docs: add common oidc shortcode and update (#4862)

docs/content/en/configuration/identity-providers/open-id-connect.md

@@ -119,7 +119,7 @@ identity_providers:
     clients:
       - id: myapp
         description: My Application
-        secret: '$plaintext$this_is_a_secret'
+        secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
         sector_identifier: ''
         public: false
         authorization_policy: two_factor
@@ -171,8 +171,8 @@ JSON key's in the JWKs [Discoverable Endpoint](../../integration/openid-connect/
 as per [RFC7517].
 
 [RFC7517]: https://www.rfc-editor.org/rfc/rfc7517
-[x5c]: https://www.rfc-editor.org/rfc/rfc7517#section-4.7
+[x5c]: https://datatracker.ietf.org/doc/html/rfc7517#section-4.7
-[x5t]: https://www.rfc-editor.org/rfc/rfc7517#section-4.8
+[x5t]: https://datatracker.ietf.org/doc/html/rfc7517#section-4.8
 
 The first certificate in the chain must have the public key for the [issuer_private_key](#issuerprivatekey), each
 certificate in the chain must be valid for the current date, and each certificate in the chain should be signed by the
@@ -534,7 +534,7 @@ To integrate Authelia's [OpenID Connect 1.0] implementation with a relying party
 [RFC6234]: https://www.rfc-editor.org/rfc/rfc6234.html
 [RFC4648]: https://www.rfc-editor.org/rfc/rfc4648.html
 [RFC7468]: https://www.rfc-editor.org/rfc/rfc7468.html
-[RFC6749 Section 2.1]: https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1
+[RFC6749 Section 2.1]: https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
 [PKCE]: https://www.rfc-editor.org/rfc/rfc7636.html
 [Authorization Code Flow]: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
 [Subject Identifier Type]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes

docs/content/en/configuration/notifications/smtp.md

@@ -164,7 +164,7 @@ characters and the user password is changed to this value.
 {{< confkey type="string" required="yes" >}}
 
 The sender is used to construct both the SMTP command `MAIL FROM` and to add the `FROM` header. This address must be
-in [RFC5322](https://www.rfc-editor.org/rfc/rfc5322.html#section-3.4) format. This means it must one of two formats:
+in [RFC5322](https://datatracker.ietf.org/doc/html/rfc5322#section-3.4) format. This means it must one of two formats:
 
 * jsmith@domain.com
 * John Smith <jsmith@domain.com>

docs/content/en/configuration/security/access-control.md

@@ -589,7 +589,7 @@ match value is a list/slice).
 
 The regex groups are case-insensitive due to the fact that the regex groups are used in domain criteria and domain names
 should not be compared in a case-sensitive way as per the [RFC4343](https://www.rfc-editor.org/rfc/rfc4343.html)
-abstract and [RFC3986 Section 3.2.2](https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2).
+abstract and [RFC3986 Section 3.2.2](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2).
 
 We do not currently apply any other normalization to usernames or groups when matching these groups. As such it's
 generally *__not recommended__* to use these patterns with usernames or groups which contain characters that are not

docs/content/en/integration/openid-connect/apache-guacamole/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -38,7 +31,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://guacamole.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `guacamole`
-* __Client Secret:__ `guacamole_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 ## Configuration
 
@@ -66,7 +59,7 @@ The following YAML configuration is an example __Authelia__
 ```yaml
 - id: guacamole
   description: Apache Guacamole
-  secret: '$plaintext$guacamole_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/argocd/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -38,7 +31,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://argocd.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `argocd`
-* __Client Secret:__ `argocd_client_secret`
+* __Client Secret:__ `insecure_secret`
 * __CLI Client ID:__ `argocd-cli`
 
 ## Configuration
@@ -51,7 +44,7 @@ To configure [Argo CD] to utilize Authelia as an [OpenID Connect 1.0] Provider u
 name: Authelia
 issuer: https://auth.example.com
 clientID: argocd
-clientSecret: argocd_client_secret
+clientSecret: insecure_secret
 cliClientID: argocd-cli
 requestedScopes:
   - openid
@@ -69,7 +62,7 @@ which will operate with the above example:
 ```yaml
 - id: argocd
   description: Argo CD
-  secret: '$plaintext$argocd_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/bookstack/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -38,13 +31,13 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://bookstack.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `bookstack`
-* __Client Secret:__ `bookstack_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 *__Important Note:__ [BookStack] does not properly URL encode the secret per [RFC6749 Appendix B] at the time this
 article was last modified (noted at the bottom). This means you'll either have to use only alphanumeric characters for
 the secret or URL encode the secret yourself.*
 
