traefik-forward-auth

Feature request: Support multiple auth-hosts

Open hexeth opened this issue 4 years ago • 8 comments

I've been using your app for some time in auth_host mode for subdomains without any troubles, but am really struggling to add a second domain to the list. Once I add a second domain to cookie_domain everything seems to break down. Would you be able to provide an example of the correct way to set up OAuth for more than one TLD?

hexeth avatar Apr 24 '20 15:04 hexeth

I was about to open an issue, I am experiencing similar troubles. I have been using AUTH_HOST for a long time with subdomains but today I added a new top level domain and the oauth consent screen is redirecting to the wrong auth endpoint on my new domain instead of the one at AUTH_HOST.

starcraft66 avatar Apr 25 '20 17:04 starcraft66

At the moment there isn't support for multiple auth-hosts. I will leave this open as a feature request, I think it makes sense and shouldn't be hard to implement.

@starcraft66 because cookies aren't shared across domains, by design traefik-forward-auth will fall back to using the domain of the original request if it can't use an auth-host. I would suggest adding any new domains that don't fall under your auth-host to your provider for now - in the future we will support multiple auth-hosts.

thomseddon avatar Apr 30 '20 20:04 thomseddon

> I would suggest adding any new domains that don't fall under your auth-host to your provider for now.

This is not a solution for me because I have traefik listening on both my public and private domains. Since all endpoints (30+ of them) are listening on both, I would need to add every single endpoint on my IdP which is the same level of effort needed that AUTH_HOST solves for one domain.

Is there work going on for this? If not, I can whip up a PR.

Looks like this is where stuff should change:
https://github.com/thomseddon/traefik-forward-auth/blob/c4317b7503fb0528d002eb1e5ee43c4a37f055d0/internal/auth.go#L147
https://github.com/thomseddon/traefik-forward-auth/blob/c4317b7503fb0528d002eb1e5ee43c4a37f055d0/internal/auth.go#L140

adyanth avatar Feb 18 '22 21:02 adyanth

@adyanth thanks for the hard work on this one as I'm using it in the same scenario with both public/private domains and the PR is greatly appreciated. Looking forward to testing it out.

LukeEvansTech avatar Mar 10 '22 12:03 LukeEvansTech

I can add test cases and push it out, I was waiting for @thomseddon to check if the implementation is okay.

I am waiting to use it as well :)

adyanth avatar Mar 10 '22 12:03 adyanth

Added the test cases too, waiting for the PR to be accepted. @thomseddon can you have a look at this?

adyanth avatar Mar 12 '22 06:03 adyanth

I am currently using it successfully with no changes other than adding another AUTH_HOST (comma separated, exactly like COOKIE_DOMAIN) in my cluster.

Here is a copy of the PR for people eager to use it: https://hub.docker.com/r/adyanth/traefik-forward-auth/tags

Just use adyanth/traefik-forward-auth:2 instead of thomseddon/traefik-forward-auth:2 for now. Remember to change it back once this PR is merged since I do not plan on maintaining that fork. I just needed this to work :)

adyanth avatar Mar 17 '22 09:03 adyanth
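
An added illustration (not code from traefik-forward-auth or from the PR discussed in this thread) of the selection a comma-separated AUTH_HOST implies: the OAuth redirect may only go to an auth host that shares a cookie domain with the original request, otherwise the request's own host is used. The function names and the `example.com` / `example.internal` values are constructed for this sketch, and port stripping assumes hostnames rather than IPv6 literals.

```go
package main

import (
	"fmt"
	"strings"
)

// matchCookieDomain returns the configured cookie domain covering host
// (exact match or a dot-separated subdomain), or "" if none does.
func matchCookieDomain(host string, cookieDomains []string) string {
	if i := strings.LastIndex(host, ":"); i != -1 {
		host = host[:i] // drop the port; hostnames only (assumption)
	}
	host = strings.ToLower(host)
	for _, d := range cookieDomains {
		d = strings.ToLower(strings.TrimSpace(d))
		// The leading dot stops "evilexample.com" matching "example.com".
		if host == d || strings.HasSuffix(host, "."+d) {
			return d
		}
	}
	return ""
}

// pickAuthHost returns the auth host whose cookie domain equals the one
// covering reqHost. ok is false when no auth host can share a cookie with
// the request, i.e. the caller falls back to the request's own host.
func pickAuthHost(reqHost string, authHosts, cookieDomains []string) (string, bool) {
	reqDomain := matchCookieDomain(reqHost, cookieDomains)
	if reqDomain == "" {
		return "", false
	}
	for _, a := range authHosts {
		a = strings.TrimSpace(a)
		if matchCookieDomain(a, cookieDomains) == reqDomain {
			return a, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample configuration: one public and one private domain.
	cookieDomains := strings.Split("example.com,example.internal", ",")
	authHosts := strings.Split("auth.example.com,auth.example.internal", ",")
	for _, h := range []string{"app.example.com", "app.example.internal:8443", "app.other.test"} {
		a, ok := pickAuthHost(h, authHosts, cookieDomains)
		fmt.Printf("%-28s authHost=%q shared=%v\n", h, a, ok)
	}
}
```

With a single auth host, every request under the second cookie domain takes the `ok == false` path, which is why each such endpoint then has to be registered with the provider.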

Thank you - I hope this gets merged

nakermann1973 avatar Jun 30 '23 15:06 nakermann1973