Securing a sub route

[rltbg]

Hi! I was looking through the documentation here and I had a question regarding the callback configuration while securing a sub route.

Would it be possible to support a CallbackUri that can be set under a specific sub-route, so that the redirect and subsequent return stay within that sub-route?

For example, let’s say I want to secure the route /secure, which hosts a complete application. Ideally, the callback could then be /secure/oidc/callback instead of /oidc/callback. This way, after authentication, I’d be redirected back into /secure directly, without affecting other routes.

The main benefit would be in cases where multiple apps are hosted on different sub-routes (e.g. /secure, /dashboard, etc.), allowing each one to handle its own callback in isolation, without interfering with the others.

I’ve already tried a Kubernetes configuration following that idea:

apiVersion: traefik.io/v1alpha1
kind: Middleware
spec:
  plugin:
    traefik-oidc-auth:
      CallbackUri: ${DEPLOY_CALLBACK_URI}
      Provider:
        ClientId: ${DEPLOY_OIDC_CLIENT_ID}
        ClientSecret: "urn:k8s:secret:oidc-config:client-secret"
        Url: ${DEPLOY_KEYCLOAK_REALM_URL}
        UsePkce: true
        ValidAudience: "account"
      Scopes: ["openid", "profile", "email"]
      Secret: "urn:k8s:secret:oidc-config:cipher-secret"
      SessionCookie:
        Domain: ${DEPLOY_FQDN}
        Path: "/hub"
        
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`${DEPLOY_FQDN}`) && PathPrefix(`/hub`)
      kind: Rule
      middlewares:
        - name: traefik-oidc

However, when I test this setup, the login flow ends with a 502 error, and I never get redirected back into the app. This makes me think that handling callbacks under sub-routes is not (yet) supported by the plugin.

Would this be something possible to implement, or is there a limitation preventing it?

[sevensolutions]

Hi @rltbg
it should be possible if you do:

CallbackUri: "/secure/oidc/callback"

Constraining the session cookie to /secure is optional, but also possible:

SessionCookie:
  Path: "/secure"

[rltbg]

Thanks for your reply. I tried the suggested solution, but I’m still facing the same issue: it looks like Traefik is misinterpreting the configuration, and I keep getting a 502 error.

It still shows Keycloak’s URL instead of the one that was expected.

Config looks like this

  plugin:
    traefik-oidc-auth:
      CallbackUri: /secure/oidc/callback
      Provider:
        ClientId: secure_hub
        ClientSecret: urn:k8s:secret:oidc-config:client-secret
        Url: https://auth.example.com/realms/test
        UsePkce: false
        ValidAudience: account
      Scopes:
      - openid
      - profile
      - email
      Secret: urn:k8s:secret:oidc-config:cipher-secret
      SessionCookie:
        Path: /secure

[sevensolutions]

Do you have an Nginx in front of your keycloak?
Because we had a similar error when the header or buffer size was to small.
But the error page doesnt look like Nginx.
So i guess it really comming from Keycloak?

This happens after you have entered your credentials or before?

[rltbg]

Error happens after I log in. It is the redirection after logging in that breaks.
I don't have anything in front of my Keycloak server, only Traefik serving it.
Keycloak doesn't show anything in logs, i checked users events and it only shows my user logged in correctly without any issue.

[rltbg]

I checked traefik logs and i saw another problem that I wasn't getting before :

2025-08-29 15:38:48	2025-08-29 13:38:48 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://auth.example.com/realms/test/protocol/openid-connect/auth
2025-08-29 15:38:44	2025-08-29 13:38:44 [ERROR] [traefik-oidc-auth] exchangeAuthCode: received bad HTTP response from Provider: {"error":"invalid_grant","error_description":"Code not valid"}
2025-08-29 15:38:44	2025-08-29 13:38:44 [ERROR] [traefik-oidc-auth] Exchange Auth Code: invalid status code
2025-08-29 15:38:38	2025-08-29 13:38:38 [ERROR] [traefik-oidc-auth] exchangeAuthCode: received bad HTTP response from Provider: {"error":"invalid_grant","error_description":"Code not valid"}
2025-08-29 15:38:38	2025-08-29 13:38:38 [ERROR] [traefik-oidc-auth] Exchange Auth Code: invalid status code
2025-08-29 15:38:37	2025-08-29 13:38:37 [ERROR] [traefik-oidc-auth] exchangeAuthCode: received bad HTTP response from Provider: {"error":"invalid_grant","error_description":"Code not valid"}
2025-08-29 15:38:37	2025-08-29 13:38:37 [ERROR] [traefik-oidc-auth] Exchange Auth Code: invalid status code
2025-08-29 15:38:36	2025-08-29 13:38:36 [ERROR] [traefik-oidc-auth] Failed to parse token: token has invalid claims: token has invalid audience
2025-08-29 15:38:36	2025-08-29 13:38:36 [ERROR] [traefik-oidc-auth] Returned token is not valid: token has invalid claims: token has invalid audience
2025-08-29 15:38:29	2025-08-29 13:38:29 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://auth.example.com/realms/test/protocol/openid-connect/auth
2025-08-29 15:38:29	2025-08-29 13:38:29 [INFO] [traefik-oidc-auth] Verifying token: unable to read session cookie: named cookie not present

2025-08-29 15:38:48 2025-08-29 13:38:48 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://auth.example.com/realms/test/protocol/openid-connect/auth
2025-08-29 15:38:44 2025-08-29 13:38:44 [ERROR] [traefik-oidc-auth] exchangeAuthCode: received bad HTTP response from Provider: {"error":"invalid_grant","error_description":"Code not valid"}
2025-08-29 15:38:44 2025-08-29 13:38:44 [ERROR] [traefik-oidc-auth] Exchange Auth Code: invalid status code
2025-08-29 15:38:38 2025-08-29 13:38:38 [ERROR] [traefik-oidc-auth] exchangeAuthCode: received bad HTTP response from Provider: {"error":"invalid_grant","error_description":"Code not valid"}
2025-08-29 15:38:38 2025-08-29 13:38:38 [ERROR] [traefik-oidc-auth] Exchange Auth Code: invalid status code
2025-08-29 15:38:37 2025-08-29 13:38:37 [ERROR] [traefik-oidc-auth] exchangeAuthCode: received bad HTTP response from Provider: {"error":"invalid_grant","error_description":"Code not valid"}
2025-08-29 15:38:37 2025-08-29 13:38:37 [ERROR] [traefik-oidc-auth] Exchange Auth Code: invalid status code
2025-08-29 15:38:36 2025-08-29 13:38:36 [ERROR] [traefik-oidc-auth] Failed to parse token: token has invalid claims: token has invalid audience
2025-08-29 15:38:36 2025-08-29 13:38:36 [ERROR] [traefik-oidc-auth] Returned token is not valid: token has invalid claims: token has invalid audience
2025-08-29 15:38:29 2025-08-29 13:38:29 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://auth.example.com/realms/test/protocol/openid-connect/auth
2025-08-29 15:38:29 2025-08-29 13:38:29 [INFO] [traefik-oidc-auth] Verifying token: unable to read session cookie: named cookie not present