Hanzo
PlatformHanzo IAMIntegrationsGo

Traefik

Protect services behind Traefik with Hanzo IAM auth (SSO).

Use Traefik with the traefik-iam-auth middleware to protect routes with Hanzo IAM authentication and SSO.

Prerequisites

  • Traefik v2.x or v3.x installed and running
  • A Hanzo IAM instance deployed and accessible
  • Docker and Docker Compose (if using the containerized approach)

Step 1: Deploy Hanzo IAM

Deploy Hanzo IAM if needed. Then confirm:

  • The Hanzo IAM server is running and accessible
  • You can log in to the Hanzo IAM admin interface
  • Test the login functionality by entering admin and 123

Step 2: Configure the Hanzo IAM application

  1. Create or edit a Hanzo IAM application.
  2. Add a redirect URL in the form: 
    http://<your-domain>/callback
    For example: http://localhost:8080/callback
  3. Note down the following values from your application settings:
    • Client ID
    • Client Secret
    • Organization Name
    • Application Name

Hanzo IAM Application Setting

  1. Configure your application to use the appropriate authentication providers as needed.

Step 3: Deploy traefik-iam-auth Middleware

There are two ways to deploy the Traefik Hanzo IAM Auth middleware:

Create a docker-compose.yml file:

version: '3'

services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    restart: unless-stopped
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik-network

  iam-auth:
    image: casbin/traefik-iam-auth:latest
    container_name: iam-auth
    restart: unless-stopped
    environment:
      - IAM_ENDPOINT=http://localhost:8000
      - CLIENT_ID=<your-client-id>
      - CLIENT_SECRET=<your-client-secret>
      - IAM_ORGANIZATION=<your-organization>
      - IAM_APPLICATION=<your-application>
      - CALLBACK_URL=http://localhost/callback
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.iam-auth.forwardauth.address=http://iam-auth:8080/verify"
      - "traefik.http.middlewares.iam-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
    networks:
      - traefik-network

  # Example protected service
  whoami:
    image: traefik/whoami
    container_name: whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`localhost`)"
      - "traefik.http.routers.whoami.entrypoints=web"
      - "traefik.http.routers.whoami.middlewares=iam-auth@docker"
    networks:
      - traefik-network

networks:
  traefik-network:
    driver: bridge

Replace the placeholder values:

- `<your-client-id>`: Your Hanzo IAM application client ID
- `<your-client-secret>`: Your Hanzo IAM application client secret
- `<your-organization>`: Your Hanzo IAM organization name
- `<your-application>`: Your Hanzo IAM application name

Start the services:

```bash
docker-compose up -d

### Option 2: Using Binary Deployment

1. Download the latest release from the [traefik-iam-auth releases page](https://github.com/iam/traefik-iam-auth/releases).

2. Create a configuration file `config.yaml`:

```yaml
iam:
  endpoint: "http://localhost:8000"
  clientId: "<your-client-id>"
  clientSecret: "<your-client-secret>"
  organizationName: "<your-organization>"
  applicationName: "<your-application>"

server:
  port: 8080
  callbackUrl: "http://localhost/callback"

1. Run the middleware:

```bash
./traefik-iam-auth --config config.yaml

1. Configure Traefik to use the middleware. Add to your Traefik dynamic configuration:

```yaml
http:
  middlewares:
    iam-auth:
      forwardAuth:
        address: "http://localhost:8080/verify"
        authResponseHeaders:
          - "X-Forwarded-User"

  routers:
    my-protected-service:
      rule: "Host(`example.com`)"
      middlewares:
        - iam-auth
      service: my-service

## Step 4: Test the Integration

1. Access your protected service through Traefik (e.g., `http://localhost` if using the Docker Compose example).

2. You should be redirected to the Hanzo IAM login page.

3. Log in with your Hanzo IAM credentials.

4. After successful authentication, you will be redirected back to your protected service.

5. The middleware will set the `X-Forwarded-User` header with the authenticated user's information, which your backend service can use.

## Configuration Options

The traefik-iam-auth middleware supports the following environment variables:

| Variable | Description | Required |
|----------|-------------|----------|
| `IAM_ENDPOINT` | URL of your Hanzo IAM instance | Yes |
| `CLIENT_ID` | Hanzo IAM application client ID | Yes |
| `CLIENT_SECRET` | Hanzo IAM application client secret | Yes |
| `IAM_ORGANIZATION` | Hanzo IAM organization name | Yes |
| `IAM_APPLICATION` | Hanzo IAM application name | Yes |
| `CALLBACK_URL` | OAuth callback URL | Yes |
| `JWT_SECRET` | Secret for JWT token signing (auto-generated if not set) | No |
| `SESSION_TIMEOUT` | Session timeout in seconds (default: 3600) | No |
| `LOG_LEVEL` | Logging level: debug, info, warn, error (default: info) | No |

## Advanced Configuration

### Using HTTPS

For production deployments, it's recommended to use HTTPS. Update your Traefik configuration to include TLS:

```yaml
services:
  traefik:
    command:
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=your-email@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./letsencrypt:/letsencrypt

And update your service router configuration:

```yaml
labels:
  - "traefik.http.routers.whoami.entrypoints=websecure"
  - "traefik.http.routers.whoami.tls.certresolver=myresolver"

### Customizing Session Behavior

You can customize session timeout and other behaviors:

```yaml
environment:
  - SESSION_TIMEOUT=7200  # 2 hours
  - LOG_LEVEL=debug

## Troubleshooting

### Redirect Loop

If you experience a redirect loop:

1. Verify that the `CALLBACK_URL` matches the redirect URL configured in your Hanzo IAM application.
2. Check that cookies are enabled in your browser.
3. Ensure the middleware can reach the Hanzo IAM endpoint.

### Authentication Fails

If authentication fails:

1. Check that the `CLIENT_ID` and `CLIENT_SECRET` are correct.
2. Verify that the Hanzo IAM organization and application names are correct.
3. Check the middleware logs for detailed error messages: `docker logs iam-auth`

### 502 Bad Gateway

If you see a 502 error:

1. Ensure the iam-auth service is running: `docker ps`
2. Check that all services are on the same Docker network.
3. Verify the ForwardAuth address is correct in the Traefik configuration.

## Resources

- [Traefik Hanzo IAM Auth GitHub Repository](https://github.com/iam/traefik-iam-auth)
- [Traefik ForwardAuth Middleware Documentation](https://doc.traefik.io/traefik/middlewares/http/forwardauth/)
- [Hanzo IAM Documentation](/docs/overview)

How is this guide?

Last updated on

OpenShift

Using Hanzo IAM for authentication in OpenShift

Bytebase

Use Hanzo IAM as the OAuth2/OIDC provider for Bytebase SSO.

On this page

Prerequisites
Step 1: Deploy Hanzo IAM
Step 2: Configure the Hanzo IAM application
Step 3: Deploy traefik-iam-auth Middleware
Option 1: Using Docker Compose (Recommended)