docs: misc consistency adjustments (#3904)
parent
35e218acfb
commit
a8849f1b9e
|
@ -418,10 +418,8 @@ know what you're doing. Potential values are `form_post`, `query`, and `fragment
|
|||
|
||||
The algorithm used to sign the userinfo endpoint responses. This can either be `none` or `RS256`.
|
||||
|
||||
| Signing Algorithm | Encoding | Content Type |
|
||||
|:-----------------:|:------------:|:-----------------------------------:|
|
||||
| `none` | JSON | `application/json; charset="UTF-8"` |
|
||||
| `RS256` | JWT (Signed) | `application/jwt; charset="UTF-8"` |
|
||||
See the [integration guide](../../integration/openid-connect/introduction.md#user-information-signing-algorithm) for
|
||||
more information.
|
||||
|
||||
## Integration
|
||||
|
||||
|
|
|
@ -58,16 +58,17 @@ The following YAML configuration is an example __Authelia__
|
|||
|
||||
```yaml
|
||||
- id: guacamole
|
||||
description: Apache Guacamole
|
||||
secret: guacamole_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://guacamole.example.com
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- groups
|
||||
- email
|
||||
redirect_uris:
|
||||
- https://guacamole.example.com
|
||||
response_types:
|
||||
- id_token
|
||||
grant_types:
|
||||
|
|
|
@ -62,6 +62,9 @@ which will operate with the above example:
|
|||
```yaml
|
||||
- id: argocd
|
||||
description: Argo CD
|
||||
secret: argocd_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://argocd.example.com/auth/callback
|
||||
scopes:
|
||||
|
@ -69,11 +72,11 @@ which will operate with the above example:
|
|||
- groups
|
||||
- email
|
||||
- profile
|
||||
secret: argocd_client_secret
|
||||
userinfo_signing_algorithm: none
|
||||
- id: argocd-cli
|
||||
description: Argo CD (CLI)
|
||||
public: true
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- http://localhost:8085/auth/callback
|
||||
scopes:
|
||||
|
|
|
@ -57,15 +57,16 @@ which will operate with the above example:
|
|||
|
||||
```yaml
|
||||
- id: bookstack
|
||||
description: BookStack
|
||||
secret: bookstack_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://bookstack.example.com/oidc/callback
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- email
|
||||
redirect_uris:
|
||||
- https://bookstack.example.com/oidc/callback
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
|
|
|
@ -60,16 +60,17 @@ which will operate with the above example:
|
|||
|
||||
```yaml
|
||||
- id: cloudflare
|
||||
description: Cloudflare ZeroTrust
|
||||
secret: cloudflare_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://example-team.cloudflareaccess.com/cdn-cgi/access/callback
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- groups
|
||||
- email
|
||||
redirect_uris:
|
||||
- https://example-team.cloudflareaccess.com/cdn-cgi/access/callback
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
|
|
|
@ -78,15 +78,16 @@ will operate with the above example:
|
|||
|
||||
```yaml
|
||||
- id: gitea
|
||||
description: Gitea
|
||||
secret: gitea_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://gitea.example.com/user/oauth2/authelia/callback
|
||||
scopes:
|
||||
- openid
|
||||
- email
|
||||
- profile
|
||||
redirect_uris:
|
||||
- https://gitea.example.com/user/oauth2/authelia/callback
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
|
|
|
@ -74,16 +74,17 @@ which will operate with the above example:
|
|||
|
||||
```yaml
|
||||
- id: gitlab
|
||||
description: GitLab
|
||||
secret: gitlab_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://gitlab.example.com/users/auth/openid_connect/callback
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- groups
|
||||
- email
|
||||
redirect_uris:
|
||||
- https://gitlab.example.com/users/auth/openid_connect/callback
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
|
|
|
@ -37,12 +37,13 @@ This example makes the following assumptions:
|
|||
|
||||
### Application
|
||||
|
||||
To configure [Grafana] to utilize Authelia as an [OpenID Connect] Provider, you either need to edit the config file, or specify overrides in the containers environment variables.
