### Start Local Development Server with Bun Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/README.md Starts a local development server for live previewing changes. Requires bun to be installed. ```bash $ bun start ``` -------------------------------- ### Install ajson CLI Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Install the ajson command-line interface tool using go get. ```shell go get github.com/spyzhov/ajson/cmd/ajson@v0.9.6 ``` -------------------------------- ### Install uuid Package Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/google/uuid/README.md Installs the uuid package using the go get command. ```sh go get github.com/google/uuid ``` -------------------------------- ### Install Dependencies with Bun Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/README.md Installs project dependencies using the bun package manager. Ensure bun is installed first. ```bash $ bun install ``` -------------------------------- ### Install Dependencies and Playwright Browsers Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/e2e/README.md Installs project dependencies using Bun and installs the necessary Playwright browser binaries. ```bash bun install bunx playwright install ``` -------------------------------- ### Run Traefik with Keycloak Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/README.md Starts the Traefik plugin with a pre-configured Keycloak instance for local development. Wait for services to initialize before accessing. ```bash task run:keycloak ``` -------------------------------- ### Environment Variable Configuration Example Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/middleware-configuration.md Demonstrates how to use environment variables for configuration properties. Supports single environment variables enclosed in ${}. Does not support templating within the variable. ```yaml Provider: Url: "${MY_PROVIDER_URL}" ClientSecret: "${MY_CLIENT_SECRET}" ``` -------------------------------- ### List Available Tasks Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/README.md Lists all available tasks for local development and testing using the Taskfile. Ensure Taskfile CLI and Docker are installed. ```bash task --list ``` -------------------------------- ### Get Kanidm Client Configuration Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/identity-providers/kanidm.md Retrieve the current configuration for a Kanidm OAuth2 client to verify its settings. The example shows the output for a client named 'traefik-oauth2'. ```yaml class: account class: memberof class: oauth2_resource_server class: oauth2_resource_server_basic class: object directmemberof: idm_all_accounts@example.com displayname: Traefik OAuth es256_private_key_der: private_binary memberof: idm_all_accounts@example.com name: traefik-oauth2 oauth2_allow_insecure_client_disable_pkce: true oauth2_rs_basic_secret: hidden oauth2_rs_origin: https://login.example.com/oidc/callback oauth2_rs_origin_landing: https://login.example.com/ oauth2_rs_scope_map: idm_all_persons@example.com: {"email", "groups", "openid", "profile"} oauth2_rs_token_key: hidden oauth2_strict_redirect_uri: true spn: traefik-oauth2@example.com uuid: f1f4e707-832e-4beb-ba12-9410b883dddf ``` -------------------------------- ### Install Golang JWT Package Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/golang-jwt/jwt/v5/README.md Use this command to add the jwt-go package as a dependency in your Go program. ```shell go get -u github.com/golang-jwt/jwt/v5 ``` -------------------------------- ### Full Local Development Example with Multiple Services Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/callback-uri.md A comprehensive configuration for local development, setting up multiple services, authentication router, and using environment variables for provider details. It configures the callback URI and session cookie domain for a local development environment. ```yaml http: services: whoami: loadBalancer: servers: - url: http://whoami:80 middlewares: oidc-auth: plugin: traefik-oidc-auth: LogLevel: DEBUG Provider: Url: "${PROVIDER_URL}" ClientId: "${CLIENT_ID}" ClientSecret: "${CLIENT_SECRET}" UsePkce: false Scopes: ["openid", "profile", "email"] CallbackUri: "https://auth.127.0.0.1.sslip.io/oidc/callback" SessionCookie: Domain: ".127.0.0.1.sslip.io" routers: service1: entryPoints: ["websecure"] tls: {} rule: "Host(`service1.127.0.0.1.sslip.io`)" service: whoami middlewares: ["oidc-auth@file"] service2: entryPoints: ["websecure"] tls: {} rule: "Host(`service2.127.0.0.1.sslip.io`)" service: whoami middlewares: ["oidc-auth@file"] auth: entryPoints: ["websecure"] tls: {} rule: "Host(`auth.127.0.0.1.sslip.io`)" service: noop@internal middlewares: ["oidc-auth@file"] ``` -------------------------------- ### Import Golang JWT Package Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/golang-jwt/jwt/v5/README.md Import the jwt-go library into your Go code to start using its functionalities. ```go import "github.com/golang-jwt/jwt/v5" ``` -------------------------------- ### Authorized Token Example Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/authorization.md An example of a JWT token that would be considered authorized by the 'admin' or 'media' roles assertion. ```json { "exp": 1749314471, "iat": 1749314411, "auth_time": 1749314411, "jti": "onrtac:3b5c0b13-8471-4e98-a329-226d6c1d0b78", "iss": "http://127-0-0-1.sslip.io:8000/realms/master", "aud": [ "master-realm", "account" ], "sub": "c0d6f5c3-d05f-474d-bf06-f590b0a397ad", "typ": "Bearer", "azp": "traefik", "sid": "758810d0-6be1-43a3-8c2b-7ae69e5eba00", "acr": "1", "scope": "openid email profile", "email_verified": false, "preferred_username": "admin", // highlight-next-line "roles": ["admin"] } ``` -------------------------------- ### JSONPath bracket notation example Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Demonstrates the bracket notation for accessing nested JSON properties, which is more general. ```jsonpath $['store']['book'][0]['title'] ``` -------------------------------- ### Update Import Path and Install JWT Go v4 Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md Update your project to use the new import path for JWT Go v4 and install the package. This is a common step for migrating to newer versions. ```bash go get github.com/golang-jwt/jwt/v4 go mod tidy ``` -------------------------------- ### Logout Link Example Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/how-it-works.md Use this HTML snippet to create a logout link. The link navigates to the configured logout route to initiate the logout flow. ```html Logout ``` -------------------------------- ### JSONPath dot notation example Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Illustrates the dot notation for accessing nested JSON properties. ```jsonpath $.store.book[0].title ``` -------------------------------- ### Run Traefik with External IdP Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/README.md Starts the Traefik plugin using the configuration from the .env file for an external identity provider. Access the service via http://localhost:9080. ```bash task run:external ``` -------------------------------- ### JSON Structure Example Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/authorization.md This is a sample JSON structure used for demonstrating complex assertions. It does not represent an actual JWT. ```json { "store": { "bicycle": { "color": "red", "price": 19.95 }, "book": [ { "author": "Herman Melville", "category": "fiction", "isbn": "0-553-21311-3", "price": 8.99, "title": "Moby Dick" }, { "author": "J. R. R. Tolkien", "category": "fiction", "isbn": "0-395-19395-8", "price": 22.99, "title": "The Lord of the Rings" } ] } } ``` -------------------------------- ### Unauthorized Token Example Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/authorization.md An example of a JWT token that would be considered unauthorized because its 'roles' claim does not match the required 'admin' or 'media' values. ```json { "exp": 1749314471, "iat": 1749314411, "auth_time": 1749314411, "jti": "onrtac:3b5c0b13-8471-4e98-a329-226d6c1d0b78", "iss": "http://127-0-0-1.sslip.io:8000/realms/master", "aud": [ "master-realm", "account" ], "sub": "c0d6f5c3-d05f-474d-bf06-f590b0a397ad", "typ": "Bearer", "azp": "traefik", "sid": "758810d0-6be1-43a3-8c2b-7ae69e5eba00", "acr": "1", "scope": "openid email profile", "email_verified": false, "preferred_username": "admin", // highlight-next-line "roles": ["user"] } ``` -------------------------------- ### Add Custom Not-Equals Operation Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Demonstrates how to add a custom operation to the script engine. This example adds a not-equals operator (`<>`) that returns a boolean node. ```go AddOperation("<>", 3, false, func(left *ajson.Node, right *ajson.Node) (node *ajson.Node, err error) { result, err := left.Eq(right) if err != nil { return nil, err } return BoolNode("neq", !result), nil }) ``` -------------------------------- ### JSONPath filter expression example Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Selects book titles where the price is less than 10 using a filter expression. ```jsonpath $.store.book[?