-[RFC6749 Appendix B]: https://www.rfc-editor.org/rfc/rfc6749#appendix-B
+[RFC6749 Appendix B]: https://datatracker.ietf.org/doc/html/rfc6749#appendix-B
 
 ## Configuration
 
@@ -58,7 +51,7 @@ To configure [BookStack] to utilize Authelia as an [OpenID Connect 1.0] Provider
    2. OIDC_NAME: `Authelia`
    3. OIDC_DISPLAY_NAME_CLAIMS: `name`
    4. OIDC_CLIENT_ID: `bookstack`
-   5. OIDC_CLIENT_SECRET: `bookstack_client_secret`
+   5. OIDC_CLIENT_SECRET: `insecure_secret`
    6. OIDC_ISSUER: `https://auth.example.com`
    7. OIDC_ISSUER_DISCOVER: `true`
 
@@ -71,7 +64,7 @@ which will operate with the above example:
 ```yaml
 - id: bookstack
   description: BookStack
-  secret: '$plaintext$bookstack_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/cloudflare-zerotrust/index.md

@@ -20,14 +20,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -36,13 +29,13 @@ This example makes the following assumptions:
 * __Cloudflare Team Name:__ `example-team`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `cloudflare`
-* __Client Secret:__ `cloudflare_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 *__Important Note:__ [Cloudflare Zero Trust] does not properly URL encode the secret per [RFC6749 Appendix B] at the
 time this article was last modified (noted at the bottom). This means you'll either have to use only alphanumeric
 characters for the secret or URL encode the secret yourself.*
 
-[RFC6749 Appendix B]: https://www.rfc-editor.org/rfc/rfc6749#appendix-B
+[RFC6749 Appendix B]: https://datatracker.ietf.org/doc/html/rfc6749#appendix-B
 
 ## Configuration
 
@@ -62,7 +55,7 @@ To configure [Cloudflare Zero Trust] to utilize Authelia as an [OpenID Connect 1
 6. Set the following values:
    1. Name: `Authelia`
    2. App ID: `cloudflare`
-   3. Client Secret: `cloudflare_client_secret`
+   3. Client Secret: `insecure_secret`
    4. Auth URL: `https://auth.example.com/api/oidc/authorization`
    5. Token URL: `https://auth.example.com/api/oidc/token`
    6. Certificate URL: `https://auth.example.com/jwks.json`
@@ -79,7 +72,7 @@ which will operate with the above example:
 ```yaml
 - id: cloudflare
   description: Cloudflare ZeroTrust
-  secret: '$plaintext$cloudflare_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/gitea/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -38,7 +31,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://gitea.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `gitea`
-* __Client Secret:__ `gitea_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 ## Configuration
 
@@ -54,7 +47,7 @@ To configure [Gitea] to utilize Authelia as an [OpenID Connect 1.0] Provider:
    1. Authentication Name: `authelia`
    2. OAuth2 Provider: `OpenID Connect`
    3. Client ID (Key): `gitea`
-   4. Client Secret: `gitea_client_secret`
+   4. Client Secret: `insecure_secret`
    5. OpenID Connect Auto Discovery URL: `https://auth.example.com/.well-known/openid-configuration`
 
 {{< figure src="gitea.png" alt="Gitea" width="300" >}}
@@ -86,7 +79,7 @@ will operate with the above example:
 ```yaml
 - id: gitea
   description: Gitea
-  secret: '$plaintext$gitea_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/gitlab/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -38,7 +31,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://gitlab.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `gitlab`
-* __Client Secret:__ `gitlab_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 ## Configuration
 
@@ -65,7 +58,7 @@ gitlab_rails['omniauth_providers'] = [
       send_scope_to_token_endpoint: "false",
       client_options: {
         identifier: "gitlab",
-        secret: "gitlab_client_secret",
+        secret: "insecure_secret",
         redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
       }
     }
@@ -82,7 +75,7 @@ which will operate with the above example:
 ```yaml
 - id: gitlab
   description: GitLab
-  secret: '$plaintext$gitlab_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/grafana/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -38,7 +31,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://grafana.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `grafana`
-* __Client Secret:__ `grafana_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 ## Configuration
 
