docs: misc consistency adjustments (#3904)

docs/content/en/configuration/identity-providers/open-id-connect.md

@@ -418,10 +418,8 @@ know what you're doing. Potential values are `form_post`, `query`, and `fragment
 
 The algorithm used to sign the userinfo endpoint responses. This can either be `none` or `RS256`.
 
-| Signing Algorithm |   Encoding   |            Content Type             |
+See the [integration guide](../../integration/openid-connect/introduction.md#user-information-signing-algorithm) for
-|:-----------------:|:------------:|:-----------------------------------:|
+more information.
-|      `none`       |     JSON     | `application/json; charset="UTF-8"` |
-|      `RS256`      | JWT (Signed) | `application/jwt; charset="UTF-8"`  |
 
 ## Integration
 

docs/content/en/integration/openid-connect/apache-guacamole/index.md

@@ -58,16 +58,17 @@ The following YAML configuration is an example __Authelia__
 
 ```yaml
 - id: guacamole
+  description: Apache Guacamole
   secret: guacamole_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://guacamole.example.com
   scopes:
     - openid
     - profile
     - groups
     - email
-  redirect_uris:
-    - https://guacamole.example.com
   response_types:
     - id_token
   grant_types:

docs/content/en/integration/openid-connect/argocd/index.md

@@ -62,6 +62,9 @@ which will operate with the above example:
 ```yaml
 - id: argocd
   description: Argo CD
+  secret: argocd_client_secret
+  public: false
+  authorization_policy: two_factor
   redirect_uris:
     - https://argocd.example.com/auth/callback
   scopes:
@@ -69,11 +72,11 @@ which will operate with the above example:
     - groups
     - email
     - profile
-  secret: argocd_client_secret
   userinfo_signing_algorithm: none
 - id: argocd-cli
   description: Argo CD (CLI)
   public: true
+  authorization_policy: two_factor
   redirect_uris:
     - http://localhost:8085/auth/callback
   scopes:

docs/content/en/integration/openid-connect/bookstack/index.md

@@ -57,15 +57,16 @@ which will operate with the above example:
 
 ```yaml
 - id: bookstack
+  description: BookStack
   secret: bookstack_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://bookstack.example.com/oidc/callback
   scopes:
     - openid
     - profile
     - email
-  redirect_uris:
-    - https://bookstack.example.com/oidc/callback
   userinfo_signing_algorithm: none
 ```
 

docs/content/en/integration/openid-connect/cloudflare-zerotrust/index.md

@@ -60,16 +60,17 @@ which will operate with the above example:
 
 ```yaml
 - id: cloudflare
+  description: Cloudflare ZeroTrust
   secret: cloudflare_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://example-team.cloudflareaccess.com/cdn-cgi/access/callback
   scopes:
     - openid
     - profile
     - groups
     - email
-  redirect_uris:
-    - https://example-team.cloudflareaccess.com/cdn-cgi/access/callback
   userinfo_signing_algorithm: none
 ```
 

docs/content/en/integration/openid-connect/gitea/index.md

@@ -78,15 +78,16 @@ will operate with the above example:
 
 ```yaml
 - id: gitea
+  description: Gitea
   secret: gitea_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://gitea.example.com/user/oauth2/authelia/callback
   scopes:
     - openid
     - email
     - profile
-  redirect_uris:
-    - https://gitea.example.com/user/oauth2/authelia/callback
   userinfo_signing_algorithm: none
 ```
 

docs/content/en/integration/openid-connect/gitlab/index.md

@@ -74,16 +74,17 @@ which will operate with the above example:
 
 ```yaml
 - id: gitlab
+  description: GitLab
   secret: gitlab_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://gitlab.example.com/users/auth/openid_connect/callback
   scopes:
     - openid
     - profile
     - groups
     - email
-  redirect_uris:
-    - https://gitlab.example.com/users/auth/openid_connect/callback
   userinfo_signing_algorithm: none
 ```
 

docs/content/en/integration/openid-connect/grafana/index.md

@@ -37,12 +37,13 @@ This example makes the following assumptions:
 
 ### Application
 
-To configure [Grafana] to utilize Authelia as an [OpenID Connect] Provider, you either need to edit the config file, or specify overrides in the containers environment variables.  
+To configure [Grafana] to utilize Authelia as an [OpenID Connect] Provider you have two effective options:
 
