Init traefik auth proxy

Author: r-brown

traefik-auth-proxy/Dockerfile

@@ -0,0 +1,33 @@
+FROM python:3-alpine
+
+# Define build arguments
+ARG USER_ID=1064
+ARG GROUP_ID=1064
+ARG USER_NAME=l64user
+ARG GROUP_NAME=l64group
+
+# Create group and user with the specified IDs
+RUN addgroup -g ${GROUP_ID} ${GROUP_NAME} && \
+    adduser -D -u ${USER_ID} -G ${GROUP_NAME} ${USER_NAME}
+
+# Set working directory
+WORKDIR /home/${USER_NAME}
+
+# Copy the requirements file into the container at the working directory
+COPY --chown=${USER_NAME}:${GROUP_NAME} requirements.txt .
+
+# Copy the main FastAPI application file
+COPY --chown=${USER_NAME}:${GROUP_NAME} traefik-auth-proxy.py .
+
+# Install any needed packages specified in requirements.txt
+RUN python -m pip install --upgrade pip && \
+    pip install --no-cache-dir -r requirements.txt
+
+# Make port 8081 available outside this container
+EXPOSE 8081
+
+# Set user context
+USER ${USER_NAME}
+
+# Run the FastAPI application using Uvicorn
+CMD ["uvicorn", "traefik-auth-proxy:app", "--host", "0.0.0.0", "--port", "8081"]

traefik-auth-proxy/README.md

@@ -0,0 +1,45 @@
+<p align="center"><img src="https://raw.githubusercontent.com/Labs64/.github/refs/heads/master/assets/labs64-io-ecosystem.png"></p>
+
+## Traefik Auth (M2M) Middleware
+
+This repository contains a custom Traefik ForwardAuth middleware. The middleware is designed to verify M2M (Machine-to-Machine) JWT tokens issued by Keycloak and enforce path-based role-based access control (RBAC) for microservices deployed on Kubernetes.
+
+It receives incoming requests from Traefik, validates the JWT token, extracts user roles, and checks them against a configurable path/role mapping. If the request is authorized, it allows Traefik to forward the request to the backend service. Otherwise, it returns a `401 Unauthorized` or `403 Forbidden` response.
+
+## Features
+
+- JWT Verification: Validates tokens issued by Keycloak using public keys from the `.well-known` endpoint.
+- Role-Based Access Control (RBAC): Enforces access based on roles assigned to the user/client.
+- Configurable Role Mapping: Allows administrators to define a mapping of URL paths to required roles.
+- FastAPI Backend: A lightweight and performant backend for handling authentication logic.
+
+## Prerequisites
+
+- A running Kubernetes cluster.
+- Traefik installed as an Ingress Controller in your cluster.
+- A configured Keycloak instance.
+- Docker for building the middleware container image.
+
+## Configuration
+
+The middleware is configured using environment variables.
+
+- `KEYCLOAK_URL`: The base URL of your Keycloak instance (e.g., http://keycloak.default.svc.cluster.local:8080).
+- `KEYCLOAK_REALM`: The name of the realm in Keycloak (e.g., labs64io).
+- `KEYCLOAK_AUDIENCE`: The audience claim to verify in the JWT (e.g., labs64io_client).
+- `ROLE_MAPPING`: A JSON string defining the path-to-role mapping. This can be passed as a ConfigMap in a production environment.
+
+## Usage
+
+- Once deployed, Traefik will intercept any request to *whoami.example.com* and forward it to the auth-middleware for authentication.
+- For a request to be successful, it must include a valid JWT in the Authorization header with the format `Bearer <token>`. The roles contained in the JWT must match the required roles for the requested path as defined in your role mapping.
+- The role mapping is a key part of the middleware's logic. You would define a dictionary that maps a path prefix to a list of required roles.
+
+### For example:
+
+- A request to `/api/admin` would require the `admin` role.
+- A request to `/api/users` would require either the `user` or `admin` role.
+
+## License
+
+This project is licensed under the MIT License.

