Completely disable OIDC provider temporarily - Comment out all OIDC configuration in identity providers and clients - Remove OIDC secrets from stack to eliminate template processing issues - This should get Authelia running with basic auth only

This commit is contained in:
colin 2025-06-11 16:13:51 -04:00
parent f062eeb40d
commit b3e748477d
4 changed files with 101 additions and 97 deletions

authelia-config.tar.gz Normal file

Binary file not shown.
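Review bot: `authelia-config.tar.gz` is added as a regular tracked file, and an archive of Authelia configuration is neither reviewable in this diff nor diffable later; if it bundles the same templates and secret material as the plain files changed in this commit, that material lands in history where rotating it is the only remedy. Its contents are not visible on this page, so this is inferred from the name alone. Consider dropping the archive from the commit and adding `*.tar.gz` to `.gitignore`, keeping the configuration as the plain files that are already tracked.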


@ -1,19 +1,20 @@
identity_providers: # TEMPORARILY DISABLED - OIDC provider causing startup issues
oidc: # identity_providers:
lifespans: # oidc:
access_token: 1h # lifespans:
authorize_code: 1m # access_token: 1h
id_token: 1h # authorize_code: 1m
refresh_token: 90m # id_token: 1h
enable_client_debug_messages: false # refresh_token: 90m
enforce_pkce: public_clients_only # enable_client_debug_messages: false
cors: # enforce_pkce: public_clients_only
endpoints: # cors:
- authorization # endpoints:
- token # - authorization
- revocation # - token
- introspection # - revocation
- userinfo # - introspection
allowed_origins: # - userinfo
- "*" # allowed_origins:
allowed_origins_from_client_redirect_uris: false # - "*"
# allowed_origins_from_client_redirect_uris: false
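Review bot: The disabled block keeps `allowed_origins: - "*"` for the authorization, token, revocation, introspection and userinfo endpoints, so the moment it is uncommented the provider returns with wildcard CORS on its token-handling endpoints. Before re-enabling, replace the wildcard with the specific client origins, or set `allowed_origins_from_client_redirect_uris: true` and drop the `"*"` entry. As committed the file contains only comment lines and parses as an empty document; whether the config loader accepts that cannot be confirmed from this page, so it is worth checking in the startup log.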


@ -1,60 +1,61 @@
identity_providers: # TEMPORARILY DISABLED - OIDC clients causing template processing issues
oidc: # identity_providers:
hmac_secret: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET" }} # oidc:
jwks: # hmac_secret: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET" }}
- key: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY" | mindent 10 "|" | msquote }} # jwks:
# - key: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
authorization_policies: #
# authorization_policies:
headscale: #
default_policy: deny # headscale:
rules: # default_policy: deny
- policy: one_factor # rules:
subject: group:headscale # - policy: one_factor
# To generate secrets: # subject: group:headscale
# docker exec -it authelia authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 # # To generate secrets:
clients: # # docker exec -it authelia authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
# clients:
- client_id: headscale #
client_name: Headscale # - client_id: headscale
client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADSCALE" }} # client_name: Headscale
public: false # client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADSCALE" }}
authorization_policy: headscale # public: false
consent_mode: implicit # authorization_policy: headscale
scopes: # consent_mode: implicit
- openid # scopes:
- email # - openid
- profile # - email
redirect_uris: # - profile
- https://headscale.{{ env "TRAEFIK_DOMAIN" }}/oidc/callback # redirect_uris:
- https://headscale.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on same domain as headscale # - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/oidc/callback
# - https://headplane.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on it's own domain # - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on same domain as headscale
userinfo_signed_response_alg: none # # - https://headplane.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on it's own domain
- client_id: headadmin # userinfo_signed_response_alg: none
client_name: headadmin # - client_id: headadmin
client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADADMIN" }} # client_name: headadmin
public: false # client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADADMIN" }}
authorization_policy: one_factor # public: false
consent_mode: implicit # authorization_policy: one_factor
scopes: # consent_mode: implicit
- openid # scopes:
- email # - openid
- profile # - email
redirect_uris: # - profile
- https://headadmin.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback # redirect_uris:
userinfo_signed_response_alg: none # - https://headadmin.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback
# userinfo_signed_response_alg: none
- client_id: portainer #
client_name: Portainer # - client_id: portainer
client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }} # client_name: Portainer
public: false # client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }}
authorization_policy: one_factor # public: false
consent_mode: implicit # authorization_policy: one_factor
scopes: # consent_mode: implicit
- openid # scopes:
- email # - openid
- profile # - email
- groups # - profile
redirect_uris: # - groups
- https://portainer.{{ env "TRAEFIK_DOMAIN" }}/ # redirect_uris:
userinfo_signed_response_alg: none # - https://portainer.{{ env "TRAEFIK_DOMAIN" }}/
# userinfo_signed_response_alg: none
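Review bot: Commenting out the `{{ secret "/run/secrets/…" }}` expressions (the hmac_secret line, the jwks key line and the three client_secret lines) does not stop them from being evaluated, because the template filter runs Go text/template over the whole file before YAML parsing and has no notion of a `#` comment, so each call still attempts to read its secret file. With the same secrets no longer mounted by the stack hunk (`- IDENTITY_PROVIDERS_OIDC_HMAC_SECRET`, `- IDENTITY_PROVIDERS_OIDC_JWKS_KEY` and the `CLIENT_SECRET_*` entries), those reads presumably fail at template time, which would reproduce the failed pipeline rather than cure it. Either wrap the disabled section in a template comment, `{{/*` on a line before `# identity_providers:` and `*/}}` after the last line, or delete the block and rely on git history to restore it.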


@ -10,24 +10,26 @@ secrets:
external: true external: true
IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
external: true external: true
IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: # TEMPORARILY DISABLED - OIDC provider disabled
external: true # IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: # external: true
external: true # IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
IDENTITY_PROVIDERS_OIDC_JWKS_KEY: # external: true
external: true # IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
# external: true
NOTIFIER_SMTP_PASSWORD: NOTIFIER_SMTP_PASSWORD:
external: true external: true
SESSION_SECRET: SESSION_SECRET:
external: true external: true
STORAGE_ENCRYPTION_KEY: STORAGE_ENCRYPTION_KEY:
external: true external: true
CLIENT_SECRET_HEADSCALE: # TEMPORARILY DISABLED - OAuth clients disabled
external: true # CLIENT_SECRET_HEADSCALE:
CLIENT_SECRET_HEADADMIN: # external: true
external: true # CLIENT_SECRET_HEADADMIN:
CLIENT_SECRET_PORTAINER: # external: true
external: true # CLIENT_SECRET_PORTAINER:
# external: true
# TEMPORARILY DISABLED - Gitea OAuth (not ready yet) # TEMPORARILY DISABLED - Gitea OAuth (not ready yet)
# CLIENT_SECRET_GITEA: # CLIENT_SECRET_GITEA:
# external: true # external: true
@ -63,15 +65,15 @@ services:
secrets: secrets:
- AUTHENTICATION_BACKEND_LDAP_PASSWORD - AUTHENTICATION_BACKEND_LDAP_PASSWORD
- IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET - IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
- IDENTITY_PROVIDERS_OIDC_HMAC_SECRET # - IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
- IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY # - IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
- IDENTITY_PROVIDERS_OIDC_JWKS_KEY # - IDENTITY_PROVIDERS_OIDC_JWKS_KEY
- NOTIFIER_SMTP_PASSWORD - NOTIFIER_SMTP_PASSWORD
- SESSION_SECRET - SESSION_SECRET
- STORAGE_ENCRYPTION_KEY - STORAGE_ENCRYPTION_KEY
- CLIENT_SECRET_HEADSCALE # - CLIENT_SECRET_HEADSCALE
- CLIENT_SECRET_HEADADMIN # - CLIENT_SECRET_HEADADMIN
- CLIENT_SECRET_PORTAINER # - CLIENT_SECRET_PORTAINER
environment: *authelia-env environment: *authelia-env
dns: dns:
- 1.1.1.1 # Cloudflare - 1.1.1.1 # Cloudflare