🚀 Feature: Add support of ForwardAuth #341

Closed
opened 2025-10-07 00:11:18 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @im2R on GitHub.

Feature description

Implementation of ForwardAuth to protect applications not supporting OIDC through reverse proxies

Pitch

Hi,

I use Traefik as a reverse proxy to expose Docker containerized services to the internet. For securing access to these applications, I currently use Authelia, which supports forward authentication. This allows me to protect services that don't natively support OIDC using Traefik's ForwardAuth middleware (https://doc.traefik.io/traefik/middlewares/http/forwardauth/).

I request that Pocket ID implement support for forward authentication; this would allow seamless integration with Traefik (or other reverse proxies) and provide a more native and well-integrated solution compared to alternatives like traefik-oidc-auth (https://github.com/sevensolutions/traefik-oidc-auth) or oauth2-proxy (https://github.com/oauth2-proxy/oauth2-proxy).

Use Case Example

With Authelia, I can set up forward authentication using the following Traefik labels:

For the authentication service:

```
- traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth
- traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
- traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
```

For the protected applications:

```
- traefik.http.routers.whoami.middlewares=authelia@docker
```

Thanks!
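Added example, not part of the original issue and not code from Pocket ID, Authelia or Traefik: a sketch of the decision a forward-auth endpoint makes when the proxy sends it the auth subrequest configured by the labels above. The session store, host allowlist, login URL, cookie name and `rd` parameter are all hypothetical.

```python
from http.cookies import SimpleCookie
from urllib.parse import quote

# Constructed sample data; every name and value below is hypothetical.
SESSIONS = {"s3ss10n": {"Remote-User": "alice", "Remote-Groups": "admins,dev",
                        "Remote-Name": "Alice", "Remote-Email": "alice@example.test"}}
PROTECTED_HOSTS = {"whoami.example.test"}
LOGIN_URL = "https://auth.example.test/login"


def forward_auth(request_headers):
    """Decide the reply to the proxy's auth subrequest: (status, headers)."""
    h = {k.lower(): v for k, v in request_headers.items()}
    proto = h.get("x-forwarded-proto", "")
    host = h.get("x-forwarded-host", "")
    uri = h.get("x-forwarded-uri", "/")

    # The X-Forwarded-* values build the post-login redirect, so pin them to
    # known hosts; otherwise a forged header could steer the redirect.
    if proto != "https" or host not in PROTECTED_HOSTS or not uri.startswith("/"):
        return 403, {}

    cookie = SimpleCookie()
    cookie.load(h.get("cookie", ""))
    morsel = cookie.get("session")
    identity = SESSIONS.get(morsel.value) if morsel else None

    if identity is None:
        # Non-2xx: the proxy relays this response to the client instead of
        # forwarding the request to the application.
        target = f"{proto}://{host}{uri}"
        return 302, {"Location": f"{LOGIN_URL}?rd={quote(target, safe='')}"}

    # 2xx: the proxy copies the headers named in authResponseHeaders onto the
    # upstream request. Identity comes only from the session, never from any
    # Remote-* header the client sent.
    return 200, dict(identity)
```

The protected application should be reachable only through the proxy, since it treats `Remote-User` and the other response headers as already authenticated.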

OVERLORD added the feature label 2025-10-07 00:11:18 +03:00
Author
Owner

@stonith404 commented on GitHub:

As Pocket ID is solely an OIDC provider, I don't think it makes sense to implement this directly in Pocket ID. I understand that it might not be the ideal solution to use a non-native solution like oauth2-proxy, but the goal of Pocket ID is to stay simple.


Reference: starred/pocket-id#341