Traefik Forward Auth v4

A simple service that provides authentication and SSO with OAuth2, OpenID Connect, and Tailscale Whois, for the Traefik reverse proxy.

✨ Highlights

• Supports authentication with Google, Microsoft Entra ID (formerly Azure AD), GitHub, and generic OpenID Connect providers (including Auth0, Okta, etc).
• Single Sign-On with Tailscale Whois (similarly to Tailscale's nginx-auth)
• Protect multiple Traefik services with a single instance of traefik-forward-auth.

👉 Releases

The Docker image is available on GitHub Packages. Container images are multi-arch and run on linux/amd64, linux/arm64, and linux/arm/v7.

Using the 4 tag is recommended:

ghcr.io/italypaleale/traefik-forward-auth:4

You can also pin to the latest patch release as found in the Releases page:

ghcr.io/italypaleale/traefik-forward-auth:4.x.x

📘 Docs

• 🚀 Quickstart
  • Authenticate with Google
  • Authenticate with Tailscale
• ⚙️ Configuration
  • Configuring Traefik Forward Auth
  • Exposing Traefik Forward Auth
• 📖 All configuration options
• 🛡️ Authentication portals
  • Configuring portals
  • Default portal
• 🔑 Supported providers
  • GitHub
  • Google
  • Microsoft Entra ID
  • Other OpenID Connect providers
  • Pocket ID
  • Tailscale Whois
• 🔐 Authorization conditions
  • Using conditions
  • Sessions and authorization conditions
• 🎓 Advanced configuration
  • Configure health checks
  • Observability: Logs, Traces, Metrics
  • Token signing keys
  • Configure session lifetime
  • Security hardening
  • Container health checks
• 📍 Endpoints
  • Profile routes
  • APIs

Migrating from a previous version of Traefik Forward Auth:

• Migrating from v3