(@.price < 10)].title ``` -------------------------------- ### Docker Labels for Role-Based Authorization Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/authorization.md This configuration uses Docker labels to achieve the same role-based authorization as the YAML example, allowing access for 'admin' or 'media' roles. ```docker traefik.http.middlewares.oidc-auth.traefik-oidc-auth.authorization.assertClaims[0].name=roles" traefik.http.middlewares.oidc-auth.traefik-oidc-auth.authorization.assertClaims[0].anyOf=admin,media" ``` -------------------------------- ### Traefik Middleware Configuration with Kanidm (Absolute URL, No PKCE, Forward Auth Headers) Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/identity-providers/kanidm.md Configure Traefik middleware for Kanidm authentication using an absolute callback URL, disabling PKCE, and forwarding custom headers with user claims. This setup also includes router configuration. ```yaml http: middlewares: oidc-auth: plugin: traefik-oidc-auth: LogLevel: DEBUG CallbackUri: "https://login.example.com/oidc/callback" SessionCookie: Domain: ".example.com" Provider: Url: "https://idm.example.com/oauth2/openid/" ClientId: "" ClientSecret: "" UsePkce: false Scopes: ["openid", "profile", "email", "groups"] Headers: - Name: "Remote-User" Value: "{{`{{ .claims.preferred_username }}`}}" - Name: "Remote-Email" Value: "{{`{{ .claims.email }}`}}" - Name: "Remote-Groups" Value: "{{`{{ .claims.groups }}`}}" - Name: "Remote-Name" Value: "{{`{{ .claims.name }}`}}" routers: auth: rule: "Host(`login.example.com)" service: noop@internal middlewares: ["oidc-auth@file"] ``` -------------------------------- ### Set Absolute Callback URI and Session Cookie Domain Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/callback-uri.md Use an absolute URL for `CallbackUri` when protecting multiple hostnames. This example also demonstrates setting a shared session cookie domain for subdomains. ```yaml middlewares: oidc-auth: plugin: traefik-oidc-auth: CallbackUri: "https://login.example.com/oidc/callback" SessionCookie: Domain: ".example.com" Provider: Url: "https://ident.example.com/" ClientId: "" ClientSecret: "" Scopes: ["openid", "profile", "email"] ``` -------------------------------- ### Using 'avg' Function with JSON Array Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Calculates the average of numeric values in a JSON array using the 'avg' function. This example shows how to unmarshal JSON, evaluate an expression, and print the numeric result. ```go package main import ( "fmt" "github.com/spyzhov/ajson" ) func main() { json := []byte(`{"prices": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]}`) root, err := ajson.Unmarshal(json) if err != nil { panic(err) } result, err := ajson.Eval(root, `avg($.prices)`) if err != nil { panic(err) } fmt.Printf("Avg price: %0.1f", result.MustNumeric()) // Output: // Avg price: 5.5 } ``` -------------------------------- ### YAML Assertion: Expect array to contain a set of values (Failing Example) Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/authorization.md This assertion checks if the 'store.book[*].price' array contains all specified values. It fails because the value '1' is not present in the array. ```yaml Name: store.book[*].price AllOf: [ 22.99, 8.99, 1 ] ``` -------------------------------- ### Build Static Website with Bun Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/README.md Generates the static content for the website into the 'build' directory. This output can be hosted anywhere. ```bash $ bun run build ``` -------------------------------- ### Advanced Header Configuration with Helper Functions Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/middleware-configuration.md Demonstrates using Go-template helper functions like `withPrefix` and `mapToJsonArray` for advanced header value construction, suitable for both YAML and CRD configurations. ```yaml Headers: - Name: "Authorization" Value: "Bearer {{ .accessToken }}" - Name: "Impersonate-User" Value: "prefix:{{ .claims.preferred_username }}" - Name: "Impersonate-Group" Values: '{{ .claims.groups | withPrefix "prefix:" | mapToJsonArray }}' ``` -------------------------------- ### Evaluate JSON from a local file Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Process a local JSON file named 'example.json' using ajson with the root path selector. ```shell ajson "$" example.json ``` -------------------------------- ### Configure External Identity Provider Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/README.md Create a .env file in the 'workspaces/external-idp' directory to configure the plugin with your own identity provider. This requires PROVIDER_URL, CLIENT_ID, and CLIENT_SECRET. ```dotenv PROVIDER_URL=... CLIENT_ID=... CLIENT_SECRET=... VALIDATE_AUDIENCE=true ``` -------------------------------- ### Create Kanidm OAuth2 Client Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/identity-providers/kanidm.md Use the `kanidm client` tool to create a new OAuth2 client. This command requires the client ID, display name, and landing page URL. ```shell kanidm system oauth2 create ``` -------------------------------- ### ZITADEL Middleware Configuration (With PKCE) Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/identity-providers/zitadel.md Configure the traefik-oidc-auth middleware for ZITADEL when using the PKCE authentication flow. Ensure the Provider URL, ClientId, and Scopes are correctly set. ```yaml http: middlewares: oidc-auth: plugin: traefik-oidc-auth: Provider: Url: "https://your-instance.zitadel.cloud" ClientId: "" UsePkce: true Scopes: ["openid", "profile", "email"] ``` -------------------------------- ### ZITADEL Middleware Configuration (Without PKCE) Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/identity-providers/zitadel.md Configure the traefik-oidc-auth middleware for ZITADEL when not using the PKCE authentication flow. This requires a ClientSecret in addition to the Provider URL, ClientId, and Scopes. ```yaml http: middlewares: oidc-auth: plugin: traefik-oidc-auth: Provider: Url: "https://your-instance.zitadel.cloud" ClientId: "" ClientSecret: "" Scopes: ["openid", "profile", "email"] ``` -------------------------------- ### Configure BypassAuthenticationRule in Traefik Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/bypass-authentication-rule.md This example demonstrates how to set the BypassAuthenticationRule in the traefik-oidc-auth middleware configuration. It bypasses authentication for requests matching '/public' path or specific IP headers. ```yaml http: middlewares: oidc-auth: plugin: traefik-oidc-auth: Provider: Url: "${PROVIDER_URL}" ClientId: "${CLIENT_ID}" ClientSecret: "${CLIENT_SECRET}" BypassAuthenticationRule: "PathPrefix(`/public`) || HeaderRegexp(`X-Real-Ip`, `^172\.18\.`)" ``` -------------------------------- ### Unmarshal and Marshal JSON Data with ajson Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Demonstrates how to unmarshal a JSON byte slice into an ajson object, evaluate a JSONPath expression to find the average price, append the result, and then marshal the modified object back into a JSON string. This is useful for dynamic JSON manipulation. ```go package main import ( "fmt" "github.com/spyzhov/ajson" ) func main() { json := []byte(`{"store": {"book": [ {"category": "reference", "author": "Nigel Rees", "title": "Sayings of the Century", "price": 8.95}, {"category": "fiction", "author": "Evelyn Waugh", "title": "Sword of Honour", "price": 12.99}, {"category": "fiction", "author": "Herman Melville", "title": "Moby Dick", "isbn": "0-553-21311-3", "price": 8.99}, {"category": "fiction", "author": "J. R. R. Tolkien", "title": "The Lord of the Rings", "isbn": "0-395-19395-8", "price": 22.99}], "bicycle": {"color": "red", "price": 19.95}, "tools": null}}`) root := ajson.Must(ajson.Unmarshal(json)) result := ajson.Must(ajson.Eval(root, "avg($..price)")) err := root.AppendObject("price(avg)", result) if err != nil { panic(err) } marshalled, err := ajson.Marshal(root) if err != nil { panic(err) } fmt.Printf("%s", marshalled) } ``` -------------------------------- ### YAML Configuration for Role-Based Authorization Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/authorization.md This YAML configuration demonstrates how to set up an authorization rule to allow access only to users with 'admin' or 'media' roles. ```yaml http: middlewares: oidc-auth: plugin: traefik-oidc-auth: Provider: Url: "https://your-idp.com" ClientId: "" UsePkce: true Scopes: ["openid", "profile", "email"] # highlight-start Authorization: AssertClaims: - Name: roles AnyOf: ["admin", "media"] # highlight-end ``` -------------------------------- ### Filter JSON Array for True Values Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Filters a JSON array to find all elements that are strictly equal to the boolean `true`. This example uses the predefined `true` constant within a JSONPath expression. ```go package main import ( "fmt" "github.com/spyzhov/ajson" ) func main() { json := []byte(`{"foo": [true, null, false, 1, "bar", true, 1e3], "bar": [true, "baz", false]}`) result, _ := ajson.JSONPath(json, `$..