From 115a4fef8e6800217cae7e33f4f125d9b709ec98 Mon Sep 17 00:00:00 2001
From: auricom <27022259+auricom@users.noreply.github.com>
Date: Mon, 17 Jun 2024 00:51:42 +0200
Subject: [PATCH] fix: authelia jwks
---
 .../authelia/app/config/configuration.yaml | 55 +++++++++++++++----
 .../default/authelia/app/externalsecret.yaml | 12 +++-
 .../default/authelia/app/helmrelease.yaml | 2 +
 3 files changed, 55 insertions(+), 14 deletions(-)
diff --git a/kubernetes/apps/default/authelia/app/config/configuration.yaml b/kubernetes/apps/default/authelia/app/config/configuration.yaml
index f91d44990..d209683ec 100644
--- a/kubernetes/apps/default/authelia/app/config/configuration.yaml
+++ b/kubernetes/apps/default/authelia/app/config/configuration.yaml
@@ -1,4 +1,6 @@
 ---
+# Genereate client_secret
+# https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
 authentication_backend:
 ldap:
 address: ldap://lldap.default.svc.cluster.local:5389
@@ -74,6 +76,8 @@ access_control:
 identity_providers:
 oidc:
+ # jwks:
+ # - key: {{ secret "/config/secret/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
 cors:
 endpoints: [authorization, token, revocation, introspection]
 allowed_origins_from_client_redirect_uris: true
@@ -96,17 +100,6 @@ identity_providers:
 scopes: [openid, profile, groups, email]
 redirect_uris: ["https://grafana.${SECRET_EXTERNAL_DOMAIN}/login/generic_oauth"]
 userinfo_signed_response_alg: none
- - client_id: outline
- client_name: Outline
- client_secret: "$${OUTLINE_OAUTH_DIGEST}"
- public: false
- authorization_policy: two_factor
- pre_configured_consent_duration: 1y
- scopes: [openid, profile, email, offline_access]
- response_types: code
- redirect_uris: ["https://docs.${SECRET_EXTERNAL_DOMAIN}/auth/oidc.callback"]
- userinfo_signed_response_alg: none
- token_endpoint_auth_method: client_secret_basic
 - client_name: jellyfin
 client_id: jellyfin
 client_secret: "$${JELLYFIN_OAUTH_DIGEST}"
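Review bot: The new header comment in the first hunk misspells its first word and does not say what kind of value the FAQ link produces; the `client_secret` entries further down are digests, so `# Generate the client_secret digests ($${*_OAUTH_DIGEST}) as described in:` above the existing URL line would make the comment both correct and useful. Nothing else in that hunk changes.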
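Review bot: The `jwks:` block in the second hunk is committed commented out, so despite the commit title the issuer key still reaches Authelia only through the `AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY` environment variable, and nothing in this patch consumes `/config/secret/OIDC_JWKS_KEY`. If the block is deferred on purpose, a reason next to it, `# jwks: disabled until the template config filter is confirmed active (see helmrelease.yaml args)`, stops the next reader from assuming the migration is complete; if it was meant to be live, un-commenting both lines is the fix. The path also assumes the secret is mounted under `/config/secret`, which this patch does not show.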
@@ -119,3 +112,43 @@ identity_providers:
 redirect_uris: [ "https://jellyfin.${SECRET_EXTERNAL_DOMAIN}/sso/OID/redirect/authelia"]
 userinfo_signed_response_alg: none
 token_endpoint_auth_method: client_secret_post
+ - client_id: komga
+ client_name: Komga
+ client_secret: "$${KOMGA_OAUTH_DIGEST}"
+ public: false
+ authorization_policy: two_factor
+ pre_configured_consent_duration: 1y
+ scopes: [openid, profile, email]
+ redirect_uris: ['https://komga.${SECRET_EXTERNAL_DOMAIN}/login/oauth2/code/authelia']
+ grant_types: authorization_code
+ userinfo_signed_response_alg: none
+ - client_id: outline
+ client_name: Outline
+ client_secret: "$${OUTLINE_OAUTH_DIGEST}"
+ public: false
+ authorization_policy: two_factor
+ pre_configured_consent_duration: 1y
+ scopes: [openid, profile, email, offline_access]
+ response_types: code
+ redirect_uris: ["https://docs.${SECRET_EXTERNAL_DOMAIN}/auth/oidc.callback"]
+ userinfo_signed_response_alg: none
+ token_endpoint_auth_method: client_secret_basic
+ - client_id: paperless
+ client_name: Paperless
+ client_secret: "$${PAPERLESS_OAUTH_DIGEST}"
+ public: false
+ authorization_policy: one_factor
+ pre_configured_consent_duration: 1y
+ scopes: [openid, profile, groups, email]
+ redirect_uris: ['https://paperless.${SECRET_EXTERNAL_DOMAIN}/accounts/oidc/authelia/login/callback']
+ userinfo_signed_response_alg: none
+ - client_id: pgadmin
+ client_name: pgAdmin
+ client_secret: '$${PGADMIN_OAUTH_DIGEST}'
+ public: false
+ authorization_policy: two_factor
+ pre_configured_consent_duration: 1y
+ scopes: [openid, profile, email]
+ redirect_uris: ['https://pgadmin.${SECRET_EXTERNAL_DOMAIN}/oauth2/authorize']
+ userinfo_signed_response_alg: none
+ token_endpoint_auth_method: client_secret_basic
diff --git a/kubernetes/apps/default/authelia/app/externalsecret.yaml b/kubernetes/apps/default/authelia/app/externalsecret.yaml
index f1d9f9e09..668ba4c99 100644
--- a/kubernetes/apps/default/authelia/app/externalsecret.yaml
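Review bot: `paperless` is the only confidential client added here with `authorization_policy: one_factor`; komga, outline and pgadmin all require `two_factor`, and a document archive is not an obvious candidate for the weaker policy. If single-factor is intentional, a comment on that line saying why (for example that the client cannot complete a second-factor round-trip) should accompany it; otherwise it should read `authorization_policy: two_factor` like its neighbours. Separately, komga sets `grant_types: authorization_code` and outline `response_types: code` as plain scalars while the other clients omit both, so it is worth checking those two against the configuration schema rather than assuming a single string is accepted where a list is expected.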
+++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml
@@ -26,9 +26,9 @@ spec:
 AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
 # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
 # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
- AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .jwks_pem }}"
- jwks_cert: "{{ .jwks_cert }}"
- jwks_pem: "{{ .jwks_pem }}"
+ AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .OIDC_JWKS_KEY }}"
+ OIDC_JWKS_KEY: "{{ .OIDC_JWKS_KEY }}"
+ OIDC_JWKS_CERT: "{{ .OIDC_JWKS_CERT }}"
 FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
 FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}"
 GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
@@ -37,6 +37,12 @@ spec:
 OUTLINE_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
 JELLYFIN_OAUTH_CLIENT_SECRET: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}"
 JELLYFIN_OAUTH_DIGEST: "{{ .JELLYFIN_OAUTH_DIGEST }}"
+ PGADMIN_OAUTH_CLIENT_SECRET: "{{ .PGADMIN_OAUTH_CLIENT_SECRET }}"
+ PGADMIN_OAUTH_DIGEST: "{{ .PGADMIN_OAUTH_DIGEST }}"
+ PAPERLESS_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
+ PAPERLESS_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
+ KOMGA_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
+ KOMGA_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
 SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
 # Postgres Init
 INIT_POSTGRES_DBNAME: *dbName
diff --git a/kubernetes/apps/default/authelia/app/helmrelease.yaml b/kubernetes/apps/default/authelia/app/helmrelease.yaml
index 1f90db5b4..0a8dd825d 100644
--- a/kubernetes/apps/default/authelia/app/helmrelease.yaml
+++ b/kubernetes/apps/default/authelia/app/helmrelease.yaml
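Review bot: In the first hunk the same private key is now delivered twice — as `AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY` for the environment and again as `OIDC_JWKS_KEY` — while nothing in this patch reads `OIDC_JWKS_KEY` or `OIDC_JWKS_CERT`, because the `jwks:` block in configuration.yaml stays commented out. Holding the issuer private key in the process environment as well as in a mounted secret doubles the places it can be read from, so once the jwks path is live the environment-variable form should be removed. Until then a comment above the two new keys, `# OIDC_JWKS_KEY/_CERT: staged for the jwks block in configuration.yaml, not yet consumed`, records why both exist.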
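Review bot: In the second hunk `PAPERLESS_OAUTH_CLIENT_SECRET`, `PAPERLESS_OAUTH_DIGEST`, `KOMGA_OAUTH_CLIENT_SECRET` and `KOMGA_OAUTH_DIGEST` are all templated from the Outline source keys (`.OUTLINE_OAUTH_CLIENT_SECRET` / `.OUTLINE_OAUTH_DIGEST`), so three confidential OIDC clients end up sharing one secret and a compromise of any one of them lets the holder authenticate to the token endpoint as the others. The `PGADMIN_*` pair two lines above shows the intended pattern; each client should reference its own source key, which also means provisioning `PAPERLESS_*` and `KOMGA_*` in the backing secret store before this lands.
```yaml
# … unchanged: PGADMIN_OAUTH_CLIENT_SECRET / PGADMIN_OAUTH_DIGEST …
PAPERLESS_OAUTH_CLIENT_SECRET: "{{ .PAPERLESS_OAUTH_CLIENT_SECRET }}"
PAPERLESS_OAUTH_DIGEST: "{{ .PAPERLESS_OAUTH_DIGEST }}"
KOMGA_OAUTH_CLIENT_SECRET: "{{ .KOMGA_OAUTH_CLIENT_SECRET }}"
KOMGA_OAUTH_DIGEST: "{{ .KOMGA_OAUTH_DIGEST }}"
# … unchanged: SECRET_PUBLIC_DOMAIN and the Postgres init keys …
```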
@@ -72,6 +72,8 @@ spec:
 AUTHELIA_THEME: dark
 AUTHELIA_TOTP_ISSUER: authelia.com
 AUTHELIA_WEBAUTHN_DISABLE: "true"
+ X_AUTHELIA_CONFIG: /config/configuration.yaml
+ X_AUTHELIA_CONFIG_FILTERS: template
 envFrom: *envFrom
 args: [--config, /config/configuration.yaml, --config.experimental.filters, expand-env]
 probes:
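Review bot: The two new environment variables and the existing `args` line configure the same thing with different filter sets — `X_AUTHELIA_CONFIG_FILTERS: template` versus `--config.experimental.filters, expand-env` — so whichever source takes precedence, one filter is silently not applied: without `expand-env` the `$${..._OAUTH_DIGEST}` client secrets in configuration.yaml stay unexpanded, and without `template` the `{{ secret ... }}` jwks line cannot render, which may be why it is still commented out there. Pick one source and list both filters in it, for example drop the two env vars and change the args entry to `args: [--config, /config/configuration.yaml, --config.experimental.filters, "expand-env,template"]` (quoted so the comma is not read as a flow-sequence separator), assuming the flag accepts a comma-separated list the way the env var does — worth confirming against the Authelia docs for the deployed version, or repeating the flag once per filter if it does not.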