traefik-auth-proxy/justfile

@@ -0,0 +1,34 @@
+APP_NAME := "traefik-auth-proxy"
+
+# build application
+docker:
+    docker build -t {{APP_NAME}}:latest .
+    docker tag {{APP_NAME}}:latest localhost:5005/{{APP_NAME}}:latest
+    docker push localhost:5005/{{APP_NAME}}:latest
+    docker images | grep "{{APP_NAME}}"
+
+# run docker image
+run: docker
+    docker run -p 8081:8081 \
+      -e KEYCLOAK_URL="http://keycloak.localhost" \
+      -e KEYCLOAK_REALM="labs64io" \
+      -e KEYCLOAK_AUDIENCE="labs64io" \
+      {{APP_NAME}}:latest
+
+# open documentation
+docu:
+    open "http://localhost:8081/redoc"
+    open "http://localhost:8081/docs"
+
+
+# open Keycloak well-known configuration
+test_show_well_known:
+    open "http://keycloak.localhost/realms/labs64io/.well-known/openid-configuration"
+
+# generate JWT token
+test_generate_jwt_token:
+    curl --location --request POST 'http://keycloak.localhost/realms/labs64io/protocol/openid-connect/token' \
+    --header 'Content-Type: application/x-www-form-urlencoded' \
+    --data-urlencode 'grant_type=client_credentials' \
+    --data-urlencode 'client_id=labs64io-api-gateway' \
+    --data-urlencode 'client_secret=mTEqlt1dDzcVyEOzFjBZV4X8jvEkaQnc'

traefik-auth-proxy/requirements.txt

@@ -0,0 +1,4 @@
+fastapi==0.116.1
+uvicorn==0.35.0
+python-jose==3.5.0
+requests==2.32.4

