Comments (55)
I don't think this should be closed. I run into this problem frequently. It may be because we need a traefik header
from traefik-forward-auth.
I can confirm I have the same error even after deleting my cookies...
from traefik-forward-auth.
I experience the same issue intermittently in auth host mode, via both desktop and mobile browsers.
time="2019-03-22T13:48:49Z" level=warning msg="Error validating csrf cookie: CSRF cookie does not match state" RemoteAddr="x.x.x.x:xxxx" csrf=<xyz> state="<zyx>:https://<domain>/"
As @robertbaker stated, this seems to happen most frequently when re-selecting an account which has been authorized (in my case, via WHITELIST) after the session lifetime has expired. Perhaps a token refresh issue?
from traefik-forward-auth.
@bekoeppel I have created an issue to track that specific pattern as I think there could be a better way of handling it.
I believe a lot of people here will have run into #103 whereby Google will not offer up the account selection by default on subsequent requests, so if you select the wrong account you have to wait for that selection to expire on Google's side before having another go (which is why some people have said you just need to wait and clearing cookies is not enough).
Beyond the two instances above, I think the most common cause will be a misconfiguration. I have opened #114 to improve debug logging to help track these down
@frankforpresident I will confirm when #114 is merged, if you could send your debug logs again following that, it would be greatly appreciated.
from traefik-forward-auth.
FWIW I've been struggling with this issue for months with no good workaround except to logout of all google accounts, delete all google related cookies and cache, and close and re-open the browser. It happens every month or so and it's incredibly annoying.
The incognito mode fix does work for me though so I think it's safe to say it's something to do with caching and tokens. When I get the "not authorized" message I also get the CSRF error log mentioned by @726a67. I hope we come up with a fix for this soon.
from traefik-forward-auth.
Getting the same error intermittently, completely closing chrome didnt fix it
from traefik-forward-auth.
Just tried it, still getting the error. My log level is set to debug, let me know what to look for
from traefik-forward-auth.
Can you double check you're running the image with the tag: 3e6ccc8
I wasn't able to come up with a good way to check this. The only docker tag on that is latest and there apparently isn't a shell in the container I could use to check the source. I restarted a couple of times, so it should have pulled the image.
Do you get any logs with the 401?
I actually do not have any 401 errors in the log
I have
logger.Warn("Missing csrf cookie")
I was grepping on "401" before, I didn't realize the logs dont actually include the http status code.
from traefik-forward-auth.
@thomseddon, I did my best to gather some information for you. My setup was based on: https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/
Description:
Open chrome in incognite mode (or normal). Visit the configured url and login with configured email address.
Expected: Proper redirection after the authentication. Content is visible.
Actual: After login the webpage redirects and returns with 401 Not authorized.
Note: I did changed some personal data and revoked the 0auth cert just after this run.
Logs:
time="2020-01-20T22:20:42Z" level=debug msg="Starting with options: {\"LogLevel\":\"debug\",\"LogFormat\":\"text\",\"AuthHost\":\"oauth.fakedomainforissue31.com\",\"CookieDomains\":[{\"Domain\":\"fakedomainforissue31.com\",\"DomainLen\":16,\"SubDomain\":\".fakedomainforissue31.com\",\"SubDomainLen\":17}],\"InsecureCookie\":true,\"CookieName\":\"_forward_auth\",\"CSRFCookieName\":\"_forward_auth_csrf\",\"DefaultAction\":\"auth\",\"Domains\":null,\"LifetimeString\":0,\"Path\":\"/_oauth\",\"Whitelist\":[\"[email protected]\"],\"Providers\":{\"Google\":{\"ClientId\":\"xxxxxxxxxxxxx.apps.googleusercontent.com\",\"Scope\":\"https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email\",\"Prompt\":\"\",\"LoginURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"accounts.google.com\",\"Path\":\"/o/oauth2/auth\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"TokenURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"www.googleapis.com\",\"Path\":\"/oauth2/v3/token\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"UserURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"www.googleapis.com\",\"Path\":\"/oauth2/v2/userinfo\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"}}},\"Rules\":{},\"Lifetime\":0,\"CookieDomainsLegacy\":null,\"CookieSecureLegacy\":\"\",\"ClientIdLegacy\":\"\",\"PromptLegacy\":\"\"}"
time="2020-01-20T22:20:42Z" level=info msg="Listening on :4181"
time="2020-01-20T22:21:10Z" level=debug msg="Authenticating request" headers="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.9,nl;q=0.8,af;q=0.7] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[none] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36] X-Forwarded-For:[192.168.0.1] X-Forwarded-Host:[debug.fakedomainforissue31.com] X-Forwarded-Method:[GET] X-Forwarded-Proto:[https] X-Forwarded-Uri:[/]]" rule=default source_ip=192.168.0.1
