fix: authelia jwks

kubernetes/apps/default/authelia/app/config/configuration.yaml

@@ -1,4 +1,6 @@
 ---
+# Genereate client_secret
+# https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
 authentication_backend:
   ldap:
     address: ldap://lldap.default.svc.cluster.local:5389
@@ -74,6 +76,8 @@ access_control:
 
 identity_providers:
   oidc:
+    # jwks:
+    #   - key: {{ secret "/config/secret/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
     cors:
       endpoints: [authorization, token, revocation, introspection]
       allowed_origins_from_client_redirect_uris: true
@@ -96,17 +100,6 @@ identity_providers:
         scopes: [openid, profile, groups, email]
         redirect_uris: ["https://grafana.${SECRET_EXTERNAL_DOMAIN}/login/generic_oauth"]
         userinfo_signed_response_alg: none
-      - client_id: outline
-        client_name: Outline
-        client_secret: "$${OUTLINE_OAUTH_DIGEST}"
-        public: false
-        authorization_policy: two_factor
-        pre_configured_consent_duration: 1y
-        scopes: [openid, profile, email, offline_access]
-        response_types: code
-        redirect_uris: ["https://docs.${SECRET_EXTERNAL_DOMAIN}/auth/oidc.callback"]
-        userinfo_signed_response_alg: none
-        token_endpoint_auth_method: client_secret_basic
       - client_name: jellyfin
         client_id: jellyfin
         client_secret: "$${JELLYFIN_OAUTH_DIGEST}"
@@ -119,3 +112,43 @@ identity_providers:
         redirect_uris: [ "https://jellyfin.${SECRET_EXTERNAL_DOMAIN}/sso/OID/redirect/authelia"]
         userinfo_signed_response_alg: none
         token_endpoint_auth_method: client_secret_post
+      - client_id: komga
+        client_name: Komga
+        client_secret: "$${KOMGA_OAUTH_DIGEST}"
+        public: false
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes: [openid, profile, email]
+        redirect_uris: ['https://komga.${SECRET_EXTERNAL_DOMAIN}/login/oauth2/code/authelia']
+        grant_types: authorization_code
+        userinfo_signed_response_alg: none
+      - client_id: outline
+        client_name: Outline
+        client_secret: "$${OUTLINE_OAUTH_DIGEST}"
+        public: false
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes: [openid, profile, email, offline_access]
+        response_types: code
+        redirect_uris: ["https://docs.${SECRET_EXTERNAL_DOMAIN}/auth/oidc.callback"]
+        userinfo_signed_response_alg: none
+        token_endpoint_auth_method: client_secret_basic
+      - client_id: paperless
+        client_name: Paperless
+        client_secret: "$${PAPERLESS_OAUTH_DIGEST}"
+        public: false
+        authorization_policy: one_factor
+        pre_configured_consent_duration: 1y
+        scopes: [openid, profile, groups, email]
+        redirect_uris: ['https://paperless.${SECRET_EXTERNAL_DOMAIN}/accounts/oidc/authelia/login/callback']
+        userinfo_signed_response_alg: none
+      - client_id: pgadmin
+        client_name: pgAdmin
+        client_secret: '$${PGADMIN_OAUTH_DIGEST}'
+        public: false
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes: [openid, profile, email]
+        redirect_uris: ['https://pgadmin.${SECRET_EXTERNAL_DOMAIN}/oauth2/authorize']
+        userinfo_signed_response_alg: none
+        token_endpoint_auth_method: client_secret_basic

kubernetes/apps/default/authelia/app/externalsecret.yaml

@@ -26,9 +26,9 @@ spec:
         AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
         # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
         # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
-        AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .jwks_pem }}"
+        AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .OIDC_JWKS_KEY }}"
-        jwks_cert: "{{ .jwks_cert }}"
+        OIDC_JWKS_KEY: "{{ .OIDC_JWKS_KEY }}"
-        jwks_pem: "{{ .jwks_pem }}"
+        OIDC_JWKS_CERT: "{{ .OIDC_JWKS_CERT }}"
         FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
         FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}"
         GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
@@ -37,6 +37,12 @@ spec:
         OUTLINE_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
         JELLYFIN_OAUTH_CLIENT_SECRET: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}"
         JELLYFIN_OAUTH_DIGEST: "{{ .JELLYFIN_OAUTH_DIGEST }}"
+        PGADMIN_OAUTH_CLIENT_SECRET: "{{ .PGADMIN_OAUTH_CLIENT_SECRET }}"
+        PGADMIN_OAUTH_DIGEST: "{{ .PGADMIN_OAUTH_DIGEST }}"
+        PAPERLESS_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
+        PAPERLESS_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
+        KOMGA_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
+        KOMGA_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
         SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
         # Postgres Init
         INIT_POSTGRES_DBNAME: *dbName

kubernetes/apps/default/authelia/app/helmrelease.yaml

@@ -72,6 +72,8 @@ spec:
               AUTHELIA_THEME: dark
               AUTHELIA_TOTP_ISSUER: authelia.com
               AUTHELIA_WEBAUTHN_DISABLE: "true"
+              X_AUTHELIA_CONFIG: /config/configuration.yaml
+              X_AUTHELIA_CONFIG_FILTERS: template
             envFrom: *envFrom
             args: [--config, /config/configuration.yaml, --config.experimental.filters, expand-env]
             probes: