fix: authelia jwks

2025-09-17 18:24:14 +02:00 · 2024-06-17 00:51:42 +02:00
parent 2545b72b99
commit 115a4fef8e
3 changed files with 55 additions and 14 deletions
--- a/kubernetes/apps/default/authelia/app/config/configuration.yaml
+++ b/kubernetes/apps/default/authelia/app/config/configuration.yaml
@@ -1,4 +1,6 @@
 ---
+# Genereate client_secret
+# https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
 authentication_backend:
  ldap:
    address: ldap://lldap.default.svc.cluster.local:5389
@@ -74,6 +76,8 @@ access_control:

 identity_providers:
  oidc:
+    # jwks:
+    #   - key: {{ secret "/config/secret/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
    cors:
      endpoints: [authorization, token, revocation, introspection]
      allowed_origins_from_client_redirect_uris: true
@@ -96,17 +100,6 @@ identity_providers:
        scopes: [openid, profile, groups, email]
        redirect_uris: ["https://grafana.${SECRET_EXTERNAL_DOMAIN}/login/generic_oauth"]
        userinfo_signed_response_alg: none
-      - client_id: outline
-        client_name: Outline
-        client_secret: "$${OUTLINE_OAUTH_DIGEST}"
-        public: false
-        authorization_policy: two_factor
-        pre_configured_consent_duration: 1y
-        scopes: [openid, profile, email, offline_access]
-        response_types: code
-        redirect_uris: ["https://docs.${SECRET_EXTERNAL_DOMAIN}/auth/oidc.callback"]
-        userinfo_signed_response_alg: none
-        token_endpoint_auth_method: client_secret_basic
      - client_name: jellyfin
        client_id: jellyfin
        client_secret: "$${JELLYFIN_OAUTH_DIGEST}"
@@ -119,3 +112,43 @@ identity_providers:
        redirect_uris: [ "https://jellyfin.${SECRET_EXTERNAL_DOMAIN}/sso/OID/redirect/authelia"]
        userinfo_signed_response_alg: none
        token_endpoint_auth_method: client_secret_post
+      - client_id: komga
+        client_name: Komga
+        client_secret: "$${KOMGA_OAUTH_DIGEST}"
+        public: false
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes: [openid, profile, email]
+        redirect_uris: ['https://komga.${SECRET_EXTERNAL_DOMAIN}/login/oauth2/code/authelia']
+        grant_types: authorization_code
+        userinfo_signed_response_alg: none
+      - client_id: outline
+        client_name: Outline
+        client_secret: "$${OUTLINE_OAUTH_DIGEST}"
+        public: false
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes: [openid, profile, email, offline_access]
+        response_types: code
+        redirect_uris: ["https://docs.${SECRET_EXTERNAL_DOMAIN}/auth/oidc.callback"]
+        userinfo_signed_response_alg: none
+        token_endpoint_auth_method: client_secret_basic
+      - client_id: paperless
+        client_name: Paperless
+        client_secret: "$${PAPERLESS_OAUTH_DIGEST}"
+        public: false
+        authorization_policy: one_factor
+        pre_configured_consent_duration: 1y
+        scopes: [openid, profile, groups, email]
+        redirect_uris: ['https://paperless.${SECRET_EXTERNAL_DOMAIN}/accounts/oidc/authelia/login/callback']
+        userinfo_signed_response_alg: none
+      - client_id: pgadmin
+        client_name: pgAdmin
+        client_secret: '$${PGADMIN_OAUTH_DIGEST}'
+        public: false
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes: [openid, profile, email]
+        redirect_uris: ['https://pgadmin.${SECRET_EXTERNAL_DOMAIN}/oauth2/authorize']
+        userinfo_signed_response_alg: none
+        token_endpoint_auth_method: client_secret_basic
--- a/kubernetes/apps/default/authelia/app/externalsecret.yaml
+++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml
@@ -26,9 +26,9 @@ spec:
        AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
        # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
        # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
-        AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .jwks_pem }}"
-        jwks_cert: "{{ .jwks_cert }}"
-        jwks_pem: "{{ .jwks_pem }}"
+        AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .OIDC_JWKS_KEY }}"
+        OIDC_JWKS_KEY: "{{ .OIDC_JWKS_KEY }}"
+        OIDC_JWKS_CERT: "{{ .OIDC_JWKS_CERT }}"
        FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
        FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}"
        GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
@@ -37,6 +37,12 @@ spec:
        OUTLINE_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        JELLYFIN_OAUTH_CLIENT_SECRET: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}"
        JELLYFIN_OAUTH_DIGEST: "{{ .JELLYFIN_OAUTH_DIGEST }}"
+        PGADMIN_OAUTH_CLIENT_SECRET: "{{ .PGADMIN_OAUTH_CLIENT_SECRET }}"
+        PGADMIN_OAUTH_DIGEST: "{{ .PGADMIN_OAUTH_DIGEST }}"
+        PAPERLESS_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
+        PAPERLESS_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
+        KOMGA_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
+        KOMGA_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
        # Postgres Init
        INIT_POSTGRES_DBNAME: *dbName
--- a/kubernetes/apps/default/authelia/app/helmrelease.yaml
+++ b/kubernetes/apps/default/authelia/app/helmrelease.yaml
@@ -72,6 +72,8 @@ spec:
              AUTHELIA_THEME: dark
              AUTHELIA_TOTP_ISSUER: authelia.com
              AUTHELIA_WEBAUTHN_DISABLE: "true"
+              X_AUTHELIA_CONFIG: /config/configuration.yaml
+              X_AUTHELIA_CONFIG_FILTERS: template
            envFrom: *envFrom
            args: [--config, /config/configuration.yaml, --config.experimental.filters, expand-env]
            probes: