Tutorial: How to use Fief with Docker Compose along with other services

[gabrielcnegre]

Hey everyone,

I've been in the development field for several years, but surprisingly, this is my first contribution to a GitHub thread. I apologize if there are any procedural errors or if this isn't the optimal place to share this solution.

First and foremost, I'd like to express my gratitude for this project. I genuinely hope for its immense success.

Recently, I've been experimenting with Fief in one of my projects. I noticed there's been a significant amount of discussion on integrating Fief with Compose. The primary challenges revolve around how the Fief client authenticates in conjunction with Docker networking. In short, the keys and the openid configuration returned by the server are associated with the host. However, the internal service's API call host isn't identical to the host accessed from localhost (e.g., accessing a FastAPI service via a browser).

Some have suggested using ngrok as a solution, but I encountered challenges. The jwks, for instance, returns URI`s to http, which the client struggles to handle (since it gets redirected). Additionally, ngrok introduces other complications, like with OpenAPI docs. (mixed http/https sources)

The other idea was to change the docker networking to host, but this still did not work, since the origin host that calls the client is different that the one calling the API.

I've found a working solution: Traefik!

Since Traefik serves as a reverse proxy it allows you to configure routers to localhost subdomains. Subsequently, these subdomains can be directed to your machine's localhost (labeled "host-gateway") within the services, ensuring consistent hostnames.

x-fief:
  &fief
  environment:
    - SECRET=${FIEF_SECRET}
    - FIEF_CLIENT_ID
    - FIEF_CLIENT_SECRET
    - ENCRYPTION_KEY=${FIEF_ENCRYPTION_KEY}
    - PORT=8000
    - ROOT_DOMAIN=${FIEF_ROOT_DOMAIN}
    - FIEF_DOMAIN=${FIEF_DOMAIN}
    - FIEF_MAIN_USER_EMAIL
    - FIEF_MAIN_USER_PASSWORD
    - DATABASE_TYPE=POSTGRESQL
    - DATABASE_HOST=${POSTGRES_HOST}
    - DATABASE_PORT=${POSTGRES_PORT}
    - DATABASE_USERNAME=${FIEF_POSTGRES_USER}
    - DATABASE_PASSWORD=${FIEF_POSTGRES_PASSWORD}
    - DATABASE_NAME=${FIEF_POSTGRES_DB}
    - REDIS_URL=redis://${REDIS_USER}:${REDIS_PASSWORD}@${REDIS_HOST}:${REDIS_PORT}
  depends_on:
    - postgres
    - redis
    
services:
  
  #... your other services ...

   traefik: # HERE
      image: traefik:v2.4
      command:
        - "--api.insecure=true"
        - "--providers.docker=true"
        - "--providers.docker.exposedbydefault=false"
        - "--entrypoints.web.address=:80"
      ports:
        - 80:80
        - 8080:8080
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock:ro
       
   api:
      <<: *backend
      command: uvicorn api.main:app --host 0.0.0.0 --port 8000 --reload
      extra_hosts: # HERE 
        - "fief.localhost:host-gateway"                                                                     
      labels: # HERE
        - "traefik.enable=true" 
        - "traefik.http.routers.api.rule=Host(`api.localhost`)"
        - "traefik.http.routers.api.entrypoints=web"
        - "traefik.http.services.api.loadbalancer.server.port=8000"
      expose: # HERE
        - 8000
      
  fief-server:
    <<: *fief
    image: ghcr.io/fief-dev/fief:latest
    command: fief run-server --port 8000
    labels: # HERE
      - "traefik.enable=true"
      - "traefik.http.routers.fief.rule=Host(`fief.localhost`)"
      - "traefik.http.routers.fief.entrypoints=web"
      - "traefik.http.services.fief.loadbalancer.server.port=8000"
    expose: # HERE
      - 8000
      
  fief-worker:
      <<: *fief
      image: ghcr.io/fief-dev/fief:latest
      command: fief run-worker -p 1 -t 1

.env

FIEF_SECRET=XXX
FIEF_CLIENT_ID=XXX
FIEF_CLIENT_SECRET=XXX
FIEF_ENCRYPTION_KEY=XXX
FIEF_PORT=8000
FIEF_ROOT_DOMAIN=localhost
FIEF_DOMAIN=fief.localhost
[email protected]
FIEF_MAIN_USER_PASSWORD=XXX
FIEF_SERVER_URL=http://fief.localhost