time="2020-01-20T22:21:10Z" level=debug msg="Set CSRF cookie and redirecting to google login" source_ip=192.168.0.1
time="2020-01-20T22:21:10Z" level=debug msg=Done source_ip=192.168.0.1
time="2020-01-20T22:21:13Z" level=debug msg="Handling callback" headers="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.9,nl;q=0.8,af;q=0.7] Referer:[https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=xxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com&as=siqf3xKp8E6XuK8hiWhYSw&destination=https%3A%2F%2Foauth.fakedomainforissue31.com&approval_state=!ChRjUnBHenZ0aWlkMlJOWjB1UmZBZRIfODFnTTFFUjNYR1VkY0t0V0xtY192ZHBvNWJsUV9CWQ%E2%88%99AJDr988AAAAAXid5VqkCKO41SE29VN3yjfxvWPdXqezJ&oauthgdpr=1&xsrfsig=ChkAeAh8TzAGW13wZT6mNVUkgf1VI3Un__LKEg5hcHByb3ZhbF9zdGF0ZRILZGVzdGluYXRpb24SBXNvYWN1Eg9vYXV0aHJpc2t5c2NvcGU&flowName=GeneralOAuthFlow] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[cross-site] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36] X-Forwarded-For:[192.168.0.1] X-Forwarded-Host:[oauth.fakedomainforissue31.com] X-Forwarded-Method:[GET] X-Forwarded-Proto:[https] X-Forwarded-Uri:[/_oauth?state=f480a65f3c0c40bc1ec395dd5884d862%3Ahttps%3A%2F%2Fdebug.fakedomainforissue31.com%2F&code=4%2FvgFS7t4mz4NGZPiFu_WqGI4IM-rwRbZpSLkhC8lsjakaQ3wZcRe1VJIuXxL_8bzruh7dP5LfKUGJraM3UyPUQc4&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=consent&session_state=efcdb271432c17ec7c1ac1b246b908fbc2dd43eb..413a]]" rule=default source_ip=192.168.0.1
time="2020-01-20T22:21:13Z" level=warning msg="Missing csrf cookie" source_ip=192.168.0.1
time="2020-01-20T22:21:13Z" level=debug msg="Authenticating request" headers="map[Accept:[image/webp,image/apng,image/*,*/*;q=0.8] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.9,nl;q=0.8,af;q=0.7] Referer:[https://oauth.fakedomainforissue31.com/_oauth?state=f480a65f3c0c40bc1ec395dd5884d862%3Ahttps%3A%2F%2Fdebug.fakedomainforissue31.com%2F&code=4%2FvgFS7t4mz4NGZPiFu_WqGI4IM-rwRbZpSLkhC8lsjakaQ3wZcRe1VJIuXxL_8bzruh7dP5LfKUGJraM3UyPUQc4&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=consent&session_state=efcdb271432c17ec7c1ac1b246b908fbc2dd43eb..413a] Sec-Fetch-Mode:[no-cors] Sec-Fetch-Site:[same-origin] User-Agent:[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36] X-Forwarded-For:[192.168.0.1] X-Forwarded-Host:[oauth.fakedomainforissue31.com] X-Forwarded-Method:[GET] X-Forwarded-Proto:[https] X-Forwarded-Uri:[/favicon.ico]]" rule=default source_ip=192.168.0.1
time="2020-01-20T22:21:13Z" level=debug msg="Set CSRF cookie and redirecting to google login" source_ip=192.168.0.1
time="2020-01-20T22:21:13Z" level=debug msg=Done source_ip=192.168.0.1
docker-compose.yaml
whoami:
container_name: debug
hostname: debug
image: containous/whoami
labels:
- traefik.frontend.rule=Host:debug.fakedomainforissue31.com
- traefik.port=80
- traefik.backend=whoami
- traefik-docker.network=internal
- traefik.frontend.auth.forward.address=http://oauth:4181
- traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
- traefik.frontend.auth.forward.trustForwardHeader=true
- traefik.redirectorservice.frontend.entryPoints=http
- traefik.redirectorservice.frontend.redirect.entryPoint=https
- traefik.webservice.frontend.entryPoints=https
oauth:
image: thomseddon/traefik-forward-auth:latest
container_name: oauth
hostname: oauth
restart: always
env_file:
- oauth.env
labels:
- traefik.enable=true
- traefik.port=4181
- traefik.backend=oauth
- traefik.docker.network=internal
- traefik.frontend.rule=Host:oauth.fakedomainforissue31.com
- traefik.frontend.headers.SSLHost=oauth.fakedomainforissue31.com
- traefik.frontend.auth.forward.address=http://oauth:4181
- traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User
- traefik.frontend.auth.forward.trustForwardHeader=true
- traefik.frontend.headers.SSLRedirect=true
- traefik.frontend.headers.browserXSSFilter=true
- traefik.frontend.headers.contentTypeNosniff=true
- traefik.frontend.headers.forceSTSHeader=true
- traefik.frontend.headers.STSSeconds=315360000
- traefik.frontend.headers.STSIncludeSubdomains=true
- traefik.frontend.headers.STSPreload=true
- traefik.frontend.headers.frameDeny=true
- traefik.frontend.passHostHeader=true
- traefik.frontend.headers.SSLForceHost=true
- traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex
- traefik.redirectorservice.frontend.entryPoints=http
- traefik.redirectorservice.frontend.redirect.entryPoint=https
- traefik.webservice.frontend.entryPoints=https
oauth.env
PROVIDERS_GOOGLE_CLIENT_ID=XXXXXXXXXXXXXXXXXX.apps.googleusercontent.com
PROVIDERS_GOOGLE_CLIENT_SECRET=XXXXXXXXXXXXXX
SECRET=XXXXXXXXXXXXXXX
COOKIE_DOMAIN=fakedomainforissue31.com
INSECURE_COOKIE=true
AUTH_HOST=oauth.fakedomainforissue31.com
URL_PATH=/_oauth
[email protected]
LOG_LEVEL=debug
LIFETIME=2592000 # 30 days
OIDC_ISSUER=https://accounts.google.com
CSRF_COOKIE_NAME=_forward_auth_csrf
Note: I also tried INSECURE_COOKIE=false, changing _forward_auth_csrf to a different key and a different email address
How do you want me to collect the request logs? or is this enough to get started?
