Description
When using traefik-forward-auth with Keycloak and Traefik in a Docker Compose setup, the logs show the following error:

# docker logs traefik-forward-auth
time="2025-01-06T20:49:25Z" level=fatal msg="failed to get provider configuration for https://authsite.com/realms/traefik: Get \"https://authsite.com/realms/traefik/.well-known/openid-configuration\": dial tcp 127.0.0.1:443: connect: connection refused (hint: make sure https://authsite.com/realms/traefik is accessible from the cluster)"

Observations
- When testing the Keycloak endpoint directly with curl, the correct JSON response is returned.
- The traefik-forward-auth container is running in the same intranet network as Traefik and Keycloak. DISABLE_SSL_VERIFICATION=true is set, and other related configurations appear valid.
Relevant Configuration
Below is the configuration used for the traefik-forward-auth service in docker-compose.yml:

traefik-forward-auth:
  image: mesosphere/traefik-forward-auth
  container_name: traefik-forward-auth
  restart: on-failure
  depends_on:
    - traefik
    - keycloak
  environment:
    - TZ=${TZ}
    - SECRET=${FORWARD_AUTH_SECRET}
    - PROVIDER_URI=${FORWARD_AUTH_PROVIDER_URI}
    - CLIENT_ID=${FORWARD_AUTH_CLIENT_ID}
    - CLIENT_SECRET=${FORWARD_AUTH_CLIENT_SECRET}
    - ENCRYPTION_KEY=${FORWARD_AUTH_ENCRYPTION_KEY}
    - DISABLE_SSL_VERIFICATION=true # might be unnecessary
    - SCOPE=profile email openid
  networks:
    - intranet
  labels:
    - "traefik.enable=true"
    - "traefik.docker.network=intranet"
    - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
    - "traefik.http.routers.traefik-forward-auth.entrypoints=websecure"
    - "traefik.http.routers.traefik-forward-auth.middlewares=forwardauth"
    - "traefik.http.middlewares.forwardauth.forwardauth.address=http://traefik-forward-auth:4181"
    - "traefik.http.middlewares.forwardauth.forwardauth.authResponseHeaders=X-Forwarded-User"
    - "traefik.http.middlewares.forwardauth.forwardauth.trustForwardHeader=true"

Expected Behavior
The traefik-forward-auth service should successfully fetch the OpenID configuration from the Keycloak provider.
Actual Behavior
The traefik-forward-auth container fails to fetch the OpenID configuration, resulting in the error mentioned above.
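
Added example, not part of the original report and not code from traefik-forward-auth: a small Python triage helper that reads the fatal log line quoted above and reports which address was actually dialed and at which stage the connection failed. The function names are hypothetical; `resolve_from_here` is meant to be run inside the container's network namespace so its answer can be compared with the host-side curl result.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Log line copied from the report above (logrus escapes the inner quotes).
LOG_LINE = r'time="2025-01-06T20:49:25Z" level=fatal msg="failed to get provider configuration for https://authsite.com/realms/traefik: Get \"https://authsite.com/realms/traefik/.well-known/openid-configuration\": dial tcp 127.0.0.1:443: connect: connection refused (hint: make sure https://authsite.com/realms/traefik is accessible from the cluster)"'

# Go net/http error shape: Get "<url>": dial tcp <ip>:<port>: <reason>
DIAL_RE = re.compile(
    r'Get \\?"(?P<url>https?://[^"\\]+)\\?": '
    r'dial tcp (?P<ip>[0-9a-fA-F.:\[\]]+):(?P<port>\d+): (?P<reason>[^("]+)')

def parse_dial_error(line):
    """Return the requested host, the address dialed, the port and the failure reason."""
    m = DIAL_RE.search(line)
    if m is None:
        return None
    return {"host": urlsplit(m["url"]).hostname,
            "ip": ipaddress.ip_address(m["ip"].strip("[]")),
            "port": int(m["port"]),
            "reason": m["reason"].strip()}

def diagnose(line):
    """Turn one dial error into findings about name resolution and failure stage."""
    err = parse_dial_error(line)
    if err is None:
        return []
    findings = []
    if err["ip"].is_loopback:
        # Inside a container, loopback is the container itself, not the provider.
        findings.append(f"request for {err['host']} was dialed at loopback "
                        f"{err['ip']}:{err['port']}")
    if "connection refused" in err["reason"]:
        # A refused TCP connect happens before the TLS handshake starts.
        findings.append("failure is at TCP connect, before TLS; certificate "
                        "verification settings do not affect it")
    return findings

def resolve_from_here(host, port=443, resolver=socket.getaddrinfo):
    """Addresses this process would dial for host, as seen from where it runs."""
    infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    for finding in diagnose(LOG_LINE):
        print(finding)
```
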