docs: misc consistency adjustments (#3904)

pull/3905/head
James Elliott 2022-08-26 13:26:58 +10:00 committed by GitHub
parent 35e218acfb
commit a8849f1b9e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 114 additions and 123 deletions

View File

@ -418,10 +418,8 @@ know what you're doing. Potential values are `form_post`, `query`, and `fragment
The algorithm used to sign the userinfo endpoint responses. This can either be `none` or `RS256`.
| Signing Algorithm | Encoding | Content Type |
|:-----------------:|:------------:|:-----------------------------------:|
| `none` | JSON | `application/json; charset="UTF-8"` |
| `RS256` | JWT (Signed) | `application/jwt; charset="UTF-8"` |
See the [integration guide](../../integration/openid-connect/introduction.md#user-information-signing-algorithm) for
more information.
## Integration

View File

@ -58,16 +58,17 @@ The following YAML configuration is an example __Authelia__
```yaml
- id: guacamole
description: Apache Guacamole
secret: guacamole_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://guacamole.example.com
scopes:
- openid
- profile
- groups
- email
redirect_uris:
- https://guacamole.example.com
response_types:
- id_token
grant_types:

View File

@ -62,6 +62,9 @@ which will operate with the above example:
```yaml
- id: argocd
description: Argo CD
secret: argocd_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://argocd.example.com/auth/callback
scopes:
@ -69,11 +72,11 @@ which will operate with the above example:
- groups
- email
- profile
secret: argocd_client_secret
userinfo_signing_algorithm: none
- id: argocd-cli
description: Argo CD (CLI)
public: true
authorization_policy: two_factor
redirect_uris:
- http://localhost:8085/auth/callback
scopes:

View File

@ -57,15 +57,16 @@ which will operate with the above example:
```yaml
- id: bookstack
description: BookStack
secret: bookstack_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://bookstack.example.com/oidc/callback
scopes:
- openid
- profile
- email
redirect_uris:
- https://bookstack.example.com/oidc/callback
userinfo_signing_algorithm: none
```

View File

@ -60,16 +60,17 @@ which will operate with the above example:
```yaml
- id: cloudflare
description: Cloudflare ZeroTrust
secret: cloudflare_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://example-team.cloudflareaccess.com/cdn-cgi/access/callback
scopes:
- openid
- profile
- groups
- email
redirect_uris:
- https://example-team.cloudflareaccess.com/cdn-cgi/access/callback
userinfo_signing_algorithm: none
```

View File

@ -78,15 +78,16 @@ will operate with the above example:
```yaml
- id: gitea
description: Gitea
secret: gitea_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://gitea.example.com/user/oauth2/authelia/callback
scopes:
- openid
- email
- profile
redirect_uris:
- https://gitea.example.com/user/oauth2/authelia/callback
userinfo_signing_algorithm: none
```

View File

@ -74,16 +74,17 @@ which will operate with the above example:
```yaml
- id: gitlab
description: GitLab
secret: gitlab_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://gitlab.example.com/users/auth/openid_connect/callback
scopes:
- openid
- profile
- groups
- email
redirect_uris:
- https://gitlab.example.com/users/auth/openid_connect/callback
userinfo_signing_algorithm: none
```