I did saw this message in the console after landing on the 401 page.
/_oauth?state=014308…49a7a48f6c..576a#:1 A cookie associated with a cross-site resource at https://accounts.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
/_oauth?state=014308…49a7a48f6c..576a#:1 A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
/_oauth?state=014308…49a7a48f6c..576a#:1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
Cross-Origin Read Blocking (CORB) blocked cross-origin response https://accounts.google.com/o/oauth2/auth?client_id=110929115210-iebt17j9me…b0168a5…%3Ahttps%3A%2F%2Foauth.computerheld.net%2Ffavicon.ico with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
and I can't seem to find the_forward_auth_csrf cookie after the redirect under Application>Storage>Cookies. Not sure if this is the cause of my problem.
from traefik-forward-auth.
Hello everyone - the good news is that v2.2 was released yesterday, this includes a significant improvement in logging as well as a warning about some invalid configuration states.
This also includes a tweak to the Google provider to ensure the user is always prompted to select which account they would like to use, this fixes the issue where a user selects the wrong account and is then unable to reselect the right account as their previous selection is "cached" (which may result in a Not Authorized error).
I've also released a large amount of new examples for both k8s and swarm, using both traefik v1.7 and 2+ - this shows the advised way to deploy the service and should help many people ending up in a bad/conflicting configuration state.
As mentioned before, I think this issue may represent a number of different issues that people have had, most of which I believe will have been caused by me not providing enough configuration examples - which I hope is now fixed. Due to this, and the other fixes outlined above, I'm going to close this issue.
If anyone is still having a problem when using v2.2, following the new examples, please please please open a new issue with your configuration and logs and I will dig into it right away.
Thank you everyone for your contributions to this, it's very much appreciated.
from traefik-forward-auth.
I can confirm that although a similar issue (intermittently) persisted on tags :2
AND 2.2
, they are resolved on :latest
( b364aa6a4117
)
from traefik-forward-auth.
I Received that too and i seems to be some cookie/cache related issue. Either wait a couple of hours or try a different browser/ Incognito
from traefik-forward-auth.
I Received that too and i seems to be some cookie/cache related issue. Either wait a couple of hours or try a different browser/ Incognito
OMG,so in all my testing I had forgot to try Incognito mode... I had tried both Chrome and Edge... But that was prob whilst the config was not right... so retested with Incognito mode and hey presto its working...
Thanks this can be closed 👍
from traefik-forward-auth.
Related #20
from traefik-forward-auth.
Hmm, I have a similar issue where I've clicked the wrong google account, my only option is to clear cookies and try again - sounds like this could be the same root cause - I wonder if there is a better UX for this?
from traefik-forward-auth.
It does happen if you do choose the wrong account or it happens once the authorization expires with the right account.
I believe it may be due to a missing header on traefik and/or its like it can't refresh the token on it's own.
from traefik-forward-auth.
@robertbaker what do you mean it's missing a header?
from traefik-forward-auth.
from traefik-forward-auth.
I don’t suppose a “logout” endpoint is in the works?
from traefik-forward-auth.
@zetas simply completely closing chrome (including tray icon) should be the only thing you need to do to fix it.
from traefik-forward-auth.
The weird thing is that it lets me access some of my endpoints but not others when this happens. E.g. some work fine some give the "not authorized" text
from traefik-forward-auth.
So I think I might have found the cause of this, after a cookie expires the existing behavior was just to throw an error.
I have just pushed a change which means that the users will be redirected to Google login instead.
If someone would be willing to test the latest
tag on docker, with error logging enabled, that would be hugely helpful.
I know this can take some time to replicate, so if anyone has error logs enabled then there should be more info in that log already, so if you could post existing logs that would also help!
from traefik-forward-auth.
Can you double check you're running the image with the tag: 3e6ccc8
Do you get any logs with the 401?
For extra info, 401 can returned from 4 places:
- AuthHandler - invalid cookie:
traefik-forward-auth/internal/server.go
Lines 79 to 89 in 3e6ccc8
- AuthHandler - invalid user:
traefik-forward-auth/internal/server.go
Lines 92 to 100 in 3e6ccc8
- AuthCallbackHandler - invalid CSRF:
traefik-forward-auth/internal/server.go
Lines 115 to 121 in 3e6ccc8
- AuthCallbackHandler - invalid state:
traefik-forward-auth/internal/server.go
Lines 123 to 129 in 3e6ccc8
There's a log message in each location, so if tfa is returning an error then it should be showing more info in the logs
from traefik-forward-auth.
