A minimal service that provides authentication and SSO with OAuth2, OpenID Connect, and Tailscale Whois, for the Traefik reverse proxy.

This project began as a fork of thomseddon/traefik-forward-auth. Since version 3, it has been completely rewritten and is not compatible with the upstream project anymore.

• Supports authentication with Google, Microsoft Entra ID (formerly Azure AD), GitHub, and generic OpenID Connect providers (including Auth0, Okta, etc).
• Single Sign-On with Tailscale Whois (similarly to Tailscale's nginx-auth)
• Protect multiple Traefik services with a single instance of traefik-forward-auth.

The Docker image is available on GitHub Packages. Container images are multi-arch and run on linux/amd64, linux/arm64, and linux/arm/v7.

Using the 3 tag is recommended:

ghcr.io/italypaleale/traefik-forward-auth:3

You can also pin to the latest patch release as found in the Releases page:

ghcr.io/italypaleale/traefik-forward-auth:3.x.x

• 🚀 Quickstart
  • Authenticate with Google
  • Authenticate with Tailscale
• ⚙️ Configuration
  • Configuring Traefik Forward Auth
  • Exposing Traefik Forward Auth
• 📖 All configuration options
• 🔑 Authentication providers
  • GitHub
  • Google
  • Microsoft Entra ID
  • Other OpenID Connect providers
  • Tailscale Whois
• 🎓 Advanced configuration
  • Configure health checks
  • Metrics
  • Token signing keys
  • Configure session lifetime
  • Security hardening
• 📍 Endpoints
  • Profile route
  • APIs