Integrating Google Auth with Docker Containers


June 8, 2020

As part of our drive to improve security, we recently decided to add authentication to some of our Docker containers.

We use Traefik, and I found this great blog: “Integrating Google OAuth with Traefik” that uses the project, “Traefik Forward Auth”, to add Google authentication for Traefik.

That blog was a great help, and showed us it was possible, but we did things a little differently. They use ‘Auth Host Mode’ whereas we went with ‘Overlay Mode’. The difference is explained in the read-me, but essentially, every domain we want to authorize has to be added to Google (which isn't a problem when you're only using one).

Creating the Google auth app is fairly straightforward, and the blog above does a great job explaining it. We added ours to our organisation and kept it ‘internal’.


Here's where things change. Our setup is a little different. First, in our traefik.yml, we added to the entrypoints:


Traefik Forward Auth

I then created a new file for the auth forwarding, rather than adding it to the Traefik config. I called it oauth.yml and put the following in it:

version: '3.4'

networks:
  kong:
    external:
      name: kong

services:
  oauth:  # service name is not shown in the listing; "oauth" is assumed from the hostname
    image: thomseddon/traefik-forward-auth
    hostname: oauth
    networks:
      - kong
    environment:
      PROVIDERS_GOOGLE_CLIENT_ID: <client-id>
      PROVIDERS_GOOGLE_CLIENT_SECRET: <client-secret>
      SECRET: <randomly-generated-secret>
      COOKIE_DOMAIN: <your-domain>
      INSECURE_COOKIE: "false"
      URL_PATH: /_oauth/
      DOMAIN: <your-domain>
      LOG_LEVEL: debug
      LIFETIME: 2592000 # 30 days
    deploy:
      labels:
        traefik.enable: "true"
        traefik.port: 4181
        traefik.backend: oauth
        traefik.frontend.rule: PathPrefix:/_oauth/
        traefik.frontend.auth.forward.address: "http://oauth:4181"
        traefik.frontend.auth.forward.authResponseHeaders: X-Forwarded-User
        traefik.frontend.auth.forward.trustForwardHeader: "true"
    expose:  # key is not shown in the listing; "expose" is assumed
      - 4181

The 'CLIENT-ID' and 'CLIENT-SECRET' are provided by Google. The 'RANDOMLY-GENERATED-SECRET' can be generated from a terminal with "openssl rand -hex 16" or any other random hex generator. 'COOKIE_DOMAIN' is your domain, and 'DOMAIN' is your e-mail domain; alternatively, you can use the whitelist option for the e-mails you want to have access.
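A pre-deploy check for the settings described above, as an added example that is not from the original post or from the Traefik Forward Auth project. The sample values, the names parse_env and lint, and the max_lifetime ceiling are assumptions; the parser only handles flat KEY: value lines like the environment block in oauth.yml.

```python
import re

# Constructed sample of the environment block; every value here is made up.
SAMPLE_ENV = """
PROVIDERS_GOOGLE_CLIENT_ID: 1234567890-abc.apps.googleusercontent.com
PROVIDERS_GOOGLE_CLIENT_SECRET: constructed-client-secret
SECRET: 9f2c4e6a8b0d1f3e5a7c9e1b3d5f7a90
COOKIE_DOMAIN: example.com
INSECURE_COOKIE: "false"
URL_PATH: /_oauth/
DOMAIN: example.com
LOG_LEVEL: debug
LIFETIME: 2592000 # 30 days
"""

PLACEHOLDER = re.compile(r"^<.*>$")  # e.g. <client-id> left unfilled

def parse_env(text):
    """Parse flat 'KEY: value' lines; strips quotes and trailing # comments."""
    env = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            env[key.strip()] = value.strip().strip("\"'")
    return env

def lint(env, max_lifetime=2592000):
    """Return findings; max_lifetime is an assumed ceiling (the post's 30 days)."""
    findings = []
    for key in ("PROVIDERS_GOOGLE_CLIENT_ID", "PROVIDERS_GOOGLE_CLIENT_SECRET",
                "SECRET", "COOKIE_DOMAIN"):
        if not env.get(key) or PLACEHOLDER.match(env[key]):
            findings.append(f"{key}: missing or still a placeholder")
    secret = env.get("SECRET", "")
    if secret and not PLACEHOLDER.match(secret) and len(secret) < 32:
        findings.append("SECRET: shorter than `openssl rand -hex 16` output")
    if env.get("INSECURE_COOKIE", "false").lower() != "false":
        findings.append("INSECURE_COOKIE: cookie is set without the Secure attribute")
    if not env.get("DOMAIN") and not env.get("WHITELIST"):
        findings.append("DOMAIN/WHITELIST: neither set, forward-auth restricts no one")
    if env.get("LOG_LEVEL", "").lower() in ("debug", "trace"):
        findings.append("LOG_LEVEL: verbose logging, lower it after troubleshooting")
    if env.get("LIFETIME", "").isdigit() and int(env["LIFETIME"]) > max_lifetime:
        findings.append("LIFETIME: session cookie outlives max_lifetime seconds")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(parse_env(SAMPLE_ENV))))
```

Run against the sample, the only finding is the debug log level; an unfilled template reports each placeholder instead.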

Adding to a service

Finally, for your service to have authentication, just add these lines under ‘labels’:

traefik.frontend.auth.forward.address: "http://oauth:4181"
traefik.frontend.auth.forward.authResponseHeaders: X-Forwarded-User
traefik.frontend.auth.forward.trustForwardHeader: "true"

Now, after everything is deployed, when we go to our service, we will be redirected to Google. After successfully logging in, we will be redirected again to our app!




Experienced developer in various languages, currently a product owner of leading the back end architecture.