Enable Authelia OIDC provider
This commit is contained in:
parent
6dbe0f7f45
commit
9d5aeeec96
@ -158,31 +158,7 @@
|
|||||||
"filename": "core/authelia.yml",
|
"filename": "core/authelia.yml",
|
||||||
"hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f",
|
"hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f",
|
||||||
"is_verified": false,
|
"is_verified": false,
|
||||||
"line_number": 182,
|
"line_number": 187,
|
||||||
"is_secret": false
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "Secret Keyword",
|
|
||||||
"filename": "core/authelia.yml",
|
|
||||||
"hashed_secret": "d16a67474cca598880e37d64557f1264586386bd",
|
|
||||||
"is_verified": false,
|
|
||||||
"line_number": 248,
|
|
||||||
"is_secret": false
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "Secret Keyword",
|
|
||||||
"filename": "core/authelia.yml",
|
|
||||||
"hashed_secret": "7e1f5e63ab2c1f926e5fb81cc004dc24af411376",
|
|
||||||
"is_verified": false,
|
|
||||||
"line_number": 249,
|
|
||||||
"is_secret": false
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "Secret Keyword",
|
|
||||||
"filename": "core/authelia.yml",
|
|
||||||
"hashed_secret": "0bb90d739912b79b54b811fec298da9f59008a26",
|
|
||||||
"is_verified": false,
|
|
||||||
"line_number": 304,
|
|
||||||
"is_secret": false
|
"is_secret": false
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
@ -237,5 +213,5 @@
|
|||||||
}
|
}
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"generated_at": "2023-07-07T00:58:58Z"
|
"generated_at": "2023-07-07T07:39:31Z"
|
||||||
}
|
}
|
||||||
|
@ -242,118 +242,9 @@ notifier:
|
|||||||
startup_check_address: test@iamthefij.com
|
startup_check_address: test@iamthefij.com
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
# identity_providers:
|
identity_providers:
|
||||||
##
|
oidc:
|
||||||
## OpenID Connect (Identity Provider)
|
# hmac_secret: <file>
|
||||||
##
|
# issuer_private_key: <file>
|
||||||
## It's recommended you read the documentation before configuration of this section:
|
|
||||||
## https://www.authelia.com/c/oidc
|
|
||||||
# oidc:
|
|
||||||
## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
|
|
||||||
## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
|
|
||||||
# hmac_secret: this_is_a_secret_abc123abc123abc
|
|
||||||
|
|
||||||
## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
|
clients: {{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}
|
||||||
## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
|
|
||||||
# issuer_private_key: |
|
|
||||||
# --- KEY START
|
|
||||||
# --- KEY END
|
|
||||||
|
|
||||||
## The lifespans configure the expiration for these token types.
|
|
||||||
# access_token_lifespan: 1h
|
|
||||||
# authorize_code_lifespan: 1m
|
|
||||||
# id_token_lifespan: 1h
|
|
||||||
# refresh_token_lifespan: 90m
|
|
||||||
|
|
||||||
## Enables additional debug messages.
|
|
||||||
# enable_client_debug_messages: false
|
|
||||||
|
|
||||||
## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
|
|
||||||
## security reasons.
|
|
||||||
# minimum_parameter_entropy: 8
|
|
||||||
|
|
||||||
## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
|
|
||||||
## for security reasons.
|
|
||||||
# enforce_pkce: public_clients_only
|
|
||||||
|
|
||||||
## Cross-Origin Resource Sharing (CORS) settings.
|
|
||||||
# cors:
|
|
||||||
## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
|
|
||||||
# endpoints:
|
|
||||||
# - authorization
|
|
||||||
# - token
|
|
||||||
# - revocation
|
|
||||||
# - introspection
|
|
||||||
# - userinfo
|
|
||||||
|
|
||||||
## List of allowed origins.
|
|
||||||
## Any origin with https is permitted unless this option is configured or the
|
|
||||||
## allowed_origins_from_client_redirect_uris option is enabled.
|
|
||||||
# allowed_origins:
|
|
||||||
# - https://example.com
|
|
||||||
|
|
||||||
## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
|
|
||||||
## provided they have the scheme http or https and do not have the hostname of localhost.
|
|
||||||
# allowed_origins_from_client_redirect_uris: false
|
|
||||||
|
|
||||||
## Clients is a list of known clients and their configuration.
|
|
||||||
# clients:
|
|
||||||
# -
|
|
||||||
## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
|
|
||||||
# id: myapp
|
|
||||||
|
|
||||||
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
|
|
||||||
# description: My Application
|
|
||||||
|
|
||||||
## The client secret is a shared secret between Authelia and the consumer of this client.
|
|
||||||
# secret: this_is_a_secret
|
|
||||||
|
|
||||||
## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
|
|
||||||
## necessary. Read the documentation for more information.
|
|
||||||
## The subject identifier must be the host component of a URL, which is a domain name with an optional port.
|
|
||||||
# sector_identifier: example.com
|
|
||||||
|
|
||||||
## Sets the client to public. This should typically not be set, please see the documentation for usage.
|
|
||||||
# public: false
|
|
||||||
|
|
||||||
## The policy to require for this client; one_factor or two_factor.
|
|
||||||
# authorization_policy: two_factor
|
|
||||||
|
|
||||||
## By default users cannot remember pre-configured consents. Setting this value to a period of time using a
|
|
||||||
## duration notation will enable users to remember consent for this client. The time configured is the amount
|
|
||||||
## of time the pre-configured consent is valid for granting new authorizations to the user.
|
|
||||||
# pre_configured_consent_duration:
|
|
||||||
|
|
||||||
## Audience this client is allowed to request.
|
|
||||||
# audience: []
|
|
||||||
|
|
||||||
## Scopes this client is allowed to request.
|
|
||||||
# scopes:
|
|
||||||
# - openid
|
|
||||||
# - groups
|
|
||||||
# - email
|
|
||||||
# - profile
|
|
||||||
|
|
||||||
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
|
|
||||||
# redirect_uris:
|
|
||||||
# - https://oidc.example.com:8080/oauth2/callback
|
|
||||||
|
|
||||||
## Grant Types configures which grants this client can obtain.
|
|
||||||
## It's not recommended to define this unless you know what you're doing.
|
|
||||||
# grant_types:
|
|
||||||
# - refresh_token
|
|
||||||
# - authorization_code
|
|
||||||
|
|
||||||
## Response Types configures which responses this client can be sent.
|
|
||||||
## It's not recommended to define this unless you know what you're doing.
|
|
||||||
# response_types:
|
|
||||||
# - code
|
|
||||||
|
|
||||||
## Response Modes configures which response modes this client supports.
|
|
||||||
# response_modes:
|
|
||||||
# - form_post
|
|
||||||
# - query
|
|
||||||
# - fragment
|
|
||||||
|
|
||||||
## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
|
|
||||||
# userinfo_signing_algorithm: none
|
|
||||||
|
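Review bot: `clients: {{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}` splices the variable's raw text onto the same line as the key, so the output is only valid YAML when the stored value is a flow-style list or already begins with a newline and carries the indentation of this nesting level; a block-style `- id: …` list stored plainly would not parse. Moving the expansion onto its own line under `clients:` and piping it through `indent` (`{{ .oidc_clients.Value | indent 6 }}`, with the width matched to the file's nesting) makes the template independent of how the value was pasted into the variable. If the variable or the key is missing, `clients:` renders as an empty value, i.e. null, which Authelia will presumably refuse at startup now that the provider is enabled — worth confirming rather than relying on. The two placeholder comments would be more useful pointing at where the values actually come from, e.g. `# hmac_secret and issuer_private_key are supplied via AUTHELIA_IDENTITY_PROVIDERS_OIDC_*_FILE in core/main.tf`.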
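--- a/core/main.tf
+++ b/core/main.tf
@@ -71,6 +71,9 @@ module "authelia" {
 AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
 AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
 AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
+AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/oidc_hmac_secret.txt"
+AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_private_key.txt"
+# AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_certificate_chain.txt"
 }
 
 use_mysql = true
@@ -125,6 +128,24 @@ module "authelia" {
 dest = "mysql_password.txt"
 mount = false
 },
+{
+data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_hmac_secret }}{{ end }}"
+dest_prefix = "$${NOMAD_SECRETS_DIR}"
+dest = "oidc_hmac_secret.txt"
+mount = false
+},
+{
+data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_private_key }}{{ end }}"
+dest_prefix = "$${NOMAD_SECRETS_DIR}"
+dest = "oidc_issuer_private_key.txt"
+mount = false
+},
+{
+data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_certificate_chain }}{{ end }}"
+dest_prefix = "$${NOMAD_SECRETS_DIR}"
+dest = "oidc_issuer_certificate_chain.txt"
+mount = false
+},
 {
 data = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"
 dest_prefix = "$${NOMAD_SECRETS_DIR}"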
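Review bot: The third template block in the second hunk writes `oidc_issuer_certificate_chain.txt` into NOMAD_SECRETS_DIR, but its only consumer, `AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE` in the first hunk, is commented out, so the file is rendered and never read. If the `oidc_issuer_certificate_chain` key is absent from the Nomad variable the template presumably renders an empty file rather than failing — worth confirming, because an empty chain file would only surface as a problem once the env var is enabled. Either drop the block until a chain is actually stored, or keep the two in step with a comment above the commented env var such as `# Chain is optional in Authelia; enable together with the certificate-chain template block below.` The `module "authelia"` block both hunks sit in starts and ends outside the hunks.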