|
||||
To configure [Grafana] to utilize Authelia as an [OpenID Connect] Provider you have two effective options:
|
||||
|
||||
#### Method 1: Configuration Files
|
||||
1. Add the following Generic OAuth configuration to the [Grafana] configuration:
|
||||
#### Configuration File
|
||||
|
||||
```ruby
|
||||
Add the following Generic OAuth configuration to the [Grafana] configuration:
|
||||
|
||||
```ini
|
||||
[server]
|
||||
root_url = https://grafana.example.com
|
||||
[auth.generic_oauth]
|
||||
|
@ -62,24 +63,26 @@ name_attribute_path = name
|
|||
use_pkce = true
|
||||
```
|
||||
|
||||
#### Method 2: Container Environment Variables
|
||||
**GF_AUTH_GENERIC_OAUTH_NAME=**`Authelia`
|
||||
**GF_AUTH_GENERIC_OAUTH_ENABLED=**`true`
|
||||
**GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=**`true`
|
||||
**GF_AUTH_GENERIC_OAUTH_CLIENT_ID=**`grafana`
|
||||
**GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=**`grafana_client_secret`
|
||||
**GF_AUTH_GENERIC_OAUTH_SCOPES=**`openid profile email groups`
|
||||
**GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_NAME=**`email`
|
||||
**GF_AUTH_GENERIC_OAUTH_AUTH_URL=**`https://auth.example.com/api/oidc/authorization`
|
||||
**GF_AUTH_GENERIC_OAUTH_TOKEN_URL=**`https://auth.example.com/api/oidc/token`
|
||||
**GF_AUTH_GENERIC_OAUTH_API_URL=**`https://auth.example.com/api/oidc/userinfo`
|
||||
**GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE=**`true`
|
||||
**GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES=**`false`
|
||||
**GF_AUTH_GENERIC_OAUTH_ICON=**`signin`
|
||||
**GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=**`preferred_username`
|
||||
**GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH=**`groups`
|
||||
**GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=**`name`
|
||||
**GF_AUTH_GENERIC_OAUTH_USE_PKCE=**`true`
|
||||
#### Environment Variables
|
||||
|
||||
Configure the following environment variables:
|
||||
|
||||
| Variable | Value |
|
||||
|:-------------------------------------------:|:-----------------------------------------------:|
|
||||
| GF_SERVER_ROOT_URL | https://grafana.example.com |
|
||||
| GF_AUTH_GENERIC_OAUTH_ENABLED | true |
|
||||
| GF_AUTH_GENERIC_OAUTH_NAME | Authelia |
|
||||
| GF_AUTH_GENERIC_OAUTH_CLIENT_ID | grafana |
|
||||
| GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET | grafana_client_secret |
|
||||
| GF_AUTH_GENERIC_OAUTH_SCOPES | openid profile email groups |
|
||||
| GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES | false |
|
||||
| GF_AUTH_GENERIC_OAUTH_AUTH_URL | https://auth.example.com/api/oidc/authorization |
|
||||
| GF_AUTH_GENERIC_OAUTH_TOKEN_URL | https://auth.example.com/api/oidc/token |
|
||||
| GF_AUTH_GENERIC_OAUTH_API_URL | https://auth.example.com/api/oidc/userinfo |
|
||||
| GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH | preferred_username |
|
||||
| GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH | groups |
|
||||
| GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH | name |
|
||||
| GF_AUTH_GENERIC_OAUTH_USE_PKCE | true |
|
||||
|
||||
### Authelia
|
||||
|
||||
|
@ -89,16 +92,17 @@ which will operate with the above example:
|
|||
|
||||
```yaml
|
||||
- id: grafana
|
||||
description: Grafana
|
||||
secret: grafana_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://grafana.example.com/login/generic_oauth
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- groups
|
||||
- email
|
||||
redirect_uris:
|
||||
- https://grafana.example.com/login/generic_oauth
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
|
|
|
@ -65,17 +65,17 @@ which will operate with the above example:
|
|||
|
||||
```yaml
|
||||
- id: harbor
|
||||
description: Harbor
|
||||
secret: harbor_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://harbor.example.com/c/oidc/callback
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- groups
|
||||
- email
|
||||
redirect_uris:
|
||||
- https://vault.example.com/oidc/callback
|
||||
- https://vault.example.com/ui/vault/auth/oidc/oidc/callback
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
|
|
|
@ -48,17 +48,18 @@ which will operate with the above example:
|
|||
|
||||
```yaml
|
||||
- id: vault
|
||||
description: HashiCorp Vault
|
||||
secret: vault_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://vault.example.com/oidc/callback
|
||||
- https://vault.example.com/ui/vault/auth/oidc/oidc/callback
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- groups
|
||||
- email
|
||||
redirect_uris:
|
||||
- https://vault.example.com/oidc/callback
|
||||
- https://vault.example.com/ui/vault/auth/oidc/oidc/callback
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
|
|
|
@ -108,6 +108,16 @@ Below is a list of the potential values we place in the [Claim] and their meanin
|
|||
| hwk | User used a hardware key to login | Have | Browser |
|
||||
| sms | User used Duo to login | Have | External |
|
||||
|
||||
## User Information Signing Algorithm
|
||||
|
||||
The following table describes the response from the [UserInfo] endpoint depending on the
|
||||
[userinfo_signing_algorithm](../../configuration/identity-providers/open-id-connect.md#userinfo_signing_algorithm).
