GOOGLE_CLIENT_SECRET: <client-secret>
      SECRET: <randomly-generated-secret>
      COOKIE_DOMAIN: <your-domain>
      INSECURE_COOKIE: "false"
      URL_PATH: /_oauth/
      DOMAIN: <your-domain>
      LOG_LEVEL: debug
      LIFETIME: 2592000 # 30 days
    deploy:
      labels:
        traefik.enable: "true"
        traefik.port: "4181"
        traefik.backend: oauth
        traefik.frontend.rule: PathPrefix:/_oauth/
        traefik.docker.network: kong
        traefik.frontend.auth.forward.address: "http://oauth:4181"
        traefik.frontend.auth.forward.authResponseHeaders: X-Forwarded-User
        traefik.frontend.auth.forward.trustForwardHeader: "true"
    ports:
      - 4181
```
The 'CLIENT-ID' and 'CLIENT-SECRET' are provided by Google. The 'RANDOMLY-GENERATED-SECRET' is used to sign the session cookie, so treat it like a password; it can be generated from a terminal with "openssl rand -hex 16" or any other random hex generator. 'COOKIE_DOMAIN' is the domain the session cookie is set on, i.e. example.com, and 'DOMAIN' is the e-mail domain that is allowed to log in; alternatively you can use the 'WHITELIST' option to list the individual e-mail addresses you want to have access. 'INSECURE_COOKIE' is left at "false" so the cookie keeps its Secure flag and is only ever sent over HTTPS.
Finally, for your service to have authentication, just add these lines under ‘labels’:

```
traefik.frontend.auth.forward.address: "http://oauth:4181"
traefik.frontend.auth.forward.authResponseHeaders: X-Forwarded-User
traefik.frontend.auth.forward.trustForwardHeader: "true"
```
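To show where those three labels sit in practice, here is a complete stack file for a protected service. This is an added example, not a file from the original post or from the Traefik Forward Auth project; the service name `app`, the `nginx:alpine` image and the host `app.example.com` are assumptions, and it relies on the `oauth` service and the external `kong` network defined above.

```yaml
version: '3.4'

networks:
  kong:
    external:
      name: kong

services:
  app:
    # Hypothetical application; any HTTP service behind Traefik works the same way.
    image: nginx:alpine
    networks:
      - kong
    # Deliberately no "ports:" section: forward auth only protects requests that
    # pass through Traefik, so the app must not be published directly on the host.
    deploy:
      labels:
        traefik.enable: "true"
        traefik.port: "80"
        traefik.docker.network: kong
        traefik.frontend.rule: Host:app.example.com
        # Every request to app.example.com is first sent to the oauth service;
        # only a 200 from it lets the request through to the app.
        traefik.frontend.auth.forward.address: "http://oauth:4181"
        # The signed-in user's e-mail is copied into this header for the app.
        traefik.frontend.auth.forward.authResponseHeaders: X-Forwarded-User
        # Pass the X-Forwarded-* headers the auth service needs to build the redirect.
        traefik.frontend.auth.forward.trustForwardHeader: "true"
```

Because the app only sees X-Forwarded-User on requests that came through Traefik, it can use that header to identify the user, but only as long as the app is not reachable any other way.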
Now, after everything is deployed, when we go to our service “app.example.com” we are redirected to Google. After successfully logging in, we are redirected back to our app!
https://github.com/thomseddon/traefik-forward-auth#simple
https://sysadmins.co.za/integrating-google-oauth-with-traefik/
https://console.developers.google.com/apis/
Experienced developer in various languages, currently a product owner of nerd.vision leading the back end architecture.