Merge branch 'authelia:master' into master

pull/3770/head
feinedsquirrel 2023-02-22 15:14:31 -07:00 committed by GitHub
commit 8bccb2d416
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
397 changed files with 13229 additions and 6031 deletions


@ -15,6 +15,8 @@ if [[ ! "${BUILDKITE_BRANCH}" =~ ^(v.*) ]] && [[ "${BUILDKITE_COMMAND_EXIT_STATU
NAME="UnitTest"
if [[ "${SUITE}" != "" ]]; then
NAME=${SUITE}
go tool covdata percent -i=coverage
go tool covdata textfmt -i=coverage -o coverage.txt
fi
if [[ "${BUILDKITE_AGENT_META_DATA_CODECOV}" == "verbose" ]]; then
BUILDKITE_AGENT_META_DATA_CODECOV="-v"
@ -23,7 +25,7 @@ if [[ ! "${BUILDKITE_BRANCH}" =~ ^(v.*) ]] && [[ "${BUILDKITE_COMMAND_EXIT_STATU
if [[ "${BUILDKITE_LABEL}" =~ ":selenium:" ]]; then
cd web && pnpm report
fi
codecov -Z -c -f '!Dockerfile*' -f '!*.go' -f '!*.zst' -n ${NAME} -F frontend "${BUILDKITE_AGENT_META_DATA_CODECOV}"
codecov -Z -c -f '!Dockerfile*' -f '!*.go' -f '!*.tar' -f '!*.zst' -n ${NAME} -F frontend "${BUILDKITE_AGENT_META_DATA_CODECOV}"
fi
fi


@ -31,6 +31,7 @@ fi
if [[ "${BUILDKITE_LABEL}" =~ ":selenium:" ]]; then
DEFAULT_ARCH=coverage
echo "--- :docker: Extract and load build container"
mkdir coverage
buildkite-agent artifact download "authelia-image-${DEFAULT_ARCH}*" .
if [[ "${SUITE}" == "Kubernetes" ]]; then
zstd -d authelia-image-coverage.tar.zst --stdout > ./internal/suites/example/kube/authelia-image-${DEFAULT_ARCH}.tar
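Review bot: `mkdir coverage` on line 36 fails if the directory already exists, which can happen on a reused agent workspace, and if this hook runs under `set -e` (not visible here) that aborts the step before the artifact download; `mkdir -p coverage` is idempotent and has the same effect on a clean checkout. The enclosing `if` block continues past the end of the hunk.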


@ -11,6 +11,10 @@ insert_final_newline = true
indent_style = space
indent_size = 2
[{.github/pre-commit,.github/required-apps,.github/commit-msg}]
indent_style = space
indent_size = 2
[.buildkite/hooks/**]
indent_style = space
indent_size = 2

3
.github/commit-msg vendored

@ -1,5 +1,6 @@
#!/bin/sh
. "$(dirname "$0")/_/husky.sh"
. "$(dirname "$0")/required-apps"
cd web && ${PMGR} commitlint --edit "$1"
cd web && ${PMGR_EXEC} commitlint --edit "$1"
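Review bot: `${PMGR_EXEC}` on line 62 is deliberately unquoted because required-apps can set it to two words (`yarn dlx`, `npm run`), and the previous version of this line quoted the variable, so a future reader is likely to "fix" it back and break the yarn/npm paths. A short comment above the line would prevent that, e.g. `# PMGR_EXEC may expand to more than one word (e.g. "yarn dlx"); do not quote it`. The same applies to `${PMGR_RUN}` in .github/pre-commit.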

2
.github/pre-commit vendored

@ -8,4 +8,4 @@ fi
. "$(dirname "$0")/required-apps"
golangci-lint run -v --fix && \
cd web && "${PMGR}" lint
cd web && ${PMGR_RUN} lint

23
.github/required-apps vendored

@ -1,19 +1,20 @@
#!/bin/sh
export PMGR=pnpm
if [ ! -x "$(command -v golangci-lint)" ]; then
echo "You must install golangci-lint."
exit 1
fi
if [ ! -x "$(command -v pnpm)" ]; then
export PMGR=yarn
if [ ! -x "$(command -v yarn)" ]; then
export PMGR=npm
if [ ! -x "$(command -v npm)" ]; then
echo "You must install a node package manager."
exit 1
fi
fi
if [ -x "$(command -v pnpm)" ]; then
export PMGR_RUN="pnpm"
export PMGR_EXEC="pnpm"
elif [ -x "$(command -v yarn)" ]; then
export PMGR_RUN="yarn run"
export PMGR_EXEC="yarn dlx"
elif [ -x "$(command -v npm)" ]; then
export PMGR_RUN="npm run"
export PMGR_EXEC="npx"
else
echo "You must install a node package manager (pnpm, yarn, or npm)."
exit 1
fi

2
.gitignore vendored

@ -25,3 +25,5 @@ authelia-image-dev.tar
/authelia
__debug_bin
internal/suites/common/pki/ca/ca.private.pem


@ -1,7 +1,7 @@
# ===================================
# ===== Authelia official image =====
# ===================================
FROM alpine:3.17.1
FROM alpine:3.17.2
ARG TARGETOS
ARG TARGETARCH


@ -15,7 +15,7 @@ RUN yarn global add pnpm && \
# =======================================
# ===== Build image for the backend =====
# =======================================
FROM golang:1.19.5-alpine AS builder-backend
FROM golang:1.20.1-alpine AS builder-backend
WORKDIR /go/src/app
@ -39,14 +39,14 @@ RUN \
mv api internal/server/public_html/api && \
cd cmd/authelia && \
chmod 0666 /go/src/app/.healthcheck.env && \
echo ">> Starting go build (coverage via go test)..." && \
CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" go test -c --tags coverage -covermode=atomic \
-ldflags "${LDFLAGS_EXTRA}" -o authelia -coverpkg github.com/authelia/authelia/...
echo ">> Starting go build (coverage via -cover)..." && \
CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" go build -cover -covermode=atomic \
-ldflags "${LDFLAGS_EXTRA}" -o authelia
# ===================================
# ===== Authelia official image =====
# ===================================
FROM alpine:3.17.1
FROM alpine:3.17.2
RUN apk --no-cache add ca-certificates tzdata
@ -59,7 +59,8 @@ EXPOSE 9091
VOLUME /config
ENV PATH="/app:${PATH}" \
GOCOVERDIR="/authelia/coverage/" \
X_AUTHELIA_CONFIG="/config/configuration.yml"
CMD ["authelia", "-test.coverprofile=/authelia/coverage.txt", "COVERAGE"]
CMD ["authelia"]
HEALTHCHECK --interval=30s --timeout=3s CMD /app/healthcheck.sh
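Review bot: `GOCOVERDIR="/authelia/coverage/"` on line 156 points the `-cover` binary at a directory that nothing in this hunk creates or makes writable for the runtime user; when the directory is missing or unwritable the Go runtime only warns at exit instead of failing, so the `go tool covdata` step in the Buildkite hook would silently see no counter files. Unless the directory is created elsewhere in the Dockerfile, add `RUN mkdir -p /authelia/coverage` in the final stage (with ownership matching whatever user the container runs as) before the `ENV` line. It may also be worth a comment next to `GOCOVERDIR` noting that the suite harness is expected to bind-mount or extract this path after each run.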


@ -13,7 +13,7 @@ RUN yarn install --frozen-lockfile && yarn build
# =======================================
# ===== Build image for the backend =====
# =======================================
FROM golang:1.19.5-alpine AS builder-backend
FROM golang:1.20.1-alpine AS builder-backend
WORKDIR /go/src/app
@ -43,7 +43,7 @@ RUN \
# ===================================
# ===== Authelia official image =====
# ===================================
FROM alpine:3.17.1
FROM alpine:3.17.2
WORKDIR /app


@ -20,7 +20,9 @@ tags:
- name: State
description: Configuration, health and state endpoints
- name: Authentication
description: Authentication and verification endpoints
description: Authentication endpoints
- name: Authorization
description: Authorization endpoints
{{- if .PasswordReset }}
- name: Password Reset
description: Password reset endpoints
@ -101,18 +103,58 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/handlers.StateResponse'
/api/verify:
{{- range $name, $config := .EndpointsAuthz }}
{{- $uri := printf "/api/authz/%s" $name }}
{{- if (eq $name "legacy") }}{{ $uri = "/api/verify" }}{{ end }}
{{ $uri }}:
{{- if (eq $config.Implementation "Legacy") }}
{{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }}
{{ $method }}:
tags:
- Authentication
summary: Verification
- Authorization
summary: Authorization Verification (Legacy)
description: >
The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
domain.
The legacy authorization verification endpoint provides the ability to verify if a user has the necessary
permissions to access a specified domain with several proxies. It's generally recommended users use a proxy
specific endpoint instead.
parameters:
- $ref: '#/components/parameters/originalURLParam'
- name: X-Original-URL
in: header
description: Redirection URL
required: false
style: simple
explode: true
schema:
type: string
- $ref: '#/components/parameters/forwardedMethodParam'
- name: X-Forwarded-Proto
in: header
description: Redirection URL (Scheme / Protocol)
required: false
style: simple
explode: true
example: "https"
schema:
type: string
- name: X-Forwarded-Host
in: header
description: Redirection URL (Host)
required: false
style: simple
explode: true
example: "example.com"
schema:
type: string
- name: X-Forwarded-Uri
in: header
description: Redirection URL (URI)
required: false
style: simple
explode: true
example: "/path/example"
schema:
type: string
- $ref: '#/components/parameters/forwardedForParam'
- $ref: '#/components/parameters/authParam'
responses:
"200":
@ -143,6 +185,136 @@ paths:
security:
- authelia_auth: []
{{- end }}
{{- else if (eq $config.Implementation "ExtAuthz") }}
{{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }}
{{ $method }}:
tags:
- Authorization
summary: Authorization Verification (ExtAuthz)
description: >
The ExtAuthz authorization verification endpoint provides the ability to verify if a user has the necessary
permissions to access a specified resource with the Envoy proxy.
parameters:
- $ref: '#/components/parameters/forwardedMethodParam'
- $ref: '#/components/parameters/forwardedHostParam'
- $ref: '#/components/parameters/forwardedURIParam'
- $ref: '#/components/parameters/forwardedForParam'
- $ref: '#/components/parameters/autheliaURLParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
"401":
description: Unauthorized
security:
- authelia_auth: []
{{- end }}
{{- else if (eq $config.Implementation "ForwardAuth") }}
{{- range $method := list "get" "head" }}
{{ $method }}:
tags:
- Authorization
summary: Authorization Verification (ForwardAuth)
description: >
The ForwardAuth authorization verification endpoint provides the ability to verify if a user has the necessary
permissions to access a specified resource with the Traefik, Caddy, or Skipper proxies.
parameters:
- $ref: '#/components/parameters/forwardedMethodParam'
- $ref: '#/components/parameters/forwardedHostParam'
- $ref: '#/components/parameters/forwardedURIParam'
- $ref: '#/components/parameters/forwardedForParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
"401":
description: Unauthorized
security:
- authelia_auth: []
{{- end }}
{{- else if (eq $config.Implementation "AuthRequest") }}
{{- range $method := list "get" "head" }}
{{ $method }}:
tags:
- Authorization
summary: Authorization Verification (AuthRequest)
description: >
The AuthRequest authorization verification endpoint provides the ability to verify if a user has the necessary
permissions to access a specified resource with the HAPROXY, NGINX, or NGINX-based proxies.
parameters:
- $ref: '#/components/parameters/originalMethodParam'
- $ref: '#/components/parameters/originalURLParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
"401":
description: Unauthorized
security:
- authelia_auth: []
{{- end }}
{{- end }}
{{- end }}
/api/firstfactor:
post:
tags:
@ -644,7 +816,7 @@ paths:
summary: OAuth 2.0 Authorization Server Metadata
description: >
This endpoint retrieves the OAuth 2.0 Authorization Server Metadata document (RFC8414) used by clients to
perform discovery for an OAuth 2.0 Authorization Server. See https://www.rfc-editor.org/rfc/rfc8414.
perform discovery for an OAuth 2.0 Authorization Server. See https://datatracker.ietf.org/doc/html/rfc8414.
responses:
"200":
description: OK
@ -1135,6 +1307,32 @@ paths:
{{- end }}
components:
parameters:
originalMethodParam:
name: X-Original-Method
in: header
description: Request Method
required: true
style: simple
explode: true
schema:
type: string
enum:
- "GET"
- "HEAD"
- "POST"
- "PUT"
- "PATCH"
- "DELETE"
- "TRACE"
- "CONNECT"
- "OPTIONS"
- "COPY"
- "LOCK"
- "MKCOL"
- "MOVE"
- "PROPFIND"
- "PROPPATCH"
- "UNLOCK"
originalURLParam:
name: X-Original-URL
in: header
@ -1170,6 +1368,56 @@ components:
- "PROPFIND"
- "PROPPATCH"
- "UNLOCK"
forwardedProtoParam:
name: X-Forwarded-Proto
in: header
description: Redirection URL (Scheme / Protocol)
required: true
style: simple
explode: true
example: "https"
schema:
type: string
forwardedHostParam:
name: X-Forwarded-Host
in: header
description: Redirection URL (Host)
required: true
style: simple
explode: true
example: "example.com"
schema:
type: string
forwardedURIParam:
name: X-Forwarded-Uri
in: header
description: Redirection URL (URI)
required: true
style: simple
explode: true
example: "/path/example"
schema:
type: string
forwardedForParam:
name: X-Forwarded-For
in: header
description: Clients IP address or IP address chain
required: false
style: simple
explode: true
example: "192.168.0.55,192.168.0.20"
schema:
type: string
autheliaURLParam:
name: X-Authelia-URL
in: header
description: Authelia Portal URL
required: false
style: simple
explode: true
example: "https://auth.example.com"
schema:
type: string
authParam:
name: auth
in: query
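Review bot: The new `autheliaURLParam` (`X-Authelia-URL`, lines 480-489) does not say where the value is expected to come from; presumably it is used to build the portal redirect for an unauthenticated request, in which case the description should make clear it is a header the proxy sets itself and must not be passed through from the client, e.g. `description: Authelia Portal URL (set by the proxy, not forwarded from the client)`. Independently, the `forwardedForParam` description on line 473 reads `Clients IP address or IP address chain` and should be `Client's IP address or IP address chain`. The `originalMethodParam` enum on lines 416-432 appears to duplicate the method list of the existing forwarded-method parameter (lines 437-439); a YAML anchor would keep the two lists from drifting.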
@ -2574,8 +2822,8 @@ components:
description: >
JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the
UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included. See Also:
JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT:
https://datatracker.ietf.org/doc/html/rfc7519
JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518
JWT: https://datatracker.ietf.org/doc/html/rfc7519
type: array
example: ["none", "RS256"]
items:


@ -1,18 +1,13 @@
package main
import (
"crypto/ecdsa"
"crypto/rsa"
"encoding/json"
"fmt"
"io"
"net/http"
"net/mail"
"net/url"
"os"
"path/filepath"
"reflect"
"regexp"
"strings"
"time"
@ -182,7 +177,7 @@ func codeKeysRunE(cmd *cobra.Command, args []string) (err error) {
data := tmplConfigurationKeysData{
Timestamp: time.Now(),
Keys: readTags("", reflect.TypeOf(schema.Configuration{})),
Keys: readTags("", reflect.TypeOf(schema.Configuration{}), false),
}
if root, err = cmd.Flags().GetString(cmdFlagRoot); err != nil {
@ -215,116 +210,3 @@ func codeKeysRunE(cmd *cobra.Command, args []string) (err error) {
return nil
}
var decodedTypes = []reflect.Type{
reflect.TypeOf(mail.Address{}),
reflect.TypeOf(regexp.Regexp{}),
reflect.TypeOf(url.URL{}),
reflect.TypeOf(time.Duration(0)),
reflect.TypeOf(schema.Address{}),
reflect.TypeOf(rsa.PrivateKey{}),
reflect.TypeOf(ecdsa.PrivateKey{}),
}
func containsType(needle reflect.Type, haystack []reflect.Type) (contains bool) {
for _, t := range haystack {
if needle.Kind() == reflect.Ptr {
if needle.Elem() == t {
return true
}
} else if needle == t {
return true
}
}
return false
}
//nolint:gocyclo
func readTags(prefix string, t reflect.Type) (tags []string) {
tags = make([]string, 0)
if t.Kind() != reflect.Struct {
if t.Kind() == reflect.Slice {
tags = append(tags, readTags(getKeyNameFromTagAndPrefix(prefix, "", true), t.Elem())...)
}
return
}
for i := 0; i < t.NumField(); i++ {
field := t.Field(i)
tag := field.Tag.Get("koanf")
if tag == "" {
tags = append(tags, prefix)
continue
}
switch field.Type.Kind() {
case reflect.Struct:
if !containsType(field.Type, decodedTypes) {
tags = append(tags, readTags(getKeyNameFromTagAndPrefix(prefix, tag, false), field.Type)...)
continue
}
case reflect.Slice:
switch field.Type.Elem().Kind() {
case reflect.Struct:
if !containsType(field.Type.Elem(), decodedTypes) {
tags = append(tags, getKeyNameFromTagAndPrefix(prefix, tag, false))
tags = append(tags, readTags(getKeyNameFromTagAndPrefix(prefix, tag, true), field.Type.Elem())...)
continue
}
case reflect.Slice:
tags = append(tags, readTags(getKeyNameFromTagAndPrefix(prefix, tag, true), field.Type.Elem())...)
}
case reflect.Ptr:
switch field.Type.Elem().Kind() {
case reflect.Struct:
if !containsType(field.Type.Elem(), decodedTypes) {
tags = append(tags, readTags(getKeyNameFromTagAndPrefix(prefix, tag, false), field.Type.Elem())...)
continue
}
case reflect.Slice:
if field.Type.Elem().Elem().Kind() == reflect.Struct {
if !containsType(field.Type.Elem(), decodedTypes) {
tags = append(tags, readTags(getKeyNameFromTagAndPrefix(prefix, tag, true), field.Type.Elem())...)
continue
}
}
}
}
tags = append(tags, getKeyNameFromTagAndPrefix(prefix, tag, false))
}
return tags
}
func getKeyNameFromTagAndPrefix(prefix, name string, slice bool) string {
nameParts := strings.SplitN(name, ",", 2)
if prefix == "" {
return nameParts[0]
}
if len(nameParts) == 2 && nameParts[1] == "squash" {
return prefix
}
if slice {
if name == "" {
return fmt.Sprintf("%s[]", prefix)
}
return fmt.Sprintf("%s.%s[]", prefix, nameParts[0])
}
return fmt.Sprintf("%s.%s", prefix, nameParts[0])
}


@ -110,7 +110,7 @@ func commitLintRunE(cmd *cobra.Command, args []string) (err error) {
return err
}
if pathCommitLintConfig, err = cmd.Flags().GetString(cmdFlagFileConfigCommitLint); err != nil {
if pathCommitLintConfig, err = getPFlagPath(cmd.Flags(), cmdFlagRoot, cmdFlagWeb, cmdFlagFileConfigCommitLint); err != nil {
return err
}


@ -108,8 +108,9 @@ func genCLIDocWriteIndex(path, name string) (err error) {
func prepend(input string) string {
now := time.Now()
pathz := strings.Split(strings.Replace(input, ".md", "", 1), "\\")
parts := strings.Split(pathz[len(pathz)-1], "_")
_, filename := filepath.Split(strings.Replace(input, ".md", "", 1))
parts := strings.Split(filename, "_")
cmd := parts[0]
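Review bot: `strings.Replace(input, ".md", "", 1)` on line 642 removes the first `.md` anywhere in the path, not only the file extension, so an input whose directory component contains `.md` (for example a `docs.md/` folder) keeps its extension and yields a wrong `filename`; since the intent is to strip the extension, `_, filename := filepath.Split(strings.TrimSuffix(input, ".md"))` is exact. The switch to `filepath.Split` is a good fix for the previous hard-coded backslash split. The body of `prepend` continues past the end of the hunk.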


@ -51,6 +51,26 @@ func docsDataMiscRunE(cmd *cobra.Command, args []string) (err error) {
data.CSP.TemplateDefault = strings.ReplaceAll(data.CSP.TemplateDefault, "%s", codeCSPNonce)
data.CSP.TemplateDevelopment = strings.ReplaceAll(data.CSP.TemplateDevelopment, "%s", codeCSPNonce)
var (
pathPackageJSON string
dataPackageJSON []byte
packageJSON PackageJSON
)
if pathPackageJSON, err = getPFlagPath(cmd.Flags(), cmdFlagRoot, cmdFlagWeb, cmdFlagFileWebPackage); err != nil {
return err
}
if dataPackageJSON, err = os.ReadFile(pathPackageJSON); err != nil {
return err
}
if err = json.Unmarshal(dataPackageJSON, &packageJSON); err != nil {
return fmt.Errorf("failed to unmarshall package.json: %w", err)
}
data.Latest = packageJSON.Version
var (
outputPath string
dataJSON []byte
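Review bot: The error message on line 663 misspells "unmarshal" and omits which file was read, which matters because this command takes the path from a flag; `return fmt.Errorf("failed to unmarshal package.json at %q: %w", pathPackageJSON, err)` fixes both. The `os.ReadFile` error on line 660 is returned bare, so it is also worth wrapping it with the path for consistency with the new message. `docsDataMiscRunE` continues outside the hunk.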
@ -89,13 +109,9 @@ func docsKeysRunE(cmd *cobra.Command, args []string) (err error) {
data []ConfigurationKey
)
keys := readTags("", reflect.TypeOf(schema.Configuration{}))
keys := readTags("", reflect.TypeOf(schema.Configuration{}), true)
for _, key := range keys {
if strings.Contains(key, "[]") {
continue
}
ck := ConfigurationKey{
Path: key,
Secret: configuration.IsSecretKey(key),


@ -42,7 +42,7 @@ func localesRunE(cmd *cobra.Command, args []string) (err error) {
return err
}
if pathWebI18NIndex, err = cmd.Flags().GetString(cmdFlagFileWebI18N); err != nil {
if pathWebI18NIndex, err = getPFlagPath(cmd.Flags(), cmdFlagRoot, cmdFlagWeb, cmdFlagFileWebI18N); err != nil {
return err
}


@ -26,12 +26,14 @@ func newRootCmd() *cobra.Command {
cmd.PersistentFlags().StringP(cmdFlagCwd, "C", "", "Sets the CWD for git commands")
cmd.PersistentFlags().StringP(cmdFlagRoot, "d", dirCurrent, "The repository root")
cmd.PersistentFlags().String(cmdFlagWeb, dirWeb, "The repository web directory in relation to the root directory")
cmd.PersistentFlags().StringSliceP(cmdFlagExclude, "X", nil, "Sets the names of excluded generators")
cmd.PersistentFlags().String(cmdFlagFeatureRequest, fileGitHubIssueTemplateFR, "Sets the path of the feature request issue template file")
cmd.PersistentFlags().String(cmdFlagBugReport, fileGitHubIssueTemplateBR, "Sets the path of the bug report issue template file")
cmd.PersistentFlags().Int(cmdFlagVersions, 5, "the maximum number of minor versions to list in output templates")
cmd.PersistentFlags().String(cmdFlagDirLocales, dirLocales, "The locales directory in relation to the root")
cmd.PersistentFlags().String(cmdFlagFileWebI18N, fileWebI18NIndex, "The i18n typescript configuration file in relation to the root")
cmd.PersistentFlags().String(cmdFlagFileWebI18N, fileWebI18NIndex, "The i18n typescript configuration file in relation to the web directory")
cmd.PersistentFlags().String(cmdFlagFileWebPackage, fileWebPackage, "The node package configuration file in relation to the web directory")
cmd.PersistentFlags().String(cmdFlagDocsDataLanguages, fileDocsDataLanguages, "The languages docs data file in relation to the docs data folder")
cmd.PersistentFlags().String(cmdFlagDocsDataMisc, fileDocsDataMisc, "The misc docs data file in relation to the docs data folder")
cmd.PersistentFlags().String(cmdFlagDocsCLIReference, dirDocsCLIReference, "The directory to store the markdown in")


@ -3,12 +3,14 @@ package main
const (
dirCurrent = "./"
dirLocales = "internal/server/locales"
dirWeb = "web"
subPathCmd = "cmd"
subPathInternal = "internal"
fileCICommitLintConfig = "web/.commitlintrc.js"
fileWebI18NIndex = "web/src/i18n/index.ts"
fileCICommitLintConfig = ".commitlintrc.js"
fileWebI18NIndex = "src/i18n/index.ts"
fileWebPackage = "package.json"
fileDocsCommitMessageGuidelines = "docs/content/en/contributing/guidelines/commit-message.md"
@ -68,27 +70,30 @@ const (
const (
cmdFlagRoot = "dir.root"
cmdFlagExclude = "exclude"
cmdFlagVersions = "versions"
cmdFlagWeb = "dir.web"
cmdFlagFileWebI18N = "file.web.i18n"
cmdFlagFileWebPackage = "file.web.package"
cmdFlagDocs = "dir.docs"
cmdFlagDirLocales = "dir.locales"
cmdFlagDocsCLIReference = "dir.docs.cli-reference"
cmdFlagDocsContent = "dir.docs.content"
cmdFlagDocsData = "dir.docs.data"
cmdFlagDocs = "dir.docs"
cmdFlagDocsDataLanguages = "file.docs.data.languages"
cmdFlagDocsDataMisc = "file.docs.data.misc"
cmdFlagDocsDataKeys = "file.docs.data.keys"
cmdFlagCwd = "cwd"
cmdFlagDocsDataLanguages = "file.docs.data.languages"
cmdFlagFileConfigKeys = "file.configuration-keys"
cmdFlagFileScriptsGen = "file.scripts.gen"
cmdFlagFileServerGenerated = "file.server.generated"
cmdFlagFileConfigCommitLint = "file.commit-lint-config"
cmdFlagFileDocsCommitMsgGuidelines = "file.docs-commit-msg-guidelines"
cmdFlagFileWebI18N = "file.web-i18n"
cmdFlagFeatureRequest = "file.feature-request"
cmdFlagBugReport = "file.bug-report"
cmdFlagPackageConfigKeys = "package.configuration.keys"
cmdFlagPackageScriptsGen = "package.scripts.gen"
cmdFlagExclude = "exclude"
cmdFlagVersions = "versions"
cmdFlagCwd = "cwd"
cmdFlagPackageConfigKeys = "package.configuration.keys"
cmdFlagPackageScriptsGen = "package.scripts.gen"
)
const (
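Review bot: `cmdFlagFileWebI18N` changes its user-visible flag name from `file.web-i18n` to `file.web.i18n` (lines 731 and 749), and its meaning changes from root-relative to web-directory-relative, so any script or CI step that still passes `--file.web-i18n` will fail flag parsing rather than degrade gracefully. If nothing outside this repository invokes authelia-gen that is acceptable, but a one-line comment on the new constant recording the rename, e.g. `// renamed from "file.web-i18n"; now relative to dir.web`, would save the next person a search.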


@ -1,11 +1,20 @@
package main
import (
"crypto/ecdsa"
"crypto/rsa"
"fmt"
"net/mail"
"net/url"
"path/filepath"
"reflect"
"regexp"
"strings"
"time"
"github.com/spf13/pflag"
"github.com/authelia/authelia/v4/internal/configuration/schema"
)
func getPFlagPath(flags *pflag.FlagSet, flagNames ...string) (fullPath string, err error) {
@ -46,3 +55,137 @@ func buildCSP(defaultSrc string, ruleSets ...[]CSPValue) string {
return strings.Join(rules, "; ")
}
var decodedTypes = []reflect.Type{
reflect.TypeOf(mail.Address{}),
reflect.TypeOf(regexp.Regexp{}),
reflect.TypeOf(url.URL{}),
reflect.TypeOf(time.Duration(0)),
reflect.TypeOf(schema.Address{}),
reflect.TypeOf(schema.X509CertificateChain{}),
reflect.TypeOf(schema.PasswordDigest{}),
reflect.TypeOf(rsa.PrivateKey{}),
reflect.TypeOf(ecdsa.PrivateKey{}),
}
func containsType(needle reflect.Type, haystack []reflect.Type) (contains bool) {
for _, t := range haystack {
if needle.Kind() == reflect.Ptr {
if needle.Elem() == t {
return true
}
} else if needle == t {
return true
}
}
return false
}
//nolint:gocyclo
func readTags(prefix string, t reflect.Type, envSkip bool) (tags []string) {
tags = make([]string, 0)
if envSkip && (t.Kind() == reflect.Slice || t.Kind() == reflect.Map) {
return
}
if t.Kind() != reflect.Struct {
if t.Kind() == reflect.Slice {
tags = append(tags, readTags(getKeyNameFromTagAndPrefix(prefix, "", true, false), t.Elem(), envSkip)...)
}
return
}
for i := 0; i < t.NumField(); i++ {
field := t.Field(i)
tag := field.Tag.Get("koanf")
if tag == "" {
tags = append(tags, prefix)
continue
}
switch kind := field.Type.Kind(); kind {
case reflect.Struct:
if !containsType(field.Type, decodedTypes) {
tags = append(tags, readTags(getKeyNameFromTagAndPrefix(prefix, tag, false, false), field.Type, envSkip)...)
continue
}
case reflect.Slice, reflect.Map:
if envSkip {
continue
}
switch field.Type.Elem().Kind() {
case reflect.Struct:
if !containsType(field.Type.Elem(), decodedTypes) {
tags = append(tags, getKeyNameFromTagAndPrefix(prefix, tag, false, false))
tags = append(tags, readTags(getKeyNameFromTagAndPrefix(prefix, tag, kind == reflect.Slice, kind == reflect.Map), field.Type.Elem(), envSkip)...)
continue
}
case reflect.Slice:
tags = append(tags, readTags(getKeyNameFromTagAndPrefix(prefix, tag, kind == reflect.Slice, kind == reflect.Map), field.Type.Elem(), envSkip)...)
}
case reflect.Ptr:
switch field.Type.Elem().Kind() {
case reflect.Struct:
if !containsType(field.Type.Elem(), decodedTypes) {
tags = append(tags, readTags(getKeyNameFromTagAndPrefix(prefix, tag, false, false), field.Type.Elem(), envSkip)...)
continue
}
case reflect.Slice, reflect.Map:
if envSkip {
continue
}
if field.Type.Elem().Elem().Kind() == reflect.Struct {
if !containsType(field.Type.Elem(), decodedTypes) {
tags = append(tags, readTags(getKeyNameFromTagAndPrefix(prefix, tag, true, false), field.Type.Elem(), envSkip)...)
continue
}
}
}
}
tags = append(tags, getKeyNameFromTagAndPrefix(prefix, tag, false, false))
}
return tags
}
func getKeyNameFromTagAndPrefix(prefix, name string, isSlice, isMap bool) string {
nameParts := strings.SplitN(name, ",", 2)
if prefix == "" {
return nameParts[0]
}
if len(nameParts) == 2 && nameParts[1] == "squash" {
return prefix
}
switch {
case isMap:
if name == "" {
return fmt.Sprintf("%s.*", prefix)
}
return fmt.Sprintf("%s.%s.*", prefix, nameParts[0])
case isSlice:
if name == "" {
return fmt.Sprintf("%s[]", prefix)
}
return fmt.Sprintf("%s.%s[]", prefix, nameParts[0])
default:
return fmt.Sprintf("%s.%s", prefix, nameParts[0])
}
}
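Review bot: In the `reflect.Ptr` branch, the `case reflect.Slice, reflect.Map:` arm on line 853 passes the hard-coded pair `true, false` to `getKeyNameFromTagAndPrefix` on line 859, so a pointer to a map of structs is rendered as `name[]` rather than `name.*`, while the non-pointer branch on line 840 derives the pair from `kind`; the pointer branch should do the same, e.g. `elemKind := field.Type.Elem().Kind()` followed by `getKeyNameFromTagAndPrefix(prefix, tag, elemKind == reflect.Slice, elemKind == reflect.Map)`. Line 858 also checks `containsType(field.Type.Elem(), …)` against the container type rather than `field.Type.Elem().Elem()`, so the decoded-type exclusion never fires there (carried over from the old code, but worth fixing while the branch is being touched). Finally, `readTags` and `getKeyNameFromTagAndPrefix` have no doc comments; a sentence on each explaining the `envSkip` flag (skip slices and maps because they cannot be expressed as environment keys, as far as the call sites suggest) and the `[]`/`.*` suffix convention would help.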


@ -32,7 +32,8 @@ type GitHubTagsJSON struct {
// DocsDataMisc represents the docs misc data schema.
type DocsDataMisc struct {
CSP TemplateCSP `json:"csp"`
CSP TemplateCSP `json:"csp"`
Latest string `json:"latest"`
}
// TemplateCSP represents the CSP template vars.
@ -139,7 +140,13 @@ func (t labelType) String() string {
return fmt.Sprintf("%s/%s", labelAreaPrefixType, labelTypeDescriptions[t])
}
// CSPValue represents individual CSP values.
type CSPValue struct {
Name string
Value string
}
// PackageJSON represents a NPM package.json file.
type PackageJSON struct {
Version string `json:"version"`
}


@ -64,7 +64,7 @@ func cmdBootstrapRun(_ *cobra.Command, _ []string) {
fmt.Println()
bootstrapPrintln("Run 'authelia-scripts suites setup Standalone' to start Authelia and visit https://home.example.com:8080.")
bootstrapPrintln("More details at https://github.com/authelia/authelia/blob/master/docs/getting-started.md")
bootstrapPrintln("More details at https://www.authelia.com/contributing/development/build-and-test/")
}
var hostEntries = []HostEntry{


@ -348,6 +348,8 @@ func runSuiteTests(suiteName string, withEnv bool) error {
cmd.Env = append(cmd.Env, "HEADLESS=y")
}
cmd.Env = append(cmd.Env, "SUITES_LOG_LEVEL="+log.GetLevel().String())
testErr := cmd.Run()
// If the tests failed, run the error hook.


@ -140,9 +140,7 @@ func setupSuite(cmd *cobra.Command, args []string) {
log.Fatal(err)
}
err = s.SetUp(suiteTmpDirectory)
if err != nil {
if err = s.SetUp(suiteTmpDirectory); err != nil {
log.Error("Failure during environment deployment.")
teardownSuite(nil, args)
log.Fatal(err)


@ -1,43 +0,0 @@
// +build coverage
package main
import (
"os"
"os/signal"
"strings"
"syscall"
"testing"
)
func TestCoverage(t *testing.T) {
var (
args []string
)
for _, arg := range os.Args {
switch {
case strings.HasPrefix(arg, "COVERAGE"):
case strings.HasPrefix(arg, "-test"):
default:
args = append(args, arg)
}
}
waitCh := make(chan int, 1)
os.Args = args
go func() {
main()
close(waitCh)
}()
signalCh := make(chan os.Signal, 1)
signal.Notify(signalCh, syscall.SIGINT, syscall.SIGQUIT, syscall.SIGTERM, syscall.SIGHUP)
select {
case <-signalCh:
return
case <-waitCh:
return
}
}


@ -51,12 +51,6 @@ server:
## Useful to allow overriding of specific static assets.
# asset_path: /config/assets/
## Enables the pprof endpoint.
enable_pprof: false
## Enables the expvars endpoint.
enable_expvars: false
## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0.
## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
disable_healthcheck: false
@ -104,6 +98,30 @@ server:
## Idle timeout.
# idle: 30s
## Server Endpoints configuration.
## This section is considered advanced and it SHOULD NOT be configured unless you've read the relevant documentation.
# endpoints:
## Enables the pprof endpoint.
# enable_pprof: false
## Enables the expvars endpoint.
# enable_expvars: false
## Configure the authz endpoints.
# authz:
# forward-auth:
# implementation: ForwardAuth
# authn_strategies: []
# ext-authz:
# implementation: ExtAuthz
# authn_strategies: []
# auth-request:
# implementation: AuthRequest
# authn_strategies: []
# legacy:
# implementation: Legacy
# authn_strategies: []
##
## Log Configuration
##
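Review bot: `enable_pprof` and `enable_expvars` move from directly under `server` (removed on lines 992-995) to the new `server.endpoints` block (lines 1005-1008), but the template gives an upgrading user no hint that the keys moved; if the old location is still accepted as deprecated that should be said, and if it is not, a user who keeps the old keys gets the defaults without noticing. A line next to `# endpoints:` such as `## Note: enable_pprof and enable_expvars were previously set directly under 'server' and now live here.` would cover it, and since both endpoints expose process internals it is reasonable to repeat that they should stay disabled outside of debugging. The `authn_strategies: []` entries on lines 1013-1022 also do not say what an empty list means (the implementation's defaults, or no strategies at all); one comment above the `authz:` key stating which it is would avoid misconfiguration.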
@ -408,7 +426,7 @@ authentication_backend:
## changed once attributed to a user otherwise it would break the configuration for that user. Technically,
## non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead advise to use
## a filter to perform alternative lookups and the attributes mentioned above (sAMAccountName and uid) to
## follow https://www.ietf.org/rfc/rfc2307.txt.
## follow https://datatracker.ietf.org/doc/html/rfc2307.
# username_attribute: uid
## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
@ -505,7 +523,6 @@ authentication_backend:
# variant: standard
# cost: 12
##
## Password Policy Configuration.
##
@ -540,6 +557,23 @@ password_policy:
## Configures the minimum score allowed.
min_score: 3
##
## Privacy Policy Configuration
##
## Parameters used for displaying the privacy policy link and drawer.
privacy_policy:
## Enables the display of the privacy policy using the policy_url.
enabled: false
## Enables the display of the privacy policy drawer which requires users accept the privacy policy
## on a per-browser basis.
require_user_acceptance: false
## The URL of the privacy policy document. Must be an absolute URL and must have the 'https://' scheme.
## If the privacy policy enabled option is true, this MUST be provided.
policy_url: ''
##
## Access Control Configuration
##


@ -1 +1 @@
canonifyURLs = false
baseurl = "https://authelia-staging.netlify.app/"


@ -1 +0,0 @@
canonifyURLs = false


@ -1,2 +1 @@
canonifyURLs = false
baseurl = "https://authelia-staging.netlify.app/"


@ -0,0 +1,262 @@
---
title: "4.38: Pre-Release Notes"
description: "Authelia 4.38 is just around the corner. This version has several additional features and improvements to existing features. In this blog post we'll discuss the new features and roughly what it means for users."
lead: "Pre-Release Notes for 4.38"
excerpt: "Authelia 4.38 is just around the corner. This version has several additional features and improvements to existing features. In this blog post we'll discuss the new features and roughly what it means for users."
date: 2023-01-21T00:18:00+11:00
draft: false
images: []
categories: ["News", "Release Notes"]
tags: ["releases", "pre-release-notes"]
contributors: ["James Elliott"]
pinned: false
homepage: false
---
Authelia [4.38](https://github.com/authelia/authelia/milestone/17) is just around the corner. This version has several
additional features and improvements to existing features. In this blog post we'll discuss the new features and roughly
what it means for users.
Overall this release adds several major roadmap items. It's quite a big release. We expect a few bugs here and there but
nothing major. It's one of our biggest releases to date, so while it's taken a longer time than usual it's for good
reason we think.
We understand it's taking a bit longer than usual and people are getting anxious for their particular feature of
interest. We're trying to ensure that we sufficiently add automated tests to all of the new features in both the backend
and in the frontend via automated browser-based testing in Chromium to ensure a high quality user experience.
As this is a larger release we're probably going to ask users to help with some experimentation. If you're comfortable
backing up your database then please keep your eyes peeled in the [chat](../../information/contact.md#chat).
_**Note:** These features discussed in this blog post are still subject to change however they represent the most likely
outcome._
_**Important Note:** There are some changes in this release which deprecate older configurations. The changes should be
backwards compatible, however mistakes happen. In addition we advise making the adjustments to your configuration as
necessary as several new features will not be available or even possible without making the necessary adjustments. We
will be publishing some guides on making these adjustments on the blog in the near future, including an FAQ catered to
specific scenarios._
## Builds
The following contains information on getting access to the pre-production builds of 4.38.0.
_**Note:** We strongly recommend people who wish to try the beta builds make backups of their proxy configuration,
authelia configuration, and authelia database prior to attempting to do so._
### 4.38.0-beta1
Notable Missing Features from this build:
- OpenID Connect 1.0 PAR
- Multi-Device Webauthn
- Device Registration OTP
- Container Images:
- [docker.io/authelia/authelia:v4.38.0-beta1](https://hub.docker.com/layers/authelia/authelia/v4.38.0-beta1/images/sha256-53faae6b6a0616f71f1f77069237d92969433b0037b9825be12852e013812bd0?context=explore)
- [ghcr.io/authelia/authelia:v4.38.0-beta1](https://github.com/authelia/authelia/pkgs/container/authelia/65909221?tag=v4.38.0-beta1)
- [Binaries](https://buildkite.com/authelia/authelia/builds/18261)
- [Documentation](https://deploy-preview-4828--authelia-staging.netlify.app/)
Major Documentation Changes:
- [LDAP](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/configuration/first-factor/ldap/)
- [Reference Guide](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/reference/guides/ldap/)
- [Server](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/configuration/miscellaneous/server/)
- [Authz Endpoints](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/configuration/miscellaneous/server-endpoints-authz/)
- [Reference Guide](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/reference/guides/proxy-authorization/)
- [Session](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/configuration/session/introduction/)
- [Configuration Files](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/configuration/methods/files/)
- [Configuration Files](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/configuration/methods/files/)
- [Proxy Integration](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/introduction/)
- [Caddy](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/caddy/)
- [Envoy](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/envoy/)
- [HAProxy](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/haproxy/)
- [HAProxy](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/haproxy/)
- [NGINX](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/nginx/)
- [Traefik](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/proxies/traefik/)
- [Kubernetes Integration](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/kubernetes/introduction/)
- [Traefik Ingress](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/kubernetes/traefik-ingress/)
- [Istio](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/kubernetes/istio/)
- [NGINX Ingress](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/integration/kubernetes/nginx-ingress/)
- [Templating Reference Guide](https://63d20934fa12200009e12cbf--authelia-staging.netlify.app/reference/guides/templating/)
## OpenID Connect 1.0
As part of our ongoing effort for comprehensive support for [OpenID Connect 1.0] we'll be introducing several important
features. Please see the [roadmap](../../roadmap/active/openid-connect.md) for more information.
##### OAuth 2.0 Pushed Authorization Requests
Support for [RFC9126] known as [Pushed Authorization Requests] is one of the main features being added to our
[OpenID Connect 1.0] implementation in this release.
[Pushed Authorization Requests] allows for relying parties / clients to send the Authorization Request parameters over a
back-channel and receive an opaque URI to be used as the `redirect_uri` on the standard Authorization endpoint in place
of the standard Authorization Request parameters.
The endpoint used by this mechanism requires the relying party provides the Token Endpoint authentication parameters.
This means the actual Authorization Request parameters are never sent in the clear over the front-channel. This helps
mitigate a few things:
1. Enhanced privacy. This is the primary focus of this specification.
2. Part of conforming to the [OpenID Connect 1.0] specification [Financial-grade API Security Profile 1.0 (Advanced)].
3. Reduces the attack surface by preventing an attacker from adjusting request parameters prior to the Authorization
Server receiving them.
4. Reduces the attack surface marginally as less information is available over the front-channel which is the most
likely location where an attacker would have access to information. While reducing access to information is not
a reasonable primary security method, when combined with other mechanisms present in [OpenID Connect 1.0] it is
meaningful.
Even if an attacker gets the [Authorization Code], they are unlikely to have the `client_id` for example, and this is
required to exchange the [Authorization Code] for an [Access Token] and ID Token.
This option can be enforced globally for users who only use relying parties which support
[Pushed Authorization Requests], or can be individually enforced for each relying party which has support.
##### Proof Key for Code Exchange by OAuth Public Clients
While we already support [RFC7636] commonly known as [Proof Key for Code Exchange], and support enforcement at a global
level for either public clients or all clients, we're adding a feature where administrators will be able to enforce
[Proof Key for Code Exchange] on individual clients.
It should also be noted that [Proof Key for Code Exchange] can be used at the same time as
[OAuth 2.0 Pushed Authorization Requests](#oauth-20-pushed-authorization-requests).
These features combined with our requirement for the HTTPS scheme are very powerful security measures.
[RFC7636]: https://datatracker.ietf.org/doc/html/rfc7636
[RFC9126]: https://datatracker.ietf.org/doc/html/rfc9126
[Proof Key for Code Exchange]: https://oauth.net/2/pkce/
[Access Token]: https://oauth.net/2/access-tokens/
[Authorization Code]: https://oauth.net/2/grant-types/authorization-code/
[Financial-grade API Security Profile 1.0 (Advanced)]: https://openid.net/specs/openid-financial-api-part-2-1_0.html
[OpenID Connect 1.0]: https://openid.net/
[OpenID Connect 1.0]: https://openid.net/
[Pushed Authorization Requests]: https://oauth.net/2/pushed-authorization-requests/
## Multi-Domain Protection
In this release we are releasing the main implementation of the Multi-Domain Protection roadmap item.
Please see the [roadmap](../../roadmap/active/openid-connect.md) for more information.
##### Initial Implementation
_**Important Note:** This feature at the time of this writing, will not work well with Webauthn. Steps are being taken
to address this however it will not specifically delay the release of this feature._
This release see's the initial implementation of multi-domain protection. Users will be able to configure more than a
single root domain for cookies provided none of them are a subdomain of another domain configured. In addition each
domain can have individual settings.
This does not allow single sign-on between these distinct domains. When surveyed users had very low interest in this
feature and technically speaking it's not trivial to implement such a feature as a lot of critical security
considerations need to be addressed.
In addition this feature will allow configuration based detection of the Authelia Portal URI on proxies other than
NGINX/NGINX Proxy Manager/SWAG/HAProxy with the use of the new
[Customizable Authorization Endpoints](#customizable-authorization-endpoints). This is important as it means you only
need to configure a single middleware or helper to perform automatic redirection.
## Webauthn
As part of our ongoing effort for comprehensive support for Webauthn we'll be introducing several important
features. Please see the [roadmap](../../roadmap/active/webauthn.md) for more information.
##### Multiple Webauthn Credentials Per-User
In this release we see full support for multiple Webauthn credentials. This is a fairly basic feature but getting the
frontend experience right is important to us. This is going to be supported via the
[User Control Panel](#user-dashboard--control-panel).
## Customizable Authorization Endpoints
For the longest time we've managed to have the `/api/verify` endpoint perform all authorization verification. This has
served us well however we've been growing out of it. This endpoint is being deprecated in favor of new customizable
per-implementation endpoints. Each existing proxy we support uses one of these distinct implementations.
The old endpoint will still work, in fact you can technically configure an additional endpoint using the methodology of
it via the `Legacy` implementation. However this is strongly discouraged and will not intentionally have new features or
fixes (excluding security fixes) going forward.
In addition to being able to customize them you can create your own, and completely disable support for all other
implementations in the process. Use of these new endpoints will require reconfiguration of your proxy, we plan to
release a guide for each proxy.
See the server authz endpoints docs and reference guide in the [builds](#builds) section for more information.
## User Dashboard / Control Panel
As part of our ongoing effort for comprehensive support for a User Dashboard / Control Panel we'll be introducing
several important features. Please see the [roadmap](../../roadmap/active/dashboard-control-panel.md) for more
information.
##### Device Registration OTP
Instead of the current link, in this release users will instead be sent a One Time Password, cryptographically randomly
generated by Authelia. This One Time Password will grant users a duration to perform security sensitive tasks.
The motivation for this is that it works in more situations, and is slightly less prone to phishing.
##### TOTP Registration
Instead of just assuming that users have successfully registered their TOTP application, we will require users to enter
the TOTP code prior to it being saved to the database.
## Configuration
Several enhancements are landing for the configuration.
##### Directories
Users will now be able to configure a directory where all `.yml` and `.yaml` files will be loaded in lexical order.
This will not allow combining lists of items, but it will allow you to split portions of the configuration easily.
##### Discovery
Environment variables are being added to assist with configuration discovery, and this will be the default method for
our containers. The advantage is that since the variable will be available when execing into the container, even if
the configuration paths have changed or you've defined additional paths, the `authelia` command will know where the
files are if you properly use this variables.
##### Templating
The file based configuration will have access to several experimental templating filters which will assist in creating
configuration templates. The initial one will just expand *most* environment variables into the configuration. The
second will use the go template engine in a very similar way to how Helm operates.
As these features are experimental they may break, be removed, or otherwise not operate as expected. However most of our
testing indicates they're incredibly solid.
See the templating reference guide in the [builds](#builds) section for more information.
##### LDAP Implementation
Several new LDAP implementations which provide defaults are being introduced in this version to assist users in
integrating their LDAP server with Authelia.
## Miscellaneous
Some miscellaneous notes about this release.
##### Email Notifications
Events triggered by users will generate new notifications sent to their inbox, for example adding a new 2FA device.
##### Storage Import/Export
Utility functions to assist in exporting and subsequently importing the important values in Authelia are being added and
unified in this release.
##### Privacy Policy
We'll be introducing a feature which allows administrators to more easily comply with the GDPR which optionally shows a
link to their individual privacy policy on the frontend, and optionally requires users to accept it before using
Authelia.
##### LDAP Implementations
This release adds several LDAP implementations into our existing set. See the reference guide in the [builds](#builds)
section for more information.

@ -256,8 +256,8 @@ truncation that [Bcrypt] does. It is not supported by many other systems.*
Controls the hashing cost when hashing passwords using [Bcrypt].
[Argon2]: https://www.rfc-editor.org/rfc/rfc9106.html
[Argon2]: https://datatracker.ietf.org/doc/html/rfc9106
[Scrypt]: https://en.wikipedia.org/wiki/Scrypt
[PBKDF2]: https://www.ietf.org/rfc/rfc2898.html
[PBKDF2]: https://datatracker.ietf.org/doc/html/rfc2898
[SHA2 Crypt]: https://www.akkadia.org/drepper/SHA-crypt.txt
[Bcrypt]: https://en.wikipedia.org/wiki/Bcrypt

@ -316,4 +316,4 @@ for your users.
[username attribute]: #usernameattribute
[TechNet wiki]: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
[RFC2307]: https://www.rfc-editor.org/rfc/rfc2307.html
[RFC2307]: https://datatracker.ietf.org/doc/html/rfc2307

@ -16,4 +16,4 @@ aliases:
## OpenID Connect
The only identity provider implementation supported at this time is [OpenID Connect](open-id-connect.md).
The only identity provider implementation supported at this time is [OpenID Connect 1.0](open-id-connect.md).

@ -1,7 +1,7 @@
---
title: "OpenID Connect"
description: "OpenID Connect Configuration"
lead: "Authelia can operate as an OpenID Connect provider. This section describes how to configure this."
lead: "Authelia can operate as an OpenID Connect 1.0 Provider. This section describes how to configure this."
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
@ -15,13 +15,14 @@ aliases:
- /docs/configuration/identity-providers/oidc.html
---
__Authelia__ currently supports the [OpenID Connect] OP role as a [__beta__](../../roadmap/active/openid-connect.md)
feature. The OP role is the [OpenID Connect] Provider role, not the Relying Party or RP role. This means other
applications that implement the [OpenID Connect] RP role can use Authelia as an authentication and authorization backend
similar to how you may use social media or development platforms for login.
__Authelia__ currently supports the [OpenID Connect 1.0] Provider role as an open
[__beta__](../../roadmap/active/openid-connect.md) feature. We currently do not support the [OpenID Connect 1.0] Relying
Party role. This means other applications that implement the [OpenID Connect 1.0] Relying Party role can use Authelia as
an [OpenID Connect 1.0] Provider similar to how you may use social media or development platforms for login.
The Relying Party role is the role which allows an application to use GitHub, Google, or other [OpenID Connect]
providers for authentication and authorization. We do not intend to support this functionality at this moment in time.
The [OpenID Connect 1.0] Relying Party role is the role which allows an application to use GitHub, Google, or other
[OpenID Connect 1.0] Providers for authentication and authorization. We do not intend to support this functionality at
this moment in time.
More information about the beta can be found in the [roadmap](../../roadmap/active/openid-connect.md).
@ -118,7 +119,7 @@ identity_providers:
clients:
- id: myapp
description: My Application
secret: '$plaintext$this_is_a_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
sector_identifier: ''
public: false
authorization_policy: two_factor
@ -165,13 +166,13 @@ with 64 or more characters.
{{< confkey type="string" required="no" >}}
The certificate chain/bundle to be used with the [issuer_private_key](#issuer_private_key) DER base64 ([RFC4648])
encoded PEM format used to sign/encrypt the [OpenID Connect] [JWT]'s. When configured it enables the [x5c] and [x5t]
encoded PEM format used to sign/encrypt the [OpenID Connect 1.0] [JWT]'s. When configured it enables the [x5c] and [x5t]
JSON key's in the JWKs [Discoverable Endpoint](../../integration/openid-connect/introduction.md#discoverable-endpoints)
as per [RFC7517].
[RFC7517]: https://www.rfc-editor.org/rfc/rfc7517
[x5c]: https://www.rfc-editor.org/rfc/rfc7517#section-4.7
[x5t]: https://www.rfc-editor.org/rfc/rfc7517#section-4.8
[RFC7517]: https://datatracker.ietf.org/doc/html/rfc7517
[x5c]: https://datatracker.ietf.org/doc/html/rfc7517#section-4.7
[x5t]: https://datatracker.ietf.org/doc/html/rfc7517#section-4.8
The first certificate in the chain must have the public key for the [issuer_private_key](#issuerprivatekey), each
certificate in the chain must be valid for the current date, and each certificate in the chain should be signed by the
@ -184,7 +185,7 @@ certificate immediately following it if present.
*__Important Note:__ This can also be defined using a [secret](../methods/secrets.md) which is __strongly recommended__
especially for containerized deployments.*
The private key used to sign/encrypt the [OpenID Connect] issued [JWT]'s. The key must be generated by the administrator
The private key used to sign/encrypt the [OpenID Connect 1.0] issued [JWT]'s. The key must be generated by the administrator
and can be done by following the
[Generating an RSA Keypair](../../reference/guides/generating-secure-values.md#generating-an-rsa-keypair) guide.
@ -250,7 +251,7 @@ this value.
{{< confkey type="string" default="public_clients_only" required="no" >}}
[Proof Key for Code Exchange](https://www.rfc-editor.org/rfc/rfc7636.html) enforcement policy: if specified, must be
[Proof Key for Code Exchange](https://datatracker.ietf.org/doc/html/rfc7636) enforcement policy: if specified, must be
either `never`, `public_clients_only` or `always`.
If set to `public_clients_only` (default), [PKCE] will be required for public clients using the
@ -273,7 +274,7 @@ method instead.
### cors
Some [OpenID Connect] Endpoints need to allow cross-origin resource sharing, however some are optional. This section allows
Some [OpenID Connect 1.0] Endpoints need to allow cross-origin resource sharing, however some are optional. This section allows
you to configure the optional parts. We reply with CORS headers when the request includes the Origin header.
#### endpoints
@ -298,7 +299,7 @@ A list of permitted origins.
Any origin with https is permitted unless this option is configured or the
[allowed_origins_from_client_redirect_uris](#allowed_origins_from_client_redirect_uris) option is enabled. This means
you must configure this option manually if you want http endpoints to be permitted to make cross-origin requests to the
[OpenID Connect] endpoints, however this is not recommended.
[OpenID Connect 1.0] endpoints, however this is not recommended.
Origins must only have the scheme, hostname and port, they may not have a trailing slash or path.
@ -386,7 +387,7 @@ the lookup of the subject identifier.
2. any client with a differing sector identifier.
In specific but limited scenarios this option is beneficial for privacy reasons. In particular this is useful when the
party utilizing the *Authelia* [OpenID Connect] Authorization Server is foreign and not controlled by the user. It would
party utilizing the *Authelia* [OpenID Connect 1.0] Authorization Server is foreign and not controlled by the user. It would
prevent the third party utilizing the subject identifier with another third party in order to track the user.
Keep in mind depending on the other claims they may still be able to perform this tracking and it is not a silver
@ -401,9 +402,6 @@ This enables the public client type for this client. This is for clients that ar
confidentiality of credentials, you can read more about client types in [RFC6749 Section 2.1]. This is particularly
useful for SPA's and CLI tools. This option requires setting the [client secret](#secret) to a blank string.
In addition to the standard rules for redirect URIs, public clients can use the `urn:ietf:wg:oauth:2.0:oob` redirect
URI.
#### redirect_uris
{{< confkey type="list(string)" required="yes" >}}
@ -419,7 +417,6 @@ their redirect URIs are as follows:
attempt to authorize will fail and an error will be generated.
2. The redirect URIs are case-sensitive.
3. The URI must include a scheme and that scheme must be one of `http` or `https`.
4. The client can ignore rule 3 and use `urn:ietf:wg:oauth:2.0:oob` if it is a [public](#public) client type.
#### audience
@ -433,30 +430,41 @@ A list of audiences this client is allowed to request.
A list of scopes to allow this client to consume. See
[scope definitions](../../integration/openid-connect/introduction.md#scope-definitions) for more information. The
documentation for the application you want to use with Authelia will most-likely provide you with the scopes to allow.
documentation for the application you are trying to configure [OpenID Connect 1.0] for will likely have a list of scopes
or claims required which can be matched with the above guide.
#### grant_types
{{< confkey type="list(string)" default="refresh_token, authorization_code" required="no" >}}
A list of grant types this client can return. *It is recommended that this isn't configured at this time unless you
know what you're doing*. Valid options are: `implicit`, `refresh_token`, `authorization_code`, `password`,
`client_credentials`.
*__Important Note:__ It is recommended that this isn't configured at this time unless you know what you're doing.*
The list of grant types this client is permitted to use in order to obtain access to the relevant tokens.
See the [Grant Types](../../integration/openid-connect/introduction.md#grant-types) section of the
[OpenID Connect 1.0 Integration Guide](../../integration/openid-connect/introduction.md#grant-types) for more information.
#### response_types
{{< confkey type="list(string)" default="code" required="no" >}}
A list of response types this client can return. *It is recommended that this isn't configured at this time unless you
know what you're doing*. Valid options are: `code`, `code id_token`, `id_token`, `token id_token`, `token`,
`token id_token code`.
*__Important Note:__ It is recommended that this isn't configured at this time unless you know what you're doing.*
A list of response types this client supports.
See the [Response Types](../../integration/openid-connect/introduction.md#response-types) section of the
[OpenID Connect 1.0 Integration Guide](../../integration/openid-connect/introduction.md#response-types) for more information.
#### response_modes
{{< confkey type="list(string)" default="form_post, query, fragment" required="no" >}}
A list of response modes this client can return. It is recommended that this isn't configured at this time unless you
know what you're doing. Potential values are `form_post`, `query`, and `fragment`.
*__Important Note:__ It is recommended that this isn't configured at this time unless you know what you're doing.*
A list of response modes this client supports.
See the [Response Modes](../../integration/openid-connect/introduction.md#response-modes) section of the
[OpenID Connect 1.0 Integration Guide](../../integration/openid-connect/introduction.md#response-modes) for more information.
#### authorization_policy
@ -494,14 +502,18 @@ more information.
{{< confkey type="string" default="auto" required="no" >}}
*__Important Note:__ the `implicit` consent mode is not technically part of the specification. It theoretically could be
misused in certain conditions specifically with public clients or when the client credentials (i.e. client secret) has
been exposed to an attacker. For these reasons this mode is discouraged.*
Configures the consent mode. The following table describes the different modes:
| Value | Description |
|:--------------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|
| auto | Automatically determined (default). Uses `explicit` unless [pre_configured_consent_duration] is specified in which case uses `pre-configured`. |
| explicit | Requires the user provide unique explicit consent for every authorization. |
| implicit | Automatically assumes consent for every authorization, never asking the user if they wish to give consent. *__Note:__* this option is not technically part of the specification. |
| pre-configured | Allows the end-user to remember their consent for the [pre_configured_consent_duration]. |
| Value | Description |
|:--------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|
| auto | Automatically determined (default). Uses `explicit` unless [pre_configured_consent_duration] is specified in which case uses `pre-configured`. |
| explicit | Requires the user provide unique explicit consent for every authorization. |
| implicit | Automatically assumes consent for every authorization, never asking the user if they wish to give consent. |
| pre-configured | Allows the end-user to remember their consent for the [pre_configured_consent_duration]. |
[pre_configured_consent_duration]: #preconfiguredconsentduration
@ -524,17 +536,17 @@ match exactly with the granted scopes/audience.
## Integration
To integrate Authelia's [OpenID Connect] implementation with a relying party please see the
To integrate Authelia's [OpenID Connect 1.0] implementation with a relying party please see the
[integration docs](../../integration/openid-connect/introduction.md).
[token lifespan]: https://docs.apigee.com/api-platform/antipatterns/oauth-long-expiration
[OpenID Connect]: https://openid.net/connect/
[JWT]: https://www.rfc-editor.org/rfc/rfc7519.html
[RFC6234]: https://www.rfc-editor.org/rfc/rfc6234.html
[RFC4648]: https://www.rfc-editor.org/rfc/rfc4648.html
[RFC7468]: https://www.rfc-editor.org/rfc/rfc7468.html
[RFC6749 Section 2.1]: https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1
[PKCE]: https://www.rfc-editor.org/rfc/rfc7636.html
[OpenID Connect 1.0]: https://openid.net/connect/
[JWT]: https://datatracker.ietf.org/doc/html/rfc7519
[RFC6234]: https://datatracker.ietf.org/doc/html/rfc6234
[RFC4648]: https://datatracker.ietf.org/doc/html/rfc4648
[RFC7468]: https://datatracker.ietf.org/doc/html/rfc7468
[RFC6749 Section 2.1]: https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
[PKCE]: https://datatracker.ietf.org/doc/html/rfc7636
[Authorization Code Flow]: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
[Subject Identifier Type]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
[Pairwise Identifier Algorithm]: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg

@ -15,8 +15,9 @@ toc: true
Environment variables are applied after the configuration file meaning anything specified as part of the environment
overrides the configuration files.
*__Please Note:__ It is not possible to configure the access control rules section or OpenID Connect identity provider
clients section using environment variables at this time.*
*__Please Note:__ It is not possible to configure several sections at this time, these include but may not be
limited to the rules section in access control, the clients section in the OpenID Connect identity provider, the cookies
section of in session, and the authz section in the server endpoints.*
## Prefix

@ -0,0 +1,72 @@
---
title: "Privacy Policy"
description: "Privacy Policy Configuration."
lead: "This describes a section of the configuration for enabling a Privacy Policy link display."
date: 2023-01-22T19:58:07+11:00
draft: false
images: []
menu:
configuration:
parent: "miscellaneous"
weight: 199100
toc: true
---
## Configuration
```yaml
privacy_policy:
enabled: false
require_user_acceptance: false
policy_url: ''
```
## Options
### enabled
{{< confkey type="boolean" default="false" required="no" >}}
Enables the display of the Privacy Policy link.
### require_user_acceptance
{{< confkey type="boolean" default="false" required="no" >}}
Requires users accept per-browser the Privacy Policy via a Dialog Drawer at the bottom of the page. The fact they have
accepted is recorded and checked in the browser
[localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage).
If the user has not accepted the policy they should not be able to interact with the Authelia UI via normal means.
Administrators who are required to abide by the [GDPR] or other privacy laws should be advised that
[OpenID Connect 1.0](../identity-providers/open-id-connect.md) clients configured with the `implicit` consent mode are
unlikely to trigger the display of the Authelia UI if the user is already authenticated.
We wont be adding checks like this to the `implicit` consent mode when that mode in particular is unlikely to be
compliant with those laws, and that mode is not strictly compliant with the OpenID Connect 1.0 specifications. It is
therefore recommended if `require_user_acceptance` is enabled then administrators should avoid using the `implicit`
consent mode or do so at their own risk.
### policy_url
{{< confkey type="string" required="situational" >}}
The privacy policy URL is a URL which optionally is displayed in the frontend linking users to the administrators
privacy policy. This is useful for users who wish to abide by laws such as the [GDPR].
Administrators can view the particulars of what _Authelia_ collects out of the box with our
[Privacy Policy](https://www.authelia.com/privacy/#application).
This value must be an absolute URL, and must have the `https://` scheme.
This option is required if the [enabled](#enabled) option is true.
[GDPR]: https://gdpr-info.eu/
_**Example:**_
```yaml
privacy_policy:
enabled: true
policy_url: 'https://www.example.com/privacy-policy'
```

@ -0,0 +1,72 @@
---
title: "Server Authz Endpoints"
description: "Configuring the Server Authz Endpoint Settings."
lead: "Authelia supports several authorization endpoints on the internal webserver. This section describes how to configure and tune them."
date: 2023-01-25T20:36:40+11:00
draft: false
images: []
menu:
configuration:
parent: "miscellaneous"
weight: 199210
toc: true
aliases:
- /c/authz
---
## Configuration
```yaml
server:
endpoints:
authz:
forward-auth:
implementation: ForwardAuth
authn_strategies: []
ext-authz:
implementation: ExtAuthz
authn_strategies: []
auth-request:
implementation: AuthRequest
authn_strategies: []
legacy:
implementation: Legacy
authn_strategies: []
```
## Name
{{< confkey type="string" required="yes" >}}
The first level under the `authz` directive is the name of the endpoint. In the example these names are `forward-auth`,
`ext-authz`, `auth-request`, and `legacy`.
The name correlates with the path of the endpoint. All endpoints start with `/api/authz/`, and end with the name. In the
example the `forward-auth` endpoint has a full path of `/api/authz/forward-auth`.
Valid characters for the name are alphanumeric as well as `-` and `_`. They MUST start AND end with an
alphanumeric character.
### implementation
{{< confkey type="string" required="yes" >}}
The underlying implementation for the endpoint. Valid case-sensitive values are `ForwardAuth`, `ExtAuthz`,
`AuthRequest`, and `Legacy`. Read more about the implementations in the
[reference guide](../../reference/guides/proxy-authorization.md#implementations).
### authn_strategies
{{< confkey type="list" required="no" >}}
A list of authentication strategies and their configuration options. These strategies are in order, and the first one
which succeeds is used. Failures other than lacking the sufficient information in the request to perform the strategy
immediately short-circuit the authentication, otherwise the next strategy in the list is attempted.
#### name
{{< confkey type="string" required="yes" >}}
The name of the strategy. Valid case-sensitive values are `CookieSession`, `HeaderAuthorization`,
`HeaderProxyAuthorization`, `HeaderAuthRequestProxyAuthorization`, and `HeaderLegacy`. Read more about the strategies in
the [reference guide](../../reference/guides/proxy-authorization.md#authn-strategies).


@ -22,8 +22,6 @@ server:
host: 0.0.0.0
port: 9091
path: ""
enable_pprof: false
enable_expvars: false
disable_healthcheck: false
tls:
key: ""
@ -38,6 +36,22 @@ server:
read: 6s
write: 6s
idle: 30s
endpoints:
enable_pprof: false
enable_expvars: false
authz:
forward-auth:
implementation: ForwardAuth
authn_strategies: []
ext-authz:
implementation: ExtAuthz
authn_strategies: []
auth-request:
implementation: AuthRequest
authn_strategies: []
legacy:
implementation: Legacy
authn_strategies: []
```
## Options
@ -100,18 +114,6 @@ assets that can be overridden must be placed in the `asset_path`. The structure
can be overriden is documented in the
[Sever Asset Overrides Reference Guide](../../reference/guides/server-asset-overrides.md).
### enable_pprof
{{< confkey type="boolean" default="false" required="no" >}}
Enables the go pprof endpoints.
### enable_expvars
{{< confkey type="boolean" default="false" required="no" >}}
Enables the go expvars endpoints.
### disable_healthcheck
{{< confkey type="boolean" default="false" required="no" >}}
@ -177,6 +179,32 @@ information.
Configures the server timeouts. See the [Server Timeouts](../prologue/common.md#server-timeouts) documentation for more
information.
### endpoints
#### enable_pprof
{{< confkey type="boolean" default="false" required="no" >}}
*__Security Note:__ This is a developer endpoint. __DO NOT__ enable it unless you know why you're enabling it.
__DO NOT__ enable this in production.*
Enables the go [pprof](https://pkg.go.dev/net/http/pprof) endpoints.
#### enable_expvars
*__Security Note:__ This is a developer endpoint. __DO NOT__ enable it unless you know why you're enabling it.
__DO NOT__ enable this in production.*
{{< confkey type="boolean" default="false" required="no" >}}
Enables the go [expvar](https://pkg.go.dev/expvar) endpoints.
#### authz
This is an *__advanced__* option allowing configuration of the authorization endpoints and has its own section.
Generally this does not need to be configured for most use cases. See the
[authz configuration](./server-endpoints-authz.md) for more information.
## Additional Notes
### Buffer Sizes


@ -164,7 +164,7 @@ characters and the user password is changed to this value.
{{< confkey type="string" required="yes" >}}
The sender is used to construct both the SMTP command `MAIL FROM` and to add the `FROM` header. This address must be
in [RFC5322](https://www.rfc-editor.org/rfc/rfc5322.html#section-3.4) format. This means it must one of two formats:
in [RFC5322](https://datatracker.ietf.org/doc/html/rfc5322#section-3.4) format. This means it must one of two formats:
* jsmith@domain.com
* John Smith <jsmith@domain.com>


@ -35,10 +35,18 @@ The way this format works is you can either configure an integer or a string in
supply an integer, it is considered a representation of seconds. If you supply a string, it parses the string in blocks
of quantities and units (number followed by a unit letter). For example `5h` indicates a quantity of 5 units of `h`.
The following is ignored:
- all spaces
- leading zeros
While you can use multiple of these blocks in combination, we suggest keeping it simple and use a single value.
### Unit Legend
#### Short Units
These values have been available for a long time.
| Unit | Associated Letter |
|:-------:|:-----------------:|
| Years | y |
@ -49,6 +57,21 @@ While you can use multiple of these blocks in combination, we suggest keeping it
| Minutes | m |
| Seconds | s |
#### Long Units
These values are more human readable but have only been available since v4.38.0.
| Unit | Human Readable Long Unit |
|:------------:|:-----------------------------:|
| Years | `year`, `years` |
| Months | `month`, `months` |
| Weeks | `week`, `weeks` |
| Days | `day`, `days` |
| Hours | `hour`, `hours` |
| Minutes | `minute`, `minutes` |
| Seconds | `second`, `seconds` |
| Milliseconds | `millisecond`, `milliseconds` |
### Examples
| Desired Value | Configuration Examples |
@ -154,7 +177,7 @@ The value must be one or more certificates encoded in the DER base64 ([RFC4648])
### private_key
{{< confkey type="string" required="yes" >}}
{{< confkey type="string" required="no" >}}
*__Important Note:__ This can also be defined using a [secret](../methods/secrets.md) which is __strongly recommended__
especially for containerized deployments.*
@ -163,6 +186,8 @@ The private key to be used with the [certificate_chain](#certificatechain) for m
The value must be one private key encoded in the DER base64 ([RFC4648]) encoded PEM format.
[RFC4648]: https://datatracker.ietf.org/doc/html/rfc4648
## Server Buffers
### read
@ -204,4 +229,4 @@ Configures the server write timeout.
*__Note:__ This setting uses the [duration notation format](#duration-notation-format). Please see the
[common options](#duration-notation-format) documentation for information on this format.*
Configures the server write timeout.
Configures the server idle timeout.


@ -172,5 +172,5 @@ at least a minimal configuration that has the storage backend connection details
See the [CLI Documentation](../../reference/cli/authelia/authelia_storage_user_totp_export.md) for methods to perform
exports.
[RFC4226]: https://www.rfc-editor.org/rfc/rfc4226.html
[RFC6238]: https://www.rfc-editor.org/rfc/rfc6238.html
[RFC4226]: https://datatracker.ietf.org/doc/html/rfc4226
[RFC6238]: https://datatracker.ietf.org/doc/html/rfc6238


@ -588,8 +588,8 @@ The match type `Equals` matches if the value extracted from the pattern is equal
match value is a list/slice).
The regex groups are case-insensitive due to the fact that the regex groups are used in domain criteria and domain names
should not be compared in a case-sensitive way as per the [RFC4343](https://www.rfc-editor.org/rfc/rfc4343.html)
abstract and [RFC3986 Section 3.2.2](https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2).
should not be compared in a case-sensitive way as per the [RFC4343](https://datatracker.ietf.org/doc/html/rfc4343)
abstract and [RFC3986 Section 3.2.2](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2).
We do not currently apply any other normalization to usernames or groups when matching these groups. As such it's
generally *__not recommended__* to use these patterns with usernames or groups which contain characters that are not
@ -664,6 +664,6 @@ access_control:
policy: bypass
```
[RFC7231]: https://www.rfc-editor.org/rfc/rfc7231.html
[RFC5789]: https://www.rfc-editor.org/rfc/rfc5789.html
[RFC4918]: https://www.rfc-editor.org/rfc/rfc4918.html
[RFC7231]: https://datatracker.ietf.org/doc/html/rfc7231
[RFC5789]: https://datatracker.ietf.org/doc/html/rfc5789
[RFC4918]: https://datatracker.ietf.org/doc/html/rfc4918


@ -15,11 +15,8 @@ aliases:
- /docs/configuration/session/
---
__Authelia__ relies on session cookies to authenticate users. When the user visits a website of the protected domain
`example.com` for the first time, Authelia detects that there is no cookie for that user. Consequently, Authelia
redirects the user to the login portal through which the user should authenticate to get a cookie which is valid for
`*.example.com`, meaning all websites of the domain. At the next request, Authelia receives the cookie associated to the
authenticated user and can then order the reverse proxy to let the request pass through to the application.
__Authelia__ relies on session cookies to authorize user access to various protected websites. This section configures
the session cookie behaviour and the domains which Authelia can service authorization requests for.
## Configuration
@ -34,8 +31,9 @@ session:
remember_me: 1M
cookies:
- name: authelia_session
domain: example.com
- domain: example.com
authelia_url: https://auth.example.com
name: authelia_session
same_site: lax
inactivity: 5m
expiration: 1h
@ -75,10 +73,8 @@ characters.
{{< confkey type="string" required="no" >}}
_**Deprecation Notice:** This option is deprecated. See the [cookies](#cookies) section instead._
The domain the cookie is assigned to protect. This must be the same as the domain Authelia is served on or the root
of the domain. For example if listening on auth.example.com the cookie should be auth.example.com or example.com.
_**Deprecation Notice:** This option is deprecated. See the [cookies](#cookies) section and specifically the
[cookies domain](#domain-1) option instead._
This value automatically maps to a single cookies configuration using the default values. It cannot be assigned at the
same time as a `cookies` configuration.
@ -128,28 +124,25 @@ The list of specific cookie domains that Authelia is configured to handle. Domai
automatically be denied by Authelia. The list allows administrators to define multiple session cookie domain
configurations with individual settings.
#### name
{{< confkey type="string" required="no" >}}
*__Default Value:__ This option takes its default value from the [name](#name) setting above.*
The name of the session cookie. By default this is set to the `name` value in the main session configuration section.
#### domain
{{< confkey type="string" required="yes" >}}
The domain the cookie is assigned to protect. This must be the same as the domain Authelia is served on or the root
of the domain, and consequently if the [authelia_url](#authelia_url) is configured must be able to read and write cookies
for the domain. For example if listening on `auth.example.com` the cookie should be either `auth.example.com` or
`example.com`.
*__Important Note:__ Browsers have rules regarding which cookie domains a website can write. In particular this.*
Please note most good DynamicDNS solutions fall into a specially protected group of domains and browsers do not allow
you to write cookies for the root domain. i.e. if you have been assigned `john.duckdns.org` you can't use `duckdns.org`
for the domain value as browsers will not allow `john.duckdns.org` to read or write cookies for `duckdns.org`.
The domain the session cookie is assigned to protect. This must be the same as the domain Authelia is served on or the
root of the domain, and consequently if the [authelia_url](#authelia_url) is configured must be able to read and write
cookies for this domain.
Consequently, if you have `john.duckdns.org` and `mary.duckdns.org` you cannot share cookies between these domains.
For example if Authelia is accessible via the URL `https://auth.example.com` the domain should be either
`auth.example.com` or `example.com`.
The value must not match a domain on the [Public Suffix List](https://publicsuffix.org/list/) as browsers do not allow
websites to write cookies for these domains. This includes most Dynamic DNS services such as `duckdns.org`. You should
use your domain instead of `duckdns.org` for this value, for example `example.duckdns.org`.
Consequently, if you have `example.duckdns.org` and `example-auth.duckdns.org` you cannot share cookies between these
domains.
#### authelia_url
@ -160,10 +153,24 @@ that the `authelia_url` option is ineffectual for both NGINX and HAProxy, or any
implementation.*
This is a completely optional URL which is the root URL of your Authelia installation for this cookie domain which can
be used to generate the appropriate redirection for proxies which support this.
be used to generate the appropriate redirection for proxies which support this. This URL must:
1. Be able to read and write cookies for the configured [domain](#domain-1).
2. Use the `https://` scheme.
3. Include the path if relevant (i.e. `https://example.com/authelia` rather than `https://example.com` if you're using the
[server path option](../miscellaneous/server.md#path) of `authelia` and if the Authelia portal is inaccessible from
`https://example.com`).
If this option is absent you must use the appropriate query parameter or header for your relevant proxy.
#### name
{{< confkey type="string" required="no" >}}
*__Default Value:__ This option takes its default value from the [name](#name) setting above.*
The name of the session cookie. By default this is set to the `name` value in the main session configuration section.
#### same_site
{{< confkey type="string" required="no" >}}


@ -18,18 +18,25 @@ __Authelia__ and its development workflow can be tested with [Docker] and [Docke
In order to build and contribute to __Authelia__, you need to make sure the following are installed in your environment:
* [go] *(v1.18 or greater)*
* [Docker]
* [Docker Compose]
* [Node.js] *(v16 or greater)*
* [pnpm]
* General:
* [git]
* Backend Development:
* [go] *(v1.20 or greater)*
* [gcc]
* Frontend Development
* [Node.js] *(v18 or greater)*
* [pnpm]
* Integration Suites:
* [Docker]
* [Docker Compose]
* [chromium]
The additional tools are recommended:
* [golangci-lint]
* [goimports-reviser]
* [yamllint]
* Either the [VSCodium] or [GoLand] IDE
* [VSCodium] or [GoLand]
## Scripts
@ -80,3 +87,6 @@ listed subdomains from your browser, and they will be served by the reverse prox
[yamllint]: https://yamllint.readthedocs.io/en/stable/quickstart.html
[VSCodium]: https://vscodium.com/
[GoLand]: https://www.jetbrains.com/go/
[chromium]: https://www.chromium.org/
[git]: https://git-scm.com/
[gcc]: https://gcc.gnu.org/


@ -39,27 +39,23 @@ spec:
envoyExtAuthzHttp:
service: 'authelia.default.svc.cluster.local'
port: 80
pathPrefix: '/api/verify/'
pathPrefix: '/api/authz/ext-authz/'
includeRequestHeadersInCheck:
- accept
- cookie
- proxy-authorization
- 'accept'
- 'cookie'
- 'authorization'
- 'proxy-authorization'
headersToUpstreamOnAllow:
- 'authorization'
- 'proxy-authorization'
- 'remote-*'
- 'authelia-*'
includeAdditionalHeadersInCheck:
X-Authelia-URL: 'https://auth.example.com/'
X-Forwarded-Method: '%REQ(:METHOD)%'
X-Forwarded-Proto: '%REQ(:SCHEME)%'
X-Forwarded-Host: '%REQ(:AUTHORITY)%'
X-Forwarded-URI: '%REQ(:PATH)%'
X-Forwarded-For: '%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%'
headersToDownstreamOnDeny:
- set-cookie
- 'set-cookie'
headersToDownstreamOnAllow:
- set-cookie
- 'set-cookie'
```
### Authorization Policy


@ -41,11 +41,9 @@ be applied to the Authelia Ingress itself.*
```yaml
annotations:
nginx.ingress.kubernetes.io/auth-method: GET
nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local/api/verify
nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local/api/authz/auth-request
nginx.ingress.kubernetes.io/auth-signin: https://auth.example.com?rm=$request_method
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Method $request_method;
nginx.ingress.kubernetes.io/auth-response-headers: Authorization,Proxy-Authorization,Remote-User,Remote-Name,Remote-Groups,Remote-Email
```
[ingress-nginx]: https://kubernetes.github.io/ingress-nginx/


@ -61,12 +61,17 @@ metadata:
app.kubernetes.io/name: authelia
spec:
forwardAuth:
address: http://authelia.default.svc.cluster.local/api/verify?rd=https%3A%2F%2Fauth.example.com%2F
address: 'http://authelia.default.svc.cluster.local/api/authz/forward-auth'
## The following commented line is for configuring the Authelia URL in the proxy. We strongly suggest this is
## configured in the Session Cookies section of the Authelia configuration.
# address: 'http://authelia.default.svc.cluster.local/api/authz/forward-auth?authelia_url=https%3A%2F%2Fauth.example.com%2F'
authResponseHeaders:
- Remote-User
- Remote-Name
- Remote-Email
- Remote-Groups
- 'Authorization'
- 'Proxy-Authorization'
- 'Remote-User'
- 'Remote-Groups'
- 'Remote-Email'
- 'Remote-Name'
...
```
{{< /details >}}


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,13 +31,13 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://guacamole.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `guacamole`
* __Client Secret:__ `guacamole_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
### Application
To configure [Apache Guacamole] to utilize Authelia as an [OpenID Connect] Provider use the following configuration:
To configure [Apache Guacamole] to utilize Authelia as an [OpenID Connect 1.0] Provider use the following configuration:
```yaml
openid-client-id: guacamole
@ -66,7 +59,7 @@ The following YAML configuration is an example __Authelia__
```yaml
- id: guacamole
description: Apache Guacamole
secret: '$plaintext$guacamole_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -89,7 +82,7 @@ The following YAML configuration is an example __Authelia__
[Authelia]: https://www.authelia.com
[Apache Guacamole]: https://guacamole.apache.org/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,20 +31,20 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://argocd.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `argocd`
* __Client Secret:__ `argocd_client_secret`
* __Client Secret:__ `insecure_secret`
* __CLI Client ID:__ `argocd-cli`
## Configuration
### Application
To configure [Argo CD] to utilize Authelia as an [OpenID Connect] Provider use the following configuration:
To configure [Argo CD] to utilize Authelia as an [OpenID Connect 1.0] Provider use the following configuration:
```yaml
name: Authelia
issuer: https://auth.example.com
clientID: argocd
clientSecret: argocd_client_secret
clientSecret: insecure_secret
cliClientID: argocd-cli
requestedScopes:
- openid
@ -69,7 +62,7 @@ which will operate with the above example:
```yaml
- id: argocd
description: Argo CD
secret: '$plaintext$argocd_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -101,7 +94,7 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Argo CD]: https://argo-cd.readthedocs.io/en/stable/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,19 +31,19 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://bookstack.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `bookstack`
* __Client Secret:__ `bookstack_client_secret`
* __Client Secret:__ `insecure_secret`
*__Important Note:__ [BookStack] does not properly URL encode the secret per [RFC6749 Appendix B] at the time this
article was last modified (noted at the bottom). This means you'll either have to use only alphanumeric characters for
the secret or URL encode the secret yourself.*
[RFC6749 Appendix B]: https://www.rfc-editor.org/rfc/rfc6749#appendix-B
[RFC6749 Appendix B]: https://datatracker.ietf.org/doc/html/rfc6749#appendix-B
## Configuration
### Application
To configure [BookStack] to utilize Authelia as an [OpenID Connect] Provider:
To configure [BookStack] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Edit your .env file
2. Set the following values:
@ -58,7 +51,7 @@ To configure [BookStack] to utilize Authelia as an [OpenID Connect] Provider:
2. OIDC_NAME: `Authelia`
3. OIDC_DISPLAY_NAME_CLAIMS: `name`
4. OIDC_CLIENT_ID: `bookstack`
5. OIDC_CLIENT_SECRET: `bookstack_client_secret`
5. OIDC_CLIENT_SECRET: `insecure_secret`
6. OIDC_ISSUER: `https://auth.example.com`
7. OIDC_ISSUER_DISCOVER: `true`
@ -71,7 +64,7 @@ which will operate with the above example:
```yaml
- id: bookstack
description: BookStack
secret: '$plaintext$bookstack_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -89,4 +82,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[BookStack]: https://www.bookstackapp.com/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -20,14 +20,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -36,13 +29,13 @@ This example makes the following assumptions:
* __Cloudflare Team Name:__ `example-team`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `cloudflare`
* __Client Secret:__ `cloudflare_client_secret`
* __Client Secret:__ `insecure_secret`
*__Important Note:__ [Cloudflare Zero Trust] does not properly URL encode the secret per [RFC6749 Appendix B] at the
time this article was last modified (noted at the bottom). This means you'll either have to use only alphanumeric
characters for the secret or URL encode the secret yourself.*
[RFC6749 Appendix B]: https://www.rfc-editor.org/rfc/rfc6749#appendix-B
[RFC6749 Appendix B]: https://datatracker.ietf.org/doc/html/rfc6749#appendix-B
## Configuration
@ -52,7 +45,7 @@ characters for the secret or URL encode the secret yourself.*
means that the URL's are accessible to foreign clients on the internet. There may be a way to configure this without
accessibility to foreign clients on the internet on Cloudflare's end but this is beyond the scope of this document.*
To configure [Cloudflare Zero Trust] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Cloudflare Zero Trust] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Visit the [Cloudflare Zero Trust Dashboard](https://dash.teams.cloudflare.com)
2. Visit `Settings`
@ -62,7 +55,7 @@ To configure [Cloudflare Zero Trust] to utilize Authelia as an [OpenID Connect]
6. Set the following values:
1. Name: `Authelia`
2. App ID: `cloudflare`
3. Client Secret: `cloudflare_client_secret`
3. Client Secret: `insecure_secret`
4. Auth URL: `https://auth.example.com/api/oidc/authorization`
5. Token URL: `https://auth.example.com/api/oidc/token`
6. Certificate URL: `https://auth.example.com/jwks.json`
@ -79,7 +72,7 @@ which will operate with the above example:
```yaml
- id: cloudflare
description: Cloudflare ZeroTrust
secret: '$plaintext$cloudflare_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -98,4 +91,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Cloudflare]: https://www.cloudflare.com/
[Cloudflare Zero Trust]: https://www.cloudflare.com/products/zero-trust/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,13 +31,17 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://gitea.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `gitea`
* __Client Secret:__ `gitea_client_secret`
* __Client Secret:__ `insecure_secret`
* __Authentication Name (Gitea):__ `authelia`:
* This option determines the redirect URI in the format of
`https://gitea.example.com/user/oauth2/<Authentication Name>/callback`.
This means if you change this value you need to update the redirect URI.
## Configuration
### Application
To configure [Gitea] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Gitea] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Expand User Options
2. Visit Site Administration
@ -54,12 +51,12 @@ To configure [Gitea] to utilize Authelia as an [OpenID Connect] Provider:
1. Authentication Name: `authelia`
2. OAuth2 Provider: `OpenID Connect`
3. Client ID (Key): `gitea`
4. Client Secret: `gitea_client_secret`
4. Client Secret: `insecure_secret`
5. OpenID Connect Auto Discovery URL: `https://auth.example.com/.well-known/openid-configuration`
{{< figure src="gitea.png" alt="Gitea" width="300" >}}
To configure [Gitea] to perform automatic user creation for the `auth.example.com` domain via [OpenID Connect]:
To configure [Gitea] to perform automatic user creation for the `auth.example.com` domain via [OpenID Connect 1.0]:
1. Edit the following values in the [Gitea] `app.ini`:
```ini
@ -86,7 +83,7 @@ will operate with the above example:
```yaml
- id: gitea
description: Gitea
secret: '$plaintext$gitea_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -105,4 +102,4 @@ will operate with the above example:
- [Authelia]: https://www.authelia.com
[Gitea]: https://gitea.io/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,15 +31,15 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://gitlab.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `gitlab`
* __Client Secret:__ `gitlab_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
### Application
To configure [GitLab] to utilize Authelia as an [OpenID Connect] Provider:
To configure [GitLab] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Add the Omnibus [OpenID Connect] OmniAuth configuration to `gitlab.rb`:
1. Add the Omnibus [OpenID Connect 1.0] OmniAuth configuration to `gitlab.rb`:
```ruby
gitlab_rails['omniauth_providers'] = [
@ -65,7 +58,7 @@ gitlab_rails['omniauth_providers'] = [
send_scope_to_token_endpoint: "false",
client_options: {
identifier: "gitlab",
secret: "gitlab_client_secret",
secret: "insecure_secret",
redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
}
}
@ -82,7 +75,7 @@ which will operate with the above example:
```yaml
- id: gitlab
description: GitLab
secret: '$plaintext$gitlab_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -101,4 +94,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[GitLab]: https://about.gitlab.com/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,13 +31,13 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://grafana.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `grafana`
* __Client Secret:__ `grafana_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
### Application
To configure [Grafana] to utilize Authelia as an [OpenID Connect] Provider you have two effective options:
To configure [Grafana] to utilize Authelia as an [OpenID Connect 1.0] Provider you have two effective options:
#### Configuration File
@ -58,7 +51,7 @@ enabled = true
name = Authelia
icon = signin
client_id = grafana
client_secret = grafana_client_secret
client_secret = insecure_secret
scopes = openid profile email groups
empty_scopes = false
auth_url = https://auth.example.com/api/oidc/authorization
@ -80,7 +73,7 @@ Configure the following environment variables:
| GF_AUTH_GENERIC_OAUTH_ENABLED | true |
| GF_AUTH_GENERIC_OAUTH_NAME | Authelia |
| GF_AUTH_GENERIC_OAUTH_CLIENT_ID | grafana |
| GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET | grafana_client_secret |
| GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET | insecure_secret |
| GF_AUTH_GENERIC_OAUTH_SCOPES | openid profile email groups |
| GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES | false |
| GF_AUTH_GENERIC_OAUTH_AUTH_URL | https://auth.example.com/api/oidc/authorization |
@ -100,7 +93,7 @@ which will operate with the above example:
```yaml
- id: grafana
description: Grafana
secret: '$plaintext$grafana_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -119,4 +112,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Grafana]: https://grafana.com/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,13 +31,13 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://harbor.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `harbor`
* __Client Secret:__ `harbor_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
### Application
To configure [Harbor] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Harbor] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Visit Administration
2. Visit Configuration
@ -54,7 +47,7 @@ To configure [Harbor] to utilize Authelia as an [OpenID Connect] Provider:
1. OIDC Provider Name: `Authelia`
2. OIDC Provider Endpoint: `https://auth.example.com`
3. OIDC Client ID: `harbor`
4. OIDC Client Secret: `harbor_client_secret`
4. OIDC Client Secret: `insecure_secret`
5. Group Claim Name: `groups`
6. OIDC Scope: `openid,profile,email,groups`
7. For OIDC Admin Group you can specify a group name that matches your authentication backend.
@ -73,7 +66,7 @@ which will operate with the above example:
```yaml
- id: harbor
description: Harbor
secret: '$plaintext$harbor_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -92,4 +85,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Harbor]: https://goharbor.io/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,13 +31,13 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://vault.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `vault`
* __Client Secret:__ `vault_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
### Application
To configure [HashiCorp Vault] to utilize Authelia as an [OpenID Connect] Provider please see the links in the
To configure [HashiCorp Vault] to utilize Authelia as an [OpenID Connect 1.0] Provider please see the links in the
[see also](#see-also) section.
### Authelia
@ -56,7 +49,7 @@ which will operate with the above example:
```yaml
- id: vault
description: HashiCorp Vault
secret: '$plaintext$vault_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -77,4 +70,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[HashiCorp Vault]: https://www.vaultproject.io/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -14,21 +14,22 @@ aliases:
- /docs/community/oidc-integrations.html
---
Authelia supports [OpenID Connect] as part of an open beta. This section details implementation specifics that can be
used for integrating Authelia with relying parties, as well as specific documentation for some relying parties.
Authelia can act as an [OpenID Connect 1.0] Provider as part of an open beta. This section details implementation
specifics that can be used for integrating Authelia with an [OpenID Connect 1.0] Relying Party, as well as specific
documentation for some [OpenID Connect 1.0] Relying Party implementations.
See the [configuration documentation](../../configuration/identity-providers/open-id-connect.md) for information on how
to configure [OpenID Connect].
to configure the Authelia [OpenID Connect 1.0] Provider.
## Scope Definitions
### openid
This is the default scope for [OpenID Connect]. This field is forced on every client by the configuration validation
This is the default scope for [OpenID Connect 1.0]. This field is forced on every client by the configuration validation
that Authelia does.
*__Important Note:__ The subject identifiers or `sub` [Claim] has been changed to a [RFC4122] UUID V4 to identify the
individual user as per the [Subject Identifier Types] section of the [OpenID Connect] specification. Please use the
individual user as per the [Subject Identifier Types] section of the [OpenID Connect 1.0] specification. Please use the
`preferred_username` [Claim] instead.*
| [Claim] | JWT Type | Authelia Attribute | Description |
@ -86,12 +87,74 @@ This scope includes the profile information the authentication backend reports a
| preferred_username | string | username | The username the user used to login with |
| name | string | display_name | The users display name |
## Parameters
The following section describes advanced parameters which can be used in various endpoints as well as their related
configuration options.
### Grant Types
The following describes the various [OAuth 2.0] and [OpenID Connect 1.0] grant types and their support level. The value
field is both the required value for the `grant_type` parameter in the authorization request and the `grant_types`
configuration option.
| Grant Type | Supported | Value | Notes |
|:-----------------------------------------------:|:---------:|:----------------------------------------------:|:-------------------------------------------------------------------:|
| [OAuth 2.0 Authorization Code] | Yes | `authorization_code` | |
| [OAuth 2.0 Resource Owner Password Credentials] | No | `password` | This Grant Type has been deprecated and should not normally be used |
| [OAuth 2.0 Client Credentials] | Yes | `client_credentials` | |
| [OAuth 2.0 Implicit] | Yes | `implicit` | This Grant Type has been deprecated and should not normally be used |
| [OAuth 2.0 Refresh Token] | Yes | `refresh_token` | |
| [OAuth 2.0 Device Code] | No | `urn:ietf:params:oauth:grant-type:device_code` | |
|
[OAuth 2.0 Authorization Code]: https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.1
[OAuth 2.0 Implicit]: https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.2
[OAuth 2.0 Resource Owner Password Credentials]: https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.3
[OAuth 2.0 Client Credentials]: https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4
[OAuth 2.0 Refresh Token]: https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
[OAuth 2.0 Device Code]: https://datatracker.ietf.org/doc/html/rfc8628#section-3.4
### Response Types
The following describes the supported response types. See the [OAuth 2.0 Multiple Response Type Encoding Practices] for
more technical information.
| Flow Type | Values |
|:-------------------------:|:---------------------:|
| [Authorization Code Flow] | `code` |
| [Implicit Flow] | `token id_token` |
| [Implicit Flow] | `id_token` |
| [Implicit Flow] | `token` |
| [Hybrid Flow] | `code token` |
| [Hybrid Flow] | `code id_token` |
| [Hybrid Flow] | `code token id_token` |
[Authorization Code Flow]: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
[Implicit Flow]: https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
[Hybrid Flow]: https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth
[OAuth 2.0 Multiple Response Type Encoding Practices]: https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html
### Response Modes
The following describes the supported response modes. See the [OAuth 2.0 Multiple Response Type Encoding Practices] for
more technical information.
| Name | Value |
|:---------------------:|:-----------:|
| Query String | `query` |
| Fragment | `fragment` |
| [OAuth 2.0 Form Post] | `form_post` |
[OAuth 2.0 Form Post]: https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
## Authentication Method References
Authelia currently supports adding the `amr` [Claim] to the [ID Token] utilizing the [RFC8176] Authentication Method
Reference values.
The values this [Claim] has are not strictly defined by the [OpenID Connect] specification. As such, some backends may
The values this [Claim] has are not strictly defined by the [OpenID Connect 1.0] specification. As such, some backends may
expect a specification other than [RFC8176] for this purpose. If you have such an application and wish for us to support
it then you're encouraged to create a [feature request](https://www.authelia.com/l/fr).
@ -162,19 +225,19 @@ These endpoints implement OpenID Connect elements.
[Claims]: https://openid.net/specs/openid-connect-core-1_0.html#Claims
[Claim]: https://openid.net/specs/openid-connect-core-1_0.html#Claims
[OpenID Connect]: https://openid.net/connect/
[OpenID Connect 1.0]: https://openid.net/connect/
[OpenID Connect Discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html
[OAuth 2.0 Authorization Server Metadata]: https://www.rfc-editor.org/rfc/rfc8414.html
[OAuth 2.0 Authorization Server Metadata]: https://datatracker.ietf.org/doc/html/rfc8414
[JSON Web Key Sets]: https://www.rfc-editor.org/rfc/rfc7517.html#section-5
[JSON Web Key Sets]: https://datatracker.ietf.org/doc/html/rfc7517#section-5
[Authorization]: https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
[Token]: https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
[UserInfo]: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
[Introspection]: https://www.rfc-editor.org/rfc/rfc7662.html
[Revocation]: https://www.rfc-editor.org/rfc/rfc7009.html
[Introspection]: https://datatracker.ietf.org/doc/html/rfc7662
[Revocation]: https://datatracker.ietf.org/doc/html/rfc7009
[RFC8176]: https://www.rfc-editor.org/rfc/rfc8176.html
[RFC4122]: https://www.rfc-editor.org/rfc/rfc4122.html
[RFC8176]: https://datatracker.ietf.org/doc/html/rfc8176
[RFC4122]: https://datatracker.ietf.org/doc/html/rfc4122
[Subject Identifier Types]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,13 +31,13 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://komga.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `komga`
* __Client Secret:__ `komga_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
### Application
To configure [Komga] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Komga] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Configure the security section of the [Komga] configuration:
```yaml
@ -58,7 +51,7 @@ spring:
registration:
authelia:
client-id: `komga`
client-secret: `komga_client_secret`
client-secret: `insecure_secret`
client-name: Authelia
scope: openid,profile,email
authorization-grant-type: authorization_code
@ -78,7 +71,7 @@ which will operate with the above example:
```yaml
- id: komga
description: Komga
secret: '$plaintext$komga_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -99,4 +92,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Komga]: https://www.komga.org
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,13 +31,13 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://nextcloud.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `nextcloud`
* __Client Secret:__ `nextcloud_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
### Application
To configure [Nextcloud] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Nextcloud] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Install the [Nextcloud OpenID Connect Login app]
2. Add the following to the [Nextcloud] `config.php` configuration:
@ -55,7 +48,7 @@ $CONFIG = array (
'lost_password_link' => 'disabled',
'oidc_login_provider_url' => 'https://auth.example.com',
'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => 'nextcloud_client_secret',
'oidc_login_client_secret' => 'insecure_secret',
'oidc_login_auto_redirect' => false,
'oidc_login_end_session_redirect' => false,
'oidc_login_button_text' => 'Log in with Authelia',
@ -94,7 +87,7 @@ which will operate with the above example:
```yaml
- id: nextcloud
description: NextCloud
secret: '$plaintext$nextcloud_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -115,4 +108,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Nextcloud]: https://nextcloud.com/
[Nextcloud OpenID Connect Login app]: https://apps.nextcloud.com/apps/oidc_login
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,7 +31,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://outline.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `outline`
* __Client Secret:__ `outline_client_secret`
* __Client Secret:__ `insecure_secret`
*__Important Note:__ At the time of this writing [Outline] requires the `offline_access` scope by default. Failure to include this scope will result
in an error as [Outline] will attempt to use a refresh token that is never issued.*
@ -47,7 +40,7 @@ in an error as [Outline] will attempt to use a refresh token that is never issue
### Application
To configure [Outline] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Outline] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Configure the following environment options:
```text
@ -55,7 +48,7 @@ URL=https://outline.example.com
FORCE_HTTPS=true
OIDC_CLIENT_ID=outline
OIDC_CLIENT_SECRET=outline_client_secret
OIDC_CLIENT_SECRET=insecure_secret
OIDC_AUTH_URI=https://auth.example.com/api/oidc/authorization
OIDC_TOKEN_URI=https://auth.example.com/api/oidc/token
OIDC_USERINFO_URI=https://auth.example.com/api/oidc/userinfo
@ -73,7 +66,7 @@ which will operate with the above example:
```yaml
- id: outline
description: Outline
secret: '$plaintext$outline_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -92,4 +85,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Outline]: https://www.getoutline.com/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -24,14 +24,7 @@ aliases:
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -40,13 +33,13 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://portainer.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `portainer`
* __Client Secret:__ `portainer_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
### Application
To configure [Portainer] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Portainer] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Visit Settings
2. Visit Authentication
@ -55,7 +48,7 @@ To configure [Portainer] to utilize Authelia as an [OpenID Connect] Provider:
2. Provider: Custom
3. Enable *Automatic User Provision* if you want users to automatically be created in [Portainer].
4. Client ID: `portainer`
5. Client Secret: `portainer_client_secret`
5. Client Secret: `insecure_secret`
6. Authorization URL: `https://auth.example.com/api/oidc/authorization`
7. Access Token URL: `https://auth.example.com/api/oidc/token`
8. Resource URL: `https://auth.example.com/api/oidc/userinfo`
@ -74,7 +67,7 @@ which will operate with the above example:
```yaml
- id: portainer
description: Portainer
secret: '$plaintext$portainer_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -93,4 +86,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Portainer]: https://www.portainer.io/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -43,14 +43,14 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://proxmox.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `proxmox`
* __Client Secret:__ `proxmox_client_secret`
* __Client Secret:__ `insecure_secret`
* __Realm__ `authelia`
## Configuration
### Application
To configure [Proxmox] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Proxmox] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Visit Datacenter
2. Visit Permission
@ -60,7 +60,7 @@ To configure [Proxmox] to utilize Authelia as an [OpenID Connect] Provider:
1. Issuer URL: `https://auth.example.com`
2. Realm: `authelia`
3. Client ID: `proxmox`
4. Client Key: `proxmox_client_secret`
4. Client Key: `insecure_secret`
5. Username Claim `preferred_username`
6. Scopes: `openid profile email`
7. Enable *Autocreate Users* if you want users to automatically be created in [Proxmox].
@ -76,7 +76,7 @@ which will operate with the above example:
```yaml
- id: proxmox
description: Proxmox
secret: '$plaintext$proxmox_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -94,4 +94,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Proxmox]: https://www.proxmox.com/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,13 +31,13 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://seafile.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `seafile`
* __Client Secret:__ `seafile_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
### Application
To configure [Seafile] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Seafile] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. [Seafile] may require some dependencies such as `requests_oauthlib` to be manually installed.
See the [Seafile] documentation in the [see also](#see-also) section for more information.
@ -55,7 +48,7 @@ To configure [Seafile] to utilize Authelia as an [OpenID Connect] Provider:
ENABLE_OAUTH = True
OAUTH_ENABLE_INSECURE_TRANSPORT = False
OAUTH_CLIENT_ID = "seafile"
OAUTH_CLIENT_SECRET = "seafile_client_secret"
OAUTH_CLIENT_SECRET = "insecure_secret"
OAUTH_REDIRECT_URL = 'https://seafile.example.com/oauth/callback/'
OAUTH_PROVIDER_DOMAIN = 'auth.example.com'
OAUTH_AUTHORIZATION_URL = 'https://auth.example.com/api/oidc/authorization'
@ -82,7 +75,7 @@ which will operate with the above example:
```yaml
- id: seafile
description: Seafile
secret: '$plaintext$seafile_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -100,4 +93,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Seafile]: https://www.seafile.com/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -34,6 +34,22 @@ using PBKDF2 which can be stored in the Authelia configuration.
### Plaintext
Authelia supports storing the plaintext secret in the configuration. This may be discontinued in the future. Plaintext
is either denoted by the `$plaintext$` prefix where everything after the prefix is the secret. In addition if the secret
does not start with the `$` character it's considered as a plaintext secret for the time being but is deprecated.
Authelia *technically* supports storing the plaintext secret in the configuration. This will likely be completely
unavailable in the future as it was a mistake to implement it like this in the first place. While some other OpenID
Connect 1.0 providers operate in this way, it's more often than not that they operating in this way in error. The
current *technical support* for this is only to prevent massive upheaval to users and give them time to migrate.
As per [RFC6819 Section 5.1.4.1.3](https://datatracker.ietf.org/doc/html/rfc6819#section-5.1.4.1.3) the secret should
only be stored by the authorization server as hashes / digests unless there is a very specific specification or protocol
that is implemented by the authorization server which requires access to the secret in the clear to operate properly in
which case the secret should be encrypted and not be stored in plaintext. The most likely long term outcome is that the
client configurations will be stored in the database with the secret both salted and peppered.
Authelia currently does not implement any of the specifications or protocols which require secrets being accessible in
the clear and currently has no plans to implement any of these. As such it's *__strongly discouraged and heavily
deprecated__* and we instead recommended that users remove this from their configuration entirely and use the
[Generating Client Secrets](#generating-client-secrets) guide.
Plaintext is either denoted by the `$plaintext$` prefix where everything after the prefix is the secret. In addition if
the secret does not start with the `$` character it's considered as a plaintext secret for the time being but is
deprecated as is the `$plaintext$` prefix.


@ -22,14 +22,7 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Assumptions
@ -38,13 +31,13 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://matrix.example.com/`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `synapse`
* __Client Secret:__ `synapse_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
### Application
To configure [Synapse] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Synapse] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Edit your [Synapse] `homeserver.yaml` configuration file and add configure the following:
@ -56,7 +49,7 @@ oidc_providers:
discover: true
issuer: "https://auth.example.com"
client_id: "synapse"
client_secret: "synapse_client_secret"
client_secret: "insecure_secret"
scopes: ["openid", "profile", "email"]
allow_existing_users: true
user_mapping_provider:
@ -76,7 +69,7 @@ which will operate with the above example:
```yaml
- id: synapse
description: Synapse
secret: '$plaintext$synapse_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -94,4 +87,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Synapse]: https://github.com/matrix-org/synapse
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -22,18 +22,11 @@ community: true
## Before You Begin
### Common Notes
1. You are *__required__* to utilize a unique client id for every client.
2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
3. You *__should not__* use the client secret in this example, We *__strongly recommend__* reading the
[Generating Client Secrets] guide instead.
[Generating Client Secrets]: ../specific-information.md#generating-client-secrets
{{% oidc-common %}}
### Specific Notes
*__Important Note:__ [Synology DSM] does not support automatically creating users via [OpenID Connect]. It is therefore
*__Important Note:__ [Synology DSM] does not support automatically creating users via [OpenID Connect 1.0]. It is therefore
recommended that you ensure Authelia and [Synology DSM] share a LDAP server.*
### Assumptions
@ -43,13 +36,13 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://dsm.example.com/`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `synology-dsm`
* __Client Secret:__ `synology-dsm_client_secret`
* __Client Secret:__ `insecure_secret`
## Configuration
### Application
To configure [Synology DSM] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Synology DSM] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Go to DSM.
2. Go to `Control Panel`.
@ -61,7 +54,7 @@ To configure [Synology DSM] to utilize Authelia as an [OpenID Connect] Provider:
* Name: `Authelia`
* Well Known URL: `https://auth.example.com/.well-known/openid-configuration`
* Application ID: `synology-dsm`
* Application Key: `synology-dsm_client_secret`
* Application Key: `insecure_secret`
* Redirect URL: `https://dsm.example.com`
* Authorisation Scope: `openid profile groups email`
* Username Claim: `preferred_username`
@ -78,7 +71,7 @@ which will operate with the above example:
```yaml
- id: synology-dsm
description: Synology DSM
secret: '$plaintext$synology-dsm_client_secret'
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
@ -97,4 +90,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Synology DSM]: https://www.synology.com/en-global/dsm
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md


@ -59,7 +59,7 @@ In the example we have a commented `trusted_proxies` directive which shows an ex
to the trusted proxy list in [Caddy]:
* 10.0.0.0/8
* 172.16.0.0/16
* 172.16.0.0/12
* 192.168.0.0/16
* fc00::/7
@ -84,7 +84,7 @@ support to ensure the basic example covers your use case in a secure way.
## https://www.authelia.com/integration/proxies/caddy/#forwarded-header-trust#trusted-proxies
(trusted_proxy_list) {
## Uncomment & adjust the following line to configure specific ranges which should be considered as trustworthy.
# trusted_proxies 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 fc00::/7
# trusted_proxies 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7
}
# Authelia Portal.
@ -98,8 +98,11 @@ auth.example.com {
# Protected Endpoint.
nextcloud.example.com {
forward_auth authelia:9091 {
uri /api/verify?rd=https://auth.example.com/
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
uri /api/authz/forward-auth
## The following commented line is for configuring the Authelia URL in the proxy. We strongly suggest
## this is configured in the Session Cookies section of the Authelia configuration.
# uri /api/authz/forward-auth?authelia_url=https://auth.example.com/
copy_headers Authorization Proxy-Authorization Remote-User Remote-Groups Remote-Email Remote-Name
## This import needs to be included if you're relying on a trusted proxies configuration.
import trusted_proxy_list
@ -120,7 +123,7 @@ nextcloud.example.com {
## https://www.authelia.com/integration/proxies/caddy/#forwarded-header-trust#trusted-proxies
(trusted_proxy_list) {
## Uncomment & adjust the following line to configure specific ranges which should be considered as trustworthy.
# trusted_proxies 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 fc00::/7
# trusted_proxies 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7
}
example.com {
@ -137,8 +140,8 @@ example.com {
@nextcloud path /nextcloud /nextcloud/*
handle @nextcloud {
forward_auth authelia:9091 {
uri /api/verify?rd=https://example.com/authelia/
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
uri /api/authz/forward-auth?authelia_url=https://example.com/authelia/
copy_headers Authorization Proxy-Authorization Remote-User Remote-Groups Remote-Email Remote-Name
## This import needs to be included if you're relying on a trusted proxies configuration.
import trusted_proxy_list
@ -165,7 +168,7 @@ preferred in *most* situations. If you are unsure of what you're doing please do
## https://www.authelia.com/integration/proxies/caddy/#forwarded-header-trust#trusted-proxies
(trusted_proxy_list) {
## Uncomment & adjust the following line to configure specific ranges which should be considered as trustworthy.
# trusted_proxies 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 fc00::/7
# trusted_proxies 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7
}
# Authelia Portal.
@ -183,7 +186,7 @@ nextcloud.example.com {
import trusted_proxy_list
method GET
rewrite "/api/verify?rd=https://auth.example.com/"
rewrite "/api/authz/forward-auth?authelia_url=https://auth.example.com/"
header_up X-Forwarded-Method {method}
header_up X-Forwarded-Uri {uri}
@ -195,10 +198,12 @@ nextcloud.example.com {
## 2. Copy the relevant headers from the auth request and provide them to the backend.
@good status 2xx
handle_response @good {
request_header Authorization {http.reverse_proxy.header.Authorization}
request_header Proxy-Authorization {http.reverse_proxy.header.Proxy-Authorization}
request_header Remote-User {http.reverse_proxy.header.Remote-User}
request_header Remote-Groups {http.reverse_proxy.header.Remote-Groups}
request_header Remote-Name {http.reverse_proxy.header.Remote-Name}
request_header Remote-Email {http.reverse_proxy.header.Remote-Email}
request_header Remote-Name {http.reverse_proxy.header.Remote-Name}
}
}


@ -168,8 +168,15 @@ static_resources:
- name: envoy.filters.http.ext_authz
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
transport_api_version: v3
allowed_headers:
patterns:
- exact: authorization
- exact: proxy-authorization
- exact: accept
- exact: cookie
http_service:
path_prefix: '/api/verify/'
path_prefix: /api/authz/ext-authz/
server_uri:
uri: authelia:9091
cluster: authelia
@ -177,22 +184,17 @@ static_resources:
authorization_request:
allowed_headers:
patterns:
- exact: authorization
- exact: proxy-authorization
- exact: accept
- exact: cookie
- exact: proxy-authorization
headers_to_add:
- key: X-Authelia-URL
value: 'https://auth.example.com/'
- key: X-Forwarded-Method
value: '%REQ(:METHOD)%'
- key: X-Forwarded-Proto
value: '%REQ(:SCHEME)%'
- key: X-Forwarded-Host
value: '%REQ(:AUTHORITY)%'
- key: X-Forwarded-Uri
value: '%REQ(:PATH)%'
- key: X-Forwarded-For
value: '%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%'
## The following commented lines are for configuring the Authelia URL in the proxy. We
## strongly suggest this is configured in the Session Cookies section of the Authelia configuration.
# - key: X-Authelia-URL
# value: https://auth.example.com
authorization_response:
allowed_upstream_headers:
patterns:
@ -213,9 +215,9 @@ static_resources:
clusters:
- name: nextcloud
connect_timeout: 0.25s
type: LOGICAL_DNS
dns_lookup_family: V4_ONLY
lb_policy: ROUND_ROBIN
type: logical_dns
dns_lookup_family: v4_only
lb_policy: round_robin
load_assignment:
cluster_name: nextcloud
endpoints:
@ -227,9 +229,9 @@ static_resources:
port_value: 80
- name: authelia
connect_timeout: 0.25s
type: LOGICAL_DNS
dns_lookup_family: V4_ONLY
lb_policy: ROUND_ROBIN
type: logical_dns
dns_lookup_family: v4_only
lb_policy: round_robin
load_assignment:
cluster_name: authelia
endpoints:
@ -239,6 +241,17 @@ static_resources:
socket_address:
address: authelia
port_value: 9091
layered_runtime:
layers:
- name: static_layer_0
static_layer:
envoy:
resource_limits:
listener:
example_listener_name:
connection_limit: 10000
overload:
global_downstream_max_connections: 50000
```
{{< /details >}}
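Review bot: The `connection_limit: 10000` added under `layered_runtime` only takes effect if the key `example_listener_name` matches the `name` of the listener declared earlier in this example; the listener definition is outside this hunk, and if it carries a different name the per-listener cap is silently a no-op, leaving `global_downstream_max_connections` as the only effective limit. Either rename the key to the example's actual listener name or annotate it, e.g. `## Must match the listener "name" above for the per-listener limit to apply.`. In the first hunk `allowed_headers` now appears both directly under the `ExtAuthz` filter and under `http_service.authorization_request`; the two lists differ only in order, so one copy looks redundant — worth confirming against the Envoy version this guide targets which of the two is honored.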


@ -62,7 +62,7 @@ line in the main configuration which shows an example of not trusting any proxie
the following networks to the trusted proxy list in [HAProxy]:
* 10.0.0.0/8
* 172.16.0.0/16
* 172.16.0.0/12
* 192.168.0.0/16
* fc00::/7
@ -193,13 +193,11 @@ frontend fe_http
# Required headers
http-request set-header X-Real-IP %[src]
http-request set-header X-Forwarded-Method %[var(req.method)]
http-request set-header X-Forwarded-Proto %[var(req.scheme)]
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
http-request set-header X-Original-Method %[var(req.method)]
http-request set-header X-Original-URL %[var(req.scheme)]://%[req.hdr(Host)]%[path]%[var(req.questionmark)]%[query]
# Protect endpoints with haproxy-auth-request and Authelia
http-request lua.auth-request be_authelia /api/verify if protected-frontends
http-request lua.auth-request be_authelia /api/authz/auth-request if protected-frontends
# Force `Authorization` header via query arg to /api/verify
http-request lua.auth-request be_authelia /api/verify?auth=basic if protected-frontends-basic
@ -220,29 +218,53 @@ backend be_authelia
server authelia authelia:9091
backend be_nextcloud
# Pass Remote-User, Remote-Name, Remote-Email and Remote-Groups headers
## Pass the special authorization response headers to the protected application.
acl authorization_exist var(req.auth_response_header.authorization) -m found
acl proxy_authorization_exist var(req.auth_response_header.proxy_authorization) -m found
http-request set-header Authorization %[var(req.auth_response_header.authorization)] if authorization_exist
http-request set-header Proxy-Authorization %[var(req.auth_response_header.proxy_authorization)] if proxy_authorization_exist
## Pass the special metadata response headers to the protected application.
acl remote_user_exist var(req.auth_response_header.remote_user) -m found
acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
acl remote_name_exist var(req.auth_response_header.remote_name) -m found
acl remote_email_exist var(req.auth_response_header.remote_email) -m found
http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
http-request set-header Remote-Name %[var(req.auth_response_header.remote_name)] if remote_name_exist
http-request set-header Remote-Email %[var(req.auth_response_header.remote_email)] if remote_email_exist
## Pass the Set-Cookie response headers to the user.
acl set_cookie_exist var(req.auth_response_header.set_cookie) -m found
http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist
server nextcloud nextcloud:443 ssl verify none
backend be_heimdall
# Pass Remote-User, Remote-Name, Remote-Email and Remote-Groups headers
## Pass the special authorization response headers to the protected application.
acl authorization_exist var(req.auth_response_header.authorization) -m found
acl proxy_authorization_exist var(req.auth_response_header.proxy_authorization) -m found
http-request set-header Authorization %[var(req.auth_response_header.authorization)] if authorization_exist
http-request set-header Proxy-Authorization %[var(req.auth_response_header.proxy_authorization)] if proxy_authorization_exist
## Pass the special metadata response headers to the protected application.
acl remote_user_exist var(req.auth_response_header.remote_user) -m found
acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
acl remote_name_exist var(req.auth_response_header.remote_name) -m found
acl remote_email_exist var(req.auth_response_header.remote_email) -m found
http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
http-request set-header Remote-Name %[var(req.auth_response_header.remote_name)] if remote_name_exist
http-request set-header Remote-Email %[var(req.auth_response_header.remote_email)] if remote_email_exist
## Pass the Set-Cookie response headers to the user.
acl set_cookie_exist var(req.auth_response_header.set_cookie) -m found
http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist
server heimdall heimdall:443 ssl verify none
```
@ -293,12 +315,11 @@ frontend fe_http
# Required headers
http-request set-header X-Real-IP %[src]
http-request set-header X-Forwarded-Proto %[var(req.scheme)]
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Uri %[path]%[var(req.questionmark)]%[query]
http-request set-header X-Original-Method %[var(req.method)]
http-request set-header X-Original-URL %[var(req.scheme)]://%[req.hdr(Host)]%[path]%[var(req.questionmark)]%[query]
# Protect endpoints with haproxy-auth-request and Authelia
http-request lua.auth-request be_authelia_proxy /api/verify if protected-frontends
http-request lua.auth-request be_authelia_proxy /api/authz/auth-request if protected-frontends
# Force `Authorization` header via query arg to /api/verify
http-request lua.auth-request be_authelia_proxy /api/verify?auth=basic if protected-frontends-basic
@ -328,29 +349,53 @@ listen authelia_proxy
server authelia authelia:9091 ssl verify none
backend be_nextcloud
# Pass Remote-User, Remote-Name, Remote-Email and Remote-Groups headers
## Pass the special authorization response headers to the protected application.
acl authorization_exist var(req.auth_response_header.authorization) -m found
acl proxy_authorization_exist var(req.auth_response_header.proxy_authorization) -m found
http-request set-header Authorization %[var(req.auth_response_header.authorization)] if authorization_exist
http-request set-header Proxy-Authorization %[var(req.auth_response_header.proxy_authorization)] if proxy_authorization_exist
## Pass the special metadata response headers to the protected application.
acl remote_user_exist var(req.auth_response_header.remote_user) -m found
acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
acl remote_name_exist var(req.auth_response_header.remote_name) -m found
acl remote_email_exist var(req.auth_response_header.remote_email) -m found
http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
http-request set-header Remote-Name %[var(req.auth_response_header.remote_name)] if remote_name_exist
http-request set-header Remote-Email %[var(req.auth_response_header.remote_email)] if remote_email_exist
## Pass the Set-Cookie response headers to the user.
acl set_cookie_exist var(req.auth_response_header.set_cookie) -m found
http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist
server nextcloud nextcloud:443 ssl verify none
backend be_heimdall
# Pass Remote-User, Remote-Name, Remote-Email and Remote-Groups headers
## Pass the special authorization response headers to the protected application.
acl authorization_exist var(req.auth_response_header.authorization) -m found
acl proxy_authorization_exist var(req.auth_response_header.proxy_authorization) -m found
http-request set-header Authorization %[var(req.auth_response_header.authorization)] if authorization_exist
http-request set-header Proxy-Authorization %[var(req.auth_response_header.proxy_authorization)] if proxy_authorization_exist
## Pass the special metadata response headers to the protected application.
acl remote_user_exist var(req.auth_response_header.remote_user) -m found
acl remote_groups_exist var(req.auth_response_header.remote_groups) -m found
acl remote_name_exist var(req.auth_response_header.remote_name) -m found
acl remote_email_exist var(req.auth_response_header.remote_email) -m found
http-request set-header Remote-User %[var(req.auth_response_header.remote_user)] if remote_user_exist
http-request set-header Remote-Groups %[var(req.auth_response_header.remote_groups)] if remote_groups_exist
http-request set-header Remote-Name %[var(req.auth_response_header.remote_name)] if remote_name_exist
http-request set-header Remote-Email %[var(req.auth_response_header.remote_email)] if remote_email_exist
## Pass the Set-Cookie response headers to the user.
acl set_cookie_exist var(req.auth_response_header.set_cookie) -m found
http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist
server heimdall heimdall:443 ssl verify none
```
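Review bot: `http-response set-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist`, added to `be_nextcloud` and `be_heimdall` in both examples, replaces any `Set-Cookie` the protected application itself returns, because `set-header` removes an existing header of that name before writing it; the application's own session cookie is dropped whenever Authelia refreshes its cookie on the same response. `http-response add-header Set-Cookie %[var(req.auth_response_header.set_cookie)] if set_cookie_exist` keeps both. Each of the four backends also still carries the unchanged `/api/verify?auth=basic` line for the basic-auth frontend while the main rule moved to `/api/authz/auth-request`, so the example now mixes two authorization endpoints; a comment saying whether that is intentional would help readers who copy the snippet.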


@ -31,21 +31,22 @@ See [support](support.md) for support information.
## Integration Implementation
Authelia is capable of being integrated into many proxies due to the decisions regarding the implementation. We handle
requests to the `/api/verify` endpoint with specific headers and return standardized responses based on the headers and
requests to the authz endpoints with specific headers and return standardized responses based on the headers and
the policy engines determination about what must be done.
### Destination Identification
The method to identify the destination of a request relies on metadata headers which need to be set by your reverse
proxy. The headers we rely on are as follows:
Broadly speaking, the method to identify the destination of a request relies on metadata headers which need to be set by
your reverse proxy. The headers we rely on at the authz endpoints are as follows:
* [X-Forwarded-Proto](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
* [X-Forwarded-Host](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
* X-Forwarded-Uri
* [X-Forwarded-For](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
* X-Forwarded-Method
* X-Forwarded-Method / X-Original-Method
* X-Original-URL
Alternatively we utilize `X-Original-URL` header which is expected to contain a fully formatted URL.
The specifics however are dictated by the specific [Authorization Implementation](../../reference/guides/proxy-authorization.md) used.
### User Identification


@ -68,7 +68,7 @@ services:
volumes:
- ${PWD}/data/nginx-proxy-manager/data:/data
- ${PWD}/data/nginx-proxy-manager/letsencrypt:/etc/letsencrypt
- ${PWD}/data/nginx/snippets:/config/nginx/snippets:ro
- ${PWD}/data/nginx/snippets:/snippets:ro
environment:
TZ: 'Australia/Melbourne'
authelia:


@ -197,6 +197,10 @@ server {
location /api/verify {
proxy_pass $upstream;
}
location /api/authz/ {
proxy_pass $upstream;
}
}
```
{{< /details >}}
@ -376,7 +380,7 @@ proxy_set_header X-Forwarded-For $remote_addr;
{{< details "/config/nginx/snippets/authelia-location.conf" >}}
```nginx
set $upstream_authelia http://authelia:9091/api/verify;
set $upstream_authelia http://authelia:9091/api/authz/auth-request;
## Virtual endpoint created by nginx to forward auth requests.
location /authelia {
@ -386,12 +390,8 @@ location /authelia {
## Headers
## The headers starting with X-* are required.
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length "";
proxy_set_header Connection "";
@ -433,17 +433,29 @@ set_escape_uri $target_url $scheme://$http_host$request_uri;
## Uncomment this line if you're using NGINX without the http_set_misc module.
# set $target_url $scheme://$http_host$request_uri;
## Save the upstream response headers from Authelia to variables.
## Save the upstream authorization response headers from Authelia to variables.
auth_request_set $authorization $upstream_http_authorization;
auth_request_set $proxy_authorization $upstream_http_proxy_authorization;
## Inject the authorization response headers from the variables into the request made to the backend.
proxy_set_header Authorization $authorization;
proxy_set_header Proxy-Authorization $proxy_authorization;
## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
## Inject the response headers from the variables into the request made to the backend.
## Inject the metadata response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
## Include the Set-Cookie header if present.
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
error_page 401 =302 https://auth.example.com/?rd=$target_url;
@ -458,9 +470,12 @@ snippet is rarely required. It's only used if you want to only allow
[HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) for a particular
endpoint. It's recommended to use [authelia-location.conf](#authelia-locationconf) instead.*
_**Note:** This example assumes you configured an authz endpoint with the name `auth-request/basic` and the
implementation `AuthRequest` which contains the `HeaderAuthorization` and `HeaderProxyAuthorization` strategies._
{{< details "/config/nginx/snippets/authelia-location-basic.conf" >}}
```nginx
set $upstream_authelia http://authelia:9091/api/verify?auth=basic;
set $upstream_authelia http://authelia:9091/api/authz/auth-request/basic;
# Virtual endpoint created by nginx to forward auth requests.
location /authelia-basic {
@ -470,6 +485,7 @@ location /authelia-basic {
## Headers
## The headers starting with X-* are required.
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Forwarded-Method $request_method;
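Review bot: `add_header Set-Cookie $cookie;` in the third hunk changes header inheritance for every `location` that includes this snippet: nginx inherits `add_header` directives from the enclosing `server`/`http` level only when the current level defines none, so site-wide headers set there (for example `Strict-Transport-Security` or `X-Frame-Options`) stop being emitted on those locations. Annotate the line, e.g. `## Declaring add_header here disables inheritance of add_header directives from outer levels; redeclare any site-wide security headers in this location if you rely on them.`, or redeclare them inside the snippet. In the last hunk `proxy_set_header X-Original-Method $request_method;` appears both before and after the `X-Original-URL` line; the rendered view does not show which copy is the new one, and if both survive on the new side one is redundant.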


@ -15,19 +15,24 @@ aliases:
- /docs/home/supported-proxies.html
---
| Proxy | [Standard](#standard) | [Kubernetes](#kubernetes) | [XHR Redirect](#xhr-redirect) | [Request Method](#request-method) |
|:---------------------:|:------------------------------------------------------------------:|:-------------------------------------------------------------------------------------:|:---------------------------------:|:---------------------------------:|
| [Traefik] | {{% support support="full" link="traefik.md" %}} | {{% support support="full" link="../../integration/kubernetes/traefik-ingress.md" %}} | {{% support support="full" %}} | {{% support support="full" %}} |
| [Caddy] | {{% support support="full" link="caddy.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} |
| [Envoy] | {{% support support="full" link="envoy.md" %}} | {{% support support="full" link="../../integration/kubernetes/istio.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} |
| [NGINX] | {{% support support="full" link="nginx.md" %}} | {{% support support="full" link="../../integration/kubernetes/nginx-ingress.md" %}} | {{% support %}} | {{% support support="full" %}} |
| [NGINX Proxy Manager] | {{% support support="full" link="nginx-proxy-manager/index.md" %}} | {{% support support="unknown" %}} | {{% support %}} | {{% support support="full" %}} |
| [SWAG] | {{% support support="full" link="swag.md" %}} | {{% support support="unknown" %}} | {{% support %}} | {{% support support="full" %}} |
| [HAProxy] | {{% support support="full" link="haproxy.md" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} |
| [Skipper] | {{% support support="full" link="skipper.md" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} |
| [Traefik] 1.x | {{% support support="full" link="traefikv1.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} |
| [Apache] | {{% support link="#apache" %}} | {{% support %}} | {{% support %}} | {{% support %}} |
| [IIS] | {{% support link="#iis" %}} | {{% support %}} | {{% support %}} | {{% support %}} |
| Proxy | [Implementation] | [Standard](#standard) | [Kubernetes](#kubernetes) | [XHR Redirect](#xhr-redirect) | [Request Method](#request-method) |
|:---------------------:|:----------------:|:------------------------------------------------------------------:|:-------------------------------------------------------------------------------------:|:---------------------------------:|:---------------------------------:|
| [Traefik] | [ForwardAuth] | {{% support support="full" link="traefik.md" %}} | {{% support support="full" link="../../integration/kubernetes/traefik-ingress.md" %}} | {{% support support="full" %}} | {{% support support="full" %}} |
| [Caddy] | [ForwardAuth] | {{% support support="full" link="caddy.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} |
| [Envoy] | [ExtAuthz] | {{% support support="full" link="envoy.md" %}} | {{% support support="full" link="../../integration/kubernetes/istio.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} |
| [NGINX] | [AuthRequest] | {{% support support="full" link="nginx.md" %}} | {{% support support="full" link="../../integration/kubernetes/nginx-ingress.md" %}} | {{% support %}} | {{% support support="full" %}} |
| [NGINX Proxy Manager] | [AuthRequest] | {{% support support="full" link="nginx-proxy-manager/index.md" %}} | {{% support support="unknown" %}} | {{% support %}} | {{% support support="full" %}} |
| [SWAG] | [AuthRequest] | {{% support support="full" link="swag.md" %}} | {{% support support="unknown" %}} | {{% support %}} | {{% support support="full" %}} |
| [HAProxy] | [AuthRequest] | {{% support support="full" link="haproxy.md" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} |
| [Skipper] | [ForwardAuth] | {{% support support="full" link="skipper.md" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} |
| [Traefik] 1.x | [ForwardAuth] | {{% support support="full" link="traefikv1.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} |
| [Apache] | N/A | {{% support link="#apache" %}} | {{% support %}} | {{% support %}} | {{% support %}} |
| [IIS] | N/A | {{% support link="#iis" %}} | {{% support %}} | {{% support %}} | {{% support %}} |
[ForwardAuth]: ../../reference/guides/proxy-authorization.md#forwardauth
[AuthRequest]: ../../reference/guides/proxy-authorization.md#authrequest
[ExtAuthz]: ../../reference/guides/proxy-authorization.md#extauthz
[Implementation]: ../../reference/guides/proxy-authorization.md#implementations
Legend:


@ -42,22 +42,67 @@ bootstrapping *Authelia*.
### SWAG Caveat
One current caveat of the [SWAG] implementation is that it serves Authelia as a subpath for each domain. We
*__strongly recommend__* instead of using the out of the box method and guide for [SWAG] that you follow the
[NGINX](nginx.md) guide (which *can be used* with [SWAG]) and run Authelia as it's own subdomain.
One current caveat of the [SWAG] implementation is that it serves Authelia as a subpath for each domain by default. We
*__strongly recommend__* instead of using the defaults that you configure Authelia as a subdomain if possible.
This is partly because Webauthn requires that the domain is an exact match when registering and authenticating and it is
There are two potential ways to achieve this:
1. Adjust the default `authelia-server.conf` as per the included directions.
2. Use the supplementary configuration snippets provided officially by Authelia.
This is partly because WebAuthn requires that the domain is an exact match when registering and authenticating and it is
possible that due to web standards this will never change.
In addition this represents a bad user experience in some instances such as:
- Users sometimes visit the `https://app.example.com/authelia` URL which doesn't automatically redirect the user to
`https://app.example.com` (if they visit `https://app.example.com` then they'll be redirected to authenticate then
redirected back to their original URL).
- Administrators may wish to setup OpenID Connect 1.0 in which case it also doesn't represent a good user experience.
- Users sometimes visit the `https://app.example.com/authelia` URL which doesn't automatically redirect the user to
`https://app.example.com` (if they visit `https://app.example.com` then they'll be redirected to authenticate then
redirected back to their original URL).
- Administrators may wish to setup [OpenID Connect 1.0](../../configuration/identity-providers/open-id-connect.md) in
which case it also doesn't represent a good user experience as the `issuer` will be
`https://app.example.com/authelia` for example
- Using the [SWAG] default configurations are more difficult to support as our specific familiarity is with our own
example snippets
Taking these factors into consideration we're adapting our [SWAG] guide to use what we consider best for the users and
most easily supported. Users who wish to use the [SWAG] guide are free to do so but may not receive the same support.
#### Option 1: Adjusting the Default Configuration
Open the generated `authelia-server.conf`. Adjust the following sections. There are two snippets, one before and one
after. The only lines that change are the `set $authelia_backend` lines, and this configuration assumes you're
serving Authelia at `auth.example.com`.
```nginx
## Set $authelia_backend to route requests to the current domain by default
set $authelia_backend $http_host;
## In order for Webauthn to work with multiple domains authelia must operate on a separate subdomain
## To use authelia on a separate subdomain:
## * comment the $authelia_backend line above
## * rename /config/nginx/proxy-confs/authelia.conf.sample to /config/nginx/proxy-confs/authelia.conf
## * make sure that your dns has a cname set for authelia
## * uncomment the $authelia_backend line below and change example.com to your domain
## * restart the swag container
#set $authelia_backend authelia.example.com;
return 302 https://$authelia_backend/authelia/?rd=$target_url;
```
```nginx
## Set $authelia_backend to route requests to the current domain by default
# set $authelia_backend $http_host;
## In order for Webauthn to work with multiple domains authelia must operate on a separate subdomain
## To use authelia on a separate subdomain:
## * comment the $authelia_backend line above
## * rename /config/nginx/proxy-confs/authelia.conf.sample to /config/nginx/proxy-confs/authelia.conf
## * make sure that your dns has a cname set for authelia
## * uncomment the $authelia_backend line below and change example.com to your domain
## * restart the swag container
set $authelia_backend auth.example.com;
return 302 https://$authelia_backend/authelia/?rd=$target_url;
```
#### Option 2: Using the Authelia Supplementary Configuration Snippets
See standard [NGINX](nginx.md) guide (which *can be used* with [SWAG]) and run Authelia as it's own subdomain.
## Trusted Proxies
@ -102,6 +147,8 @@ services:
- '443:443'
volumes:
- ${PWD}/data/swag:/config
#- ${PWD}/data/nginx/snippets:/snippets:ro
## Uncomment the above line if you want to use the Authelia configuration snippets.
environment:
PUID: '1000'
PGID: '1000'


@ -55,7 +55,7 @@ In the example we have four commented lines which configure `trustedIPs` which s
networks to the trusted proxy list in [Traefik]:
* 10.0.0.0/8
* 172.16.0.0/16
* 172.16.0.0/12
* 192.168.0.0/16
* fc00::/7
@ -109,15 +109,15 @@ services:
- '--entryPoints.http.http.redirections.entryPoint.to=https'
- '--entryPoints.http.http.redirections.entryPoint.scheme=https'
## Please see the Forwarded Header Trust section of the Authelia Traefik Integration documentation.
# - '--entryPoints.http.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7'
# - '--entryPoints.http.proxyProtocol.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7'
# - '--entryPoints.http.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7'
# - '--entryPoints.http.proxyProtocol.trustedIPs=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7'
- '--entryPoints.http.forwardedHeaders.insecure=false'
- '--entryPoints.http.proxyProtocol.insecure=false'
- '--entryPoints.https=true'
- '--entryPoints.https.address=:8443/tcp'
## Please see the Forwarded Header Trust section of the Authelia Traefik Integration documentation.
# - '--entryPoints.https.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7'
# - '--entryPoints.https.proxyProtocol.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7'
# - '--entryPoints.https.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7'
# - '--entryPoints.https.proxyProtocol.trustedIPs=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7'
- '--entryPoints.https.forwardedHeaders.insecure=false'
- '--entryPoints.https.proxyProtocol.insecure=false'
networks:
@ -152,12 +152,12 @@ services:
- 'traefik.http.routers.authelia.rule=Host(`auth.example.com`)'
- 'traefik.http.routers.authelia.entryPoints=https'
- 'traefik.http.routers.authelia.tls=true'
- 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2Fauth.example.com%2F'
- 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth'
## The following commented line is for configuring the Authelia URL in the proxy. We strongly suggest this is
## configured in the Session Cookies section of the Authelia configuration.
# - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https%3A%2F%2Fauth.example.com%2F'
- 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
- 'traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia:9091/api/verify?auth=basic'
- 'traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Authorization,Proxy-Authorization,Remote-User,Remote-Groups,Remote-Email,Remote-Name'
nextcloud:
container_name: nextcloud
image: linuxserver/nextcloud
@ -364,26 +364,33 @@ http:
middlewares:
authelia:
forwardAuth:
address: https://authelia:9091/api/verify?rd=https%3A%2F%2Fauth.example.com%2F
address: 'http://authelia:9091/api/authz/forward-auth'
## The following commented line is for configuring the Authelia URL in the proxy. We strongly suggest this is
## configured in the Session Cookies section of the Authelia configuration.
# address: 'https://authelia:9091/api/authz/forward-auth?authelia_url=https%3A%2F%2Fauth.example.com%2F'
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"
- "Remote-Email"
- "Remote-Name"
- 'Authorization'
- 'Proxy-Authorization'
- 'Remote-User'
- 'Remote-Groups'
- 'Remote-Email'
- 'Remote-Name'
tls:
ca: /certificates/ca.public.crt
cert: /certificates/traefik.public.crt
key: /certificates/traefik.private.pem
authelia-basic:
forwardAuth:
address: https://authelia:9091/api/verify?auth=basic
address: 'https://authelia:9091/api/verify?auth=basic'
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"
- "Remote-Email"
- "Remote-Name"
- 'Authorization'
- 'Proxy-Authorization'
- 'Remote-User'
- 'Remote-Groups'
- 'Remote-Email'
- 'Remote-Name'
tls:
ca: /certificates/ca.public.crt
cert: /certificates/traefik.public.crt
@ -491,9 +498,12 @@ This can be avoided a couple different ways:
2. Define the __Authelia__ middleware on your [Traefik] container. See the below example.
```yaml
- 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2Fauth.example.com%2F'
- 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth'
## The following commented line is for configuring the Authelia URL in the proxy. We strongly suggest this is
## configured in the Session Cookies section of the Authelia configuration.
# - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https%3A%2F%2Fauth.example.com%2F'
- 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Authorization,Proxy-Authorization,Remote-User,Remote-Groups,Remote-Email,Remote-Name'
```
## See Also


@ -45,7 +45,7 @@ In the example we have four commented lines which configure `TrustedIPs` which s
networks to the trusted proxy list in [Traefik]:
* 10.0.0.0/8
* 172.16.0.0/16
* 172.16.0.0/12
* 192.168.0.0/16
* fc00::/7
@ -90,9 +90,9 @@ services:
- 'traefik.frontend.rule=Host:traefik.example.com'
- 'traefik.port=8081'
ports:
- 80:80
- 443:443
- 8081:8081
- '80:80'
- '443:443'
- '8081:8081'
restart: unless-stopped
command:
- '--api'
@ -105,8 +105,8 @@ services:
- '--entryPoints=Name:http Address::80'
- '--entryPoints=Name:https Address::443 TLS'
## See the Forwarded Header Trust section. Comment the above two lines, then uncomment and customize the next two lines to configure the TrustedIPs.
# - '--entryPoints=Name:http Address::80 ForwardedHeaders.TrustedIPs:10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7 ProxyProtocol.TrustedIPs:10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7'
# - '--entryPoints=Name:https Address::443 TLS ForwardedHeaders.TrustedIPs:10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7 ProxyProtocol.TrustedIPs:10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7'
# - '--entryPoints=Name:http Address::80 ForwardedHeaders.TrustedIPs:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7 ProxyProtocol.TrustedIPs:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7'
# - '--entryPoints=Name:https Address::443 TLS ForwardedHeaders.TrustedIPs:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7 ProxyProtocol.TrustedIPs:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7'
- '--entryPoints=Name:api Address::8081'
authelia:
image: authelia/authelia
@ -132,9 +132,12 @@ services:
- net
labels:
- 'traefik.frontend.rule=Host:nextcloud.example.com'
- 'traefik.frontend.auth.forward.address=http://authelia:9091/api/verify?rd=https://auth.example.com/'
- 'traefik.frontend.auth.forward.address=http://authelia:9091/api/authz/forward-auth'
## The following commented line is for configuring the Authelia URL in the proxy. We strongly suggest this is
## configured in the Session Cookies section of the Authelia configuration.
# - 'traefik.frontend.auth.forward.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https%3A%2F%2Fauth.example.com%2F'
- 'traefik.frontend.auth.forward.trustForwardHeader=true'
- 'traefik.frontend.auth.forward.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
- 'traefik.frontend.auth.forward.authResponseHeaders=Authorization,Proxy-Authorization,Remote-User,Remote-Groups,Remote-Email,Remote-Name'
expose:
- 443
restart: unless-stopped
@ -151,9 +154,9 @@ services:
- net
labels:
- 'traefik.frontend.rule=Host:heimdall.example.com'
- 'traefik.frontend.auth.forward.address=http://authelia:9091/api/verify?auth=basic'
- 'traefik.frontend.auth.forward.address=http://authelia:9091/api/authz/forward-auth/basic'
- 'traefik.frontend.auth.forward.trustForwardHeader=true'
- 'traefik.frontend.auth.forward.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
- 'traefik.frontend.auth.forward.authResponseHeaders=Authorization,Proxy-Authorization,Remote-User,Remote-Groups,Remote-Email,Remote-Name'
expose:
- 443
restart: unless-stopped


@ -216,9 +216,9 @@ to port 587 (_the `submission` port, a common alternative that uses STARTTLS ins
[docs-config-smtp-port]: ../../configuration/notifications/smtp.md#port
[cleartext]: https://cwe.mitre.org/data/definitions/312.html
[service-submissions]: https://www.rfc-editor.org/rfc/rfc8314#section-7.3
[port-465]: https://www.rfc-editor.org/rfc/rfc8314#section-3.3
[smtp-auth]: https://www.rfc-editor.org/rfc/rfc6409#section-4.3
[service-submissions]: https://datatracker.ietf.org/doc/html/rfc8314#section-7.3
[port-465]: https://datatracker.ietf.org/doc/html/rfc8314#section-3.3
[smtp-auth]: https://datatracker.ietf.org/doc/html/rfc6409#section-4.3
## Protection against open redirects


@ -30,9 +30,10 @@ authelia-gen [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -41,7 +42,8 @@ authelia-gen [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
-h, --help help for authelia-gen
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")


@ -36,9 +36,10 @@ authelia-gen code [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen code [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen code keys [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen code keys [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen code scripts [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen code scripts [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen code server [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen code server [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen commit-lint [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen commit-lint [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen docs [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen docs [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen docs cli [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen docs cli [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen docs data [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen docs data [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen docs data keys [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen docs data keys [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen docs data misc [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen docs data misc [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -38,9 +38,10 @@ authelia-gen docs date [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -49,7 +50,8 @@ authelia-gen docs date [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen github [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen github [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen github issue-templates [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen github issue-templates [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen github issue-templates bug-report [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen github issue-templates bug-report [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen github issue-templates feature-request [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen github issue-templates feature-request [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -36,9 +36,10 @@ authelia-gen locales [flags]
--dir.docs.data string The directory with the docs data (default "data")
--dir.locales string The locales directory in relation to the root (default "internal/server/locales")
-d, --dir.root string The repository root (default "./")
--dir.web string The repository web directory in relation to the root directory (default "web")
-X, --exclude strings Sets the names of excluded generators
--file.bug-report string Sets the path of the bug report issue template file (default ".github/ISSUE_TEMPLATE/bug-report.yml")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default "web/.commitlintrc.js")
--file.commit-lint-config string The commit lint javascript configuration file in relation to the root (default ".commitlintrc.js")
--file.configuration-keys string Sets the path of the keys file (default "internal/configuration/schema/keys.go")
--file.docs-commit-msg-guidelines string The commit message guidelines documentation file in relation to the root (default "docs/content/en/contributing/guidelines/commit-message.md")
--file.docs.data.keys string Sets the path of the docs keys file (default "configkeys.json")
@ -47,7 +48,8 @@ authelia-gen locales [flags]
--file.feature-request string Sets the path of the feature request issue template file (default ".github/ISSUE_TEMPLATE/feature-request.yml")
--file.scripts.gen string Sets the path of the authelia-scripts gen file (default "cmd/authelia-scripts/cmd/gen.go")
--file.server.generated string Sets the path of the server generated file (default "internal/server/gen.go")
--file.web-i18n string The i18n typescript configuration file in relation to the root (default "web/src/i18n/index.ts")
--file.web.i18n string The i18n typescript configuration file in relation to the web directory (default "src/i18n/index.ts")
--file.web.package string The node package configuration file in relation to the web directory (default "package.json")
--package.configuration.keys string Sets the package name of the keys file (default "schema")
--package.scripts.gen string Sets the package name of the authelia-scripts gen file (default "cmd")
--versions int the maximum number of minor versions to list in output templates (default 5)


@ -35,28 +35,32 @@ authelia crypto certificate ecdsa generate --help
### Options
```
--ca create the certificate as a certificate authority certificate
-n, --common-name string certificate common name
--country strings certificate country
-b, --curve string Sets the elliptic curve which can be P224, P256, P384, or P521 (default "P256")
-d, --directory string directory where the generated keys, certificates, etc will be stored
--duration duration duration of time the certificate is valid for (default 8760h0m0s)
--extended-usage strings specify the extended usage types of the certificate
--file.ca-certificate string certificate authority certificate to use when signing this certificate (default "ca.public.crt")
--file.ca-private-key string certificate authority private key to use to signing this certificate (default "ca.private.pem")
--file.certificate string name of the file to export the certificate data to (default "public.crt")
--file.private-key string name of the file to export the private key data to (default "private.pem")
-h, --help help for generate
-l, --locality strings certificate locality
--not-before string earliest date and time the certificate is considered valid formatted as Jan 2 15:04:05 2006 (default is now)
-o, --organization strings certificate organization (default [Authelia])
--organizational-unit strings certificate organizational unit
--path.ca string source directory of the certificate authority files, if not provided the certificate will be self-signed
-p, --postcode strings certificate postcode
--province strings certificate province
--sans strings subject alternative names
--signature string signature algorithm for the certificate (default "SHA256")
-s, --street-address strings certificate street address
--bundles strings enables generating bundles options are 'chain' and 'privkey-chain'
--ca create the certificate as a certificate authority certificate
-n, --common-name string certificate common name
--country strings certificate country
-b, --curve string Sets the elliptic curve which can be P224, P256, P384, or P521 (default "P256")
-d, --directory string directory where the generated keys, certificates, etc will be stored
--duration string duration of time the certificate is valid for (default "1y")
--extended-usage strings specify the extended usage types of the certificate
--file.bundle.chain string name of the file to export the certificate chain PEM bundle to when the --bundles flag includes 'chain' (default "public.chain.pem")
--file.bundle.priv-chain string name of the file to export the certificate chain and private key PEM bundle to when the --bundles flag includes 'priv-chain' (default "private.chain.pem")
--file.ca-certificate string certificate authority certificate to use when signing this certificate (default "ca.public.crt")
--file.ca-private-key string certificate authority private key to use to signing this certificate (default "ca.private.pem")
--file.certificate string name of the file to export the certificate data to (default "public.crt")
--file.private-key string name of the file to export the private key data to (default "private.pem")
-h, --help help for generate
-l, --locality strings certificate locality
--not-after string latest date and time the certificate is considered valid in various formats
--not-before string earliest date and time the certificate is considered valid in various formats (default is now)
-o, --organization strings certificate organization (default [Authelia])
--organizational-unit strings certificate organizational unit
--path.ca string source directory of the certificate authority files, if not provided the certificate will be self-signed
-p, --postcode strings certificate postcode
--province strings certificate province
--sans strings subject alternative names
--signature string signature algorithm for the certificate (default "SHA256")
-s, --street-address strings certificate street address
```
### Options inherited from parent commands


@ -39,12 +39,13 @@ authelia crypto certificate ecdsa request --help
--country strings certificate country
-b, --curve string Sets the elliptic curve which can be P224, P256, P384, or P521 (default "P256")
-d, --directory string directory where the generated keys, certificates, etc will be stored
--duration duration duration of time the certificate is valid for (default 8760h0m0s)
--duration string duration of time the certificate is valid for (default "1y")
--file.csr string name of the file to export the certificate request data to (default "request.csr")
--file.private-key string name of the file to export the private key data to (default "private.pem")
-h, --help help for request
-l, --locality strings certificate locality
--not-before string earliest date and time the certificate is considered valid formatted as Jan 2 15:04:05 2006 (default is now)
--not-after string latest date and time the certificate is considered valid in various formats
--not-before string earliest date and time the certificate is considered valid in various formats (default is now)
-o, --organization strings certificate organization (default [Authelia])
--organizational-unit strings certificate organizational unit
-p, --postcode strings certificate postcode


@ -35,27 +35,31 @@ authelia crypto certificate ed25519 request --help
### Options
```
--ca create the certificate as a certificate authority certificate
-n, --common-name string certificate common name
--country strings certificate country
-d, --directory string directory where the generated keys, certificates, etc will be stored
--duration duration duration of time the certificate is valid for (default 8760h0m0s)
--extended-usage strings specify the extended usage types of the certificate
--file.ca-certificate string certificate authority certificate to use when signing this certificate (default "ca.public.crt")
--file.ca-private-key string certificate authority private key to use to signing this certificate (default "ca.private.pem")
--file.certificate string name of the file to export the certificate data to (default "public.crt")
--file.private-key string name of the file to export the private key data to (default "private.pem")
-h, --help help for generate
-l, --locality strings certificate locality
--not-before string earliest date and time the certificate is considered valid formatted as Jan 2 15:04:05 2006 (default is now)
-o, --organization strings certificate organization (default [Authelia])
--organizational-unit strings certificate organizational unit
--path.ca string source directory of the certificate authority files, if not provided the certificate will be self-signed
-p, --postcode strings certificate postcode
--province strings certificate province
--sans strings subject alternative names
--signature string signature algorithm for the certificate (default "SHA256")
-s, --street-address strings certificate street address
--bundles strings enables generating bundles options are 'chain' and 'privkey-chain'
--ca create the certificate as a certificate authority certificate
-n, --common-name string certificate common name
--country strings certificate country
-d, --directory string directory where the generated keys, certificates, etc will be stored
--duration string duration of time the certificate is valid for (default "1y")
--extended-usage strings specify the extended usage types of the certificate
--file.bundle.chain string name of the file to export the certificate chain PEM bundle to when the --bundles flag includes 'chain' (default "public.chain.pem")
--file.bundle.priv-chain string name of the file to export the certificate chain and private key PEM bundle to when the --bundles flag includes 'priv-chain' (default "private.chain.pem")
--file.ca-certificate string certificate authority certificate to use when signing this certificate (default "ca.public.crt")
--file.ca-private-key string certificate authority private key to use to signing this certificate (default "ca.private.pem")
--file.certificate string name of the file to export the certificate data to (default "public.crt")
--file.private-key string name of the file to export the private key data to (default "private.pem")
-h, --help help for generate
-l, --locality strings certificate locality
--not-after string latest date and time the certificate is considered valid in various formats
--not-before string earliest date and time the certificate is considered valid in various formats (default is now)
-o, --organization strings certificate organization (default [Authelia])
--organizational-unit strings certificate organizational unit
--path.ca string source directory of the certificate authority files, if not provided the certificate will be self-signed
-p, --postcode strings certificate postcode
--province strings certificate province
--sans strings subject alternative names
--signature string signature algorithm for the certificate (default "SHA256")
-s, --street-address strings certificate street address
```
### Options inherited from parent commands


@ -38,12 +38,13 @@ authelia crypto certificate ed25519 request --help
-n, --common-name string certificate common name
--country strings certificate country
-d, --directory string directory where the generated keys, certificates, etc will be stored
--duration duration duration of time the certificate is valid for (default 8760h0m0s)
--duration string duration of time the certificate is valid for (default "1y")
--file.csr string name of the file to export the certificate request data to (default "request.csr")
--file.private-key string name of the file to export the private key data to (default "private.pem")
-h, --help help for request
-l, --locality strings certificate locality
--not-before string earliest date and time the certificate is considered valid formatted as Jan 2 15:04:05 2006 (default is now)
--not-after string latest date and time the certificate is considered valid in various formats
--not-before string earliest date and time the certificate is considered valid in various formats (default is now)
-o, --organization strings certificate organization (default [Authelia])
--organizational-unit strings certificate organizational unit
-p, --postcode strings certificate postcode


@ -35,28 +35,32 @@ authelia crypto certificate rsa generate --help
### Options
```
-b, --bits int number of RSA bits for the certificate (default 2048)
--ca create the certificate as a certificate authority certificate
-n, --common-name string certificate common name
--country strings certificate country
-d, --directory string directory where the generated keys, certificates, etc will be stored
--duration duration duration of time the certificate is valid for (default 8760h0m0s)
--extended-usage strings specify the extended usage types of the certificate
--file.ca-certificate string certificate authority certificate to use when signing this certificate (default "ca.public.crt")
--file.ca-private-key string certificate authority private key to use to signing this certificate (default "ca.private.pem")
--file.certificate string name of the file to export the certificate data to (default "public.crt")
--file.private-key string name of the file to export the private key data to (default "private.pem")
-h, --help help for generate
-l, --locality strings certificate locality
--not-before string earliest date and time the certificate is considered valid formatted as Jan 2 15:04:05 2006 (default is now)
-o, --organization strings certificate organization (default [Authelia])
--organizational-unit strings certificate organizational unit
--path.ca string source directory of the certificate authority files, if not provided the certificate will be self-signed
-p, --postcode strings certificate postcode
--province strings certificate province
--sans strings subject alternative names
--signature string signature algorithm for the certificate (default "SHA256")
-s, --street-address strings certificate street address
-b, --bits int number of RSA bits for the certificate (default 2048)
--bundles strings enables generating bundles options are 'chain' and 'privkey-chain'
--ca create the certificate as a certificate authority certificate
-n, --common-name string certificate common name
--country strings certificate country
-d, --directory string directory where the generated keys, certificates, etc will be stored
--duration string duration of time the certificate is valid for (default "1y")
--extended-usage strings specify the extended usage types of the certificate
--file.bundle.chain string name of the file to export the certificate chain PEM bundle to when the --bundles flag includes 'chain' (default "public.chain.pem")
--file.bundle.priv-chain string name of the file to export the certificate chain and private key PEM bundle to when the --bundles flag includes 'priv-chain' (default "private.chain.pem")
--file.ca-certificate string certificate authority certificate to use when signing this certificate (default "ca.public.crt")
--file.ca-private-key string certificate authority private key to use to signing this certificate (default "ca.private.pem")
--file.certificate string name of the file to export the certificate data to (default "public.crt")
--file.private-key string name of the file to export the private key data to (default "private.pem")
-h, --help help for generate
-l, --locality strings certificate locality
--not-after string latest date and time the certificate is considered valid in various formats
--not-before string earliest date and time the certificate is considered valid in various formats (default is now)
-o, --organization strings certificate organization (default [Authelia])
--organizational-unit strings certificate organizational unit
--path.ca string source directory of the certificate authority files, if not provided the certificate will be self-signed
-p, --postcode strings certificate postcode
--province strings certificate province
--sans strings subject alternative names
--signature string signature algorithm for the certificate (default "SHA256")
-s, --street-address strings certificate street address
```
### Options inherited from parent commands


@ -39,12 +39,13 @@ authelia crypto certificate rsa request --help
-n, --common-name string certificate common name
--country strings certificate country
-d, --directory string directory where the generated keys, certificates, etc will be stored
--duration duration duration of time the certificate is valid for (default 8760h0m0s)
--duration string duration of time the certificate is valid for (default "1y")
--file.csr string name of the file to export the certificate request data to (default "request.csr")
--file.private-key string name of the file to export the private key data to (default "private.pem")
-h, --help help for request
-l, --locality strings certificate locality
--not-before string earliest date and time the certificate is considered valid formatted as Jan 2 15:04:05 2006 (default is now)
--not-after string latest date and time the certificate is considered valid in various formats
--not-before string earliest date and time the certificate is considered valid in various formats (default is now)
-o, --organization strings certificate organization (default [Authelia])
--organizational-unit strings certificate organizational unit
-p, --postcode strings certificate postcode


@ -20,7 +20,7 @@ we provide a convenience layer for this purpose.
### authelia
The __Authelia__ docker container or CLI binary can be used to generate a random alphanumeric string and output the
the string and the hash at the same time.
string and the hash at the same time.
Use the `authelia crypto hash generate --help` command or see the [authelia crypto hash generate] reference guide for
more information on all available options and algorithms.