traefik-auth-proxy/traefik-auth-proxy.py

@@ -0,0 +1,192 @@
+# filename: main.py
+import os
+import json
+import requests
+from typing import Dict, List, Any
+import logging
+
+# Third-party imports
+from fastapi import FastAPI, Request, HTTPException, status
+from jose import jwt, jwk
+from jose.exceptions import ExpiredSignatureError, JWTError
+
+# --- Configuration ---
+KEYCLOAK_URL = os.getenv("KEYCLOAK_URL", "http://keycloak:8080")
+KEYCLOAK_REALM = os.getenv("KEYCLOAK_REALM", "my_realm")
+KEYCLOAK_AUDIENCE = os.getenv("KEYCLOAK_AUDIENCE", "my_client")
+
+# --- Path-to-role mapping ---
+ROLE_MAPPING: Dict[str, List[str]] = {
+    "/api/admin": ["admin-role"],
+    "/api/manager": ["manager-role", "admin-role"],
+    "/api/public": ["authenticated-user"], # Anyone with a valid token
+    "/api/v2/special": ["special-role"]
+}
+
+# JWKS Cache
+JWKS_CACHE: Dict[str, Any] = {}
+
+# Configure logging
+logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
+app_logger = logging.getLogger(__name__)
+
+app = FastAPI(
+    title="Traefik Auth (M2M) Middleware",
+    description="Custom Traefik ForwardAuth service to verify Keycloak JWT tokens and enforce role-based access control.",
+    version="1.0.0"
+)
+
+# --- JWKS and JWT Validation Functions ---
+def get_jwks() -> Dict[str, Any]:
+    """
+    Fetches and caches the public keys (JWKS) from the Keycloak server.
+    """
+    global JWKS_CACHE
+    if not JWKS_CACHE:
+        jwks_url = f"{KEYCLOAK_URL}/realms/{KEYCLOAK_REALM}/protocol/openid-connect/certs"
+        app_logger.info(f"get_jwks::jwks_url: {jwks_url}")
+        try:
+            response = requests.get(jwks_url, timeout=5)
+            app_logger.info(f"get_jwks::response: {response}")
+            response.raise_for_status()
+            JWKS_CACHE = response.json()
+        except requests.exceptions.RequestException as e:
+            app_logger.error(f"get_jwks: '{str}': {e}")
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail=f"Could not fetch JWKS from Keycloak: {e}"
+            )
+    app_logger.info(f"get_jwks::JWKS_CACHE: {JWKS_CACHE}")
+    return JWKS_CACHE
+
+def get_public_key(kid: str) -> str:
+    """
+    Extracts the public key from the JWKS cache using the key ID (kid).
+    """
+    jwks = get_jwks()
+    keys = jwks.get("keys", [])
+    for key in keys:
+        if key.get("kid") == kid:
+            return json.dumps(key)
+    raise HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="No public key found for the given kid in the JWT header"
+    )
+
+def verify_token(token: str) -> Dict[str, Any]:
+    """
+    Verifies the JWT token and returns its payload if valid.
+    """
+    try:
+        # Get the key ID from the token header to find the right public key.
+        unverified_header = jwt.get_unverified_header(token)
+        kid = unverified_header.get("kid")
+        app_logger.info(f"verify_token::unverified_header: {unverified_header}")
+        if not kid:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="JWT header is missing 'kid' claim"
+            )
+
+        public_key_json = get_public_key(kid)
+        public_key = jwk.JWK.from_json(public_key_json).public_key()
+
+        # Decode and verify the token.
+        # Keycloak JWTs use RS256 algorithm.
+        payload = jwt.decode(
+            token,
+            public_key,
+            algorithms=["RS256"],
+            audience=KEYCLOAK_AUDIENCE,
+            options={"verify_aud": True, "verify_signature": True}
+        )
+        return payload
+    except ExpiredSignatureError:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Token has expired"
+        )
+    except JWTError as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=f"Invalid token: {e}"
+        )
+    except Exception as e:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail=f"An error occurred during token validation: {e}"
+        )
+
+# --- FastAPI Endpoint for Traefik ForwardAuth ---
+@app.get("/auth")
+@app.post("/auth")
+async def authenticate(request: Request):
+    """
+    Endpoint for Traefik's ForwardAuth middleware.
+    Authenticates the request and authorizes based on path and roles.
+    """
+    auth_header = request.headers.get("Authorization")
+    if not auth_header or not auth_header.startswith("Bearer "):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Authorization header is missing or malformed"
+        )
+
+    token = auth_header.split(" ")[1]
+    app_logger.info(f"Parsed token: {token}")
+
+    # Verify the JWT token
+    payload = verify_token(token)
+    app_logger.info(f"Payload: {payload}")
+
+    # Extract roles from the token. Keycloak typically puts roles under
+    # realm_access.roles or resource_access.<client_id>.roles.
+    token_roles = set()
+    realm_access = payload.get("realm_access", {})
+    if realm_access and isinstance(realm_access, dict):
+        token_roles.update(realm_access.get("roles", []))
+
+    resource_access = payload.get("resource_access", {})
+    client_roles = resource_access.get(KEYCLOAK_AUDIENCE, {}).get("roles", [])
+    token_roles.update(client_roles)
+
+    if not token_roles:
+        # A valid token with no roles might not be enough for any path.
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Token does not contain any roles"
+        )
+
+    # Get the request path from the Traefik header
+    forwarded_uri = request.headers.get("X-Forwarded-Uri", "/")
+
+    # Find the required roles for the current path
+    required_roles: List[str] = []
+    # Find the most specific match for the path
+    best_match = ""
+    for path_prefix, roles in ROLE_MAPPING.items():
+        if forwarded_uri.startswith(path_prefix) and len(path_prefix) > len(best_match):
+            best_match = path_prefix
+            required_roles = roles
+
+    # If no matching path is found in the mapping, assume it's unauthorized
+    if not required_roles:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=f"Path '{forwarded_uri}' is not configured for access control"
+        )
+
+    # Check if the user has any of the required roles
+    if not token_roles.intersection(required_roles):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=f"Insufficient permissions. Required roles: {required_roles}"
+        )
+
+    # If all checks pass, return a 200 OK.
+    return {
+        "message": "Authentication successful",
+        "user_id": payload.get("sub"),
+        "roles": list(token_roles)
+    }
+