ATLAS/docker/authelia/config/configuration.oidc.clients.yml

# TEMPORARILY DISABLED - OIDC clients causing template processing issues
# identity_providers:
#   oidc:
#     hmac_secret: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET" }}
#     jwks:
#       - key: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
# 
#     authorization_policies:
# 
#       headscale:
#         default_policy: deny
#         rules:
#           - policy: one_factor
#             subject: group:headscale
# # To generate secrets: 
# # docker exec -it authelia authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
#     clients:
# 
#       - client_id: headscale
#         client_name: Headscale
#         client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADSCALE" }}
#         public: false
#         authorization_policy: headscale
#         consent_mode: implicit
#         scopes:
#           - openid
#           - email
#           - profile
#         redirect_uris:
#           - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/oidc/callback
#           - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on same domain as headscale
#           # - https://headplane.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on it's own domain
#         userinfo_signed_response_alg: none
#       - client_id: headadmin
#         client_name: headadmin
#         client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADADMIN" }}
#         public: false
#         authorization_policy: one_factor
#         consent_mode: implicit
#         scopes:
#           - openid
#           - email
#           - profile
#         redirect_uris:
#           - https://headadmin.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback
#         userinfo_signed_response_alg: none
# 
#       - client_id: portainer
#         client_name: Portainer
#         client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }}
#         public: false
#         authorization_policy: one_factor
#         consent_mode: implicit
#         scopes:
#           - openid
#           - email
#           - profile
#           - groups
#         redirect_uris:
#           - https://portainer.{{ env "TRAEFIK_DOMAIN" }}/
#         userinfo_signed_response_alg: none