|
||||
|
||||
| Signing Algorithm | Encoding | Content Type |
|
||||
|:-----------------:|:------------:|:-----------------------------------:|
|
||||
| `none` | JSON | `application/json; charset="UTF-8"` |
|
||||
| `RS256` | JWT (Signed) | `application/jwt; charset="UTF-8"` |
|
||||
|
||||
## Endpoint Implementations
|
||||
|
||||
The following section documents the endpoints we implement and their respective paths. This information can
|
||||
|
@ -141,7 +151,7 @@ These endpoints implement OpenID Connect elements.
|
|||
| [JSON Web Key Sets] | https://auth.example.com/jwks.json | jwks_uri |
|
||||
| [Authorization] | https://auth.example.com/api/oidc/authorization | authorization_endpoint |
|
||||
| [Token] | https://auth.example.com/api/oidc/token | token_endpoint |
|
||||
| [Userinfo] | https://auth.example.com/api/oidc/userinfo | userinfo_endpoint |
|
||||
| [UserInfo] | https://auth.example.com/api/oidc/userinfo | userinfo_endpoint |
|
||||
| [Introspection] | https://auth.example.com/api/oidc/introspection | introspection_endpoint |
|
||||
| [Revocation] | https://auth.example.com/api/oidc/revocation | revocation_endpoint |
|
||||
|
||||
|
@ -161,7 +171,7 @@ These endpoints implement OpenID Connect elements.
|
|||
|
||||
[Authorization]: https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
|
||||
[Token]: https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
|
||||
[Userinfo]: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
|
||||
[UserInfo]: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
|
||||
[Introspection]: https://www.rfc-editor.org/rfc/rfc7662.html
|
||||
[Revocation]: https://www.rfc-editor.org/rfc/rfc7009.html
|
||||
|
||||
|
|
|
@ -11,8 +11,6 @@ menu:
|
|||
weight: 620
|
||||
toc: true
|
||||
community: true
|
||||
aliases:
|
||||
- /docs/community/oidc-integrations/komga.html
|
||||
---
|
||||
|
||||
## Tested Versions
|
||||
|
@ -32,7 +30,7 @@ This example makes the following assumptions:
|
|||
|
||||
* __Application Root URL:__ `https://komga.example.com`
|
||||
* __Authelia Root URL:__ `https://auth.example.com`
|
||||
* __Client ID:__ `komga-auth`
|
||||
* __Client ID:__ `komga`
|
||||
* __Client Secret:__ `komga_client_secret`
|
||||
|
||||
## Configuration
|
||||
|
@ -41,89 +39,55 @@ This example makes the following assumptions:
|
|||
|
||||
To configure [Komga] to utilize Authelia as an [OpenID Connect] Provider:
|
||||
|
||||
1. Create an `Application.yml` according to the [configuration options](https://komga.org/installation/configuration.html)
|
||||
2. Add a section that describes the spring boot security configuration
|
||||
|
||||
|
||||
```spring:
|
||||
1. Configure the security section of the [Komga] configuration:
|
||||
```yaml
|
||||
komga:
|
||||
## Comment if you don't want automatic account creation.
|
||||
oauth2-account-creation: true
|
||||
spring:
|
||||
security:
|
||||
oauth2:
|
||||
client:
|
||||
registration:
|
||||
authelia:
|
||||
client-id: `komga-auth`
|
||||
client-id: `komga`
|
||||
client-secret: `komga_client_secret`
|
||||
client-name: Authelia
|
||||
scope: openid, email
|
||||
scope: openid,profile,email
|
||||
authorization-grant-type: authorization_code
|
||||
redirect-uri: "{baseScheme}://{baseHost}{basePort}{basePath}/login/oauth2/code/authelia"
|
||||
provider:
|
||||
authelia:
|
||||
issuer-uri: `https:\\auth.example.com`
|
||||
user-name-attribute: email
|
||||
issuer-uri: https://auth.example.com
|
||||
user-name-attribute: preferred_username
|
||||
````
|
||||
|
||||
### Optional configuration
|
||||
|
||||
You can enable some useful additional debug logging to `application.yml` by adding the `logging.level.org.springframework.security attribute`:
|
||||
|
||||
```
|
||||
logging:
|
||||
file.name: /config/logs/komga.log
|
||||
level:
|
||||
org:
|
||||
springframework:
|
||||
security: info #when changed to 'TRACE' adds additional spring security logging on top of komga logging.
