PAT with traefik
Hi, I use traefik as reverse proxy and want to use Zitadel for authorization stuff.
I have some third-party services I want to protect with Zitadel, which don't have OIDC capabilities.
For the web based services I could make it work with oauth2proxy.
One of the clients I use sends a bearer token to the API endpoint of a service, and I hoped to be able to use service users with PATs for this. I was trying to also use oauth2proxy for this, but I always get unauthorized.
In Zitadel, I set up an API app with basic authentication and created a service user with a PAT.
Calling the introspect endpoint of the API app does validate the token as active. oauth2proxy probably does not call the introspect endpoint correctly.
5 Replies
Hey @Weltenbrand, could you clarify where you'd like support?
Let me know if you've checked out the following doc as well: https://zitadel.com/docs/examples/identity-proxy/oauth2-proxy
Hi. No, I did not know the guide, but my setup for the web apps with oauth2proxy is basically the same and running.
I need help setting up a PAT (or API key, or however one would like to call it) authentication/authorization for an API where the protected app does not have a native interface for an identity provider. It does not have to be a PAT, just something I can pass through a Bearer header and that can be granted/revoked. It does not have to be through oauth2proxy; a similar service for tokens would be great.
I guessed that I am not the first who wants to implement something like this and hoped someone already has a solution.
I solved it now with a proxy service between traefik and zitadel which reads the bearer token from a forwardAuth and sends it to the introspection endpoint of zitadel.
Thanks for sharing this outcome!
For whom it is of interest: https://gitlab.com/helper5214048/token-proxy
Nice, thanks for sharing!
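The approach described in this thread (a small service behind Traefik's forwardAuth that passes the bearer token to ZITADEL's introspection endpoint) can look like the following. This is an added example, not the code from the linked token-proxy repository; the issuer URL, the credentials, port 4181 and the `X-Auth-Subject` header name are assumptions.

```python
import base64, json, os, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed placeholders: ZITADEL issuer URL and the API app's Basic credentials.
ISSUER = os.environ.get("ZITADEL_ISSUER", "https://zitadel.example.com")
CLIENT_ID = os.environ.get("ZITADEL_CLIENT_ID", "api-app-client-id")
CLIENT_SECRET = os.environ.get("ZITADEL_CLIENT_SECRET", "api-app-client-secret")

def introspect_zitadel(token):
    """POST the token to the introspection endpoint (RFC 7662) using HTTP Basic auth."""
    # Credentials are URL-encoded before Base64, as RFC 6749 section 2.3.1 describes.
    cred = ":".join(urllib.parse.quote(v, safe="") for v in (CLIENT_ID, CLIENT_SECRET))
    req = urllib.request.Request(
        ISSUER + "/oauth/v2/introspect",
        data=urllib.parse.urlencode({"token": token}).encode(),
        headers={"Authorization": "Basic " + base64.b64encode(cred.encode()).decode(),
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def decide(authorization, introspect=introspect_zitadel):
    """Return (status, headers) for Traefik: 2xx forwards the request, anything else blocks it."""
    deny = (401, {"WWW-Authenticate": "Bearer"})
    scheme, _, token = (authorization or "").strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return deny
    try:
        claims = introspect(token)
    except Exception:
        return deny  # fail closed when the IdP is unreachable or returns an error
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return deny  # revoked, expired or unknown tokens come back as active=false
    return 200, {"X-Auth-Subject": str(claims.get("sub", ""))}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):  # forwardAuth calls this with the original request's headers
        status, headers = decide(self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 4181), Handler).serve_forever()
```

In the Traefik forwardAuth middleware, `address` points at this service, and listing `X-Auth-Subject` under `authResponseHeaders` makes Traefik copy the value from the auth response onto the request, replacing anything the client sent under that name.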