[?(@ == true)]`) fmt.Printf("Count of `true` values: %d", len(result)) ``` -------------------------------- ### Run Playwright Tests in Interactive UI Mode Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/e2e/README.md Launches the Playwright interactive UI for running tests. ```bash bunx playwright test --ui ``` -------------------------------- ### Filter JSON Objects by Email Regex Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Filters a JSON array of objects to find those where the 'mail' field matches a specific email regex pattern. This example utilizes the regex matching operator (`=~`). ```go package main import ( "fmt" "github.com/spyzhov/ajson" ) func main() { json := []byte(`[{"name":"Foo","mail":"foo@example.com"},{"name":"bar","mail":"bar@example.org"}]`) result, err := ajson.JSONPath(json, `$.[?(@.mail =~ '.+@example\.com')]`) if err != nil { panic(err) } fmt.Printf("JSON: %s", result[0].Source()) // Output: // JSON: {"name":"Foo","mail":"foo@example.com"} ``` -------------------------------- ### Example Decoded JWT Token Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/authorization.md This JSON object represents a decoded JWT token, showcasing various claims like expiration time, issuer, audience, subject, roles, and user information. It's useful for understanding the data available for authorization. ```json { "exp": 1749314471, "iat": 1749314411, "auth_time": 1749314411, "jti": "onrtac:3b5c0b13-8471-4e98-a329-226d6c1d0b78", "iss": "http://127-0-0-1.sslip.io:8000/realms/master", "aud": [ "master-realm", "account" ], "sub": "c0d6f5c3-d05f-474d-bf06-f590b0a397ad", "typ": "Bearer", "azp": "traefik", "sid": "758810d0-6be1-43a3-8c2b-7ae69e5eba00", "acr": "1", "realm_access": { "roles": [ "create-realm", "default-roles-master", "offline_access", "admin", "uma_authorization" ] }, "resource_access": { "master-realm": { "roles": [ "view-realm", "view-identity-providers", "query-groups" ] }, "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] } }, "scope": "openid email profile", "email_verified": false, "preferred_username": "admin" } ``` -------------------------------- ### Traefik Middleware Configuration with Kanidm (Relative URL, PKCE) Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/identity-providers/kanidm.md Configure Traefik middleware to use Kanidm for authentication with a relative URL and PKCE enabled. This is the recommended secure approach. ```yaml http: middlewares: oidc-auth: plugin: traefik-oidc-auth: Provider: Url: "https://idm.example.com/oauth2/openid/" ClientId: "" UsePkce: true Scopes: ["openid", "profile"] ``` -------------------------------- ### Unmarshal, JSONPath, and Modify JSON Data Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Demonstrates how to unmarshal JSON, find elements using JSONPath, modify numeric values, append new key-value pairs, and marshal the modified JSON back. This is useful for dynamic JSON manipulation when the structure is not strictly defined. ```go package main import ( "fmt" "github.com/spyzhov/ajson" ) func main() { json := []byte(`...`) root, _ := ajson.Unmarshal(json) nodes, _ := root.JSONPath("$..price") for _, node := range nodes { node.SetNumeric(node.MustNumeric() * 1.25) node.Parent().AppendObject("currency", ajson.StringNode("", "EUR")) } result, _ := ajson.Marshal(root) fmt.Printf("%s", result) } ``` -------------------------------- ### Custom Claims with Application-Specific Validation Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md Demonstrates how to extend custom claims with application-specific validation logic using the new ClaimsValidator interface. Errors from this method are appended to standard validation. ```go // MyCustomClaims includes all registered claims, plus Foo. type MyCustomClaims struct { Foo string `json:"foo"` jwt.RegisteredClaims } // Validate can be used to execute additional application-specific claims // validation. func (m MyCustomClaims) Validate() error { if m.Foo != "bar" { return errors.New("must be foobar") } return nil } ``` -------------------------------- ### Run