View File

@ -37,12 +37,13 @@ This example makes the following assumptions:
### Application
To configure [Grafana] to utilize Authelia as an [OpenID Connect] Provider, you either need to edit the config file, or specify overrides in the containers environment variables.
To configure [Grafana] to utilize Authelia as an [OpenID Connect] Provider you have two effective options:
#### Method 1: Configuration Files
1. Add the following Generic OAuth configuration to the [Grafana] configuration:
#### Configuration File
```ruby
Add the following Generic OAuth configuration to the [Grafana] configuration:
```ini
[server]
root_url = https://grafana.example.com
[auth.generic_oauth]
@ -62,24 +63,26 @@ name_attribute_path = name
use_pkce = true
```
#### Method 2: Container Environment Variables
**GF_AUTH_GENERIC_OAUTH_NAME=**`Authelia`
**GF_AUTH_GENERIC_OAUTH_ENABLED=**`true`
**GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=**`true`
**GF_AUTH_GENERIC_OAUTH_CLIENT_ID=**`grafana`
**GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=**`grafana_client_secret`
**GF_AUTH_GENERIC_OAUTH_SCOPES=**`openid profile email groups`
**GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_NAME=**`email`
**GF_AUTH_GENERIC_OAUTH_AUTH_URL=**`https://auth.example.com/api/oidc/authorization`
**GF_AUTH_GENERIC_OAUTH_TOKEN_URL=**`https://auth.example.com/api/oidc/token`
**GF_AUTH_GENERIC_OAUTH_API_URL=**`https://auth.example.com/api/oidc/userinfo`
**GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE=**`true`
**GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES=**`false`
**GF_AUTH_GENERIC_OAUTH_ICON=**`signin`
**GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=**`preferred_username`
**GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=**`groups`
**GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=**`name`
**GF_AUTH_GENERIC_OAUTH_USE_PKCE=**`true`
#### Environment Variables
Configure the following environment variables:
| Variable | Value |
|:-------------------------------------------:|:-----------------------------------------------:|
| GF_SERVER_ROOT_URL | https://grafana.example.com |
| GF_AUTH_GENERIC_OAUTH_ENABLED | true |
| GF_AUTH_GENERIC_OAUTH_NAME | Authelia |
| GF_AUTH_GENERIC_OAUTH_CLIENT_ID | grafana |
| GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET | grafana_client_secret |
| GF_AUTH_GENERIC_OAUTH_SCOPES | openid profile email groups |
| GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES | false |
| GF_AUTH_GENERIC_OAUTH_AUTH_URL | https://auth.example.com/api/oidc/authorization |
| GF_AUTH_GENERIC_OAUTH_TOKEN_URL | https://auth.example.com/api/oidc/token |
| GF_AUTH_GENERIC_OAUTH_API_URL | https://auth.example.com/api/oidc/userinfo |
| GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH | preferred_username |
| GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH | groups |
| GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH | name |
| GF_AUTH_GENERIC_OAUTH_USE_PKCE | true |
### Authelia
@ -89,16 +92,17 @@ which will operate with the above example:
```yaml
- id: grafana
description: Grafana
secret: grafana_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://grafana.example.com/login/generic_oauth
scopes:
- openid
- profile
- groups
- email
redirect_uris:
- https://grafana.example.com/login/generic_oauth
userinfo_signing_algorithm: none
```

View File

@ -65,17 +65,17 @@ which will operate with the above example:
```yaml
- id: harbor
description: Harbor
secret: harbor_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://harbor.example.com/c/oidc/callback
scopes:
- openid
- profile
- groups
- email
redirect_uris:
- https://vault.example.com/oidc/callback
- https://vault.example.com/ui/vault/auth/oidc/oidc/callback
userinfo_signing_algorithm: none
```

View File

@ -48,17 +48,18 @@ which will operate with the above example:
```yaml
- id: vault
description: HashiCorp Vault
secret: vault_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://vault.example.com/oidc/callback
- https://vault.example.com/ui/vault/auth/oidc/oidc/callback
scopes:
- openid
- profile
- groups
- email
redirect_uris:
- https://vault.example.com/oidc/callback
- https://vault.example.com/ui/vault/auth/oidc/oidc/callback
userinfo_signing_algorithm: none
```

View File

@ -108,6 +108,16 @@ Below is a list of the potential values we place in the [Claim] and their meanin
| hwk | User used a hardware key to login | Have | Browser |
| sms | User used Duo to login | Have | External |
## User Information Signing Algorithm
The following table describes the response from the [UserInfo] endpoint depending on the
[userinfo_signing_algorithm](../../configuration/identity-providers/open-id-connect.md#userinfo_signing_algorithm).
| Signing Algorithm | Encoding | Content Type |
|:-----------------:|:------------:|:-----------------------------------:|
| `none` | JSON | `application/json; charset="UTF-8"` |
| `RS256` | JWT (Signed) | `application/jwt; charset="UTF-8"` |
## Endpoint Implementations
The following section documents the endpoints we implement and their respective paths. This information can
@ -141,7 +151,7 @@ These endpoints implement OpenID Connect elements.
| [JSON Web Key Sets] | https://auth.example.com/jwks.json | jwks_uri |
| [Authorization] | https://auth.example.com/api/oidc/authorization | authorization_endpoint |
| [Token] | https://auth.example.com/api/oidc/token | token_endpoint |
| [Userinfo] | https://auth.example.com/api/oidc/userinfo | userinfo_endpoint |
| [UserInfo] | https://auth.example.com/api/oidc/userinfo | userinfo_endpoint |
| [Introspection] | https://auth.example.com/api/oidc/introspection | introspection_endpoint |
| [Revocation] | https://auth.example.com/api/oidc/revocation | revocation_endpoint |
@ -161,7 +171,7 @@ These endpoints implement OpenID Connect elements.
[Authorization]: https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
[Token]: https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
[Userinfo]: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
[UserInfo]: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
[Introspection]: https://www.rfc-editor.org/rfc/rfc7662.html
[Revocation]: https://www.rfc-editor.org/rfc/rfc7009.html

View File

@ -11,15 +11,13 @@ menu:
weight: 620
toc: true
community: true
aliases:
- /docs/community/oidc-integrations/komga.html
---
## Tested Versions
* [Authelia]
* [v4.36.4](https://github.com/authelia/authelia/releases/tag/v4.36.4)
* [Komga]
* [Komga]
* [v0.157.1](https://github.com/gotson/komga/releases/tag/v0.157.1)
## Before You Begin
@ -32,7 +30,7 @@ This example makes the following assumptions:
* __Application Root URL:__ `https://komga.example.com`
* __Authelia Root URL:__ `https://auth.example.com`
* __Client ID:__ `komga-auth`
* __Client ID:__ `komga`
* __Client Secret:__ `komga_client_secret`
## Configuration
@ -41,89 +39,55 @@ This example makes the following assumptions:
To configure [Komga] to utilize Authelia as an [OpenID Connect] Provider:
1. Create an `Application.yml` according to the [configuration options](https://komga.org/installation/configuration.html)
2. Add a section that describes the spring boot security configuration
```spring:
1. Configure the security section of the [Komga] configuration:
```yaml
komga:
## Comment if you don't want automatic account creation.
oauth2-account-creation: true
spring:
security:
oauth2:
client:
registration:
authelia:
client-id: `komga-auth`
client-id: `komga`
client-secret: `komga_client_secret`
client-name: Authelia
scope: openid, email
scope: openid,profile,email
authorization-grant-type: authorization_code
redirect-uri: "{baseScheme}://{baseHost}{basePort}{basePath}/login/oauth2/code/authelia"
provider:
authelia:
issuer-uri: `https:\\auth.example.com`
user-name-attribute: email
issuer-uri: https://auth.example.com
user-name-attribute: preferred_username
````
### Optional configuration
You can enable some useful additional debug logging to `application.yml` by adding the `logging.level.org.springframework.security attribute`:
```
logging:
file.name: /config/logs/komga.log
level:
org:
springframework:
security: info #when changed to 'TRACE' adds additional spring security logging on top of komga logging.
gotson:
komga: info
```
Automatic creation of accounts (in Komga) by logging in with Authelia can be enabled with:
```
komga:
oauth2-account-creation: true
```
In certain cases it might be necessary to add:
```
server:
use-forward-headers: true
```
### Authelia
The following YAML configuration is an example __Authelia__
[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Portainer]
[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Komga]
which will operate with the above example:
```yaml
-
id: komga-auth
description: Komga Comics OpenID
secret: `komga_client_secret`
public: false
authorization_policy: two_factor
audience: []
scopes:
- openid
- email
redirect_uris:
- https://komga.example.com/login/oauth2/code/authelia
grant_types:
- authorization_code
userinfo_signing_algorithm: none
- id: komga
description: Komga
secret: komga_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://komga.example.com/login/oauth2/code/authelia
scopes:
- openid
- preferred_username
- email
grant_types:
- authorization_code
userinfo_signing_algorithm: none
```
Note: make sure that the `userinfo_signing_algorithm` is set to `none`, or Komga will throw an `application\jwt` error.
## See Also
* [Komga Configuration options Documentation](https://komga.org/installation/configuration.html)
* [Komga Social login Documentation](https://komga.org/installation/oauth2.html)
[Authelia]: https://www.authelia.com

