Add Remote-User authentication from mTLS with headers

This commit is contained in:
JuliusFreudenberger 2026-01-09 22:01:10 +01:00
parent b65effa878
commit a70450af2a


@ -75,6 +75,27 @@ in {
description = "Whether to allow bypassing OIDC protection when a verified client certificate is presented."; description = "Whether to allow bypassing OIDC protection when a verified client certificate is presented.";
type = lib.types.bool; type = lib.types.bool;
}; };
useClaimsFromUserInfo = lib.mkOption {
default = false;
description = "When enabled, an additional request to the provider's userinfo_endpoint is made to validate the token and to retrieve additional claims. The userinfo claims are merged directly into the token claims, with userinfo values overriding token values for non-security-critical claims.";
type = lib.types.bool;
};
headers = lib.mkOption {
default = [];
description = "Headers to be added to the upstream request. Templating is possible. Documentation can be found here: https://traefik-oidc-auth.sevensolutions.cc/docs/getting-started/middleware-configuration";
type = lib.types.listOf (lib.types.submodule {
options = {
Name = lib.mkOption {
description = "The name of the header which should be added to the upstream request.";
type = lib.types.str;
};
Value = lib.mkOption {
description = "The value of the header, which can use Go-Templates.";
type = lib.types.str;
};
};
});
};
}; };
} }
); );
@ -90,7 +111,7 @@ in {
"--providers.docker.exposedByDefault=false" "--providers.docker.exposedByDefault=false"
"--providers.docker.network=traefik" "--providers.docker.network=traefik"
"--providers.file.directory=/dynamic-config" "--providers.file.directory=/dynamic-config"
"--log.level=DEBUG" "--log.level=INFO"
"--api=true" "--api=true"
"--ping=true" "--ping=true"
"--entrypoints.web.address=:80" "--entrypoints.web.address=:80"
@ -143,11 +164,14 @@ in {
ClientId = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_PROVIDER_CLIENT_ID" }}''; ClientId = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_PROVIDER_CLIENT_ID" }}'';
ClientSecret = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_PROVIDER_CLIENT_SECRET" }}''; ClientSecret = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_PROVIDER_CLIENT_SECRET" }}'';
UsePkce = oidcClientConfig.usePkce; UsePkce = oidcClientConfig.usePkce;
UseClaimsFromUserInfo = oidcClientConfig.useClaimsFromUserInfo;
}; };
Scopes = oidcClientConfig.scopes; Scopes = oidcClientConfig.scopes;
LoginUrl = ''{{ env "OIDC_AUTH_PROVIDER_URL" }}''; LoginUrl = ''{{ env "OIDC_AUTH_PROVIDER_URL" }}'';
} // (lib.attrsets.optionalAttrs oidcClientConfig.enableBypassUsingClientCertificate { } // (lib.attrsets.optionalAttrs oidcClientConfig.enableBypassUsingClientCertificate {
BypassAuthenticationRule = "HeaderRegexp(`X-Forwarded-Tls-Client-Cert`, `.+`)"; BypassAuthenticationRule = "HeaderRegexp(`X-Forwarded-Tls-Client-Cert`, `.+`)";
}) // (lib.attrsets.optionalAttrs ((lib.length oidcClientConfig.headers) > 0) {
Headers = oidcClientConfig.headers;
}); });
} }
) cfg.oidcClients; ) cfg.oidcClients;
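Review bot: The new `headers` option (L19–L34, wired into the middleware at L56–L57) lets templated identity headers such as Remote-User be added to the upstream request, but nothing in the hunk shows that a client-supplied header of the same name is stripped or overwritten, which matters because the same middleware config also carries `BypassAuthenticationRule` on the pre-existing client-certificate bypass path, and the commit title suggests the header is used for authentication in exactly that mTLS case. If traefik-oidc-auth does not unconditionally overwrite the configured header names on every request it passes through (including bypassed ones — I cannot confirm this from the hunk), a caller could present its own Remote-User value and the upstream would have no way to tell it apart from one the middleware set. I would at least record the trust boundary in the option description, e.g. append to L21: `Upstreams must only trust these headers when they are reachable exclusively through this Traefik instance; verify that the middleware overwrites client-supplied headers of the same name, including on requests matched by the client-certificate bypass rule.` Since the description of `useClaimsFromUserInfo` (L16) says userinfo values override token values for non-security-critical claims, templates that derive Remote-User from a user-editable claim such as a display name or unverified email should prefer a stable identifier like `sub`, and that caveat belongs in the `Value` description at L29. The submodule and the middleware mapping both begin before and continue after this section, so the bypass rule's surrounding logic is only partly visible here.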