Repository template taken from traefik/plugindemo.
Traefik has a built-in ForwardAuth middleware that delegates authentication to an external service: the original request is performed only if the authentication service returns a 2XX code.
This means ForwardAuth expects the upstream authentication service to complete the entire authentication flow, including managing success and failure redirects. However, vouch does not perform any redirects; it returns 401 Unauthorized and leaves the redirect to the caller. Originally, ingress-nginx had annotations that allowed catching the 401 and then issuing the correct redirect to vouch to start the login request: `https://vouch.yourdomain.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err`.
```yaml
# Traefik static configuration: load the plugin
experimental:
  plugins:
    traefik-vouch:
      moduleName: github.com/assetnote/traefik-vouch-plugin
      version: v0.1.0
```

```yaml
# Middleware resource. Traefik's Middleware CRD expects plugin settings
# under spec.plugin.<plugin name>.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: vouch-auth
  namespace: traefik
spec:
  plugin:
    traefik-vouch:
      AuthAddress: https://vouch.x.com/validate
      SignInURL: https://vouch.x.com/login?url={{.URL}}&vouch-failcount={{.FailCount}}&vouch-err={{.Error}}&X-Vouch-Token={{.Token}}
```
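
The sketch below shows how a `SignInURL` template like the one above can be rendered into a redirect target after a 401 from the validate endpoint. It is an added example, not this plugin's source code. The helper names, the use of `text/template`, and the `X-Vouch-Failcount`, `X-Vouch-Err` and `X-Vouch-JWT` response header names are assumptions. Each value is query-escaped before substitution so the original URL's own `&` and `?` stay inside the `url` parameter.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"text/template"
)

// signInData mirrors the placeholders used in the SignInURL setting.
type signInData struct{ URL, FailCount, Error, Token string }

// originalURL rebuilds the URL the client asked for. Trusting
// X-Forwarded-Proto is an assumption: the proxy itself must set it.
func originalURL(r *http.Request) string {
	scheme := "https"
	if p := r.Header.Get("X-Forwarded-Proto"); p == "http" || p == "https" {
		scheme = p
	}
	return scheme + "://" + r.Host + r.URL.RequestURI()
}

// signInLocation renders the template after query-escaping every value, so
// a "&" or "#" in the original URL or in an error string cannot add or
// truncate parameters of the login request.
func signInLocation(tmplText string, r *http.Request, auth http.Header) (string, error) {
	t, err := template.New("signin").Parse(tmplText)
	if err != nil {
		return "", err
	}
	d := signInData{
		URL:       url.QueryEscape(originalURL(r)),
		FailCount: url.QueryEscape(auth.Get("X-Vouch-Failcount")), // assumed header names
		Error:     url.QueryEscape(auth.Get("X-Vouch-Err")),
		Token:     url.QueryEscape(auth.Get("X-Vouch-JWT")),
	}
	var b strings.Builder
	if err := t.Execute(&b, d); err != nil {
		return "", err
	}
	return b.String(), nil
}

func main() {
	// Constructed request and validate-response headers.
	r, _ := http.NewRequest("GET", "http://app.x.com/a?b=1&c=2", nil)
	auth := http.Header{}
	auth.Set("X-Vouch-Err", "no token")
	fmt.Println(signInLocation("https://vouch.x.com/login?url={{.URL}}&vouch-err={{.Error}}", r, auth))
}
```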