View File

@ -86,15 +86,16 @@ which will operate with the above example:
```yaml
- id: nextcloud
description: NextCloud
secret: nextcloud_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://nextcloud.example.com/apps/oidc_login/oidc
scopes:
- openid
- profile
- groups
redirect_uris:
- https://nextcloud.example.com/apps/oidc_login/oidc
userinfo_signing_algorithm: none
```

View File

@ -62,15 +62,16 @@ which will operate with the above example:
```yaml
- id: outline
description: Outline
secret: outline_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://outline.example.com/auth/oidc.callback
scopes:
- openid
- profile
- email
redirect_uris:
- https://outline.example.com/auth/oidc.callback
userinfo_signing_algorithm: none
```

View File

@ -66,16 +66,17 @@ which will operate with the above example:
```yaml
- id: portainer
description: Portainer
secret: portainer_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://portainer.example.com
scopes:
- openid
- profile
- groups
- email
redirect_uris:
- https://portainer.example.com
userinfo_signing_algorithm: none
```

View File

@ -64,15 +64,16 @@ which will operate with the above example:
```yaml
- id: proxmox
description: Proxmox
secret: proxmox_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://proxmox.example.com
scopes:
- openid
- profile
- email
redirect_uris:
- https://proxmox.example.com
userinfo_signing_algorithm: none
```

View File

@ -72,15 +72,16 @@ which will operate with the above example:
```yaml
- id: seafile
description: Seafile
secret: seafile_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://seafile.example.com/oauth/callback/
scopes:
- openid
- profile
- email
redirect_uris:
- https://seafile.example.com/oauth/callback/
userinfo_signing_algorithm: none
```

View File

@ -68,15 +68,16 @@ which will operate with the above example:
```yaml
- id: synapse
description: Synapse
secret: synapse_client_secret
public: false
authorization_policy: two_factor
redirect_uris:
- https://synapse.example.com/_synapse/client/oidc/callback
scopes:
- openid
- profile
- email
redirect_uris:
- https://synapse.example.com/_synapse/client/oidc/callback
userinfo_signing_algorithm: none
```