@@ -58,7 +51,7 @@ enabled = true
 name = Authelia
 icon = signin
 client_id = grafana
-client_secret = grafana_client_secret
+client_secret = insecure_secret
 scopes = openid profile email groups
 empty_scopes = false
 auth_url = https://auth.example.com/api/oidc/authorization
@@ -80,7 +73,7 @@ Configure the following environment variables:
 |        GF_AUTH_GENERIC_OAUTH_ENABLED        |                      true                       |
 |         GF_AUTH_GENERIC_OAUTH_NAME          |                    Authelia                     |
 |       GF_AUTH_GENERIC_OAUTH_CLIENT_ID       |                     grafana                     |
-|     GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET     |              grafana_client_secret              |
+|     GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET     |                 insecure_secret                 |
 |        GF_AUTH_GENERIC_OAUTH_SCOPES         |           openid profile email groups           |
 |     GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES      |                      false                      |
 |       GF_AUTH_GENERIC_OAUTH_AUTH_URL        | https://auth.example.com/api/oidc/authorization |
@@ -100,7 +93,7 @@ which will operate with the above example:
 ```yaml
 - id: grafana
   description: Grafana
-  secret: '$plaintext$grafana_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/harbor/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -38,7 +31,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://harbor.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `harbor`
-* __Client Secret:__ `harbor_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 ## Configuration
 
@@ -54,7 +47,7 @@ To configure [Harbor] to utilize Authelia as an [OpenID Connect 1.0] Provider:
    1. OIDC Provider Name: `Authelia`
    2. OIDC Provider Endpoint: `https://auth.example.com`
    3. OIDC Client ID: `harbor`
-   4. OIDC Client Secret: `harbor_client_secret`
+   4. OIDC Client Secret: `insecure_secret`
    5. Group Claim Name: `groups`
    6. OIDC Scope: `openid,profile,email,groups`
    7. For OIDC Admin Group you can specify a group name that matches your authentication backend.
@@ -73,7 +66,7 @@ which will operate with the above example:
 ```yaml
 - id: harbor
   description: Harbor
-  secret: '$plaintext$harbor_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/hashicorp-vault/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -38,7 +31,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://vault.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `vault`
-* __Client Secret:__ `vault_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 ## Configuration
 
@@ -56,7 +49,7 @@ which will operate with the above example:
 ```yaml
 - id: vault
   description: HashiCorp Vault
-  secret: '$plaintext$vault_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/introduction.md

@@ -168,7 +168,7 @@ These endpoints implement OpenID Connect elements.
 [OpenID Connect Discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html
 [OAuth 2.0 Authorization Server Metadata]: https://www.rfc-editor.org/rfc/rfc8414.html
 
-[JSON Web Key Sets]: https://www.rfc-editor.org/rfc/rfc7517.html#section-5
+[JSON Web Key Sets]: https://datatracker.ietf.org/doc/html/rfc7517#section-5
 
 [Authorization]: https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
 [Token]: https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

docs/content/en/integration/openid-connect/komga/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -38,7 +31,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://komga.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `komga`
-* __Client Secret:__ `komga_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 ## Configuration
 
@@ -58,7 +51,7 @@ spring:
         registration:
           authelia:
             client-id: `komga`
-            client-secret: `komga_client_secret`
+            client-secret: `insecure_secret`
             client-name: Authelia
             scope: openid,profile,email
             authorization-grant-type: authorization_code
@@ -78,7 +71,7 @@ which will operate with the above example:
 ```yaml
 - id: komga
   description: Komga
-  secret: '$plaintext$komga_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/nextcloud/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -38,7 +31,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://nextcloud.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `nextcloud`
-* __Client Secret:__ `nextcloud_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 ## Configuration
 