One thing that seems to work consistently is getting to the "not authorized" page, then visiting a different endpoint that for whatever reason works, then going back to my original endpoint lets me continue to the page I wanted.
from traefik-forward-auth.
I've done a thing in branch add-logout-endpoint
on my fork that, in theory, adds a /_tfa-logout
endpoint which will clear the local _forward_auth
cookie.
I have written tests, which pass, but I want to do some functional testing before I actually submit a PR. However, I flubbed an unrelated IP on my home setup, and so can't actually access my own environment to deploy the updated version, so I'll do it tomorrow. Thanks, sslh.
I have built the image manually on https://hub.docker.com/r/tnwhitwell/traefik-forward-auth/tags, tag: testing, but obviously I'd recommend building and deploying your own version if you do want to test.
from traefik-forward-auth.
I actually added a logout endpoint to my landing page which does the same thing, I've also been manually deleting the cookie and disabling caching before running these tests so I don't know if that will solve the problem
from traefik-forward-auth.
Could you do a docker inspect on the container, mine is showing: Image": "sha256:97d5ed375d0c1fa946b74d4381ab912199056da56d5c2af7a78c87ee074d240f"
I actually think my changes in 3e6ccc8 are a red herring (which I will partially revert), the browser will expire the cookie after that time so it is actually an error if such a cookie is received.
Missing csrf cookie
suggests you're hitting the callback endpoint, you should only hit this endpoint after you've done the login on Google?
from traefik-forward-auth.
Could you do a docker inspect on the container, mine is showing:
Image": "sha256:97d5ed375d0c1fa946b74d4381ab912199056da56d5c2af7a78c87ee074d240f"
I'll double check the image hash
Missing csrf cookie
suggests you're hitting the callback endpoint, you should only hit this endpoint after you've done the login on Google?
Indeed it's directly after I log into google that I get this screen, which is part of why it makes no sense since I've just logged in.
Do you rely on the X-Forwarded-User header to check the username at the callback endpoint? I don't think I configured traefik to send it for that endpoint
from traefik-forward-auth.
Interesting, could you check what cookies are sent before you're redirected to Google (you can inspect the headers on the 307 redirect in your browser)? Are you using the auth host?
from traefik-forward-auth.
Sorry for the late reply, I'm in the process of rebuilding that cluster right now, when it's settled down I'll look into the cookies for you
from traefik-forward-auth.
In the request to my endpoint, I see
cookie: _forward_auth_csrf=0adc70a3cbde78d0b09e37e7c9602c83
The 307 response has
set-cookie: _forward_auth_csrf=cabca8a0d088bddc863932ec8704c953; Path=/; Domain=<redacted correct domain>; Expires=Wed, 19 Jun 2019 00:10:51 GMT; HttpOnly; Secure
from traefik-forward-auth.
Hmm, so that's why it doesn't work - but why doesn't the cookie match? My first thought would be a domain missmatch?
from traefik-forward-auth.
Domain is correct and if it was that I would expect it to fail for every domain. The only obvious difference is that the working domains set x-forwarded-user
and the failing ones don't
from traefik-forward-auth.
I am experiencing exactly same issue as Queuecumber. "Not authorized" after google authentication. Docker Image: 97d5ed375d0c
. Traefik services handle traffic on port 8080.
Command is: --cookie-domain=somewhere.com --cookie-domain=test.somewhere.com --cookie-domain=auth.test.somewhere.com
In my env: AUTH_HOST: auth.test.somewhere.com:8080
services I am authenticating are path based m1-eu1.test.somewhere.com:8080/traefik/dashboard or m1-eu1.test.somewhere.com:8080/cadvisor
from traefik-forward-auth.
Same issue here, After google login I get "Not authorized".. No clue yet why
msg="Missing csrf cookie"
from traefik-forward-auth.
@frankforpresident (or anyone else in the thread) could you post:
- Confg
- Request log (headers from all requests+responses)
- Debug log from traefik-forward-auth
I'm sure we can get to the bottom of this :)
from traefik-forward-auth.
I can confirm I'm seeing the same behavior here. Initiating an incognito browser allows me to access the service properly though.
from traefik-forward-auth.
@thomseddon, (or anyone else) Any update on this issue? Is there something I could help you with? If more logs are required don't hesitate to contact me.
I would love to implement this in my setup.
from traefik-forward-auth.
Sorry I missed your previous comment, thanks for the detailed info. Could you post your entire compose config (including traefik) - the absolute jackpot would be if you can give me a docker-compose.yaml + associated config so I can exactly replicate it?
With regards to capturing the requests, if you export them from the chrome network tab, that would be great (although if I can replicate that won't be needed)
from traefik-forward-auth.
I am having the same issue here. I guess my config are more naive.
