Enable Authelia OIDC provider

2023-07-07 00:39:44 -07:00 · 2023-07-07 00:39:44 -07:00 · 9d5aeeec96
commit 9d5aeeec96
parent 6dbe0f7f45
3 changed files with 35 additions and 147 deletions
--- a/.secrets-baseline
+++ b/.secrets-baseline
@ -158,31 +158,7 @@
        "filename": "core/authelia.yml",
        "hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f",
        "is_verified": false,
-        "line_number": 182,
+        "line_number": 187,
        "is_secret": false
      },
      {
        "type": "Secret Keyword",
        "filename": "core/authelia.yml",
        "hashed_secret": "d16a67474cca598880e37d64557f1264586386bd",
        "is_verified": false,
        "line_number": 248,
        "is_secret": false
      },
      {
        "type": "Secret Keyword",
        "filename": "core/authelia.yml",
        "hashed_secret": "7e1f5e63ab2c1f926e5fb81cc004dc24af411376",
        "is_verified": false,
        "line_number": 249,
        "is_secret": false
      },
      {
        "type": "Secret Keyword",
        "filename": "core/authelia.yml",
        "hashed_secret": "0bb90d739912b79b54b811fec298da9f59008a26",
        "is_verified": false,
        "line_number": 304,
        "is_secret": false
      }
    ],
@ -237,5 +213,5 @@
      }
    ]
  },
-  "generated_at": "2023-07-07T00:58:58Z"
+  "generated_at": "2023-07-07T07:39:31Z"
 }
--- a/core/authelia.yml
+++ b/core/authelia.yml
@ -157,7 +157,7 @@ access_control:
      networks:
        - internal
      policy: one_factor
- 
+
    - domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
      policy: two_factor
@ -242,118 +242,9 @@ notifier:
    startup_check_address: test@iamthefij.com
 {{- end }}
-# identity_providers:
+identity_providers:
-  ##
+  oidc:
-  ## OpenID Connect (Identity Provider)
+    # hmac_secret: <file>
-  ##
+    # issuer_private_key: <file>
  ## It's recommended you read the documentation before configuration of this section:
  ## https://www.authelia.com/c/oidc
  # oidc:
    ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
    ## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
    # hmac_secret: this_is_a_secret_abc123abc123abc
-    ## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
+    clients: {{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}
    ## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
    # issuer_private_key: |
    #   --- KEY START
    #   --- KEY END
    ## The lifespans configure the expiration for these token types.
    # access_token_lifespan: 1h
    # authorize_code_lifespan: 1m
    # id_token_lifespan: 1h
    # refresh_token_lifespan: 90m
    ## Enables additional debug messages.
    # enable_client_debug_messages: false
    ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
    ## security reasons.
    # minimum_parameter_entropy: 8
    ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
    ## for security reasons.
    # enforce_pkce: public_clients_only
    ## Cross-Origin Resource Sharing (CORS) settings.
    # cors:
      ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
      # endpoints:
      #    - authorization
      #    - token
      #    - revocation
      #    - introspection
      #    - userinfo
      ## List of allowed origins.
      ## Any origin with https is permitted unless this option is configured or the
      ## allowed_origins_from_client_redirect_uris option is enabled.
      # allowed_origins:
      #   - https://example.com
      ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
      ## provided they have the scheme http or https and do not have the hostname of localhost.
      # allowed_origins_from_client_redirect_uris: false
    ## Clients is a list of known clients and their configuration.
    # clients:
      # -
        ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
        # id: myapp
        ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
        # description: My Application
        ## The client secret is a shared secret between Authelia and the consumer of this client.
        # secret: this_is_a_secret
        ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
        ## necessary. Read the documentation for more information.
        ## The subject identifier must be the host component of a URL, which is a domain name with an optional port.
        # sector_identifier: example.com
        ## Sets the client to public. This should typically not be set, please see the documentation for usage.
        # public: false
        ## The policy to require for this client; one_factor or two_factor.
        # authorization_policy: two_factor
        ## By default users cannot remember pre-configured consents. Setting this value to a period of time using a
        ## duration notation will enable users to remember consent for this client. The time configured is the amount
        ## of time the pre-configured consent is valid for granting new authorizations to the user.
        # pre_configured_consent_duration:
        ## Audience this client is allowed to request.
        # audience: []
        ## Scopes this client is allowed to request.
        # scopes:
          # - openid
          # - groups
          # - email
          # - profile
        ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
        # redirect_uris:
        # - https://oidc.example.com:8080/oauth2/callback
        ## Grant Types configures which grants this client can obtain.
        ## It's not recommended to define this unless you know what you're doing.
        # grant_types:
          # - refresh_token
          # - authorization_code
        ## Response Types configures which responses this client can be sent.
        ## It's not recommended to define this unless you know what you're doing.
        # response_types:
          # - code
        ## Response Modes configures which response modes this client supports.
        # response_modes:
          # - form_post
          # - query
          # - fragment
        ## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
        # userinfo_signing_algorithm: none
--- a/core/main.tf
+++ b/core/main.tf
@ -65,12 +65,15 @@ module "authelia" {
  service_port = 9091
  # metrics_port = 9959
  env = {
-    AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
+    AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE       = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
-    AUTHELIA_JWT_SECRET_FILE                           = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
+    AUTHELIA_JWT_SECRET_FILE                                 = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
-    AUTHELIA_SESSION_SECRET_FILE                       = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
+    AUTHELIA_SESSION_SECRET_FILE                             = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
-    AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE               = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
+    AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE                     = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
-    AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE               = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
+    AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE                     = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
-    AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE               = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
+    AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE                     = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
    AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE        = "$${NOMAD_SECRETS_DIR}/oidc_hmac_secret.txt"
    AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_private_key.txt"
    # AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE  = "$${NOMAD_SECRETS_DIR}/oidc_issuer_certificate_chain.txt"
  }
  use_mysql = true
@ -125,6 +128,24 @@ module "authelia" {
      dest        = "mysql_password.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_hmac_secret }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "oidc_hmac_secret.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_private_key }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "oidc_issuer_private_key.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_certificate_chain }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "oidc_issuer_certificate_chain.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"