@@ -55,7 +48,7 @@ $CONFIG = array (
     'lost_password_link' => 'disabled',
     'oidc_login_provider_url' => 'https://auth.example.com',
     'oidc_login_client_id' => 'nextcloud',
-    'oidc_login_client_secret' => 'nextcloud_client_secret',
+    'oidc_login_client_secret' => 'insecure_secret',
     'oidc_login_auto_redirect' => false,
     'oidc_login_end_session_redirect' => false,
     'oidc_login_button_text' => 'Log in with Authelia',
@@ -94,7 +87,7 @@ which will operate with the above example:
 ```yaml
 - id: nextcloud
   description: NextCloud
-  secret: '$plaintext$nextcloud_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/outline/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -38,7 +31,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://outline.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `outline`
-* __Client Secret:__ `outline_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 *__Important Note:__ At the time of this writing [Outline] requires the `offline_access` scope by default. Failure to include this scope will result
 in an error as [Outline] will attempt to use a refresh token that is never issued.*
@@ -55,7 +48,7 @@ URL=https://outline.example.com
 FORCE_HTTPS=true
 
 OIDC_CLIENT_ID=outline
-OIDC_CLIENT_SECRET=outline_client_secret
+OIDC_CLIENT_SECRET=insecure_secret
 OIDC_AUTH_URI=https://auth.example.com/api/oidc/authorization
 OIDC_TOKEN_URI=https://auth.example.com/api/oidc/token
 OIDC_USERINFO_URI=https://auth.example.com/api/oidc/userinfo
@@ -73,7 +66,7 @@ which will operate with the above example:
 ```yaml
 - id: outline
   description: Outline
-  secret: '$plaintext$outline_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/portainer/index.md

@@ -24,14 +24,7 @@ aliases:
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -40,7 +33,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://portainer.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `portainer`
-* __Client Secret:__ `portainer_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 ## Configuration
 
@@ -55,7 +48,7 @@ To configure [Portainer] to utilize Authelia as an [OpenID Connect 1.0] Provider
    2. Provider: Custom
    3. Enable *Automatic User Provision* if you want users to automatically be created in [Portainer].
    4. Client ID: `portainer`
-   5. Client Secret: `portainer_client_secret`
+   5. Client Secret: `insecure_secret`
    6. Authorization URL: `https://auth.example.com/api/oidc/authorization`
    7. Access Token URL: `https://auth.example.com/api/oidc/token`
    8. Resource URL: `https://auth.example.com/api/oidc/userinfo`
@@ -74,7 +67,7 @@ which will operate with the above example:
 ```yaml
 - id: portainer
   description: Portainer
-  secret: '$plaintext$portainer_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/proxmox/index.md

@@ -43,7 +43,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://proxmox.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `proxmox`
-* __Client Secret:__ `proxmox_client_secret`
+* __Client Secret:__ `insecure_secret`
 * __Realm__ `authelia`
 
 ## Configuration
@@ -60,7 +60,7 @@ To configure [Proxmox] to utilize Authelia as an [OpenID Connect 1.0] Provider:
    1. Issuer URL: `https://auth.example.com`
    2. Realm: `authelia`
    3. Client ID: `proxmox`
-   4. Client Key: `proxmox_client_secret`
+   4. Client Key: `insecure_secret`
    5. Username Claim `preferred_username`
    6. Scopes: `openid profile email`
    7. Enable *Autocreate Users* if you want users to automatically be created in [Proxmox].
@@ -76,7 +76,7 @@ which will operate with the above example:
 ```yaml
 - id: proxmox
   description: Proxmox
-  secret: '$plaintext$proxmox_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/seafile/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -38,7 +31,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://seafile.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `seafile`
-* __Client Secret:__ `seafile_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 ## Configuration
 