Error:
time="2020-02-27T08:25:03Z" level=warning msg="Missing csrf cookie" source_ip=192.168.9.195
Traefik (installed with helm - stable/traefik):
values.yaml:
ssl:
enabled: true
enforced: true
insecureSkipVerify: true
dashboard:
enabled: true
domain: traefik.stg.example.com
ingress:
annotations:
kubernetes.io/ingress.class: traefik
ingress.kubernetes.io/auth-type: forward
ingress.kubernetes.io/auth-url: http://traefik-forward-auth.kube-system.svc.cluster.local
ingress.kubernetes.io/auth-response-headers: X-Forwarded-User
rbac:
enabled: true
deployment:
hostPort:
httpsEnabled: true
traefik-forward-auth (reference to Example for k8s):
##
# Secrets to store Google's client secret and the app's secret
##
kind: Secret
apiVersion: v1
metadata:
name: traefik-forward-auth-secrets
namespace: kube-system
labels:
name: traefik
type: Opaque
data:
CLIENT_SECRET: <- CLIENT_SECRET ->
SECRET: <- SECRET ->
---
##
# Main deployment
##
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: traefik-forward-auth
name: traefik-forward-auth
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: traefik-forward-auth
template:
metadata:
labels:
app: traefik-forward-auth
spec:
containers:
- name: traefik-forward-auth
image: thomseddon/traefik-forward-auth
ports:
- containerPort: 4181
protocol: TCP
env:
- name: CLIENT_ID
value: <- CLIENT_ID ->
- name: CLIENT_SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: CLIENT_SECRET
- name: SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: SECRET
- name: DOMAIN
value: example.com
livenessProbe:
tcpSocket:
port: 4181
initialDelaySeconds: 20
failureThreshold: 3
successThreshold: 1
periodSeconds: 10
timeoutSeconds: 2
---
kind: Service
apiVersion: v1
metadata:
name: traefik-forward-auth
namespace: kube-system
spec:
selector:
app: traefik-forward-auth
ports:
- port: 80
targetPort: 4181
protocol: TCP
from traefik-forward-auth.
I found out the clear the browser data can solve this problem.
from traefik-forward-auth.
@thomseddon, I did my best to gather some information for you. My setup was based on: https://www.smarthomebeginner.com/google-oauth-with-traefik-docker/
Description:
Open chrome in incognite mode (or normal). Visit the configured url and login with configured email address.Expected: Proper redirection after the authentication. Content is visible.
Actual: After login the webpage redirects and returns with 401 Not authorized.
Note: I did changed some personal data and revoked the 0auth cert just after this run.
Logs:
time="2020-01-20T22:20:42Z" level=debug msg="Starting with options: {\"LogLevel\":\"debug\",\"LogFormat\":\"text\",\"AuthHost\":\"oauth.fakedomainforissue31.com\",\"CookieDomains\":[{\"Domain\":\"fakedomainforissue31.com\",\"DomainLen\":16,\"SubDomain\":\".fakedomainforissue31.com\",\"SubDomainLen\":17}],\"InsecureCookie\":true,\"CookieName\":\"_forward_auth\",\"CSRFCookieName\":\"_forward_auth_csrf\",\"DefaultAction\":\"auth\",\"Domains\":null,\"LifetimeString\":0,\"Path\":\"/_oauth\",\"Whitelist\":[\"[email protected]\"],\"Providers\":{\"Google\":{\"ClientId\":\"xxxxxxxxxxxxx.apps.googleusercontent.com\",\"Scope\":\"https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email\",\"Prompt\":\"\",\"LoginURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"accounts.google.com\",\"Path\":\"/o/oauth2/auth\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"TokenURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"www.googleapis.com\",\"Path\":\"/oauth2/v3/token\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"UserURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"www.googleapis.com\",\"Path\":\"/oauth2/v2/userinfo\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"}}},\"Rules\":{},\"Lifetime\":0,\"CookieDomainsLegacy\":null,\"CookieSecureLegacy\":\"\",\"ClientIdLegacy\":\"\",\"PromptLegacy\":\"\"}" time="2020-01-20T22:20:42Z" level=info msg="Listening on :4181" time="2020-01-20T22:21:10Z" level=debug msg="Authenticating request" headers="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.9,nl;q=0.8,af;q=0.7] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[none] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36] X-Forwarded-For:[192.168.0.1] X-Forwarded-Host:[debug.fakedomainforissue31.com] X-Forwarded-Method:[GET] X-Forwarded-Proto:[https] X-Forwarded-Uri:[/]]" rule=default source_ip=192.168.0.1 time="2020-01-20T22:21:10Z" level=debug msg="Set CSRF cookie and redirecting to google login" source_ip=192.168.0.1 time="2020-01-20T22:21:10Z" level=debug msg=Done source_ip=192.168.0.1 time="2020-01-20T22:21:13Z" level=debug msg="Handling