-#### Method 1: Configuration Files
+#### Configuration File
-1. Add the following Generic OAuth configuration to the [Grafana] configuration:
 
-```ruby
+Add the following Generic OAuth configuration to the [Grafana] configuration:
+
+```ini
 [server]
 root_url = https://grafana.example.com
 [auth.generic_oauth]
@@ -62,24 +63,26 @@ name_attribute_path = name
 use_pkce = true
 ```
 
-#### Method 2: Container Environment Variables
+#### Environment Variables
-**GF_AUTH_GENERIC_OAUTH_NAME=**`Authelia`  
+
-**GF_AUTH_GENERIC_OAUTH_ENABLED=**`true`  
+Configure the following environment variables:
-**GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=**`true`  
+
-**GF_AUTH_GENERIC_OAUTH_CLIENT_ID=**`grafana`  
+|                  Variable                   |                      Value                      |
-**GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=**`grafana_client_secret`  
+|:-------------------------------------------:|:-----------------------------------------------:|
-**GF_AUTH_GENERIC_OAUTH_SCOPES=**`openid profile email groups`  
+|             GF_SERVER_ROOT_URL              |           https://grafana.example.com           |
-**GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_NAME=**`email`  
+|        GF_AUTH_GENERIC_OAUTH_ENABLED        |                      true                       |
-**GF_AUTH_GENERIC_OAUTH_AUTH_URL=**`https://auth.example.com/api/oidc/authorization`  
+|         GF_AUTH_GENERIC_OAUTH_NAME          |                    Authelia                     |
-**GF_AUTH_GENERIC_OAUTH_TOKEN_URL=**`https://auth.example.com/api/oidc/token`  
+|       GF_AUTH_GENERIC_OAUTH_CLIENT_ID       |                     grafana                     |
-**GF_AUTH_GENERIC_OAUTH_API_URL=**`https://auth.example.com/api/oidc/userinfo`  
+|     GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET     |              grafana_client_secret              |
-**GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE=**`true`  
+|        GF_AUTH_GENERIC_OAUTH_SCOPES         |           openid profile email groups           |
-**GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES=**`false`  
+|     GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES      |                      false                      |
-**GF_AUTH_GENERIC_OAUTH_ICON=**`signin`  
+|       GF_AUTH_GENERIC_OAUTH_AUTH_URL        | https://auth.example.com/api/oidc/authorization |
-**GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=**`preferred_username`  
+|       GF_AUTH_GENERIC_OAUTH_TOKEN_URL       |     https://auth.example.com/api/oidc/token     |
-**GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=**`groups`  
+|        GF_AUTH_GENERIC_OAUTH_API_URL        |   https://auth.example.com/api/oidc/userinfo    |
-**GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=**`name`  
+| GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH  |               preferred_username                |
-**GF_AUTH_GENERIC_OAUTH_USE_PKCE=**`true`  
+| GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH |                     groups                      |
+|  GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH  |                      name                       |
+|       GF_AUTH_GENERIC_OAUTH_USE_PKCE        |                      true                       |
 
 ### Authelia
 
@@ -89,16 +92,17 @@ which will operate with the above example:
 
 ```yaml
 - id: grafana
+  description: Grafana
   secret: grafana_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://grafana.example.com/login/generic_oauth
   scopes:
     - openid
     - profile
     - groups
     - email
-  redirect_uris:
-    - https://grafana.example.com/login/generic_oauth
   userinfo_signing_algorithm: none
 ```
 

docs/content/en/integration/openid-connect/harbor/index.md

@@ -65,17 +65,17 @@ which will operate with the above example:
 
 ```yaml
 - id: harbor
+  description: Harbor
   secret: harbor_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://harbor.example.com/c/oidc/callback
   scopes:
     - openid
     - profile
     - groups
     - email
-  redirect_uris:
-    - https://vault.example.com/oidc/callback
-    - https://vault.example.com/ui/vault/auth/oidc/oidc/callback
   userinfo_signing_algorithm: none
 ```
 

docs/content/en/integration/openid-connect/hashicorp-vault/index.md

@@ -48,17 +48,18 @@ which will operate with the above example:
 