@@ -55,7 +48,7 @@ To configure [Seafile] to utilize Authelia as an [OpenID Connect 1.0] Provider:
 ENABLE_OAUTH = True
 OAUTH_ENABLE_INSECURE_TRANSPORT = False
 OAUTH_CLIENT_ID = "seafile"
-OAUTH_CLIENT_SECRET = "seafile_client_secret"
+OAUTH_CLIENT_SECRET = "insecure_secret"
 OAUTH_REDIRECT_URL = 'https://seafile.example.com/oauth/callback/'
 OAUTH_PROVIDER_DOMAIN = 'auth.example.com'
 OAUTH_AUTHORIZATION_URL = 'https://auth.example.com/api/oidc/authorization'
@@ -82,7 +75,7 @@ which will operate with the above example:
 ```yaml
 - id: seafile
   description: Seafile
-  secret: '$plaintext$seafile_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/specific-information.md

@@ -34,6 +34,22 @@ using PBKDF2 which can be stored in the Authelia configuration.
 
 ### Plaintext
 
-Authelia supports storing the plaintext secret in the configuration. This may be discontinued in the future. Plaintext
+Authelia *technically* supports storing the plaintext secret in the configuration. This will likely be completely
-is either denoted by the `$plaintext$` prefix where everything after the prefix is the secret. In addition if the secret
+unavailable in the future as it was a mistake to implement it like this in the first place. While some other OpenID
-does not start with the `$` character it's considered as a plaintext secret for the time being but is deprecated.
+Connect 1.0 providers operate in this way, it's more often than not that they operating in this way in error. The
+current *technical support* for this is only to prevent massive upheaval to users and give them time to migrate.
+
+As per [RFC6819 Section 5.1.4.1.3](https://datatracker.ietf.org/doc/html/rfc6819#section-5.1.4.1.3) the secret should
+only be stored by the authorization server as hashes / digests unless there is a very specific specification or protocol
+that is implemented by the authorization server which requires access to the secret in the clear to operate properly in
+which case the secret should be encrypted and not be stored in plaintext. The most likely long term outcome is that the
+client configurations will be stored in the database with the secret both salted and peppered.
+
+Authelia currently does not implement any of the specifications or protocols which require secrets being accessible in
+the clear and currently has no plans to implement any of these. As such it's *__strongly discouraged and heavily
+deprecated__* and we instead recommended that users remove this from their configuration entirely and use the
+[Generating Client Secrets](#generating-client-secrets) guide.
+
+Plaintext is either denoted by the `$plaintext$` prefix where everything after the prefix is the secret. In addition if
+the secret does not start with the `$` character it's considered as a plaintext secret for the time being but is
+deprecated as is the `$plaintext$` prefix.

docs/content/en/integration/openid-connect/synapse/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Assumptions
 
@@ -38,7 +31,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://matrix.example.com/`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `synapse`
-* __Client Secret:__ `synapse_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 ## Configuration
 
@@ -56,7 +49,7 @@ oidc_providers:
     discover: true
     issuer: "https://auth.example.com"
     client_id: "synapse"
-    client_secret: "synapse_client_secret"
+    client_secret: "insecure_secret"
     scopes: ["openid", "profile", "email"]
     allow_existing_users: true
     user_mapping_provider:
@@ -76,7 +69,7 @@ which will operate with the above example:
 ```yaml
 - id: synapse
   description: Synapse
-  secret: '$plaintext$synapse_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/integration/openid-connect/synology-dsm/index.md

@@ -22,14 +22,7 @@ community: true
 
 ## Before You Begin
 
-### Common Notes
+{{% oidc-common %}}
-
-1. You are *__required__* to utilize a unique client id for every client.
-2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
-3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
-   [Generating Client Secrets] guide instead.
-
-[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
 
 ### Specific Notes
 
@@ -43,7 +36,7 @@ This example makes the following assumptions:
 * __Application Root URL:__ `https://dsm.example.com/`
 * __Authelia Root URL:__ `https://auth.example.com`
 * __Client ID:__ `synology-dsm`
-* __Client Secret:__ `synology-dsm_client_secret`
+* __Client Secret:__ `insecure_secret`
 