callback" headers="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.9,nl;q=0.8,af;q=0.7] Referer:[https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=xxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com&as=siqf3xKp8E6XuK8hiWhYSw&destination=https%3A%2F%2Foauth.fakedomainforissue31.com&approval_state=!ChRjUnBHenZ0aWlkMlJOWjB1UmZBZRIfODFnTTFFUjNYR1VkY0t0V0xtY192ZHBvNWJsUV9CWQ%E2%88%99AJDr988AAAAAXid5VqkCKO41SE29VN3yjfxvWPdXqezJ&oauthgdpr=1&xsrfsig=ChkAeAh8TzAGW13wZT6mNVUkgf1VI3Un__LKEg5hcHByb3ZhbF9zdGF0ZRILZGVzdGluYXRpb24SBXNvYWN1Eg9vYXV0aHJpc2t5c2NvcGU&flowName=GeneralOAuthFlow] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[cross-site] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36] X-Forwarded-For:[192.168.0.1] X-Forwarded-Host:[oauth.fakedomainforissue31.com] X-Forwarded-Method:[GET] X-Forwarded-Proto:[https] X-Forwarded-Uri:[/_oauth?state=f480a65f3c0c40bc1ec395dd5884d862%3Ahttps%3A%2F%2Fdebug.fakedomainforissue31.com%2F&code=4%2FvgFS7t4mz4NGZPiFu_WqGI4IM-rwRbZpSLkhC8lsjakaQ3wZcRe1VJIuXxL_8bzruh7dP5LfKUGJraM3UyPUQc4&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=consent&session_state=efcdb271432c17ec7c1ac1b246b908fbc2dd43eb..413a]]" rule=default source_ip=192.168.0.1 time="2020-01-20T22:21:13Z" level=warning msg="Missing csrf cookie" source_ip=192.168.0.1 time="2020-01-20T22:21:13Z" level=debug msg="Authenticating request" headers="map[Accept:[image/webp,image/apng,image/*,*/*;q=0.8] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.9,nl;q=0.8,af;q=0.7] Referer:[https://oauth.fakedomainforissue31.com/_oauth?state=f480a65f3c0c40bc1ec395dd5884d862%3Ahttps%3A%2F%2Fdebug.fakedomainforissue31.com%2F&code=4%2FvgFS7t4mz4NGZPiFu_WqGI4IM-rwRbZpSLkhC8lsjakaQ3wZcRe1VJIuXxL_8bzruh7dP5LfKUGJraM3UyPUQc4&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=consent&session_state=efcdb271432c17ec7c1ac1b246b908fbc2dd43eb..413a] Sec-Fetch-Mode:[no-cors] Sec-Fetch-Site:[same-origin] User-Agent:[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36] X-Forwarded-For:[192.168.0.1] X-Forwarded-Host:[oauth.fakedomainforissue31.com] X-Forwarded-Method:[GET] X-Forwarded-Proto:[https] X-Forwarded-Uri:[/favicon.ico]]" rule=default source_ip=192.168.0.1 time="2020-01-20T22:21:13Z" level=debug msg="Set CSRF cookie and redirecting to google login" source_ip=192.168.0.1 time="2020-01-20T22:21:13Z" level=debug msg=Done source_ip=192.168.0.1
docker-compose.yaml
whoami: container_name: debug hostname: debug image: containous/whoami labels: - traefik.frontend.rule=Host:debug.fakedomainforissue31.com - traefik.port=80 - traefik.backend=whoami - traefik-docker.network=internal - traefik.frontend.auth.forward.address=http://oauth:4181 - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User - traefik.frontend.auth.forward.trustForwardHeader=true - traefik.redirectorservice.frontend.entryPoints=http - traefik.redirectorservice.frontend.redirect.entryPoint=https - traefik.webservice.frontend.entryPoints=https oauth: image: thomseddon/traefik-forward-auth:latest container_name: oauth hostname: oauth restart: always env_file: - oauth.env labels: - traefik.enable=true - traefik.port=4181 - traefik.backend=oauth - traefik.docker.network=internal - traefik.frontend.rule=Host:oauth.fakedomainforissue31.com - traefik.frontend.headers.SSLHost=oauth.fakedomainforissue31.com - traefik.frontend.auth.forward.address=http://oauth:4181 - traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User - traefik.frontend.auth.forward.trustForwardHeader=true - traefik.frontend.headers.SSLRedirect=true - traefik.frontend.headers.browserXSSFilter=true - traefik.frontend.headers.contentTypeNosniff=true - traefik.frontend.headers.forceSTSHeader=true - traefik.frontend.headers.STSSeconds=315360000 - traefik.frontend.headers.STSIncludeSubdomains=true - traefik.frontend.headers.STSPreload=true - traefik.frontend.headers.frameDeny=true - traefik.frontend.passHostHeader=true - traefik.frontend.headers.SSLForceHost=true - traefik.frontend.headers.customResponseHeaders=X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex - traefik.redirectorservice.frontend.entryPoints=http - traefik.redirectorservice.frontend.redirect.entryPoint=https - traefik.webservice.frontend.entryPoints=https
oauth.env
PROVIDERS_GOOGLE_CLIENT_ID=XXXXXXXXXXXXXXXXXX.apps.googleusercontent.com PROVIDERS_GOOGLE_CLIENT_SECRET=XXXXXXXXXXXXXX SECRET=XXXXXXXXXXXXXXX COOKIE_DOMAIN=fakedomainforissue31.com INSECURE_COOKIE=true AUTH_HOST=oauth.fakedomainforissue31.com URL_PATH=/_oauth [email protected] LOG_LEVEL=debug LIFETIME=2592000 # 30 days OIDC_ISSUER=https://accounts.google.com CSRF_COOKIE_NAME=_forward_auth_csrf
Note: I also tried INSECURE_COOKIE=false, changing _forward_auth_csrf to a different key and a different email address
How do you want me to collect the request logs? or is this enough to get started?
