Interest in upstreaming optional role-based access control via request header? #421

@vilmosnagy

Hi,

First of all, thanks for maintaining this project — we've been using traefik-forward-auth together with Traefik and Keycloak to protect several internal applications.

In our setup we needed per-application role-based access control, so we implemented a small customization on top of traefik-forward-auth. The idea is:

  • A Traefik middleware sets a header (e.g. X-Required-Role) using customRequestHeaders.
  • traefik-forward-auth reads this header and checks whether the authenticated user has the required role.
  • The user's roles are stored in the signed authentication cookie, so this check does not require an additional request to Keycloak.
  • If the role is missing, access is denied.

This allows us to define RBAC per Traefik route/app without modifying the protected applications themselves.

Since the header is injected by Traefik middleware (and not trusted from the client), it works well for our use case.

Before investing time in polishing this change, we wanted to ask:

Would you be open to merging a feature like this upstream if it were implemented in a clean and optional way?

If so, we would be happy to:

  • rebase our internal implementation onto the current codebase
  • adapt it to match the project's preferred design
  • open a PR for discussion.

If this is outside the intended scope of the project, that's totally fine as well - we just wanted to check before preparing a contribution.

Thanks!
