Welcome to ForwardAuth for Auth0’s documentation!

ForwardAuth for Auth0 is a authorization proxy written specifically for use with the Traefik, The Cloud Native Edge Router, and the Auth0 Identity Management Platform.

Traefik will act as the gate to your applications, and the ForwardAuth application will act as the gatekeeper and authorize requests to your applications. Management of users, roles and permissions are handled in Auth0.

Caution

There is some important breaking changes in version 2.0 of ForwardAuth.

For those that want to delay upgrade from 1.0 to 2.0 version, there is a docker image with tag 1.0 that you can continue to use, but it will not get any further updates and I encourage you to upgrade to 2.0 as soon as possible.

It is now mandatory to set an audience when requesting authorization. This change is required due to how Auth0 handles two different kinds of token formats, opaque tokens and jwt tokens, for access tokens. The only token that is possible to validate and verify is the jwt token. Therefor its from now on required to set the audience in the application config and the application will not work otherwise.

The version 2.0 configuration also has some new fields that need to be set for the application to start up. See Upgrade Notes for information about compatability and upgrades between versions. The page Configuration should have a update to date example for the latest version.

Features

• Protect your applications with Authorization and Authentication using Auth0 rich feature set.

• Shared-host auth-mode for single sign-on for a whole domain and a whole set of services.

• Sub-Path auth-mode for restricting single sign-on per sub-domain configuration to restrict SSO to a sub-domain.

• Support for Auth0 API permissions natively to block access to services by API permissions.

• Implement a powerful BeyondCorp policy control using Auth0 Rules + Auth0 Auth Core with RBAC.

• Restrict selected HTTP methods, let other methods be unrestricted.

• Signout and userinfo endpoint for other applications to use.

Documentation

Getting started

• Installation
  • Run in Kubernetes
  • Run in Docker Compose
• Configuration
  • Application configuration
  • Complete configuration file format
• Live Demo
• Upgrade Notes
  • Upgrade to version 2.0 from version 1.0

Examples

• Kubernetes
  • Install ForwardAuth with Helm
  • Traefik 2.0 Kubernetes Customer Resource Definition
• Traefik 1.x
• Traefik 2.x
  • File provider configuration
  • Traefik 2.x Docker provider configuration

Auth0

• What is Auth0?
  • Auth0 Central Components
  • Authorization Code OAuth 2.0 grant-flow
  • Applications
  • API’s
  • Users and Roles
  • Assign permissions to the Roles.
  • Require Permissions to access an application in ForwardAuth
• Auth0 Configuration
  • Auth0 Step by Step configuration
• OAuth and Open ID Connect
  • The different roles of OAuth and how they are related to ForwardAuth
  • Tokens
  • Reference

Developer guide

• Development
  • Architecture
  • Compile with Maven
  • Continuous integration and deployment
  • Run with Maven
  • Run with Docker
  • Run with Docker-Compose
  • Configuration
  • Release
  • Tags
  • Tech
• ForwardAuth API
• Diagrams
  • Component diagram
  • Sequence diagram
  • Authorization activity diagram
  • Authentication activity diagram
• Contributing

Extra information

• Receipts
  • Whitelist email addresses that has access
  • Automatic assign default roles based on conditions in rule with the new Auth0’s Core Authorization
• Frequently asked Questions
  • Q: Why Opaque Access Tokens is not supported?
  • Q: How do I check if ForwardAuth is accessible through Traefik?
  • Q: How do I adjust loglevel in application?
  • Q: Updates in permissions/api/applications does not show in ForwardAuth and I still get permission denied?
  • Q: How do I check if the application is running?
• Todos