I did saw this message in the console after landing on the 401 page.
/_oauth?state=014308…49a7a48f6c..576a#:1 A cookie associated with a cross-site resource at https://accounts.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032. /_oauth?state=014308…49a7a48f6c..576a#:1 A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032. /_oauth?state=014308…49a7a48f6c..576a#:1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032. Cross-Origin Read Blocking (CORB) blocked cross-origin response https://accounts.google.com/o/oauth2/auth?client_id=110929115210-iebt17j9me…b0168a5…%3Ahttps%3A%2F%2Foauth.computerheld.net%2Ffavicon.ico with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
and I can't seem to find the_forward_auth_csrf cookie after the redirect under Application>Storage>Cookies. Not sure if this is the cause of my problem.
Hey Frank, I also used the SmartHomeBeginner sample. I was also getting 'unauthorized' because the Google email address I was logging in with, was not in the WHITELIST environment variable passed to the forward-auth! Adding this fixed it.. Clear cookies to ensure it's re-authenticating.
This error clue is also apparent from the service log for the container which will say invalid email.
time="2020-04-04T12:13:37Z" level=error msg="Invalid email" [email protected]
Hope that helps someone!
from traefik-forward-auth.
Hey Frank, I also used the SmartHomeBeginner sample. I was also getting 'unauthorized' because the Google email address I was logging in with, was not in the WHITELIST environment variable passed to the forward-auth! Adding this fixed it.. Clear cookies to ensure it's re-authenticating.
This error clue is also apparent from the service log for the container which will say invalid email.
time="2020-04-04T12:13:37Z" level=error msg="Invalid email" [email protected]
Hope that helps someone!
I will try it again tonight but if i remember correctly it was already set to the correct email address.
from traefik-forward-auth.
My email address is ok and I don't see this message in the logs.
I have a question, could it be related to my ip range? I've noticed in the logs a 192.168.0.1 ip address but that would be the range of my modem while my internal ip range of my router is 10.0.0.X
Anyway. on every attempt I see the same result. missing cookie, setting cookie, done
time="2020-04-09T10:53:09Z" level=warning msg="Missing csrf cookie" source_ip=192.168.0.1
time="2020-04-09T10:53:10Z" level=debug msg="Set CSRF cookie and redirecting to google login" source_ip=192.168.0.1
time="2020-04-09T10:53:10Z" level=debug msg=Done source_ip=192.168.0.1
from traefik-forward-auth.
Ahh, OK.. that should be an easy fix.. Did you generate and pass a cookie?
e.g.
environment:
- CLIENT_ID=$OAUTH2_PROXY_CLIENT_ID
- CLIENT_SECRET=$OAUTH2_PROXY_CLIENT_SECRET
- SECRET=$OAUTH2_PROXY_COOKIE_SECRET
from traefik-forward-auth.
Ahh, OK.. that should be an easy fix.. Did you generate and pass a cookie?
e.g.
environment:
- CLIENT_ID=$OAUTH2_PROXY_CLIENT_ID
- CLIENT_SECRET=$OAUTH2_PROXY_CLIENT_SECRET
- SECRET=$OAUTH2_PROXY_COOKIE_SECRET
Yes, generated with: openssl rand -hex 16
You can check my config here, it didn't changed that much.
#31 (comment)
from traefik-forward-auth.
OK, comparing yours to mine, I have 2 differences:
- INSECURE_COOKIE=false
And I do not have the "CSRF_COOKIE_NAME=_forward_auth_csrf"
So that could be why you are getting your error.
Note also that SmartHomeBeginner has drastically changed his sample code in the past week..
from traefik-forward-auth.
I got the same errors and was able to reproduce it as follows:
- traefik-forward-auth configured in Host Mode
- Tab A: open an application that makes requests to its backend every second to refreshing its data
- Wait until the authentication session expires
- Tab A keeps making requests, which fail because the session expired. From my understanding, this is issuing new
_forward_auth_csrf
cookies every second - Tab B: open another application, go through the OIDC login to the consent screen. When I was redirected back to my auth backend, I got
Not authorized
and saw in the logError validating csrf cookie: CSRF cookie does not match state
.
Closing Tab A, so that it would not make requests and issue new _forward_auth_csrf
cookies then allowed me to log in to the second application in tab B.
from traefik-forward-auth.
@thomseddon, Will do
from traefik-forward-auth.
I am having the same issue here. I guess my config are more naive.
