Completely disable OIDC provider temporarily - Comment out all OIDC configuration in identity providers and clients - Remove OIDC secrets from stack to eliminate template processing issues - This should get Authelia running with basic auth only
This commit is contained in:
parent
f062eeb40d
commit
b3e748477d
Binary file not shown.
|
@ -1,19 +1,20 @@
|
|||
identity_providers:
|
||||
oidc:
|
||||
lifespans:
|
||||
access_token: 1h
|
||||
authorize_code: 1m
|
||||
id_token: 1h
|
||||
refresh_token: 90m
|
||||
enable_client_debug_messages: false
|
||||
enforce_pkce: public_clients_only
|
||||
cors:
|
||||
endpoints:
|
||||
- authorization
|
||||
- token
|
||||
- revocation
|
||||
- introspection
|
||||
- userinfo
|
||||
allowed_origins:
|
||||
- "*"
|
||||
allowed_origins_from_client_redirect_uris: false
|
||||
# TEMPORARILY DISABLED - OIDC provider causing startup issues
|
||||
# identity_providers:
|
||||
# oidc:
|
||||
# lifespans:
|
||||
# access_token: 1h
|
||||
# authorize_code: 1m
|
||||
# id_token: 1h
|
||||
# refresh_token: 90m
|
||||
# enable_client_debug_messages: false
|
||||
# enforce_pkce: public_clients_only
|
||||
# cors:
|
||||
# endpoints:
|
||||
# - authorization
|
||||
# - token
|
||||
# - revocation
|
||||
# - introspection
|
||||
# - userinfo
|
||||
# allowed_origins:
|
||||
# - "*"
|
||||
# allowed_origins_from_client_redirect_uris: false
|
|
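Review bot: The disabled block keeps `allowed_origins: - "*"` together with `allowed_origins_from_client_redirect_uris: false`, so the moment it is uncommented the token, revocation, introspection and userinfo endpoints will again answer cross-origin requests from any origin. Before the block is restored, consider listing the concrete client origins instead, or setting `allowed_origins_from_client_redirect_uris: true` and dropping the wildcard entry. The `# TEMPORARILY DISABLED` header would also be more useful if it recorded what failed and what has to be true before re-enabling, e.g. `# TEMPORARILY DISABLED - startup failed with <error text here>; re-enable together with the clients file and the stack secrets`.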
@ -1,60 +1,61 @@
|
|||
identity_providers:
|
||||
oidc:
|
||||
hmac_secret: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET" }}
|
||||
jwks:
|
||||
- key: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
|
||||
|
||||
authorization_policies:
|
||||
|
||||
headscale:
|
||||
default_policy: deny
|
||||
rules:
|
||||
- policy: one_factor
|
||||
subject: group:headscale
|
||||
# To generate secrets:
|
||||
# docker exec -it authelia authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
|
||||
clients:
|
||||
|
||||
- client_id: headscale
|
||||
client_name: Headscale
|
||||
client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADSCALE" }}
|
||||
public: false
|
||||
authorization_policy: headscale
|
||||
consent_mode: implicit
|
||||
scopes:
|
||||
- openid
|
||||
- email
|
||||
- profile
|
||||
redirect_uris:
|
||||
- https://headscale.{{ env "TRAEFIK_DOMAIN" }}/oidc/callback
|
||||
- https://headscale.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on same domain as headscale
|
||||
# - https://headplane.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on it's own domain
|
||||
userinfo_signed_response_alg: none
|
||||
- client_id: headadmin
|
||||
client_name: headadmin
|
||||
client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADADMIN" }}
|
||||
public: false
|
||||
authorization_policy: one_factor
|
||||
consent_mode: implicit
|
||||
scopes:
|
||||
- openid
|
||||
- email
|
||||
- profile
|
||||
redirect_uris:
|
||||
- https://headadmin.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback
|
||||
userinfo_signed_response_alg: none
|
||||
|
||||
- client_id: portainer
|
||||
client_name: Portainer
|
||||
client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }}
|
||||
public: false
|
||||
authorization_policy: one_factor
|
||||
consent_mode: implicit
|
||||
scopes:
|
||||
- openid
|
||||
- email
|
||||
- profile
|
||||
- groups
|
||||
redirect_uris:
|
||||
- https://portainer.{{ env "TRAEFIK_DOMAIN" }}/
|
||||
userinfo_signed_response_alg: none
|
||||
# TEMPORARILY DISABLED - OIDC clients causing template processing issues
|
||||
# identity_providers:
|
||||
# oidc:
|
||||
# hmac_secret: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET" }}
|
||||
# jwks:
|
||||
# - key: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
|
||||
#
|
||||
# authorization_policies:
|
||||
#
|
||||
# headscale:
|
||||
# default_policy: deny
|
||||
# rules:
|
||||
# - policy: one_factor
|
||||
# subject: group:headscale
|
||||
# # To generate secrets:
|
||||
# # docker exec -it authelia authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
|
||||
# clients:
|
||||
#
|
||||
# - client_id: headscale
|
||||
# client_name: Headscale
|
||||
# client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADSCALE" }}
|
||||
# public: false
|
||||
# authorization_policy: headscale
|
||||
# consent_mode: implicit
|
||||
# scopes:
|
||||
# - openid
|
||||
# - email
|
||||
# - profile
|
||||
# redirect_uris:
|
||||
# - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/oidc/callback
|
||||
# - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on same domain as headscale
|
||||
# # - https://headplane.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on it's own domain
|
||||
# userinfo_signed_response_alg: none
|
||||
# - client_id: headadmin
|
||||
# client_name: headadmin
|
||||
# client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADADMIN" }}
|
||||
# public: false
|
||||
# authorization_policy: one_factor
|
||||
# consent_mode: implicit
|
||||
# scopes:
|
||||
# - openid
|
||||
# - email
|
||||
# - profile
|
||||
# redirect_uris:
|
||||
# - https://headadmin.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback
|
||||
# userinfo_signed_response_alg: none
|
||||
#
|
||||
# - client_id: portainer
|
||||
# client_name: Portainer
|
||||
# client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }}
|
||||
# public: false
|
||||
# authorization_policy: one_factor
|
||||
# consent_mode: implicit
|
||||
# scopes:
|
||||
# - openid
|
||||
# - email
|
||||
# - profile
|
||||
# - groups
|
||||
# redirect_uris:
|
||||
# - https://portainer.{{ env "TRAEFIK_DOMAIN" }}/
|
||||
# userinfo_signed_response_alg: none
|
|
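Review bot: The commented-out lines still contain live template expressions, e.g. `# client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADSCALE" }}` and `# - key: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}`. The template filter processes the raw file text before the YAML is parsed, so a leading `#` does not stop these from being evaluated; with the secret mounts removed from the stack in the same commit, `secret` will be pointed at files that no longer exist, and the `mindent` expansion would emit lines without a `#` prefix even when the file is present. If the intent is to stop template processing, neutralise the expressions in the disabled lines, e.g. `# client_secret: (from secret CLIENT_SECRET_HEADSCALE)`, or wrap the whole disabled block in a template comment `{{/* ... */}}`. The `hmac_secret` line in this hunk has the same issue.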
@ -10,24 +10,26 @@ secrets:
|
|||
external: true
|
||||
IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
|
||||
external: true
|
||||
IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
|
||||
external: true
|
||||
IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
|
||||
external: true
|
||||
IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
|
||||
external: true
|
||||
# TEMPORARILY DISABLED - OIDC provider disabled
|
||||
# IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
|
||||
# external: true
|
||||
# IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
|
||||
# external: true
|
||||
# IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
|
||||
# external: true
|
||||
NOTIFIER_SMTP_PASSWORD:
|
||||
external: true
|
||||
SESSION_SECRET:
|
||||
external: true
|
||||
STORAGE_ENCRYPTION_KEY:
|
||||
external: true
|
||||
CLIENT_SECRET_HEADSCALE:
|
||||
external: true
|
||||
CLIENT_SECRET_HEADADMIN:
|
||||
external: true
|
||||
CLIENT_SECRET_PORTAINER:
|
||||
external: true
|
||||
# TEMPORARILY DISABLED - OAuth clients disabled
|
||||
# CLIENT_SECRET_HEADSCALE:
|
||||
# external: true
|
||||
# CLIENT_SECRET_HEADADMIN:
|
||||
# external: true
|
||||
# CLIENT_SECRET_PORTAINER:
|
||||
# external: true
|
||||
# TEMPORARILY DISABLED - Gitea OAuth (not ready yet)
|
||||
# CLIENT_SECRET_GITEA:
|
||||
# external: true
|
||||
|
@ -63,15 +65,15 @@ services:
|
|||
secrets:
|
||||
- AUTHENTICATION_BACKEND_LDAP_PASSWORD
|
||||
- IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
|
||||
- IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
|
||||
- IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
|
||||
- IDENTITY_PROVIDERS_OIDC_JWKS_KEY
|
||||
# - IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
|
||||
# - IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
|
||||
# - IDENTITY_PROVIDERS_OIDC_JWKS_KEY
|
||||
- NOTIFIER_SMTP_PASSWORD
|
||||
- SESSION_SECRET
|
||||
- STORAGE_ENCRYPTION_KEY
|
||||
- CLIENT_SECRET_HEADSCALE
|
||||
- CLIENT_SECRET_HEADADMIN
|
||||
- CLIENT_SECRET_PORTAINER
|
||||
# - CLIENT_SECRET_HEADSCALE
|
||||
# - CLIENT_SECRET_HEADADMIN
|
||||
# - CLIENT_SECRET_PORTAINER
|
||||
environment: *authelia-env
|
||||
dns:
|
||||
- 1.1.1.1 # Cloudflare
|
||||
|
|
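Review bot: The secret declarations commented out under `secrets:` and the matching mounts commented out in the `services:` hunk below carry no hint that they must be restored together with the `{{ secret "/run/secrets/..." }}` references in the two configuration files; restoring only one side leaves either an unmounted file or a declared-but-unused secret. A pointer on each disabled block would make the re-enable path unambiguous, e.g. `# TEMPORARILY DISABLED - re-enable together with the service secrets list below and the oidc configuration files`. Separately, `IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY` is declared and mounted here but nothing in the configuration shown in this commit reads it, so it is worth confirming whether it is still needed before it comes back.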