If you want to use FastAPI:

from typing import Annotated

from fastapi import Depends
from fastapi.security import OAuth2AuthorizationCodeBearer
from fief_client import FiefAccessTokenInfo, FiefAsync
from fief_client.integrations.fastapi import FiefAuth

from settings import settings

fief = FiefAsync(settings.fief_server_url, settings.fief_client_id, settings.fief_client_secret)

oauth2 = OAuth2AuthorizationCodeBearer(
    f"{settings.fief_server_url}/authorize",
    f"{settings.fief_server_url}/api/token",
    scopes={"openid": "openid", "offline_access": "offline_access"},
    auto_error=False,
)

auth = FiefAuth(fief, oauth2)

AuthenticatedUser = Annotated[FiefAccessTokenInfo, Depends(auth.authenticated())]

Now you can access Fief at "fief.localhost" and your api at "api.localhost".

Hope it helps! (Please feel free to ask anything or offer suggestions / improvements)

[fief-bailiff[bot]]

Hail, @gabrielcnegre 👋 Welcome to Fief's kingdom!

Our team will get back to you very soon to help.

In the meantime, take a minute to star our repository ⭐️

Farewell!

[ScottFred]

@gabrielcnegre I really like what you are attempting to show here with Traefik, but your example is too incomplete; it's as if it is a snippet of a larger project and things were left out. For example:

• You reference the Docker Compose YML extension field "*backend" in the Compose api service, but it isn't defined, so it's hard to tell what additional settings you included there. Likely a Docker Image name, some environment variables?
• Your FastAPI example, the api service, seems to be incomplete because your Uvicorn command is referencing an api.main:app which is presumably the FastAPI example code that you show, but seems to be incomplete. Specifically, if that file is supposed to be api/main.py there is no app = FastAPI() for Uvicorn to find to execute... so maybe this again is a snippet of a larger FastAPI application that you put in here? Or maybe I'm missing something else?
• You created a depends-on rule in Docker Compose for redis and postgres, but then didn't include them in this Docker Compose file; maybe that's what you meant by "#... your other services ..." in the docker-compose.yml file? There are also several environment variables that are needed within your docker-compose.yml file, but not defined in your .env file.

IMHO: If you're going to post an example like this, it would be more helpful if it were a complete and working example rather than just some hints.

I also looked to see if you had a public GitHub repo to see if this would be available there, but you don't have any public repos.

I created a new Discussion post with my take on the Docker Compose and other files.

Thanks for helping us all get a little further with this process.

[gabrielcnegre]

Hey Scott!

Thanks for the feedback! I will improve it.

As I said, I've never worked on open source, nor have I made anything public. (I want to change that)

The idea of my snippet was just to show how you would configure Traefik (through Docker Compose labels) to be able to run Fief along with other services locally inside the same compose "stack", allowing other services to call Fief as well as making it accessible through the host machine (browser).

Since it's code from my business, I removed everything and left what I thought was relevant/useful to the solution (that is, assuming you know Docker and FastAPI, you could get the idea).

About the individual points:

backend references a YAML anchor that defines some service properties. I thought that leaving only the relevant definitions pertaining to Traefik would be enough to understand the bigger picture.

Yes, the code is a snippet from a larger project. It's there just to show how you could configure Fief's FastAPI dependency - again, I really thought it would be enough. This code could live in a "fief.py" or "dependencies.py".

Yes, you are right, that's why I inserted the "your services here". Also, I just wrote ENV variables that are related to FIEF and whose values were not "obvious".

I just wanted to help since it took me a day to figure out the best way to run Fief in my local environment, and admittedly, I was a little proud of my solution (since I did not find it anywhere).

I will see the discussion you created and try to provide some help.

[ScottFred]

@gabrielcnegre Yup, I agree, you should be proud of your Traefik reverse proxy solution. And since you admitted that you had not contributed to open source much, I thought I'd help you see how to help the community even more. For example, it's really nice when we can use Docker to rebuild your environment locally on our own system and experiment with it. I'm very familiar with Docker, but I'm not familiar with Traefik and wasn't aware you could use Docker Labels to configure it. I'll be digging into Traefik. Thanks for your more detailed response on my other post. I'll respond there.

[kielerrr]

Thank you! I'm deploying to k8s with traefik doing the routing.
This fixed the hosts issue I was having.