Error:
time="2020-02-27T08:25:03Z" level=warning msg="Missing csrf cookie" source_ip=192.168.9.195
Traefik (installed with helm - stable/traefik):
values.yaml:ssl: enabled: true enforced: true insecureSkipVerify: true dashboard: enabled: true domain: traefik.stg.example.com ingress: annotations: kubernetes.io/ingress.class: traefik ingress.kubernetes.io/auth-type: forward ingress.kubernetes.io/auth-url: http://traefik-forward-auth.kube-system.svc.cluster.local ingress.kubernetes.io/auth-response-headers: X-Forwarded-User rbac: enabled: true deployment: hostPort: httpsEnabled: true
traefik-forward-auth (reference to Example for k8s):
## # Secrets to store Google's client secret and the app's secret ## kind: Secret apiVersion: v1 metadata: name: traefik-forward-auth-secrets namespace: kube-system labels: name: traefik type: Opaque data: CLIENT_SECRET: <- CLIENT_SECRET -> SECRET: <- SECRET -> --- ## # Main deployment ## apiVersion: apps/v1 kind: Deployment metadata: labels: app: traefik-forward-auth name: traefik-forward-auth namespace: kube-system spec: replicas: 1 selector: matchLabels: app: traefik-forward-auth template: metadata: labels: app: traefik-forward-auth spec: containers: - name: traefik-forward-auth image: thomseddon/traefik-forward-auth ports: - containerPort: 4181 protocol: TCP env: - name: CLIENT_ID value: <- CLIENT_ID -> - name: CLIENT_SECRET valueFrom: secretKeyRef: name: traefik-forward-auth-secrets key: CLIENT_SECRET - name: SECRET valueFrom: secretKeyRef: name: traefik-forward-auth-secrets key: SECRET - name: DOMAIN value: example.com livenessProbe: tcpSocket: port: 4181 initialDelaySeconds: 20 failureThreshold: 3 successThreshold: 1 periodSeconds: 10 timeoutSeconds: 2 --- kind: Service apiVersion: v1 metadata: name: traefik-forward-auth namespace: kube-system spec: selector: app: traefik-forward-auth ports: - port: 80 targetPort: 4181 protocol: TCP
Just want to share my Experience on debugging my issue.
My architecture is like this:
Route53 -> CloudFront -> EKS -> traefik -> traefik-forward-auth -> The application
The biggest challenge to me is the Cloudfront since i am not familiar with it. Here are the errors I experienced
First Error - Missing csrf cookie
The reason is that I didn't allow the Cloudfront to Forward Cookies
Second Error - Error validating csrf cookie: Invalid CSRF state value
The reason of getting this is because the Allowed HTTP Methods
are GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
. After I change it to just GET, HEAD
, The error changed.
Third Error - Invalid email
It seems like the config in the kubeconfig.yaml is incorrect. I am still investigating it.
from traefik-forward-auth.
Hello all,
for reference to other users: I too was experiencing the error:
msg="Error validating csrf cookie"
error="CSRF cookie does not match state"
with the in the documentation recommended docker v2
image from docker hub.
The error happened after the initial cookie expired (which was 30 days after initial authentication).
I could work around the issue by using a private browser session.
After updating to the latest
docker image the issue seems to be resolved.
Best regards,
Lieven.
from traefik-forward-auth.
I find myself revisiting this thread again but this time, my issue was I didn't have the user in the WHITELIST - added that and voila! If that helps anyone..
from traefik-forward-auth.
I can confirm that although a similar issue (intermittently) persisted on tags
:2
AND2.2
, they are resolved on:latest
(b364aa6a4117
)
What would we, the ones running on arm
do? :(
from traefik-forward-auth.
I can confirm that although a similar issue (intermittently) persisted on tags
:2
AND2.2
, they are resolved on:latest
(b364aa6a4117
)What would we, the ones running on
arm
do? :(
@GuyKh you can use the 2.2.1 multi-arch image here https://github.com/Beanow/traefik-forward-auth/pkgs/container/traefik-forward-auth. Works like a charm.
Credit to @Beanow who built it as part of #275.
from traefik-forward-auth.
Nope... still getting
level=info msg="Missing csrf cookie" handler=AuthCallback ...
from traefik-forward-auth.
Related Issues (20)
- On redirect Traefik-forward-auth strips away any existing query-params after successfully authenticating (oauth)
- Google OAuth Set CSRF cookie and redirected to provider login url HOT 4
- Not found "_oauth" with Azure provider HOT 1
- Use docker secrets for environment variables HOT 2
- Feature request: Pull information about groups of user HOT 1
- How to check for token revocation?
- Safe deployment HOT 1
- multiple whitelist users in rules doesn't work HOT 1
- go-compiler Multiple Vulnerabilities
- whitelist rule not working with arm64 images or images <= 2.2
- Invalid Cookie should point to a recoverable state
- oidc: issuer did not match the issuer returned by provider HOT 2
- oidc: id token signed with unsupported algorithm, expected ["RS256"] got "ES384" HOT 2
- 404 not found after Successful Sign in HOT 2
- Endless loop when using OIDC (cognito) as provider ERR_TOO_MANY_REDIRECTS HOT 3
- Missing Binary Files (and Instructions)
- Device code flow support
- Whitelist is case sensitive
- Getting this error when trying to install via truecharts HOT 1
- Trim the whitelisted emails
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from traefik-forward-auth.