docs: make several openid connect areas uniform (#4824)

pull/4825/head^2
James Elliott 2023-01-26 10:59:18 +11:00 committed by GitHub
parent 65705a646d
commit a33b37a9cd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 61 additions and 59 deletions

View File

@ -16,4 +16,4 @@ aliases:
## OpenID Connect
The only identity provider implementation supported at this time is [OpenID Connect](open-id-connect.md).
The only identity provider implementation supported at this time is [OpenID Connect 1.0](open-id-connect.md).

View File

@ -1,7 +1,7 @@
---
title: "OpenID Connect"
description: "OpenID Connect Configuration"
lead: "Authelia can operate as an OpenID Connect provider. This section describes how to configure this."
lead: "Authelia can operate as an OpenID Connect 1.0 Provider. This section describes how to configure this."
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
@ -15,13 +15,14 @@ aliases:
- /docs/configuration/identity-providers/oidc.html
---
__Authelia__ currently supports the [OpenID Connect] OP role as a [__beta__](../../roadmap/active/openid-connect.md)
feature. The OP role is the [OpenID Connect] Provider role, not the Relying Party or RP role. This means other
applications that implement the [OpenID Connect] RP role can use Authelia as an authentication and authorization backend
similar to how you may use social media or development platforms for login.
__Authelia__ currently supports the [OpenID Connect 1.0] Provider role as an open
[__beta__](../../roadmap/active/openid-connect.md) feature. We currently do not support the [OpenID Connect 1.0] Relying
Party role. This means other applications that implement the [OpenID Connect 1.0] Relying Party role can use Authelia as
an [OpenID Connect 1.0] Provider similar to how you may use social media or development platforms for login.
The Relying Party role is the role which allows an application to use GitHub, Google, or other [OpenID Connect]
providers for authentication and authorization. We do not intend to support this functionality at this moment in time.
The [OpenID Connect 1.0] Relying Party role is the role which allows an application to use GitHub, Google, or other
[OpenID Connect 1.0] Providers for authentication and authorization. We do not intend to support this functionality at
this moment in time.
More information about the beta can be found in the [roadmap](../../roadmap/active/openid-connect.md).
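Review bot: the new second sentence ("We currently do not support the [OpenID Connect 1.0] Relying Party role. This means other applications that implement the ... Relying Party role can use Authelia as an ... Provider") is a non sequitur; the ability of other applications to use Authelia as a Provider follows from Authelia supporting the Provider role, not from it lacking the Relying Party role. Suggest putting the "This means other applications ..." sentence directly after the first sentence and moving the "We currently do not support the Relying Party role" statement into the following paragraph, which already explains what the Relying Party role is and closes with "We do not intend to support this functionality at this moment in time", so the same fact is not stated twice within four lines.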
@ -165,7 +166,7 @@ with 64 or more characters.
{{< confkey type="string" required="no" >}}
The certificate chain/bundle to be used with the [issuer_private_key](#issuer_private_key) DER base64 ([RFC4648])
encoded PEM format used to sign/encrypt the [OpenID Connect] [JWT]'s. When configured it enables the [x5c] and [x5t]
encoded PEM format used to sign/encrypt the [OpenID Connect 1.0] [JWT]'s. When configured it enables the [x5c] and [x5t]
JSON key's in the JWKs [Discoverable Endpoint](../../integration/openid-connect/introduction.md#discoverable-endpoints)
as per [RFC7517].
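Review bot: since this line is being touched anyway, fix the plural apostrophes on it: "[JWT]'s" should be "[JWT]s" and "JSON key's" should be "JSON keys". The phrase "DER base64 ([RFC4648]) encoded PEM format" is also hard to parse; PEM is by definition the base64 encoding of DER, so "PEM ([RFC4648] base64 encoded DER) format" or simply "PEM format" reads more clearly and says the same thing.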
@ -184,7 +185,7 @@ certificate immediately following it if present.
*__Important Note:__ This can also be defined using a [secret](../methods/secrets.md) which is __strongly recommended__
especially for containerized deployments.*
The private key used to sign/encrypt the [OpenID Connect] issued [JWT]'s. The key must be generated by the administrator
The private key used to sign/encrypt the [OpenID Connect 1.0] issued [JWT]'s. The key must be generated by the administrator
and can be done by following the
[Generating an RSA Keypair](../../reference/guides/generating-secure-values.md#generating-an-rsa-keypair) guide.
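Review bot: same plural apostrophe here, "[JWT]'s" should be "[JWT]s". Separately, both this hunk and the previous one describe the key as used to "sign/encrypt" the tokens; if the key is only used for signing at this point, drop "/encrypt" so readers do not expect encrypted ID tokens or look for a JWE configuration that does not exist.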
@ -273,7 +274,7 @@ method instead.
### cors
Some [OpenID Connect] Endpoints need to allow cross-origin resource sharing, however some are optional. This section allows
Some [OpenID Connect 1.0] Endpoints need to allow cross-origin resource sharing, however some are optional. This section allows
you to configure the optional parts. We reply with CORS headers when the request includes the Origin header.
#### endpoints
@ -298,7 +299,7 @@ A list of permitted origins.
Any origin with https is permitted unless this option is configured or the
[allowed_origins_from_client_redirect_uris](#allowed_origins_from_client_redirect_uris) option is enabled. This means
you must configure this option manually if you want http endpoints to be permitted to make cross-origin requests to the
[OpenID Connect] endpoints, however this is not recommended.
[OpenID Connect 1.0] endpoints, however this is not recommended.
Origins must only have the scheme, hostname and port, they may not have a trailing slash or path.
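Review bot: "if you want http endpoints to be permitted to make cross-origin requests" mislabels the thing being allowed; CORS is about the requesting origin, so this should read "http origins" (the very next line correctly talks about origins consisting of scheme, hostname and port). It would also help to state explicitly what the default is when neither this option nor `allowed_origins_from_client_redirect_uris` is set, since "Any origin with https is permitted" is the security-relevant default and is currently buried in a conditional sentence.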
@ -386,7 +387,7 @@ the lookup of the subject identifier.
2. any client with a differing sector identifier.
In specific but limited scenarios this option is beneficial for privacy reasons. In particular this is useful when the
party utilizing the *Authelia* [OpenID Connect] Authorization Server is foreign and not controlled by the user. It would
party utilizing the *Authelia* [OpenID Connect 1.0] Authorization Server is foreign and not controlled by the user. It would
prevent the third party utilizing the subject identifier with another third party in order to track the user.
Keep in mind depending on the other claims they may still be able to perform this tracking and it is not a silver
@ -524,11 +525,11 @@ match exactly with the granted scopes/audience.
## Integration
To integrate Authelia's [OpenID Connect] implementation with a relying party please see the
To integrate Authelia's [OpenID Connect 1.0] implementation with a relying party please see the
[integration docs](../../integration/openid-connect/introduction.md).
[token lifespan]: https://docs.apigee.com/api-platform/antipatterns/oauth-long-expiration
[OpenID Connect]: https://openid.net/connect/
[OpenID Connect 1.0]: https://openid.net/connect/
[JWT]: https://www.rfc-editor.org/rfc/rfc7519.html
[RFC6234]: https://www.rfc-editor.org/rfc/rfc6234.html
[RFC4648]: https://www.rfc-editor.org/rfc/rfc4648.html
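Review bot: removing the `[OpenID Connect]` link definition means any `[OpenID Connect]` reference left in this file (or in any of the other 19 files where the same definition is renamed) will no longer resolve and will render as literal bracketed text. Before merging, grep each touched file for the old `[OpenID Connect]` form, including inside hunk context that this diff does not show, and confirm every occurrence was renamed to `[OpenID Connect 1.0]`.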

View File

@ -44,7 +44,7 @@ This example makes the following assumptions:
### Application
To configure [Apache Guacamole] to utilize Authelia as an [OpenID Connect] Provider use the following configuration:
To configure [Apache Guacamole] to utilize Authelia as an [OpenID Connect 1.0] Provider use the following configuration:
```yaml
openid-client-id: guacamole
@ -89,7 +89,7 @@ The following YAML configuration is an example __Authelia__
[Authelia]: https://www.authelia.com
[Apache Guacamole]: https://guacamole.apache.org/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -45,7 +45,7 @@ This example makes the following assumptions:
### Application
To configure [Argo CD] to utilize Authelia as an [OpenID Connect] Provider use the following configuration:
To configure [Argo CD] to utilize Authelia as an [OpenID Connect 1.0] Provider use the following configuration:
```yaml
name: Authelia
@ -101,7 +101,7 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Argo CD]: https://argo-cd.readthedocs.io/en/stable/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -50,7 +50,7 @@ the secret or URL encode the secret yourself.*
### Application
To configure [BookStack] to utilize Authelia as an [OpenID Connect] Provider:
To configure [BookStack] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Edit your .env file
2. Set the following values:
@ -89,4 +89,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[BookStack]: https://www.bookstackapp.com/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -52,7 +52,7 @@ characters for the secret or URL encode the secret yourself.*
means that the URL's are accessible to foreign clients on the internet. There may be a way to configure this without
accessibility to foreign clients on the internet on Cloudflare's end but this is beyond the scope of this document.*
To configure [Cloudflare Zero Trust] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Cloudflare Zero Trust] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Visit the [Cloudflare Zero Trust Dashboard](https://dash.teams.cloudflare.com)
2. Visit `Settings`
@ -98,4 +98,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Cloudflare]: https://www.cloudflare.com/
[Cloudflare Zero Trust]: https://www.cloudflare.com/products/zero-trust/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -44,7 +44,7 @@ This example makes the following assumptions:
### Application
To configure [Gitea] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Gitea] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Expand User Options
2. Visit Site Administration
@ -59,7 +59,7 @@ To configure [Gitea] to utilize Authelia as an [OpenID Connect] Provider:
{{< figure src="gitea.png" alt="Gitea" width="300" >}}
To configure [Gitea] to perform automatic user creation for the `auth.example.com` domain via [OpenID Connect]:
To configure [Gitea] to perform automatic user creation for the `auth.example.com` domain via [OpenID Connect 1.0]:
1. Edit the following values in the [Gitea] `app.ini`:
```ini
@ -105,4 +105,4 @@ will operate with the above example:
- [Authelia]: https://www.authelia.com
[Gitea]: https://gitea.io/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md
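Review bot: the unchanged context line `- [Authelia]: https://www.authelia.com` has a stray leading `- `, which turns the link reference definition into a bullet list item so `[Authelia]` references in this file will not resolve. Worth fixing while this block is being edited, to match the other files where the line is `[Authelia]: https://www.authelia.com`.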

View File

@ -44,9 +44,9 @@ This example makes the following assumptions:
### Application
To configure [GitLab] to utilize Authelia as an [OpenID Connect] Provider:
To configure [GitLab] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Add the Omnibus [OpenID Connect] OmniAuth configuration to `gitlab.rb`:
1. Add the Omnibus [OpenID Connect 1.0] OmniAuth configuration to `gitlab.rb`:
```ruby
gitlab_rails['omniauth_providers'] = [
@ -101,4 +101,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[GitLab]: https://about.gitlab.com/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -44,7 +44,7 @@ This example makes the following assumptions:
### Application
To configure [Grafana] to utilize Authelia as an [OpenID Connect] Provider you have two effective options:
To configure [Grafana] to utilize Authelia as an [OpenID Connect 1.0] Provider you have two effective options:
#### Configuration File
@ -119,4 +119,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Grafana]: https://grafana.com/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -44,7 +44,7 @@ This example makes the following assumptions:
### Application
To configure [Harbor] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Harbor] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Visit Administration
2. Visit Configuration
@ -92,4 +92,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Harbor]: https://goharbor.io/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -44,7 +44,7 @@ This example makes the following assumptions:
### Application
To configure [HashiCorp Vault] to utilize Authelia as an [OpenID Connect] Provider please see the links in the
To configure [HashiCorp Vault] to utilize Authelia as an [OpenID Connect 1.0] Provider please see the links in the
[see also](#see-also) section.
### Authelia
@ -77,4 +77,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[HashiCorp Vault]: https://www.vaultproject.io/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -14,21 +14,22 @@ aliases:
- /docs/community/oidc-integrations.html
---
Authelia supports [OpenID Connect] as part of an open beta. This section details implementation specifics that can be
used for integrating Authelia with relying parties, as well as specific documentation for some relying parties.
Authelia can act as an [OpenID Connect 1.0] Provider as part of an open beta. This section details implementation
specifics that can be used for integrating Authelia with an [OpenID Connect 1.0] Relying Party, as well as specific
documentation for some [OpenID Connect 1.0] Relying Party implementations.
See the [configuration documentation](../../configuration/identity-providers/open-id-connect.md) for information on how
to configure [OpenID Connect].
to configure the Authelia [OpenID Connect 1.0] Provider.
## Scope Definitions
### openid
This is the default scope for [OpenID Connect]. This field is forced on every client by the configuration validation
This is the default scope for [OpenID Connect 1.0]. This field is forced on every client by the configuration validation
that Authelia does.
*__Important Note:__ The subject identifiers or `sub` [Claim] has been changed to a [RFC4122] UUID V4 to identify the
individual user as per the [Subject Identifier Types] section of the [OpenID Connect] specification. Please use the
individual user as per the [Subject Identifier Types] section of the [OpenID Connect 1.0] specification. Please use the
`preferred_username` [Claim] instead.*
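Review bot: the important note about the `sub` claim should say what `preferred_username` is to be used instead for, and should not read as advice to key user identity on it. Per the OpenID Connect Core specification the Relying Party must not rely on `preferred_username` being unique or stable, whereas `sub` is exactly the identifier it should bind accounts to; suggest wording along the lines of "the `sub` claim is now a UUID and no longer the username; if you need the username, for example for display or for mapping to an existing local account, use the `preferred_username` claim, but continue to use `sub` as the stable identifier". Also "a [RFC4122] UUID V4" should be "an [RFC4122] UUID V4".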
| [Claim] | JWT Type | Authelia Attribute | Description |
@ -91,7 +92,7 @@ This scope includes the profile information the authentication backend reports a
Authelia currently supports adding the `amr` [Claim] to the [ID Token] utilizing the [RFC8176] Authentication Method
Reference values.
The values this [Claim] has are not strictly defined by the [OpenID Connect] specification. As such, some backends may
The values this [Claim] has are not strictly defined by the [OpenID Connect 1.0] specification. As such, some backends may
expect a specification other than [RFC8176] for this purpose. If you have such an application and wish for us to support
it then you're encouraged to create a [feature request](https://www.authelia.com/l/fr).
@ -162,7 +163,7 @@ These endpoints implement OpenID Connect elements.
[Claims]: https://openid.net/specs/openid-connect-core-1_0.html#Claims
[Claim]: https://openid.net/specs/openid-connect-core-1_0.html#Claims
[OpenID Connect]: https://openid.net/connect/
[OpenID Connect 1.0]: https://openid.net/connect/
[OpenID Connect Discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html
[OAuth 2.0 Authorization Server Metadata]: https://www.rfc-editor.org/rfc/rfc8414.html

View File

@ -44,7 +44,7 @@ This example makes the following assumptions:
### Application
To configure [Komga] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Komga] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Configure the security section of the [Komga] configuration:
```yaml
@ -99,4 +99,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Komga]: https://www.komga.org
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -44,7 +44,7 @@ This example makes the following assumptions:
### Application
To configure [Nextcloud] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Nextcloud] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Install the [Nextcloud OpenID Connect Login app]
2. Add the following to the [Nextcloud] `config.php` configuration:
@ -115,4 +115,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Nextcloud]: https://nextcloud.com/
[Nextcloud OpenID Connect Login app]: https://apps.nextcloud.com/apps/oidc_login
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -47,7 +47,7 @@ in an error as [Outline] will attempt to use a refresh token that is never issue
### Application
To configure [Outline] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Outline] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Configure the following environment options:
```text
@ -92,4 +92,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Outline]: https://www.getoutline.com/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -46,7 +46,7 @@ This example makes the following assumptions:
### Application
To configure [Portainer] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Portainer] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Visit Settings
2. Visit Authentication
@ -93,4 +93,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Portainer]: https://www.portainer.io/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -50,7 +50,7 @@ This example makes the following assumptions:
### Application
To configure [Proxmox] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Proxmox] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Visit Datacenter
2. Visit Permission
@ -94,4 +94,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Proxmox]: https://www.proxmox.com/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -44,7 +44,7 @@ This example makes the following assumptions:
### Application
To configure [Seafile] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Seafile] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. [Seafile] may require some dependencies such as `requests_oauthlib` to be manually installed.
See the [Seafile] documentation in the [see also](#see-also) section for more information.
@ -100,4 +100,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Seafile]: https://www.seafile.com/
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -44,7 +44,7 @@ This example makes the following assumptions:
### Application
To configure [Synapse] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Synapse] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Edit your [Synapse] `homeserver.yaml` configuration file and add configure the following:
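Review bot: the unchanged step "add configure the following" has a leftover word; it should be either "add the following" or "configure the following". Since the hunk above it is already being modified, worth fixing in the same commit.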
@ -94,4 +94,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Synapse]: https://github.com/matrix-org/synapse
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md

View File

@ -33,7 +33,7 @@ community: true
### Specific Notes
*__Important Note:__ [Synology DSM] does not support automatically creating users via [OpenID Connect]. It is therefore
*__Important Note:__ [Synology DSM] does not support automatically creating users via [OpenID Connect 1.0]. It is therefore
recommended that you ensure Authelia and [Synology DSM] share a LDAP server.*
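Review bot: "share a LDAP server" should be "share an LDAP server". The new first line of this note is also slightly over the 120 character wrap used elsewhere in these documents after the "1.0" insertion; rewrapping "therefore" onto the next line keeps it consistent.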
### Assumptions
@ -49,7 +49,7 @@ This example makes the following assumptions:
### Application
To configure [Synology DSM] to utilize Authelia as an [OpenID Connect] Provider:
To configure [Synology DSM] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Go to DSM.
2. Go to `Control Panel`.
@ -97,4 +97,4 @@ which will operate with the above example:
[Authelia]: https://www.authelia.com
[Synology DSM]: https://www.synology.com/en-global/dsm
[OpenID Connect]: ../../openid-connect/introduction.md
[OpenID Connect 1.0]: ../../openid-connect/introduction.md