I’m using TinyAuth for forwardauth but the service I’m trying to use consistently is saying the headers are not set (and I can verify, they’re not there.)
Traefik: in static config
entryPoints:
  web:
    address: ':80'
    transport:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
        writeTimeout: 600s
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':443'
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: domain.tld
            sans:
              - '*.domain.tld'
    forwardedHeaders:
      trustedIPs:
        - [TinyAuth IP]
in dynamic config:
tinyauth-auth:
  forwardAuth:
    address: "http://[TinyAuth IP]:3000/api/auth/traefik"
    trustForwardHeader: true
    authResponseHeaders:
      - Remote-User
      - Remote-Groups
      - Remote-Name
      - Remote-Email
This is set as a middleware in the app I’m trying to use.
in tinyauth:
TINYAUTH_APPURL=https://tinyapp.domain.tld/
TINYAUTH_AUTH_TRUSTEDPROXIES=[Traefik IP]
TINYAUTH_APPS_APP_CONFIG_DOMAIN='app.domain.tld'
TINYAUTH_APPS_APP_RESPONSE_HEADERS='Remote-User,Remote-Email,Remote-Group,Remote-Name,X-Remote-Name,X-Remote-User,X-Remote-Group,X-Remote-Email,Forwarded-Host,Forwarded-URI'
(I kept adding response headers hoping something would change)
PocketID is set as an OAuth provider and seems to be working fine, but I can provide further detail if needed.
Curiously, I tried changing the address in the traefik config to “https://tinyauth.domain.tld/” and the headers came through properly, but the redirect went to https://tinyauth.domain.tld/api/auth/traefik.
I think this is actually my issue but they never posted their solution.


Out of curiosity, since you’re already using Traefik and Pocket ID, what does Tinyauth provide? Traefik can already do forward auth through a plugin. It redirects to Pocket ID directly.
Just preference using Tinyauth over the plugin. It’s got a beautiful login screen.
https://tinyauth.app/tinyauth-dark.png