 ## Configuration
 
@@ -61,7 +54,7 @@ To configure [Synology DSM] to utilize Authelia as an [OpenID Connect 1.0] Provi
     * Name: `Authelia`
     * Well Known URL: `https://auth.example.com/.well-known/openid-configuration`
     * Application ID: `synology-dsm`
-    * Application Key: `synology-dsm_client_secret`
+    * Application Key: `insecure_secret`
     * Redirect URL: `https://dsm.example.com`
     * Authorisation Scope: `openid profile groups email`
     * Username Claim: `preferred_username`
@@ -78,7 +71,7 @@ which will operate with the above example:
 ```yaml
 - id: synology-dsm
   description: Synology DSM
-  secret: '$plaintext$synology-dsm_client_secret'
+  secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
   public: false
   authorization_policy: two_factor
   redirect_uris:

docs/content/en/overview/security/measures.md

@@ -216,9 +216,9 @@ to port 587 (_the `submission` port, a common alternative that uses STARTTLS ins
 
 [docs-config-smtp-port]: ../../configuration/notifications/smtp.md#port
 [cleartext]: https://cwe.mitre.org/data/definitions/312.html
-[service-submissions]: https://www.rfc-editor.org/rfc/rfc8314#section-7.3
+[service-submissions]: https://datatracker.ietf.org/doc/html/rfc8314#section-7.3
-[port-465]: https://www.rfc-editor.org/rfc/rfc8314#section-3.3
+[port-465]: https://datatracker.ietf.org/doc/html/rfc8314#section-3.3
-[smtp-auth]: https://www.rfc-editor.org/rfc/rfc6409#section-4.3
+[smtp-auth]: https://datatracker.ietf.org/doc/html/rfc6409#section-4.3
 
 ## Protection against open redirects
 

docs/content/en/reference/guides/passwords.md

@@ -200,7 +200,7 @@ This table suggests the parameters for the [SHA2 Crypt] algorithm:
 [Bcrypt]: https://en.wikipedia.org/wiki/Bcrypt
 [FIPS-140 compliance]: https://csrc.nist.gov/publications/detail/fips/140/2/final
 
-[RFC9106 Parameter Choice]: https://www.rfc-editor.org/rfc/rfc9106.html#section-4
+[RFC9106 Parameter Choice]: https://datatracker.ietf.org/doc/html/rfc9106#section-4
 [YAML]: https://yaml.org/
 [crypt hash generate]: ../cli/authelia/authelia_crypto_hash_generate.md
 [Password Hashing Competition]: https://en.wikipedia.org/wiki/Password_Hashing_Competition

docs/content/en/roadmap/active/openid-connect.md

@@ -39,11 +39,11 @@ Feature List:
 * [User Consent](https://openid.net/specs/openid-connect-core-1_0.html#Consent)
 * [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps)
 * [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html)
-* [RS256 Signature Strategy](https://www.rfc-editor.org/rfc/rfc7518.html#section-3.1)
+* [RS256 Signature Strategy](https://datatracker.ietf.org/doc/html/rfc7518#section-3.1)
 * Per Client Scope/Grant Type/Response Type Restriction
 * Per Client Authorization Policy (1FA/2FA)
 * Per Client List of Valid Redirection URI's
-* [Confidential Client Type](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1)
+* [Confidential Client Type](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)
 
 ### Beta 2
 
@@ -56,7 +56,7 @@ Feature List:
 * Token/Code Lifespan
 * Client Debug Messages
 * Client Audience
-* [Public Client Type](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1)
+* [Public Client Type](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)
 
 ### Beta 3
 
@@ -97,7 +97,7 @@ Feature List:
 
 Feature List:
 
-* [JWK's backed by X509 Certificate Chains](https://www.rfc-editor.org/rfc/rfc7517#section-4.7)
+* [JWK's backed by X509 Certificate Chains](https://datatracker.ietf.org/doc/html/rfc7517#section-4.7)
 * Hashed Client Secrets
 * Per-Client [Consent](https://openid.net/specs/openid-connect-core-1_0.html#Consent) Mode:
   * Explicit:

docs/layouts/shortcodes/oidc-common.html

@@ -0,0 +1,18 @@
+{{ $specificinfo := "../specific-information/" }}{{ $config := "../../../configuration/identity-providers/open-id-connect.md" }}
+{{- with .Get "specificinfo" }}{{ $specificinfo = . }}{{ end }}
+{{- with .Get "config" }}{{ $config = . }}{{ end }}
+### Common Notes
+
+1. The [OpenID Connect 1.0](https://openid.net/specs/openid-connect-core-1_0.html) `client_id` parameter:
+    1. This *__must__* be a unique value for every client.
+    2. The value used in this guide is merely for demonstration purposes and you can theoretically use nearly any
+       alphanumeric string.
+2. The [OpenID Connect 1.0](https://openid.net/specs/openid-connect-core-1_0.html) `secret` parameter:
+    1. The value used in this guide is merely for demonstration purposes and you *__should absolutely not__* use this in
+       production and should instead utilize the
+       [Generating Client Secrets]({{ $specificinfo }}#generating-client-secrets) guide.
+    2. This string may be stored as plaintext in the Authelia configuration but this behaviour is deprecated and is not
+       guaranteed to be supported in the future. See the [Plaintext]({{ $specificinfo }}#plaintext) guide for more
+       information.
+3. The Configuration example for Authelia is only a portion of the required configuration and it should be used as a
+   guide in conjunction with the standard [OpenID Connect 1.0 Configuration]({{ $config }}) guide.