|
||||
gotson:
|
||||
komga: info
|
||||
```
|
||||
|
||||
Automatic creation of accounts (in Komga) by logging in with Authelia can be enabled with:
|
||||
|
||||
```
|
||||
komga:
|
||||
oauth2-account-creation: true
|
||||
```
|
||||
|
||||
In certain cases it might be necessary to add:
|
||||
|
||||
```
|
||||
server:
|
||||
use-forward-headers: true
|
||||
```
|
||||
|
||||
|
||||
### Authelia
|
||||
|
||||
The following YAML configuration is an example __Authelia__
|
||||
[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Portainer]
|
||||
[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Komga]
|
||||
which will operate with the above example:
|
||||
|
||||
```yaml
|
||||
-
|
||||
id: komga-auth
|
||||
description: Komga Comics OpenID
|
||||
secret: `komga_client_secret`
|
||||
- id: komga
|
||||
description: Komga
|
||||
secret: komga_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
audience: []
|
||||
scopes:
|
||||
- openid
|
||||
- email
|
||||
redirect_uris:
|
||||
- https://komga.example.com/login/oauth2/code/authelia
|
||||
|
||||
scopes:
|
||||
- openid
|
||||
- preferred_username
|
||||
- email
|
||||
grant_types:
|
||||
- authorization_code
|
||||
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
Note: make sure that the `userinfo_signing_algorithm` is set to `none`, or Komga will throw an `application\jwt` error.
|
||||
|
||||
|
||||
## See Also
|
||||
|
||||
* [Komga Configuration options Documentation](https://komga.org/installation/configuration.html)
|
||||
* [Komga Social login Documentation](https://komga.org/installation/oauth2.html)
|
||||
|
||||
[Authelia]: https://www.authelia.com
|
||||
|
|
|
@ -86,15 +86,16 @@ which will operate with the above example:
|
|||
|
||||
```yaml
|
||||
- id: nextcloud
|
||||
description: NextCloud
|
||||
secret: nextcloud_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://nextcloud.example.com/apps/oidc_login/oidc
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- groups
|
||||
redirect_uris:
|
||||
- https://nextcloud.example.com/apps/oidc_login/oidc
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
|
|
|
@ -62,15 +62,16 @@ which will operate with the above example:
|
|||
|
||||
```yaml
|
||||
- id: outline
|
||||
description: Outline
|
||||
secret: outline_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://outline.example.com/auth/oidc.callback
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- email
|
||||
redirect_uris:
|
||||
- https://outline.example.com/auth/oidc.callback
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
|
|
|
@ -66,16 +66,17 @@ which will operate with the above example:
|
|||
|
||||
```yaml
|
||||
- id: portainer
|
||||
description: Portainer
|
||||
secret: portainer_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://portainer.example.com
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- groups
|
||||
- email
|
||||
redirect_uris:
|
||||
- https://portainer.example.com
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
|
|
|
@ -64,15 +64,16 @@ which will operate with the above example:
|
|||
|
||||
```yaml
|
||||
- id: proxmox
|
||||
description: Proxmox
|
||||
secret: proxmox_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://proxmox.example.com
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- email
|
||||
redirect_uris:
|
||||
- https://proxmox.example.com
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
|
|
|
@ -72,15 +72,16 @@ which will operate with the above example:
|
|||
|
||||
```yaml
|
||||
- id: seafile
|
||||
description: Seafile
|
||||
secret: seafile_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://seafile.example.com/oauth/callback/
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- email
|
||||
redirect_uris:
|
||||
- https://seafile.example.com/oauth/callback/
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
|
|
|
@ -68,15 +68,16 @@ which will operate with the above example:
|
|||
|
||||
```yaml
|
||||
- id: synapse
|
||||
description: Synapse
|
||||
secret: synapse_client_secret
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://synapse.example.com/_synapse/client/oidc/callback
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- email
|
||||
redirect_uris:
|
||||
- https://synapse.example.com/_synapse/client/oidc/callback
|
||||
userinfo_signing_algorithm: none
|
||||
```
|
||||
|
||||
|
|
Loading…
Reference in New Issue