Authentication
SSO and OAuth flows using Zitadel and OAuth2-Proxy.
Overview
RavenmaskOS uses Zitadel as the identity provider and OAuth2-Proxy for forward authentication.
- Zitadel: https://auth.ravenhelm.dev
- OAuth2-Proxy: https://oauth.ravenhelm.dev
Authentication Flow
User → Traefik → OAuth2-Proxy → Zitadel → Service
Services that do not support native OIDC are protected with the OAuth2-Proxy middleware in Traefik.
Onboarding a New Service
- Create an OIDC application in Zitadel.
- Configure OAuth2-Proxy or the service with the Client ID/Secret.
- Add Traefik labels for forward auth middleware.
Example middleware reference used by services:
traefik.http.routers.<service>.middlewares=oauth2-proxy-auth@docker
Headers
OAuth2-Proxy forwards identity headers such as:
- X-Auth-Request-Email
- X-Auth-Request-User
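A service behind the forward-auth middleware should accept these headers only on requests that arrived through Traefik, because a client that reaches the service directly can set them itself. The following WSGI check is an added example, not RavenmaskOS code; the network range `172.18.0.0/16` and the names `Identity`, `identity_from_environ` and `RequireProxyIdentity` are assumptions for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Assumption: the Docker network Traefik connects from (constructed value).
TRUSTED_PROXY_NETS = [ipaddress.ip_network("172.18.0.0/16")]


class Identity(NamedTuple):
    user: str
    email: str


def from_trusted_proxy(remote_addr: str, nets=TRUSTED_PROXY_NETS) -> bool:
    """True only if the TCP peer is inside a network the proxy connects from."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # empty or malformed peer address is never trusted
    return any(peer in net for net in nets)


def identity_from_environ(environ: dict, nets=TRUSTED_PROXY_NETS) -> Optional[Identity]:
    """Read X-Auth-Request-User/Email from a WSGI environ.

    The headers are ignored unless the request came from the proxy, and
    both must be present and non-empty.
    """
    if not from_trusted_proxy(environ.get("REMOTE_ADDR", ""), nets):
        return None
    user = environ.get("HTTP_X_AUTH_REQUEST_USER", "").strip()
    email = environ.get("HTTP_X_AUTH_REQUEST_EMAIL", "").strip()
    if not user or not email:
        return None
    return Identity(user, email)


class RequireProxyIdentity:
    """WSGI middleware: respond 401 unless a proxy-supplied identity is present."""

    def __init__(self, app, nets=TRUSTED_PROXY_NETS):
        self.app, self.nets = app, nets

    def __call__(self, environ, start_response):
        ident = identity_from_environ(environ, self.nets)
        if ident is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        environ["app.identity"] = ident  # hypothetical key for downstream handlers
        return self.app(environ, start_response)
```

The peer-address check complements network isolation; keeping the service port unpublished so that only Traefik can reach it remains the primary control.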
Related
- Identity Stack - Zitadel and OAuth2-Proxy setup
- Security/Authorization