 ```yaml
 - id: vault
+  description: HashiCorp Vault
   secret: vault_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://vault.example.com/oidc/callback
+    - https://vault.example.com/ui/vault/auth/oidc/oidc/callback
   scopes:
     - openid
     - profile
     - groups
     - email
-  redirect_uris:
-    - https://vault.example.com/oidc/callback
-    - https://vault.example.com/ui/vault/auth/oidc/oidc/callback
   userinfo_signing_algorithm: none
 ```
 

docs/content/en/integration/openid-connect/introduction.md

@@ -108,6 +108,16 @@ Below is a list of the potential values we place in the [Claim] and their meanin
 |  hwk  |                User used a hardware key to login                 |  Have  | Browser  |
 |  sms  |                      User used Duo to login                      |  Have  | External |
 
+## User Information Signing Algorithm
+
+The following table describes the response from the [UserInfo] endpoint depending on the
+[userinfo_signing_algorithm](../../configuration/identity-providers/open-id-connect.md#userinfo_signing_algorithm).
+
+| Signing Algorithm |   Encoding   |            Content Type             |
+|:-----------------:|:------------:|:-----------------------------------:|
+|      `none`       |     JSON     | `application/json; charset="UTF-8"` |
+|      `RS256`      | JWT (Signed) | `application/jwt; charset="UTF-8"`  |
+
 ## Endpoint Implementations
 
 The following section documents the endpoints we implement and their respective paths. This information can
@@ -141,7 +151,7 @@ These endpoints implement OpenID Connect elements.
 | [JSON Web Key Sets] |       https://auth.example.com/jwks.json        |        jwks_uri        |
 |   [Authorization]   | https://auth.example.com/api/oidc/authorization | authorization_endpoint |
 |       [Token]       |     https://auth.example.com/api/oidc/token     |     token_endpoint     |
-|     [Userinfo]      |   https://auth.example.com/api/oidc/userinfo    |   userinfo_endpoint    |
+|     [UserInfo]      |   https://auth.example.com/api/oidc/userinfo    |   userinfo_endpoint    |
 |   [Introspection]   | https://auth.example.com/api/oidc/introspection | introspection_endpoint |
 |    [Revocation]     |  https://auth.example.com/api/oidc/revocation   |  revocation_endpoint   |
 
@@ -161,7 +171,7 @@ These endpoints implement OpenID Connect elements.
 
 [Authorization]: https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
 [Token]: https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
-[Userinfo]: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+[UserInfo]: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
 [Introspection]: https://www.rfc-editor.org/rfc/rfc7662.html
 [Revocation]: https://www.rfc-editor.org/rfc/rfc7009.html
 

docs/content/en/integration/openid-connect/komga/index.md

@@ -11,8 +11,6 @@ menu:
 weight: 620
 toc: true
 community: true
-aliases:
-  - /docs/community/oidc-integrations/komga.html
 ---
 
 ## Tested Versions
@@ -32,7 +30,7 @@ This example makes the following assumptions:
 
 * __Application Root URL:__ `https://komga.example.com`
 * __Authelia Root URL:__ `https://auth.example.com`
-* __Client ID:__ `komga-auth`
+* __Client ID:__ `komga`
 * __Client Secret:__ `komga_client_secret`
 
 ## Configuration
@@ -41,89 +39,55 @@ This example makes the following assumptions:
 
 To configure [Komga] to utilize Authelia as an [OpenID Connect] Provider:
 
-1. Create an `Application.yml` according to the [configuration options](https://komga.org/installation/configuration.html)
+1. Configure the security section of the [Komga] configuration:
-2. Add a section that describes the spring boot security configuration
+```yaml
-
+komga:
-
+  ## Comment if you don't want automatic account creation.
-```spring:
+  oauth2-account-creation: true
+spring:
   security:
     oauth2:
       client:
         registration:
           authelia:
-            client-id: `komga-auth`
+            client-id: `komga`
             client-secret: `komga_client_secret`
             client-name: Authelia
-            scope: openid, email
+            scope: openid,profile,email
             authorization-grant-type: authorization_code
             redirect-uri: "{baseScheme}://{baseHost}{basePort}{basePath}/login/oauth2/code/authelia"
         provider:
           authelia:
-            issuer-uri: `https:\\auth.example.com`
+            issuer-uri: https://auth.example.com
-            user-name-attribute: email
+            user-name-attribute: preferred_username
 ````
 
