oauth2_authelia.adoc 3.3 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879
  1. = OAuth2 - Authelia
  2. Notes contributed by a member of the OliveTin community - many thanks Phampyk!
  3. [source,yaml]
  4. .Authelia code
  5. ----
  6. identity_providers:
  7. oidc:
  8. hmac_secret: "xxxxxx"
  9. jwks:
  10. - key_id: "primary"
  11. algorithm: "RS256"
  12. use: "sig"
  13. key: |
  14. -----BEGIN PRIVATE KEY-----
  15. xxxxxxxxxxxxxxxxxxxxxxxxxx
  16. -----END PRIVATE KEY-----
  17. clients:
  18. - client_id: "olivetin"
  19. client_name: "OliveTin"
  20. client_secret: "xxxxxxxxxxxxxxxxx"
  21. redirect_uris:
  22. - "https://olivetin.hostname.com/oauth/callback"
  23. scopes:
  24. - openid
  25. - profile
  26. consent_mode: implicit
  27. ----
  28. * hmac_secret generated with `openssl rand -hex 64 or can be authelia crypto rand --length 64 --charset alphanumeric` link:https://www.authelia.com/reference/guides/generating-secure-values/#generating-a-random-alphanumeric-string[Source]
  29. * Private key generated with `openssl genrsa -out oidc.key 2048 and openssl rsa -in oidc.key -pubout -out oidc.pub` but only used the oidc.key here
  30. * client_id olivetin is for the example, as per authelia docs the recomendation is a random string generated with `authelia authelia crypto rand --length 72 --charset rfc3986` link:https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-id--identifier[Source]
  31. * consent_mode I had to set this one up as implicit or every time I loged in it was an extra step where you had to authorize OliveTin to access profile and openid. link:https://www.authelia.com/configuration/identity-providers/openid-connect/clients/#consent_mode[Source]
  32. * client_secret is recommended in the docs to be generated with `authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986` and it gives you the password (Random password on the example) and the hash (Digest on the example). Olivetin needs the password and Authelia the hash link:https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-secret[Source]
  33. ----
  34. Random Password: JxMbHrQgmykaVm2n0p_5q6P_YoZG_YdRWvHxHbVJ5Alv.Ni3OJPVPHEJ6Tfw_AklrwayFl39
  35. Digest: $pbkdf2-sha512$310000$yQogpMZvkHoAmOBGiIHVJQ$hxKuvar6Q6pOlkdzQBMWq1i5WjXcBA3rvuXxeylvLeTuKI/hLVeZsM43R5TWejZ6gBp/OH8yy1hWytiohLQh5w
  36. ----
  37. == OliveTin config
  38. [source,yaml]
  39. ----
  40. authRequireGuestsToLogin: true
  41. authOAuth2RedirectURL: https://olivetin.hostname.com/oauth/callback
  42. authOAuth2Providers:
  43. authelia:
  44. name: authelia
  45. title: Authelia
  46. clientID: olivetin #same as authelia
  47. clientSecret: xxxxxxx #same as authelia but not hashed
  48. authURL: https://authelia.hostname.com/api/oidc/authorization
  49. tokenURL: https://authelia.hostname.com/api/oidc/token
  50. whoamiUrl: https://authelia.hostname.com/api/oidc/userinfo
  51. scopes:
  52. - openid
  53. - profile
  54. usernameField: preferred_username
  55. icon: <iconify-icon icon="simple-icons:authelia"></iconify-icon>
  56. accessControlLists:
  57. - name: john #same as authelia
  58. matchUserNames:
  59. - john
  60. permissions:
  61. view: true
  62. exec: true
  63. logs: true
  64. addToEveryAction: true
  65. ----
  66. == Next steps
  67. Once you have OAuth2 working, you will probably want to configure access control lists in OliveTin. This is described in the xref:security/acl.adoc[Access Control Lists] documentation page.