traefik-forward-auth fails to fetch provider configuration  #106

@alexsoin

When using traefik-forward-auth with Keycloak and Traefik in a Docker Compose setup, the logs show the following error:

# docker logs traefik-forward-auth
time="2025-01-06T20:49:25Z" level=fatal msg="failed to get provider configuration for https://authsite.com/realms/traefik: Get \"https://authsite.com/realms/traefik/.well-known/openid-configuration\": dial tcp 127.0.0.1:443: connect: connection refused (hint: make sure https://authsite.com/realms/traefik is accessible from the cluster)"

Observations

  • When testing the Keycloak endpoint directly with curl, the correct JSON response is returned.
  • The traefik-forward-auth container is running in the same intranet network as Traefik and Keycloak.
  • DISABLE_SSL_VERIFICATION=true is set, and other related configurations appear valid.

Relevant Configuration

Below is the configuration used for the traefik-forward-auth service in docker-compose.yml:

traefik-forward-auth:
    image: mesosphere/traefik-forward-auth
    container_name: traefik-forward-auth
    restart: on-failure
    depends_on:
      - traefik
      - keycloak
    environment:
      - TZ=${TZ}
      - SECRET=${FORWARD_AUTH_SECRET}
      - PROVIDER_URI=${FORWARD_AUTH_PROVIDER_URI}
      - CLIENT_ID=${FORWARD_AUTH_CLIENT_ID}
      - CLIENT_SECRET=${FORWARD_AUTH_CLIENT_SECRET}
      - ENCRYPTION_KEY=${FORWARD_AUTH_ENCRYPTION_KEY}
      - DISABLE_SSL_VERIFICATION=true # might be unnecessary
      - SCOPE=profile email openid
    networks:
      - intranet
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=intranet"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
      - "traefik.http.routers.traefik-forward-auth.entrypoints=websecure"
      - "traefik.http.routers.traefik-forward-auth.middlewares=forwardauth"
      - "traefik.http.middlewares.forwardauth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.forwardauth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.middlewares.forwardauth.forwardauth.trustForwardHeader=true"

Expected Behavior

The traefik-forward-auth service should successfully fetch the OpenID configuration from the Keycloak provider.

Actual Behavior

The traefik-forward-auth container fails to fetch the OpenID configuration, resulting in the error mentioned above.
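
The fatal line quoted above records the address that was actually dialed (127.0.0.1:443), so the failure can be triaged from the log alone. The following is an added example, not part of the original issue or the project's code; `diagnose` and its verdict strings are hypothetical names, and the handling of IPv6 and non-loopback addresses goes beyond the single case in the log.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Fatal line copied from the `docker logs` output in the issue.
SAMPLE = r'''time="2025-01-06T20:49:25Z" level=fatal msg="failed to get provider configuration for https://authsite.com/realms/traefik: Get \"https://authsite.com/realms/traefik/.well-known/openid-configuration\": dial tcp 127.0.0.1:443: connect: connection refused (hint: make sure https://authsite.com/realms/traefik is accessible from the cluster)"'''

# Go's net/http error shape: Get "<url>": dial tcp <ip>:<port>: <reason>
# (quotes may be backslash-escaped inside the logged msg="..." field).
DIAL_RE = re.compile(
    r'Get \\?"(?P<url>[^"\\]+)\\?": dial tcp '
    r'(?P<ip>\[[0-9A-Fa-f:.]+\]|[0-9.]+):(?P<port>\d+): (?P<err>[^("]+)'
)


def diagnose(line):
    """Return what the client dialed and a triage verdict, or None if the
    line carries no dialed address (e.g. a DNS lookup failure)."""
    m = DIAL_RE.search(line)
    if m is None:
        return None
    ip = ipaddress.ip_address(m["ip"].strip("[]"))
    if ip.is_loopback:
        # Inside a container, loopback is the container itself, so the
        # provider hostname resolved to an address where nothing listens.
        verdict = "resolved-to-loopback"
    elif ip.is_private:
        verdict = "private-address-unreachable"
    else:
        verdict = "public-address-unreachable"
    return {
        "host": urlsplit(m["url"]).hostname,
        "ip": str(ip),
        "port": int(m["port"]),
        "error": m["err"].strip(),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A `resolved-to-loopback` verdict points at name resolution inside the container rather than at TLS, so `DISABLE_SSL_VERIFICATION` has no bearing on this error.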