-### Optional configuration
-
-You can enable some useful additional debug logging to `application.yml` by adding the `logging.level.org.springframework.security attribute`:
-
-```
-logging:
-  file.name: /config/logs/komga.log
-  level:
-    org:
-      springframework:
-        security: info   #when changed to 'TRACE' adds additional spring security logging on top of komga logging.
-      gotson:
-        komga: info
-```
-
-Automatic creation of accounts (in Komga) by logging in with Authelia can be enabled with:
-
-```
-komga:
-  oauth2-account-creation: true
-```
-
-In certain cases it might be necessary to add:
-
-```
-server:
-  use-forward-headers: true
-```
-
-
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Portainer]
+[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Komga]
 which will operate with the above example:
 
 ```yaml
-      -
+- id: komga
-        id: komga-auth
+  description: Komga
-        description: Komga Comics OpenID
+  secret: komga_client_secret
-        secret: `komga_client_secret`
   public: false
   authorization_policy: two_factor
-        audience: []
-        scopes:
-          - openid
-          - email
   redirect_uris:
     - https://komga.example.com/login/oauth2/code/authelia
-
+  scopes:
+    - openid
+    - preferred_username
+    - email
   grant_types:
     - authorization_code
-
   userinfo_signing_algorithm: none
 ```
 
-Note: make sure that the `userinfo_signing_algorithm` is set to `none`, or Komga will throw an `application\jwt` error.
-
-
 ## See Also
 
+* [Komga Configuration options Documentation](https://komga.org/installation/configuration.html)
 * [Komga Social login Documentation](https://komga.org/installation/oauth2.html)
 
 [Authelia]: https://www.authelia.com

docs/content/en/integration/openid-connect/nextcloud/index.md

@@ -86,15 +86,16 @@ which will operate with the above example:
 
 ```yaml
 - id: nextcloud
+  description: NextCloud
   secret: nextcloud_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://nextcloud.example.com/apps/oidc_login/oidc
   scopes:
     - openid
     - profile
     - groups
-  redirect_uris:
-    - https://nextcloud.example.com/apps/oidc_login/oidc
   userinfo_signing_algorithm: none
 ```
 

docs/content/en/integration/openid-connect/outline/index.md

@@ -62,15 +62,16 @@ which will operate with the above example:
 
 ```yaml
 - id: outline
+  description: Outline
   secret: outline_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://outline.example.com/auth/oidc.callback
   scopes:
     - openid
     - profile
     - email
-  redirect_uris:
-    - https://outline.example.com/auth/oidc.callback
   userinfo_signing_algorithm: none
 ```
 

docs/content/en/integration/openid-connect/portainer/index.md

@@ -66,16 +66,17 @@ which will operate with the above example:
 
 ```yaml
 - id: portainer
+  description: Portainer
   secret: portainer_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://portainer.example.com
   scopes:
     - openid
     - profile
     - groups
     - email
-  redirect_uris:
-    - https://portainer.example.com
   userinfo_signing_algorithm: none
 ```
 

docs/content/en/integration/openid-connect/proxmox/index.md

@@ -64,15 +64,16 @@ which will operate with the above example:
 
 ```yaml
 - id: proxmox
+  description: Proxmox
   secret: proxmox_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://proxmox.example.com
   scopes:
     - openid
     - profile
     - email
-  redirect_uris:
-    - https://proxmox.example.com
   userinfo_signing_algorithm: none
 ```
 

docs/content/en/integration/openid-connect/seafile/index.md

@@ -72,15 +72,16 @@ which will operate with the above example:
 
 ```yaml
 - id: seafile
+  description: Seafile
   secret: seafile_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://seafile.example.com/oauth/callback/
   scopes:
     - openid
     - profile
     - email
-  redirect_uris:
-    - https://seafile.example.com/oauth/callback/
   userinfo_signing_algorithm: none
 ```
 

docs/content/en/integration/openid-connect/synapse/index.md

@@ -68,15 +68,16 @@ which will operate with the above example:
 
 ```yaml
 - id: synapse
+  description: Synapse
   secret: synapse_client_secret
   public: false
   authorization_policy: two_factor
+  redirect_uris:
+    - https://synapse.example.com/_synapse/client/oidc/callback
   scopes:
     - openid
     - profile
     - email
-  redirect_uris:
-    - https://synapse.example.com/_synapse/client/oidc/callback
   userinfo_signing_algorithm: none
 ```