docs: add common oidc shortcode and update (#4862)

pull/4864/head^2
James Elliott 2023-02-02 12:30:06 +11:00 committed by GitHub
parent 2611591359
commit 7e285f461f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
26 changed files with 120 additions and 198 deletions


@ -119,7 +119,7 @@ identity_providers:
clients:
- id: myapp
description: My Application
secret: '$plaintext$this_is_a_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
sector_identifier: ''
public: false
authorization_policy: two_factor
@ -171,8 +171,8 @@ JSON key's in the JWKs [Discoverable Endpoint](../../integration/openid-connect/
as per [RFC7517].
[RFC7517]: https://www.rfc-editor.org/rfc/rfc7517
[x5c]: https://www.rfc-editor.org/rfc/rfc7517#section-4.7
[x5t]: https://www.rfc-editor.org/rfc/rfc7517#section-4.8
[x5c]: https://datatracker.ietf.org/doc/html/rfc7517#section-4.7
[x5t]: https://datatracker.ietf.org/doc/html/rfc7517#section-4.8
The first certificate in the chain must have the public key for the [issuer_private_key](#issuerprivatekey), each
certificate in the chain must be valid for the current date, and each certificate in the chain should be signed by the
@ -534,7 +534,7 @@ To integrate Authelia's [OpenID Connect 1.0] implementation with a relying party
[RFC6234]: https://www.rfc-editor.org/rfc/rfc6234.html
[RFC4648]: https://www.rfc-editor.org/rfc/rfc4648.html
[RFC7468]: https://www.rfc-editor.org/rfc/rfc7468.html
[RFC6749 Section 2.1]: https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1
[RFC6749 Section 2.1]: https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
[PKCE]: https://www.rfc-editor.org/rfc/rfc7636.html
[Authorization Code Flow]: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
[Subject Identifier Type]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
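Review bot: the link migration in this file is inconsistent: `[x5c]`, `[x5t]` and `[RFC6749 Section 2.1]` move to datatracker.ietf.org, while `[RFC7517]`, `[RFC6234]`, `[RFC4648]`, `[RFC7468]` and `[PKCE]` in the same hunks keep the rfc-editor.org form. Either host resolves, but mixing them on one page invites link-check churn later; pick one and apply it to the whole reference list while these lines are being touched.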


@ -164,7 +164,7 @@ characters and the user password is changed to this value.
{{< confkey type="string" required="yes" >}}
The sender is used to construct both the SMTP command `MAIL FROM` and to add the `FROM` header. This address must be
in [RFC5322](https://www.rfc-editor.org/rfc/rfc5322.html#section-3.4) format. This means it must one of two formats:
in [RFC5322](https://datatracker.ietf.org/doc/html/rfc5322#section-3.4) format. This means it must one of two formats:
* jsmith@domain.com
* John Smith <jsmith@domain.com>
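Review bot: the changed line still carries the pre-existing typo "This means it must one of two formats:" (missing "be"); since the line is rewritten for the link change anyway, correct it to "This means it must be one of two formats:".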


@ -589,7 +589,7 @@ match value is a list/slice).
The regex groups are case-insensitive due to the fact that the regex groups are used in domain criteria and domain names
should not be compared in a case-sensitive way as per the [RFC4343](https://www.rfc-editor.org/rfc/rfc4343.html)
abstract and [RFC3986 Section 3.2.2](https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2).
abstract and [RFC3986 Section 3.2.2](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2).
We do not currently apply any other normalization to usernames or groups when matching these groups. As such it's
generally *__not recommended__* to use these patterns with usernames or groups which contain characters that are not


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
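Review bot: the `[Generating Client Secrets]: ../specific-information.md#generating-client-secrets` reference definition is deleted together with the three notes, so any other reference-style `[Generating Client Secrets]` link further down these pages (outside this hunk) would now render as literal bracketed text; worth grepping every page this same hunk is applied to. Also confirm that the `{{% oidc-common %}}` shortcode carries note 3 ("You should not use the client secret in this example"), because the replacement example secret `insecure_secret` is now the same value on every integration page and is the obvious thing for a reader to copy.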
@ -38,7 +31,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://guacamole.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `guacamole`
* __Client Secret:__ `guacamole_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
@ -66,7 +59,7 @@ The following YAML configuration is an example __Authelia__
```yaml
- id: guacamole
description: Apache Guacamole
secret: '$plaintext$guacamole_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,7 +31,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://argocd.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `argocd`
* __Client Secret:__ `argocd_client_secret`
* __Client Secret:__ `insecure_secret`
* __CLI Client ID:__ `argocd-cli`
## Configuration
@ -51,7 +44,7 @@ To configure [Argo CD] to utilize Authelia as an [OpenID Connect 1.0] Provider u
name: Authelia
issuer: https://auth.example.com
clientID: argocd
clientSecret: argocd_client_secret
clientSecret: insecure_secret
cliClientID: argocd-cli
requestedScopes:
- openid
@ -69,7 +62,7 @@ which will operate with the above example:
```yaml
- id: argocd
description: Argo CD
secret: '$plaintext$argocd_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,13 +31,13 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://bookstack.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `bookstack`
* __Client Secret:__ `bookstack_client_secret`
* __Client Secret:__ `insecure_secret`
*__Important Note:__ [BookStack] does not properly URL encode the secret per [RFC6749 Appendix B] at the time this
article was last modified (noted at the bottom). This means you'll either have to use only alphanumeric characters for
the secret or URL encode the secret yourself.*
[RFC6749 Appendix B]: https://www.rfc-editor.org/rfc/rfc6749#appendix-B
[RFC6749 Appendix B]: https://datatracker.ietf.org/doc/html/rfc6749#appendix-B
## Configuration
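Review bot: the Important Note says to "use only alphanumeric characters for the secret" when the client does not URL encode per RFC6749 Appendix B, yet the new example secret `insecure_secret` contains an underscore. Underscore is an unreserved character under RFC3986 Section 2.3, so it passes through form encoding unchanged and the example does work, but the note's wording tells the reader to reject it; suggest "use only unreserved characters (letters, digits, `-`, `.`, `_`, `~`) for the secret" so the advice and the example agree.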
@ -58,7 +51,7 @@ To configure [BookStack] to utilize Authelia as an [OpenID Connect 1.0] Provider
2. OIDC_NAME: `Authelia`
3. OIDC_DISPLAY_NAME_CLAIMS: `name`
4. OIDC_CLIENT_ID: `bookstack`
5. OIDC_CLIENT_SECRET: `bookstack_client_secret`
5. OIDC_CLIENT_SECRET: `insecure_secret`
6. OIDC_ISSUER: `https://auth.example.com`
7. OIDC_ISSUER_DISCOVER: `true`
@ -71,7 +64,7 @@ which will operate with the above example:
```yaml
- id: bookstack
description: BookStack
secret: '$plaintext$bookstack_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -20,14 +20,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -36,13 +29,13 @@ This example makes the following assumptions:
* __Cloudflare Team Name:__ `example-team`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `cloudflare`
* __Client Secret:__ `cloudflare_client_secret`
* __Client Secret:__ `insecure_secret`
*__Important Note:__ [Cloudflare Zero Trust] does not properly URL encode the secret per [RFC6749 Appendix B] at the
time this article was last modified (noted at the bottom). This means you'll either have to use only alphanumeric
characters for the secret or URL encode the secret yourself.*
[RFC6749 Appendix B]: https://www.rfc-editor.org/rfc/rfc6749#appendix-B
[RFC6749 Appendix B]: https://datatracker.ietf.org/doc/html/rfc6749#appendix-B
## Configuration
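Review bot: same mismatch as on the BookStack page: the note asks for "only alphanumeric characters" while the new example secret `insecure_secret` has an underscore. Underscore is unreserved per RFC3986 Section 2.3, so the example is fine; align the note's wording ("only unreserved characters") rather than the secret.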
@ -62,7 +55,7 @@ To configure [Cloudflare Zero Trust] to utilize Authelia as an [OpenID Connect 1
6. Set the following values:
1. Name: `Authelia`
2. App ID: `cloudflare`
3. Client Secret: `cloudflare_client_secret`
3. Client Secret: `insecure_secret`
4. Auth URL: `https://auth.example.com/api/oidc/authorization`
5. Token URL: `https://auth.example.com/api/oidc/token`
6. Certificate URL: `https://auth.example.com/jwks.json`
@ -79,7 +72,7 @@ which will operate with the above example:
```yaml
- id: cloudflare
description: Cloudflare ZeroTrust
secret: '$plaintext$cloudflare_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,7 +31,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://gitea.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `gitea`
* __Client Secret:__ `gitea_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
@ -54,7 +47,7 @@ To configure [Gitea] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Authentication Name: `authelia`
2. OAuth2 Provider: `OpenID Connect`
3. Client ID (Key): `gitea`
4. Client Secret: `gitea_client_secret`
4. Client Secret: `insecure_secret`
5. OpenID Connect Auto Discovery URL: `https://auth.example.com/.well-known/openid-configuration`
{{< figure src="gitea.png" alt="Gitea" width="300" >}}
@ -86,7 +79,7 @@ will operate with the above example:
```yaml
- id: gitea
description: Gitea
secret: '$plaintext$gitea_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,7 +31,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://gitlab.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `gitlab`
* __Client Secret:__ `gitlab_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
@ -65,7 +58,7 @@ gitlab_rails['omniauth_providers'] = [
send_scope_to_token_endpoint: "false",
client_options: {
identifier: "gitlab",
secret: "gitlab_client_secret",
secret: "insecure_secret",
redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
}
}
@ -82,7 +75,7 @@ which will operate with the above example:
```yaml
- id: gitlab
description: GitLab
secret: '$plaintext$gitlab_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,7 +31,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://grafana.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `grafana`
* __Client Secret:__ `grafana_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
@ -58,7 +51,7 @@ enabled = true
name = Authelia
icon = signin
client_id = grafana
client_secret = grafana_client_secret
client_secret = insecure_secret
scopes = openid profile email groups
empty_scopes = false
auth_url = https://auth.example.com/api/oidc/authorization
@ -80,7 +73,7 @@ Configure the following environment variables:
| GF_AUTH_GENERIC_OAUTH_ENABLED | true |
| GF_AUTH_GENERIC_OAUTH_NAME | Authelia |
| GF_AUTH_GENERIC_OAUTH_CLIENT_ID | grafana |
| GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET | grafana_client_secret |
| GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET | insecure_secret |
| GF_AUTH_GENERIC_OAUTH_SCOPES | openid profile email groups |
| GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES | false |
| GF_AUTH_GENERIC_OAUTH_AUTH_URL | https://auth.example.com/api/oidc/authorization |
@ -100,7 +93,7 @@ which will operate with the above example:
```yaml
- id: grafana
description: Grafana
secret: '$plaintext$grafana_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,7 +31,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://harbor.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `harbor`
* __Client Secret:__ `harbor_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
@ -54,7 +47,7 @@ To configure [Harbor] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. OIDC Provider Name: `Authelia`
2. OIDC Provider Endpoint: `https://auth.example.com`
3. OIDC Client ID: `harbor`
4. OIDC Client Secret: `harbor_client_secret`
4. OIDC Client Secret: `insecure_secret`
5. Group Claim Name: `groups`
6. OIDC Scope: `openid,profile,email,groups`
7. For OIDC Admin Group you can specify a group name that matches your authentication backend.
@ -73,7 +66,7 @@ which will operate with the above example:
```yaml
- id: harbor
description: Harbor
secret: '$plaintext$harbor_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,7 +31,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://vault.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `vault`
* __Client Secret:__ `vault_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
@ -56,7 +49,7 @@ which will operate with the above example:
```yaml
- id: vault
description: HashiCorp Vault
secret: '$plaintext$vault_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -168,7 +168,7 @@ These endpoints implement OpenID Connect elements.
[OpenID Connect Discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html
[OAuth 2.0 Authorization Server Metadata]: https://www.rfc-editor.org/rfc/rfc8414.html
[JSON Web Key Sets]: https://www.rfc-editor.org/rfc/rfc7517.html#section-5
[JSON Web Key Sets]: https://datatracker.ietf.org/doc/html/rfc7517#section-5
[Authorization]: https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
[Token]: https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,7 +31,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://komga.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `komga`
* __Client Secret:__ `komga_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
@ -58,7 +51,7 @@ spring:
registration:
authelia:
client-id: `komga`
client-secret: `komga_client_secret`
client-secret: `insecure_secret`
client-name: Authelia
scope: openid,profile,email
authorization-grant-type: authorization_code
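Review bot: the values on the `client-id` and `client-secret` lines are wrapped in backticks inside what the `spring:` hunk header shows is a YAML application configuration block, so Spring would read the literal strings with backticks included and client authentication against Authelia would fail. Since the secret line is rewritten here, drop the backticks on both lines: `client-id: komga` and `client-secret: insecure_secret`.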
@ -78,7 +71,7 @@ which will operate with the above example:
```yaml
- id: komga
description: Komga
secret: '$plaintext$komga_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,7 +31,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://nextcloud.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `nextcloud`
* __Client Secret:__ `nextcloud_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
@ -55,7 +48,7 @@ $CONFIG = array (
'lost_password_link' => 'disabled',
'oidc_login_provider_url' => 'https://auth.example.com',
'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => 'nextcloud_client_secret',
'oidc_login_client_secret' => 'insecure_secret',
'oidc_login_auto_redirect' => false,
'oidc_login_end_session_redirect' => false,
'oidc_login_button_text' => 'Log in with Authelia',
@ -94,7 +87,7 @@ which will operate with the above example:
```yaml
- id: nextcloud
description: NextCloud
secret: '$plaintext$nextcloud_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,7 +31,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://outline.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `outline`
* __Client Secret:__ `outline_client_secret`
* __Client Secret:__ `insecure_secret`
*__Important Note:__ At the time of this writing [Outline] requires the `offline_access` scope by default. Failure to include this scope will result
in an error as [Outline] will attempt to use a refresh token that is never issued.*
@ -55,7 +48,7 @@ URL=https://outline.example.com
FORCE_HTTPS=true
OIDC_CLIENT_ID=outline
OIDC_CLIENT_SECRET=outline_client_secret
OIDC_CLIENT_SECRET=insecure_secret
OIDC_AUTH_URI=https://auth.example.com/api/oidc/authorization
OIDC_TOKEN_URI=https://auth.example.com/api/oidc/token
OIDC_USERINFO_URI=https://auth.example.com/api/oidc/userinfo
@ -73,7 +66,7 @@ which will operate with the above example:
```yaml
- id: outline
description: Outline
secret: '$plaintext$outline_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -24,14 +24,7 @@ aliases:
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -40,7 +33,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://portainer.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `portainer`
* __Client Secret:__ `portainer_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
@ -55,7 +48,7 @@ To configure [Portainer] to utilize Authelia as an [OpenID Connect 1.0] Provider
2. Provider: Custom
3. Enable *Automatic User Provision* if you want users to automatically be created in [Portainer].
4. Client ID: `portainer`
5. Client Secret: `portainer_client_secret`
5. Client Secret: `insecure_secret`
6. Authorization URL: `https://auth.example.com/api/oidc/authorization`
7. Access Token URL: `https://auth.example.com/api/oidc/token`
8. Resource URL: `https://auth.example.com/api/oidc/userinfo`
@ -74,7 +67,7 @@ which will operate with the above example:
```yaml
- id: portainer
description: Portainer
secret: '$plaintext$portainer_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -43,7 +43,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://proxmox.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `proxmox`
* __Client Secret:__ `proxmox_client_secret`
* __Client Secret:__ `insecure_secret`
* __Realm__ `authelia`
## Configuration
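Review bot: `* __Realm__ `authelia`` is missing the colon used by the other assumption bullets (`* __Client ID:__`), so it renders differently from its neighbours. Separately, this page's hunk headers start at `-43,7 +43,7` with no preceding seven-line deletion, which means the Proxmox page keeps its own copy of the Common Notes instead of switching to `{{% oidc-common %}}` like every other integration page in this commit; confirm that was deliberate.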
@ -60,7 +60,7 @@ To configure [Proxmox] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Issuer URL: `https://auth.example.com`
2. Realm: `authelia`
3. Client ID: `proxmox`
4. Client Key: `proxmox_client_secret`
4. Client Key: `insecure_secret`
5. Username Claim `preferred_username`
6. Scopes: `openid profile email`
7. Enable *Autocreate Users* if you want users to automatically be created in [Proxmox].
@ -76,7 +76,7 @@ which will operate with the above example:
```yaml
- id: proxmox
description: Proxmox
secret: '$plaintext$proxmox_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,7 +31,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://seafile.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `seafile`
* __Client Secret:__ `seafile_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
@ -55,7 +48,7 @@ To configure [Seafile] to utilize Authelia as an [OpenID Connect 1.0] Provider:
ENABLE_OAUTH = True
OAUTH_ENABLE_INSECURE_TRANSPORT = False
OAUTH_CLIENT_ID = "seafile"
OAUTH_CLIENT_SECRET = "seafile_client_secret"
OAUTH_CLIENT_SECRET = "insecure_secret"
OAUTH_REDIRECT_URL = 'https://seafile.example.com/oauth/callback/'
OAUTH_PROVIDER_DOMAIN = 'auth.example.com'
OAUTH_AUTHORIZATION_URL = 'https://auth.example.com/api/oidc/authorization'
@ -82,7 +75,7 @@ which will operate with the above example:
```yaml
- id: seafile
description: Seafile
secret: '$plaintext$seafile_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -34,6 +34,22 @@ using PBKDF2 which can be stored in the Authelia configuration.
### Plaintext
Authelia supports storing the plaintext secret in the configuration. This may be discontinued in the future. Plaintext
is either denoted by the `$plaintext$` prefix where everything after the prefix is the secret. In addition if the secret
does not start with the `$` character it's considered as a plaintext secret for the time being but is deprecated.
Authelia *technically* supports storing the plaintext secret in the configuration. This will likely be completely
unavailable in the future as it was a mistake to implement it like this in the first place. While some other OpenID
Connect 1.0 providers operate in this way, it's more often than not that they operating in this way in error. The
current *technical support* for this is only to prevent massive upheaval to users and give them time to migrate.
As per [RFC6819 Section 5.1.4.1.3](https://datatracker.ietf.org/doc/html/rfc6819#section-5.1.4.1.3) the secret should
only be stored by the authorization server as hashes / digests unless there is a very specific specification or protocol
that is implemented by the authorization server which requires access to the secret in the clear to operate properly in
which case the secret should be encrypted and not be stored in plaintext. The most likely long term outcome is that the
client configurations will be stored in the database with the secret both salted and peppered.
Authelia currently does not implement any of the specifications or protocols which require secrets being accessible in
the clear and currently has no plans to implement any of these. As such it's *__strongly discouraged and heavily
deprecated__* and we instead recommended that users remove this from their configuration entirely and use the
[Generating Client Secrets](#generating-client-secrets) guide.
Plaintext is either denoted by the `$plaintext$` prefix where everything after the prefix is the secret. In addition if
the secret does not start with the `$` character it's considered as a plaintext secret for the time being but is
deprecated as is the `$plaintext$` prefix.
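Review bot: several grammar slips in the new prose: "it's more often than not that they operating in this way in error" needs "they are operating"; "we instead recommended that users remove this" should be "we instead recommend"; and "Plaintext is either denoted by the `$plaintext$` prefix" has an "either" with no "or" (the second case is introduced by "In addition"), so "Plaintext is denoted by the `$plaintext$` prefix" reads cleaner. On substance the paragraph is sound, and the RFC6819 Section 5.1.4.1.3 citation is the right one for storing only digests server-side; it might help the reader to state in one line that the un-prefixed form and the `$plaintext$` form are both deprecated, since that is currently only implied by the final clause.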


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,7 +31,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://matrix.example.com/`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `synapse`
* __Client Secret:__ `synapse_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
@ -56,7 +49,7 @@ oidc_providers:
discover: true
issuer: "https://auth.example.com"
client_id: "synapse"
client_secret: "synapse_client_secret"
client_secret: "insecure_secret"
scopes: ["openid", "profile", "email"]
allow_existing_users: true
user_mapping_provider:
@ -76,7 +69,7 @@ which will operate with the above example:
```yaml
- id: synapse
description: Synapse
secret: '$plaintext$synapse_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Specific Notes
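Review bot: the removed definition pointed at `../specific-information.md#generating-client-secrets` (a `.md` relative link), while the shortcode that replaces it resolves its own link from a default path; confirm the rendered "Generating Client Secrets" link still resolves from this page's location, and check that no reference-style `[Generating Client Secrets]` usage remains below `### Specific Notes`.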
@ -43,7 +36,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://dsm.example.com/`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `synology-dsm`
* __Client Secret:__ `synology-dsm_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
@ -61,7 +54,7 @@ To configure [Synology DSM] to utilize Authelia as an [OpenID Connect 1.0] Provi
* Name: `Authelia`
* Well Known URL: `https://auth.example.com/.well-known/openid-configuration`
* Application ID: `synology-dsm`
* Application Key: `synology-dsm_client_secret`
* Application Key: `insecure_secret`
* Redirect URL: `https://dsm.example.com`
* Authorisation Scope: `openid profile groups email`
* Username Claim: `preferred_username`
@ -78,7 +71,7 @@ which will operate with the above example:
```yaml
- id: synology-dsm
description: Synology DSM
secret: '$plaintext$synology-dsm_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:


@ -216,9 +216,9 @@ to port 587 (_the `submission` port, a common alternative that uses STARTTLS ins
[docs-config-smtp-port]: ../../configuration/notifications/smtp.md#port
[cleartext]: https://cwe.mitre.org/data/definitions/312.html
[service-submissions]: https://www.rfc-editor.org/rfc/rfc8314#section-7.3
[port-465]: https://www.rfc-editor.org/rfc/rfc8314#section-3.3
[smtp-auth]: https://www.rfc-editor.org/rfc/rfc6409#section-4.3
[service-submissions]: https://datatracker.ietf.org/doc/html/rfc8314#section-7.3
[port-465]: https://datatracker.ietf.org/doc/html/rfc8314#section-3.3
[smtp-auth]: https://datatracker.ietf.org/doc/html/rfc6409#section-4.3
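Review bot: the rfc-editor.org to datatracker.ietf.org link normalization is unrelated to the shortcode work the commit title describes and repeats across several files; mention it in the commit message so the churn is explained, and keep the `#section-N.N` anchors as written, since the datatracker HTML view uses the same section ids.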
## Protection against open redirects


@ -200,7 +200,7 @@ This table suggests the parameters for the [SHA2 Crypt] algorithm:
[Bcrypt]: https://en.wikipedia.org/wiki/Bcrypt
[FIPS-140 compliance]: https://csrc.nist.gov/publications/detail/fips/140/2/final
[RFC9106 Parameter Choice]: https://www.rfc-editor.org/rfc/rfc9106.html#section-4
[RFC9106 Parameter Choice]: https://datatracker.ietf.org/doc/html/rfc9106#section-4
[YAML]: https://yaml.org/
[crypt hash generate]: ../cli/authelia/authelia_crypto_hash_generate.md
[Password Hashing Competition]: https://en.wikipedia.org/wiki/Password_Hashing_Competition


@ -39,11 +39,11 @@ Feature List:
* [User Consent](https://openid.net/specs/openid-connect-core-1_0.html#Consent)
* [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps)
* [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html)
* [RS256 Signature Strategy](https://www.rfc-editor.org/rfc/rfc7518.html#section-3.1)
* [RS256 Signature Strategy](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)
* Per Client Scope/Grant Type/Response Type Restriction
* Per Client Authorization Policy (1FA/2FA)
* Per Client List of Valid Redirection URI's
* [Confidential Client Type](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1)
* [Confidential Client Type](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)
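Review bot: while these feature-list lines are being touched, the neighbouring context line `Per Client List of Valid Redirection URI's` uses a possessive apostrophe for a plural; `URIs` is the correct form (the same applies to `JWK's` later in this file).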
### Beta 2
@ -56,7 +56,7 @@ Feature List:
* Token/Code Lifespan
* Client Debug Messages
* Client Audience
* [Public Client Type](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1)
* [Public Client Type](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)
### Beta 3
@ -97,7 +97,7 @@ Feature List:
Feature List:
* [JWK's backed by X509 Certificate Chains](https://www.rfc-editor.org/rfc/rfc7517#section-4.7)
* [JWK's backed by X509 Certificate Chains](https://datatracker.ietf.org/doc/html/rfc7517#section-4.7)
* Hashed Client Secrets
* Per-Client [Consent](https://openid.net/specs/openid-connect-core-1_0.html#Consent) Mode:
* Explicit:


@ -0,0 +1,18 @@
{{ $specificinfo := "../specific-information/" }}{{ $config := "../../../configuration/identity-providers/open-id-connect.md" }}
{{- with .Get "specificinfo" }}{{ $specificinfo = . }}{{ end }}
{{- with .Get "config" }}{{ $config = . }}{{ end }}
### Common Notes
1. The [OpenID Connect 1.0](https://openid.net/specs/openid-connect-core-1_0.html) `client_id` parameter:
1. This *__must__* be a unique value for every client.
2. The value used in this guide is merely for demonstration purposes and you can theoretically use nearly any
alphanumeric string.
2. The [OpenID Connect 1.0](https://openid.net/specs/openid-connect-core-1_0.html) `secret` parameter:
1. The value used in this guide is merely for demonstration purposes and you *__should absolutely not__* use this in
production and should instead utilize the
[Generating Client Secrets]({{ $specificinfo }}#generating-client-secrets) guide.
2. This string may be stored as plaintext in the Authelia configuration but this behaviour is deprecated and is not
guaranteed to be supported in the future. See the [Plaintext]({{ $specificinfo }}#plaintext) guide for more
information.
3. The Configuration example for Authelia is only a portion of the required configuration and it should be used as a
guide in conjunction with the standard [OpenID Connect 1.0 Configuration]({{ $config }}) guide.
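Review bot: item 2 describes `secret` as an "OpenID Connect 1.0 `secret` parameter", but `secret` is Authelia's client configuration key (the protocol-level parameter the relying party sends is `client_secret`); suggest "The Authelia client `secret` configuration option" to avoid implying it is part of the specification. Separately, the `$specificinfo` default `../specific-information/` uses a trailing-slash path whereas the notes this shortcode replaces used `.md` relative links; confirm Hugo resolves both `{{ $specificinfo }}#generating-client-secrets` and `{{ $specificinfo }}#plaintext` from every guide that invokes `{{% oidc-common %}}`, or pass `specificinfo` explicitly where the default does not fit.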