Skip to main content

Traefik proxy integration

Traefik is modern HTTP proxy and load balancer for microservices, oathkeeper can be integrated with via the ForwardAuth Middleware by making use of the available Access Control Decision API.

To achieve this,

  • configure traefik
    • to make use of the aforesaid ForwardAuth middleware by setting the address property to the decision URL endpoint and
    • by including the required header name(s), the oathkeeper sets in the HTTP responses into the authResponseHeaders property.
  • configure the route of your service to make use of this middleware

Example (using Docker labels):

edge-router:
  image: traefik
  # further configuration
  labels:
    - traefik.http.middlewares.oathkeeper.forwardauth.address=http://oathkeeper:4456/decisions
    - traefik.http.middlewares.oathkeeper.forwardauth.authResponseHeaders=X-Id-Token,Authorization
    # further labels

service:
  image: my-service
  # further configuration
  labels:
    - traefik.http.routers.service.middlewares=oathkeeper
    # further labels