AuthN and AuthZ with traefik for micro-services

Aim of the article:

  1. Deploy API gateway in front of a micro-service (say foo)
  2. Delegate authN to another micro-service (say auth) for all requests
  3. Enable OAuth 2.0 Google authN in the micro-service auth
  4. Forward user info to other micro-services upon successful authN


  1. authlib: I have developed my example on the one provided here
  2. traefik documentation for forwardAuth plugin:

I recently started learning about how authN and authZ is solved in micro service architecture. Unlike monolith applications where session information is stored and available to be consumed across all APIs, in micro service architecture it is not feasible to store & sync this information per service. Thus, this creates a need for an API gateway via which all API calls to micro services are routed only if user is authenticated.

To achieve the same, I came across traefik which is a light weight reverse proxy & HTTP load-balancer. It provides automatic discovery of services across multiple providers for eg. docker, kubernetes, etc. So, let’s try to develop a small project with AuthZ and AuthN in place using traefik.

Let’s start with writing the services foo & auth:

# folder per service
$ mkdir foo auth
# setup foo service
$ touch foo/
# setup auth service
$ touch auth/

We create a virtual env for testing where we ensure we add the following packages and then ensure that virtual env is activated:


Now, we add minimal code to service foo:

# run the service foo
$ python foo/
# validate the service is up and running
$ curl http://localhost/
<p>Hello, I am service foo!</p>

Let’s add the logic to service auth also now. Similarly like service foo, we define the where we post creating the app, we wrap it with the OAuth object.

I am using authlib library, documentation for the same can be found here:

But, before we continue, we need to setup oauth2.0 Google API on GCP console. You can follow Google’s documentation / this medium article to setup the same. We need the following data post setup to get the auth app working:


You can choose to remove the database part and have the app not store/lookup user/token upon login/authorize. I am trying to cover an exhaustive example to give the complete picture :)

You can run the auth service the same way you ran foo service. To validate the authorization workflow, visit http://localhost/rbac/login on your machine. If all the data provided is correct and localhost is whitelisted in Google console, you should be redirected to Google’s authorization page. Upon successful authZ, you should get a JSON response with token info in header named X-Auth-User.

Adding the API Gateway — traefik in front of our micro services:

We will make use of docker runtime here so that we can make use of autodiscovery of rules by traefik. To do so, we will perform the following steps:

  1. Dockerize both foo and auth service
  2. Add docker-compose.yaml file defining how to bring up the services.
  3. Add labels to the services in docker-compose.yaml which traefik can discover to redirect API calls accordingly

We first ensure that our directory structure looks like the following:


We have already added foo/ and auth/ above. Let’s see what other files are supposed to look like:


FROM python:3
RUN pip install Flask>=1.0.0
ADD . /app
CMD ["python", ""]


FROM python:3
RUN pip install Flask>=1.0.0 requests==2.22.0 Authlib==0.13
ADD . /app
CMD ["python", ""]

To build docker images for these service you can perform the following:

# foo docker image
cd foo && docker build -t foo:test .
# auth docker images
cd auth && docker build -t auth:test .

Now, we populate the docker-compose.yaml to define the service deployment

For more documentation on traefik’s forwardauth and rules specified in labels below, refer to the documentation

we are still yet to define traefik.toml for configuring traefik:

And, we are done with the setup now. So, let’s run.

# deploy the services
cd deployment && docker-compose up -d

To validate the oauth workflow, go to http://localhost/foo/ on your browser.

NOTE: Remember to either remove the user/token models usage completely or implement the required CRUD methods to enable the successful execution of the apps.




I write about tech

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

History of MATLAB Published by the ACM

Focus on accessibility

How to apply Object-Oriented-Programming-System (OOPS) Concepts

An insider look at WCAG 3.0

WCAG 3 Logo

Cost saving strategies with Cloud Hosting — Part 2


Self -Taught VS Boot-camp route

Chainlink External Adapters : HttpPost Core Adapter vs. Bridge Adapter Dataflow and General Usage

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


I write about tech

More from Medium

Writing Embedded Software Tests Fit for Continuous Integration Platforms Using Docker, Qemu, and…

Get Proper Nouns in a String using Java: NLP API

Setting up Hadoop with Docker and using MapReduce framework

Near Realtime Data Monitoring: A Simple Javascript