diff --git a/docs/content/en/configuration/identity-providers/open-id-connect.md b/docs/content/en/configuration/identity-providers/open-id-connect.md index 5d21f92b7..4b7984953 100644 --- a/docs/content/en/configuration/identity-providers/open-id-connect.md +++ b/docs/content/en/configuration/identity-providers/open-id-connect.md @@ -119,7 +119,7 @@ identity_providers: clients: - id: myapp description: My Application - secret: '$plaintext$this_is_a_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. sector_identifier: '' public: false authorization_policy: two_factor @@ -171,8 +171,8 @@ JSON key's in the JWKs [Discoverable Endpoint](../../integration/openid-connect/ as per [RFC7517]. [RFC7517]: https://www.rfc-editor.org/rfc/rfc7517 -[x5c]: https://www.rfc-editor.org/rfc/rfc7517#section-4.7 -[x5t]: https://www.rfc-editor.org/rfc/rfc7517#section-4.8 +[x5c]: https://datatracker.ietf.org/doc/html/rfc7517#section-4.7 +[x5t]: https://datatracker.ietf.org/doc/html/rfc7517#section-4.8 The first certificate in the chain must have the public key for the [issuer_private_key](#issuerprivatekey), each certificate in the chain must be valid for the current date, and each certificate in the chain should be signed by the 
@@ -534,7 +534,7 @@ To integrate Authelia's [OpenID Connect 1.0] implementation with a relying party [RFC6234]: https://www.rfc-editor.org/rfc/rfc6234.html [RFC4648]: https://www.rfc-editor.org/rfc/rfc4648.html [RFC7468]: https://www.rfc-editor.org/rfc/rfc7468.html -[RFC6749 Section 2.1]: https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1 +[RFC6749 Section 2.1]: https://datatracker.ietf.org/doc/html/rfc6749#section-2.1 [PKCE]: https://www.rfc-editor.org/rfc/rfc7636.html [Authorization Code Flow]: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth [Subject Identifier Type]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes diff --git a/docs/content/en/configuration/notifications/smtp.md b/docs/content/en/configuration/notifications/smtp.md index 8558410f9..e22d4f834 100644 --- a/docs/content/en/configuration/notifications/smtp.md +++ b/docs/content/en/configuration/notifications/smtp.md @@ -164,7 +164,7 @@ characters and the user password is changed to this value. {{< confkey type="string" required="yes" >}} The sender is used to construct both the SMTP command `MAIL FROM` and to add the `FROM` header. This address must be -in [RFC5322](https://www.rfc-editor.org/rfc/rfc5322.html#section-3.4) format. This means it must one of two formats: +in [RFC5322](https://datatracker.ietf.org/doc/html/rfc5322#section-3.4) format. This means it must one of two formats: * jsmith@domain.com * John Smith diff --git a/docs/content/en/configuration/security/access-control.md b/docs/content/en/configuration/security/access-control.md index 011cec776..99dd2225d 100644 --- a/docs/content/en/configuration/security/access-control.md +++ b/docs/content/en/configuration/security/access-control.md 
@@ -589,7 +589,7 @@ match value is a list/slice). The regex groups are case-insensitive due to the fact that the regex groups are used in domain criteria and domain names should not be compared in a case-sensitive way as per the [RFC4343](https://www.rfc-editor.org/rfc/rfc4343.html) -abstract and [RFC3986 Section 3.2.2](https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2). +abstract and [RFC3986 Section 3.2.2](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2). We do not currently apply any other normalization to usernames or groups when matching these groups. As such it's generally *__not recommended__* to use these patterns with usernames or groups which contain characters that are not diff --git a/docs/content/en/integration/openid-connect/apache-guacamole/index.md b/docs/content/en/integration/openid-connect/apache-guacamole/index.md index 51a8ec5c5..d66c84523 100644 --- a/docs/content/en/integration/openid-connect/apache-guacamole/index.md +++ b/docs/content/en/integration/openid-connect/apache-guacamole/index.md @@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions @@ -38,7 +31,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://guacamole.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `guacamole` -* __Client Secret:__ `guacamole_client_secret` +* __Client Secret:__ `insecure_secret` ## Configuration 
@@ -66,7 +59,7 @@ The following YAML configuration is an example __Authelia__ ```yaml - id: guacamole description: Apache Guacamole - secret: '$plaintext$guacamole_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/argocd/index.md b/docs/content/en/integration/openid-connect/argocd/index.md index dfb625835..081a76b10 100644 --- a/docs/content/en/integration/openid-connect/argocd/index.md +++ b/docs/content/en/integration/openid-connect/argocd/index.md @@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions @@ -38,7 +31,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://argocd.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `argocd` -* __Client Secret:__ `argocd_client_secret` +* __Client Secret:__ `insecure_secret` * __CLI Client ID:__ `argocd-cli` ## Configuration @@ -51,7 +44,7 @@ To configure [Argo CD] to utilize Authelia as an [OpenID Connect 1.0] Provider u name: Authelia issuer: https://auth.example.com clientID: argocd -clientSecret: argocd_client_secret +clientSecret: insecure_secret cliClientID: argocd-cli requestedScopes: - openid 
@@ -69,7 +62,7 @@ which will operate with the above example: ```yaml - id: argocd description: Argo CD - secret: '$plaintext$argocd_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/bookstack/index.md b/docs/content/en/integration/openid-connect/bookstack/index.md index 1e1b93e09..adb61041f 100644 --- a/docs/content/en/integration/openid-connect/bookstack/index.md +++ b/docs/content/en/integration/openid-connect/bookstack/index.md @@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions @@ -38,13 +31,13 @@ This example makes the following assumptions: * __Application Root URL:__ `https://bookstack.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `bookstack` -* __Client Secret:__ `bookstack_client_secret` +* __Client Secret:__ `insecure_secret` *__Important Note:__ [BookStack] does not properly URL encode the secret per [RFC6749 Appendix B] at the time this article was last modified (noted at the bottom). This means you'll either have to use only alphanumeric characters for the secret or URL encode the secret yourself.* -[RFC6749 Appendix B]: https://www.rfc-editor.org/rfc/rfc6749#appendix-B +[RFC6749 Appendix B]: https://datatracker.ietf.org/doc/html/rfc6749#appendix-B ## Configuration 
@@ -58,7 +51,7 @@ To configure [BookStack] to utilize Authelia as an [OpenID Connect 1.0] Provider 2. OIDC_NAME: `Authelia` 3. OIDC_DISPLAY_NAME_CLAIMS: `name` 4. OIDC_CLIENT_ID: `bookstack` - 5. OIDC_CLIENT_SECRET: `bookstack_client_secret` + 5. OIDC_CLIENT_SECRET: `insecure_secret` 6. OIDC_ISSUER: `https://auth.example.com` 7. OIDC_ISSUER_DISCOVER: `true` @@ -71,7 +64,7 @@ which will operate with the above example: ```yaml - id: bookstack description: BookStack - secret: '$plaintext$bookstack_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/cloudflare-zerotrust/index.md b/docs/content/en/integration/openid-connect/cloudflare-zerotrust/index.md index 1a285e77e..9a24e40a5 100644 --- a/docs/content/en/integration/openid-connect/cloudflare-zerotrust/index.md +++ b/docs/content/en/integration/openid-connect/cloudflare-zerotrust/index.md @@ -20,14 +20,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions 
@@ -36,13 +29,13 @@ This example makes the following assumptions: * __Cloudflare Team Name:__ `example-team` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `cloudflare` -* __Client Secret:__ `cloudflare_client_secret` +* __Client Secret:__ `insecure_secret` *__Important Note:__ [Cloudflare Zero Trust] does not properly URL encode the secret per [RFC6749 Appendix B] at the time this article was last modified (noted at the bottom). This means you'll either have to use only alphanumeric characters for the secret or URL encode the secret yourself.* -[RFC6749 Appendix B]: https://www.rfc-editor.org/rfc/rfc6749#appendix-B +[RFC6749 Appendix B]: https://datatracker.ietf.org/doc/html/rfc6749#appendix-B ## Configuration @@ -62,7 +55,7 @@ To configure [Cloudflare Zero Trust] to utilize Authelia as an [OpenID Connect 1 6. Set the following values: 1. Name: `Authelia` 2. App ID: `cloudflare` - 3. Client Secret: `cloudflare_client_secret` + 3. Client Secret: `insecure_secret` 4. Auth URL: `https://auth.example.com/api/oidc/authorization` 5. Token URL: `https://auth.example.com/api/oidc/token` 6. Certificate URL: `https://auth.example.com/jwks.json` @@ -79,7 +72,7 @@ which will operate with the above example: ```yaml - id: cloudflare description: Cloudflare ZeroTrust - secret: '$plaintext$cloudflare_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/gitea/index.md b/docs/content/en/integration/openid-connect/gitea/index.md index 2c388c7c2..386811b9b 100644 --- a/docs/content/en/integration/openid-connect/gitea/index.md +++ b/docs/content/en/integration/openid-connect/gitea/index.md 
@@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions @@ -38,7 +31,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://gitea.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `gitea` -* __Client Secret:__ `gitea_client_secret` +* __Client Secret:__ `insecure_secret` ## Configuration @@ -54,7 +47,7 @@ To configure [Gitea] to utilize Authelia as an [OpenID Connect 1.0] Provider: 1. Authentication Name: `authelia` 2. OAuth2 Provider: `OpenID Connect` 3. Client ID (Key): `gitea` - 4. Client Secret: `gitea_client_secret` + 4. Client Secret: `insecure_secret` 5. OpenID Connect Auto Discovery URL: `https://auth.example.com/.well-known/openid-configuration` {{< figure src="gitea.png" alt="Gitea" width="300" >}} @@ -86,7 +79,7 @@ will operate with the above example: ```yaml - id: gitea description: Gitea - secret: '$plaintext$gitea_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/gitlab/index.md b/docs/content/en/integration/openid-connect/gitlab/index.md index 52fd4dae0..1620d95e3 100644 --- a/docs/content/en/integration/openid-connect/gitlab/index.md +++ b/docs/content/en/integration/openid-connect/gitlab/index.md 
@@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions @@ -38,7 +31,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://gitlab.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `gitlab` -* __Client Secret:__ `gitlab_client_secret` +* __Client Secret:__ `insecure_secret` ## Configuration @@ -65,7 +58,7 @@ gitlab_rails['omniauth_providers'] = [ send_scope_to_token_endpoint: "false", client_options: { identifier: "gitlab", - secret: "gitlab_client_secret", + secret: "insecure_secret", redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback" } } @@ -82,7 +75,7 @@ which will operate with the above example: ```yaml - id: gitlab description: GitLab - secret: '$plaintext$gitlab_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/grafana/index.md b/docs/content/en/integration/openid-connect/grafana/index.md index 6ac6775b1..916dd4f2a 100644 --- a/docs/content/en/integration/openid-connect/grafana/index.md +++ b/docs/content/en/integration/openid-connect/grafana/index.md 
@@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions @@ -38,7 +31,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://grafana.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `grafana` -* __Client Secret:__ `grafana_client_secret` +* __Client Secret:__ `insecure_secret` ## Configuration @@ -58,7 +51,7 @@ enabled = true name = Authelia icon = signin client_id = grafana -client_secret = grafana_client_secret +client_secret = insecure_secret scopes = openid profile email groups empty_scopes = false auth_url = https://auth.example.com/api/oidc/authorization @@ -80,7 +73,7 @@ Configure the following environment variables: | GF_AUTH_GENERIC_OAUTH_ENABLED | true | | GF_AUTH_GENERIC_OAUTH_NAME | Authelia | | GF_AUTH_GENERIC_OAUTH_CLIENT_ID | grafana | -| GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET | grafana_client_secret | +| GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET | insecure_secret | | GF_AUTH_GENERIC_OAUTH_SCOPES | openid profile email groups | | GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES | false | | GF_AUTH_GENERIC_OAUTH_AUTH_URL | https://auth.example.com/api/oidc/authorization | 
@@ -100,7 +93,7 @@ which will operate with the above example: ```yaml - id: grafana description: Grafana - secret: '$plaintext$grafana_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/harbor/index.md b/docs/content/en/integration/openid-connect/harbor/index.md index 77e120597..ebd832b69 100644 --- a/docs/content/en/integration/openid-connect/harbor/index.md +++ b/docs/content/en/integration/openid-connect/harbor/index.md @@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions @@ -38,7 +31,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://harbor.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `harbor` -* __Client Secret:__ `harbor_client_secret` +* __Client Secret:__ `insecure_secret` ## Configuration @@ -54,7 +47,7 @@ To configure [Harbor] to utilize Authelia as an [OpenID Connect 1.0] Provider: 1. OIDC Provider Name: `Authelia` 2. OIDC Provider Endpoint: `https://auth.example.com` 3. OIDC Client ID: `harbor` - 4. OIDC Client Secret: `harbor_client_secret` + 4. OIDC Client Secret: `insecure_secret` 5. Group Claim Name: `groups` 6. OIDC Scope: `openid,profile,email,groups` 7. For OIDC Admin Group you can specify a group name that matches your authentication backend. 
@@ -73,7 +66,7 @@ which will operate with the above example: ```yaml - id: harbor description: Harbor - secret: '$plaintext$harbor_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/hashicorp-vault/index.md b/docs/content/en/integration/openid-connect/hashicorp-vault/index.md index 76f7fb61e..80f93009b 100644 --- a/docs/content/en/integration/openid-connect/hashicorp-vault/index.md +++ b/docs/content/en/integration/openid-connect/hashicorp-vault/index.md @@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions @@ -38,7 +31,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://vault.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `vault` -* __Client Secret:__ `vault_client_secret` +* __Client Secret:__ `insecure_secret` ## Configuration @@ -56,7 +49,7 @@ which will operate with the above example: ```yaml - id: vault description: HashiCorp Vault - secret: '$plaintext$vault_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: 
diff --git a/docs/content/en/integration/openid-connect/introduction.md b/docs/content/en/integration/openid-connect/introduction.md index 77271afa6..93d50ffe1 100644 --- a/docs/content/en/integration/openid-connect/introduction.md +++ b/docs/content/en/integration/openid-connect/introduction.md @@ -168,7 +168,7 @@ These endpoints implement OpenID Connect elements. [OpenID Connect Discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html [OAuth 2.0 Authorization Server Metadata]: https://www.rfc-editor.org/rfc/rfc8414.html -[JSON Web Key Sets]: https://www.rfc-editor.org/rfc/rfc7517.html#section-5 +[JSON Web Key Sets]: https://datatracker.ietf.org/doc/html/rfc7517#section-5 [Authorization]: https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint [Token]: https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint diff --git a/docs/content/en/integration/openid-connect/komga/index.md b/docs/content/en/integration/openid-connect/komga/index.md index e999aea7a..15cea6ded 100644 --- a/docs/content/en/integration/openid-connect/komga/index.md +++ b/docs/content/en/integration/openid-connect/komga/index.md @@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions @@ -38,7 +31,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://komga.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `komga` -* __Client Secret:__ `komga_client_secret` +* __Client Secret:__ `insecure_secret` ## Configuration 
@@ -58,7 +51,7 @@ spring: registration: authelia: client-id: `komga` - client-secret: `komga_client_secret` + client-secret: `insecure_secret` client-name: Authelia scope: openid,profile,email authorization-grant-type: authorization_code @@ -78,7 +71,7 @@ which will operate with the above example: ```yaml - id: komga description: Komga - secret: '$plaintext$komga_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/nextcloud/index.md b/docs/content/en/integration/openid-connect/nextcloud/index.md index 9731e3943..f21e0d1b6 100644 --- a/docs/content/en/integration/openid-connect/nextcloud/index.md +++ b/docs/content/en/integration/openid-connect/nextcloud/index.md @@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions @@ -38,7 +31,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://nextcloud.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `nextcloud` -* __Client Secret:__ `nextcloud_client_secret` +* __Client Secret:__ `insecure_secret` ## Configuration 
@@ -55,7 +48,7 @@ $CONFIG = array ( 'lost_password_link' => 'disabled', 'oidc_login_provider_url' => 'https://auth.example.com', 'oidc_login_client_id' => 'nextcloud', - 'oidc_login_client_secret' => 'nextcloud_client_secret', + 'oidc_login_client_secret' => 'insecure_secret', 'oidc_login_auto_redirect' => false, 'oidc_login_end_session_redirect' => false, 'oidc_login_button_text' => 'Log in with Authelia', @@ -94,7 +87,7 @@ which will operate with the above example: ```yaml - id: nextcloud description: NextCloud - secret: '$plaintext$nextcloud_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/outline/index.md b/docs/content/en/integration/openid-connect/outline/index.md index cd565ca87..17e0b1cfb 100644 --- a/docs/content/en/integration/openid-connect/outline/index.md +++ b/docs/content/en/integration/openid-connect/outline/index.md @@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions 
@@ -38,7 +31,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://outline.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `outline` -* __Client Secret:__ `outline_client_secret` +* __Client Secret:__ `insecure_secret` *__Important Note:__ At the time of this writing [Outline] requires the `offline_access` scope by default. Failure to include this scope will result in an error as [Outline] will attempt to use a refresh token that is never issued.* @@ -55,7 +48,7 @@ URL=https://outline.example.com FORCE_HTTPS=true OIDC_CLIENT_ID=outline -OIDC_CLIENT_SECRET=outline_client_secret +OIDC_CLIENT_SECRET=insecure_secret OIDC_AUTH_URI=https://auth.example.com/api/oidc/authorization OIDC_TOKEN_URI=https://auth.example.com/api/oidc/token OIDC_USERINFO_URI=https://auth.example.com/api/oidc/userinfo @@ -73,7 +66,7 @@ which will operate with the above example: ```yaml - id: outline description: Outline - secret: '$plaintext$outline_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/portainer/index.md b/docs/content/en/integration/openid-connect/portainer/index.md index 2fa52f55f..94e26b368 100644 --- a/docs/content/en/integration/openid-connect/portainer/index.md +++ b/docs/content/en/integration/openid-connect/portainer/index.md 
@@ -24,14 +24,7 @@ aliases: ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions @@ -40,7 +33,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://portainer.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `portainer` -* __Client Secret:__ `portainer_client_secret` +* __Client Secret:__ `insecure_secret` ## Configuration @@ -55,7 +48,7 @@ To configure [Portainer] to utilize Authelia as an [OpenID Connect 1.0] Provider 2. Provider: Custom 3. Enable *Automatic User Provision* if you want users to automatically be created in [Portainer]. 4. Client ID: `portainer` - 5. Client Secret: `portainer_client_secret` + 5. Client Secret: `insecure_secret` 6. Authorization URL: `https://auth.example.com/api/oidc/authorization` 7. Access Token URL: `https://auth.example.com/api/oidc/token` 8. Resource URL: `https://auth.example.com/api/oidc/userinfo` @@ -74,7 +67,7 @@ which will operate with the above example: ```yaml - id: portainer description: Portainer - secret: '$plaintext$portainer_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/proxmox/index.md b/docs/content/en/integration/openid-connect/proxmox/index.md index fab84e943..9e6c608c6 100644 --- a/docs/content/en/integration/openid-connect/proxmox/index.md 
+++ b/docs/content/en/integration/openid-connect/proxmox/index.md @@ -43,7 +43,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://proxmox.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `proxmox` -* __Client Secret:__ `proxmox_client_secret` +* __Client Secret:__ `insecure_secret` * __Realm__ `authelia` ## Configuration @@ -60,7 +60,7 @@ To configure [Proxmox] to utilize Authelia as an [OpenID Connect 1.0] Provider: 1. Issuer URL: `https://auth.example.com` 2. Realm: `authelia` 3. Client ID: `proxmox` - 4. Client Key: `proxmox_client_secret` + 4. Client Key: `insecure_secret` 5. Username Claim `preferred_username` 6. Scopes: `openid profile email` 7. Enable *Autocreate Users* if you want users to automatically be created in [Proxmox]. @@ -76,7 +76,7 @@ which will operate with the above example: ```yaml - id: proxmox description: Proxmox - secret: '$plaintext$proxmox_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/seafile/index.md b/docs/content/en/integration/openid-connect/seafile/index.md index 0187a179e..d2d77cdba 100644 --- a/docs/content/en/integration/openid-connect/seafile/index.md +++ b/docs/content/en/integration/openid-connect/seafile/index.md 
@@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions @@ -38,7 +31,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://seafile.example.com` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `seafile` -* __Client Secret:__ `seafile_client_secret` +* __Client Secret:__ `insecure_secret` ## Configuration @@ -55,7 +48,7 @@ To configure [Seafile] to utilize Authelia as an [OpenID Connect 1.0] Provider: ENABLE_OAUTH = True OAUTH_ENABLE_INSECURE_TRANSPORT = False OAUTH_CLIENT_ID = "seafile" -OAUTH_CLIENT_SECRET = "seafile_client_secret" +OAUTH_CLIENT_SECRET = "insecure_secret" OAUTH_REDIRECT_URL = 'https://seafile.example.com/oauth/callback/' OAUTH_PROVIDER_DOMAIN = 'auth.example.com' OAUTH_AUTHORIZATION_URL = 'https://auth.example.com/api/oidc/authorization' @@ -82,7 +75,7 @@ which will operate with the above example: ```yaml - id: seafile description: Seafile - secret: '$plaintext$seafile_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/specific-information.md b/docs/content/en/integration/openid-connect/specific-information.md index a89bf29b6..81d35a99f 100644 --- a/docs/content/en/integration/openid-connect/specific-information.md 
+++ b/docs/content/en/integration/openid-connect/specific-information.md 
@@ -34,6 +34,22 @@ using PBKDF2 which can be stored in the Authelia configuration. ### Plaintext -Authelia supports storing the plaintext secret in the configuration. This may be discontinued in the future. Plaintext -is either denoted by the `$plaintext$` prefix where everything after the prefix is the secret. In addition if the secret -does not start with the `$` character it's considered as a plaintext secret for the time being but is deprecated. +Authelia *technically* supports storing the plaintext secret in the configuration. This will likely be completely +unavailable in the future as it was a mistake to implement it like this in the first place. While some other OpenID +Connect 1.0 providers operate in this way, it's more often than not that they operating in this way in error. The +current *technical support* for this is only to prevent massive upheaval to users and give them time to migrate. + +As per [RFC6819 Section 5.1.4.1.3](https://datatracker.ietf.org/doc/html/rfc6819#section-5.1.4.1.3) the secret should +only be stored by the authorization server as hashes / digests unless there is a very specific specification or protocol +that is implemented by the authorization server which requires access to the secret in the clear to operate properly in +which case the secret should be encrypted and not be stored in plaintext. The most likely long term outcome is that the +client configurations will be stored in the database with the secret both salted and peppered. + +Authelia currently does not implement any of the specifications or protocols which require secrets being accessible in +the clear and currently has no plans to implement any of these. As such it's *__strongly discouraged and heavily +deprecated__* and we instead recommended that users remove this from their configuration entirely and use the +[Generating Client Secrets](#generating-client-secrets) guide. 
+ +Plaintext is either denoted by the `$plaintext$` prefix where everything after the prefix is the secret. In addition if +the secret does not start with the `$` character it's considered as a plaintext secret for the time being but is +deprecated as is the `$plaintext$` prefix. diff --git a/docs/content/en/integration/openid-connect/synapse/index.md b/docs/content/en/integration/openid-connect/synapse/index.md index a4e7cb520..1e4b737c4 100644 --- a/docs/content/en/integration/openid-connect/synapse/index.md +++ b/docs/content/en/integration/openid-connect/synapse/index.md @@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Assumptions @@ -38,7 +31,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://matrix.example.com/` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `synapse` -* __Client Secret:__ `synapse_client_secret` +* __Client Secret:__ `insecure_secret` ## Configuration @@ -56,7 +49,7 @@ oidc_providers: discover: true issuer: "https://auth.example.com" client_id: "synapse" - client_secret: "synapse_client_secret" + client_secret: "insecure_secret" scopes: ["openid", "profile", "email"] allow_existing_users: true user_mapping_provider: 
@@ -76,7 +69,7 @@ which will operate with the above example: ```yaml - id: synapse description: Synapse - secret: '$plaintext$synapse_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/integration/openid-connect/synology-dsm/index.md b/docs/content/en/integration/openid-connect/synology-dsm/index.md index cb866ba58..a740af86e 100644 --- a/docs/content/en/integration/openid-connect/synology-dsm/index.md +++ b/docs/content/en/integration/openid-connect/synology-dsm/index.md @@ -22,14 +22,7 @@ community: true ## Before You Begin -### Common Notes - -1. You are *__required__* to utilize a unique client id for every client. -2. The client id on this page is merely an example and you can theoretically use any alphanumeric string. -3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the - [Generating Client Secrets] guide instead. - -[Generating Client Secrets]: ../specific-information.md#generating-client-secrets +{{% oidc-common %}} ### Specific Notes @@ -43,7 +36,7 @@ This example makes the following assumptions: * __Application Root URL:__ `https://dsm.example.com/` * __Authelia Root URL:__ `https://auth.example.com` * __Client ID:__ `synology-dsm` -* __Client Secret:__ `synology-dsm_client_secret` +* __Client Secret:__ `insecure_secret` ## Configuration 
@@ -61,7 +54,7 @@ To configure [Synology DSM] to utilize Authelia as an [OpenID Connect 1.0] Provi * Name: `Authelia` * Well Known URL: `https://auth.example.com/.well-known/openid-configuration` * Application ID: `synology-dsm` - * Application Key: `synology-dsm_client_secret` + * Application Key: `insecure_secret` * Redirect URL: `https://dsm.example.com` * Authorisation Scope: `openid profile groups email` * Username Claim: `preferred_username` @@ -78,7 +71,7 @@ which will operate with the above example: ```yaml - id: synology-dsm description: Synology DSM - secret: '$plaintext$synology-dsm_client_secret' + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. public: false authorization_policy: two_factor redirect_uris: diff --git a/docs/content/en/overview/security/measures.md b/docs/content/en/overview/security/measures.md index b050512fc..5cd77d588 100644 --- a/docs/content/en/overview/security/measures.md +++ b/docs/content/en/overview/security/measures.md @@ -216,9 +216,9 @@ to port 587 (_the `submission` port, a common alternative that uses STARTTLS ins [docs-config-smtp-port]: ../../configuration/notifications/smtp.md#port [cleartext]: https://cwe.mitre.org/data/definitions/312.html -[service-submissions]: https://www.rfc-editor.org/rfc/rfc8314#section-7.3 -[port-465]: https://www.rfc-editor.org/rfc/rfc8314#section-3.3 -[smtp-auth]: https://www.rfc-editor.org/rfc/rfc6409#section-4.3 +[service-submissions]: https://datatracker.ietf.org/doc/html/rfc8314#section-7.3 +[port-465]: https://datatracker.ietf.org/doc/html/rfc8314#section-3.3 +[smtp-auth]: https://datatracker.ietf.org/doc/html/rfc6409#section-4.3 ## Protection against open redirects diff --git a/docs/content/en/reference/guides/passwords.md b/docs/content/en/reference/guides/passwords.md index 1163fa792..de2955edf 100644 --- a/docs/content/en/reference/guides/passwords.md 
+++ b/docs/content/en/reference/guides/passwords.md @@ -200,7 +200,7 @@ This table suggests the parameters for the [SHA2 Crypt] algorithm: [Bcrypt]: https://en.wikipedia.org/wiki/Bcrypt [FIPS-140 compliance]: https://csrc.nist.gov/publications/detail/fips/140/2/final -[RFC9106 Parameter Choice]: https://www.rfc-editor.org/rfc/rfc9106.html#section-4 +[RFC9106 Parameter Choice]: https://datatracker.ietf.org/doc/html/rfc9106#section-4 [YAML]: https://yaml.org/ [crypt hash generate]: ../cli/authelia/authelia_crypto_hash_generate.md [Password Hashing Competition]: https://en.wikipedia.org/wiki/Password_Hashing_Competition diff --git a/docs/content/en/roadmap/active/openid-connect.md b/docs/content/en/roadmap/active/openid-connect.md index 72a4785dc..0dce3552a 100644 --- a/docs/content/en/roadmap/active/openid-connect.md +++ b/docs/content/en/roadmap/active/openid-connect.md @@ -39,11 +39,11 @@ Feature List: * [User Consent](https://openid.net/specs/openid-connect-core-1_0.html#Consent) * [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps) * [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) -* [RS256 Signature Strategy](https://www.rfc-editor.org/rfc/rfc7518.html#section-3.1) +* [RS256 Signature Strategy](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1) * Per Client Scope/Grant Type/Response Type Restriction * Per Client Authorization Policy (1FA/2FA) * Per Client List of Valid Redirection URI's -* [Confidential Client Type](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1) +* [Confidential Client Type](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1) ### Beta 2 @@ -56,7 +56,7 @@ Feature List: * Token/Code Lifespan * Client Debug Messages * Client Audience -* [Public Client Type](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1) +* [Public Client Type](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1) ### Beta 3 
@@ -97,7 +97,7 @@ Feature List: Feature List: -* [JWK's backed by X509 Certificate Chains](https://www.rfc-editor.org/rfc/rfc7517#section-4.7) +* [JWK's backed by X509 Certificate Chains](https://datatracker.ietf.org/doc/html/rfc7517#section-4.7) * Hashed Client Secrets * Per-Client [Consent](https://openid.net/specs/openid-connect-core-1_0.html#Consent) Mode: * Explicit: diff --git a/docs/layouts/shortcodes/oidc-common.html b/docs/layouts/shortcodes/oidc-common.html new file mode 100644 index 000000000..0d6c73715 --- /dev/null +++ b/docs/layouts/shortcodes/oidc-common.html 
@@ -0,0 +1,18 @@ +{{ $specificinfo := "../specific-information/" }}{{ $config := "../../../configuration/identity-providers/open-id-connect.md" }} +{{- with .Get "specificinfo" }}{{ $specificinfo = . }}{{ end }} +{{- with .Get "config" }}{{ $config = . }}{{ end }} +### Common Notes + +1. The [OpenID Connect 1.0](https://openid.net/specs/openid-connect-core-1_0.html) `client_id` parameter: + 1. This *__must__* be a unique value for every client. + 2. The value used in this guide is merely for demonstration purposes and you can theoretically use nearly any + alphanumeric string. +2. The [OpenID Connect 1.0](https://openid.net/specs/openid-connect-core-1_0.html) `secret` parameter: + 1. The value used in this guide is merely for demonstration purposes and you *__should absolutely not__* use this in + production and should instead utilize the + [Generating Client Secrets]({{ $specificinfo }}#generating-client-secrets) guide. + 2. This string may be stored as plaintext in the Authelia configuration but this behaviour is deprecated and is not + guaranteed to be supported in the future. See the [Plaintext]({{ $specificinfo }}#plaintext) guide for more + information. +3. The Configuration example for Authelia is only a portion of the required configuration and it should be used as a + guide in conjunction with the standard [OpenID Connect 1.0 Configuration]({{ $config }}) guide. \ No newline at end of file
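Review bot: the proxmox/index.md diff starts at `@@ -43,7 +43,7 @@` and has no hunk replacing the inline `### Common Notes` list with `{{% oidc-common %}}`, whereas the portainer, seafile, synapse and synology-dsm guides all get that replacement in the same change. Please confirm the Proxmox guide already uses the shortcode, or add the matching hunk so it does not keep the old inline wording while switching its assumptions to `insecure_secret` and the PBKDF2 digest.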
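Review bot: two grammar slips in the new Plaintext paragraphs of specific-information.md: "it's more often than not that they operating in this way in error" is missing "are", and "we instead recommended that users remove this" should read "we instead recommend". The closing paragraph opens "Plaintext is either denoted by the `$plaintext$` prefix" but the second alternative only arrives in the following sentence; suggest "Plaintext is denoted either by the `$plaintext$` prefix, where everything after the prefix is the secret, or, for the time being, by a secret that does not start with the `$` character; both forms are deprecated." The sentence beginning "As per [RFC6819 Section 5.1.4.1.3]" also runs five lines with nested "unless ... in which case" clauses; splitting it after "hashes / digests" would make the default (store a digest) and the exception (encrypt, never plaintext) easier to pick out.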
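Review bot: the identical `$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$...` digest is pasted verbatim into the portainer, proxmox, seafile, synapse and synology-dsm YAML examples as well as the open-id-connect.md configuration reference, with the trailing `# The digest of 'insecure_secret'.` comment as the only hint that it is a demonstration value. Since the new oidc-common shortcode already centralises the shared wording, consider a second shortcode or a site param for the digest so a future rotation of the demo secret is one edit rather than six; the pasted line is also well over 120 characters, which breaks the column width the surrounding prose wraps at in every one of these files.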
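Review bot: in the new oidc-common.html shortcode, item 2 describes the value as "The [OpenID Connect 1.0] `secret` parameter", but `secret` is the Authelia client configuration key; the OAuth 2.0 / OpenID Connect parameter is `client_secret` (as the synapse `client_secret:` and seafile `OAUTH_CLIENT_SECRET` lines in this same change show), so linking that name to the core spec is misleading. Suggest "The `client_secret` parameter (the `secret` key in the Authelia client configuration)". Two smaller points: the `$specificinfo` default is a directory path (`../specific-information/`) while the `$config` default is a markdown file path (`../../../configuration/identity-providers/open-id-connect.md`), so the two links resolve by different mechanisms and should use one form; and the file is committed without a trailing newline (`\ No newline at end of file`).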
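Review bot: style point on the roadmap/active/openid-connect.md hunk at `@@ -97,7 +97,7 @@`: while the link is being touched, "JWK's backed by X509 Certificate Chains" could become "JWKs backed by X.509 Certificate Chains" (plural, not possessive, and the standard spelling of X.509); the neighbouring context line "Per Client List of Valid Redirection URI's" has the same apostrophe issue if you want to fix both in one pass.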