Playwright Tests with Headed Browser Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/e2e/README.md Runs Playwright tests with the browser window visible. ```bash bunx playwright test --headed ``` -------------------------------- ### Traefik Middleware Configuration with Kanidm (Relative URL, No PKCE) Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/identity-providers/kanidm.md Configure Traefik middleware to use Kanidm for authentication with a relative URL, disabling PKCE. This requires the client secret to be provided. ```yaml http: middlewares: oidc-auth: plugin: traefik-oidc-auth: Provider: Url: "https://idm.example.com/oauth2/openid/" ClientId: "" ClientSecret: "" Scopes: ["openid", "profile"] ``` -------------------------------- ### Unmarshal JSON Data and Calculate Average Price in Go Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Demonstrates how to unmarshal JSON data into an ajson object and iterate through its elements to calculate the average price of items. This is useful for processing heterogeneous JSON structures. ```go package main import ( "fmt" "github.com/spyzhov/ajson" ) func main() { data := []byte(`{"store": {"book": [ {"category": "reference", "author": "Nigel Rees", "title": "Sayings of the Century", "price": 8.95}, {"category": "fiction", "author": "Evelyn Waugh", "title": "Sword of Honour", "price": 12.99}, {"category": "fiction", "author": "Herman Melville", "title": "Moby Dick", "isbn": "0-553-21311-3", "price": 8.99}, {"category": "fiction", "author": "J. R. R. Tolkien", "title": "The Lord of the Rings", "isbn": "0-395-19395-8", "price": 22.99}], "bicycle": {"color": "red", "price": 19.95}, "tools": null}}`) root, err := ajson.Unmarshal(data) if err != nil { panic(err) } store := root.MustKey("store").MustObject() var prices float64 size := 0 for _, objects := range store { if objects.IsArray() && objects.Size() > 0 { size += objects.Size() for _, object := range objects.MustArray() { prices += object.MustKey("price").MustNumeric() } } else if objects.IsObject() && objects.HasKey("price") { size++ prices += objects.MustKey("price").MustNumeric() } } if size > 0 { fmt.Println("AVG price:", prices/float64(size)) } else { fmt.Println("AVG price:", 0) } } ``` -------------------------------- ### Combined Router Rule for Secure Path and Callback Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/config-samples/secured-sub-route.md This alternative router rule combines the '/secure' path and the OIDC callback path into a single rule using an OR condition. This can simplify the configuration when both paths require similar handling. ```yaml rule: "HostRegexp(`.+`) && (PathPrefix(`/secure`) || PathPrefix(`/oidc/callback`))" ``` -------------------------------- ### Enable Traefik OIDC Auth Plugin Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/index.md Enable the plugin in your traefik static configuration. Ensure you specify the correct module name and version. ```yaml experimental: plugins: traefik-oidc-auth: moduleName: "github.com/sevensolutions/traefik-oidc-auth" version: "v0.20.1" ``` -------------------------------- ### Creating a Validator Instance Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md Users can now create a Validator independently using jwt.NewValidator to perform validation. This replaces direct calls to the old Valid function on claims. ```go var v = jwt.NewValidator(jwt.WithLeeway(5*time.Second)) v.Validate(myClaims) ``` -------------------------------- ### Configure OIDC Auth Middleware (Kubernetes) Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/index.md Configure OIDC authentication using Kubernetes resources, including a Secret for sensitive values and a Middleware CRD. The IngressRoute then applies this middleware. ```yaml apiVersion: v1 kind: Secret metadata: name: oidc-secret namespace: traefik type: Opaque stringData: pluginSecret: "MLFs4TT99kOOq8h3UAVRtYoCTDYXiRcZ" providerClientSecret: "" --- apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: name: oidc namespace: traefik spec: plugin: traefik-oidc-auth: # same key as in the static configuration Secret: "urn:k8s:secret:oidc-secret:pluginSecret" Provider: ClientId: "abcd-12345" ClientSecret: "urn:k8s:secret:oidc-secret:providerClientSecret" --- apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: whoami namespace: traefik spec: routes: - kind: Rule match: Host(`whoami.mycluster.com`) middlewares: - name: oidc services: - kind: Service name: whoami port: 80 ``` -------------------------------- ### Pipe JSON to ajson for processing Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Use curl to fetch JSON data and pipe it to ajson for extracting coordinate information. ```shell curl -s "https://randomuser.me/api/?results=10" | ajson "$..coordinates" ``` -------------------------------- ### Configure Pocket ID Middleware Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/identity-providers/pocket-id.md Basic configuration for Traefik's OIDC auth middleware using Pocket ID. Ensure the Client ID and Client Secret are correctly set. ```yaml http: middlewares: oidc-auth: plugin: traefik-oidc-auth: Provider: Url: "https://pocket-id.mydomain.com/" ClientId: "" ClientSecret: "" Scopes: ["openid", "profile", "email"] # "groups" also supported ``` -------------------------------- ### Add Custom Function to ajson Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Demonstrates how to add a new custom function named 'trim' to the ajson package. This function removes leading and trailing whitespace from a string node. ```go AddFunction("trim", func(node *ajson.Node) (result *Node, err error) { if node.IsString() { return StringNode("trim", strings.TrimSpace(node.MustString())), nil } return }) ``` -------------------------------- ### Configure OIDC Auth Middleware (YAML) Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/index.md Configure the OIDC authentication middleware using a YAML file. It is highly recommended to change the default encryption secret. ```yaml http: services: whoami: loadBalancer: servers: - url: http://whoami:80 middlewares: oidc-auth: plugin: traefik-oidc-auth: Secret: "MLFs4TT99kOOq8h3UAVRtYoCTDYXiRcZ" # Please change this secret for your setup Provider: Url: "https://" ClientId: "" ClientSecret: "" #UsePkce: true # Or use PKCE if your Provider supports this Scopes: ["openid", "profile", "email"] routers: whoami: entryPoints: ["web"] rule: "HostRegexp(`.+`)" service: whoami middlewares: ["oidc-auth"] ``` -------------------------------- ### Evaluate mathematical expression on piped input Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Pipe a number to ajson and evaluate a mathematical expression involving pi and the input value. ```shell echo "3" | ajson "2 * pi * $" ``` -------------------------------- ### Export Keycloak Master Realm Configuration Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/e2e/README.md Exports the current master realm configuration from a running Keycloak instance to a JSON file. ```bash docker compose exec -it keycloak /opt/keycloak/bin/kc.sh export --file /opt/keycloak/data/import/master-realm.json --realm master ``` -------------------------------- ### Evaluate JSON from URL with JSONPath Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Fetch JSON data from a URL and evaluate it using a JSONPath expression to calculate the average of registered ages. ```shell ajson "avg($..registered.age)" "https://randomuser.me/api/?results=5000" ``` -------------------------------- ### Run All Playwright Tests Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/e2e/README.md Executes all defined Playwright end-to-end tests. ```bash bunx playwright test ``` -------------------------------- ### YAML Header Configuration with Escaped Go-Templates Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/website/docs/getting-started/middleware-configuration.md Use this configuration when defining headers in Traefik's YAML configuration files. Go-templates must be escaped using backticks and outer curly braces. ```yaml Headers: - Name: "Authorization" Value: "{{`Bearer {{ .accessToken }}`}}" - Name: "X-Oidc-Username" Value: "{{`{{ .claims.preferred_username }}`}}" ``` -------------------------------- ### Add Custom Constant to Script Engine Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Demonstrates how to add a new constant to the script engine using the `AddConstant` function. This is useful for defining custom values that can be used within JSONPath expressions. ```go AddConstant("c", NumericNode("speed of light in vacuum", 299_792_458)) ``` -------------------------------- ### Process Docker logs with multiline JSON and filtering Source: https://github.com/sevensolutions/traefik-oidc-auth/blob/main/vendor/github.com/spyzhov/ajson/README.md Filter Docker logs for 'ERROR' messages with severity using multiline input and quiet mode. ```shell docker logs image-name -f | ajson -qm 'root($[?(@=="ERROR" && key(@)=="severity")])' ```