Enable Authelia OIDC provider
This commit is contained in:
parent
6dbe0f7f45
commit
9d5aeeec96
@ -158,31 +158,7 @@
|
||||
"filename": "core/authelia.yml",
|
||||
"hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f",
|
||||
"is_verified": false,
|
||||
"line_number": 182,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": "core/authelia.yml",
|
||||
"hashed_secret": "d16a67474cca598880e37d64557f1264586386bd",
|
||||
"is_verified": false,
|
||||
"line_number": 248,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": "core/authelia.yml",
|
||||
"hashed_secret": "7e1f5e63ab2c1f926e5fb81cc004dc24af411376",
|
||||
"is_verified": false,
|
||||
"line_number": 249,
|
||||
"is_secret": false
|
||||
},
|
||||
{
|
||||
"type": "Secret Keyword",
|
||||
"filename": "core/authelia.yml",
|
||||
"hashed_secret": "0bb90d739912b79b54b811fec298da9f59008a26",
|
||||
"is_verified": false,
|
||||
"line_number": 304,
|
||||
"line_number": 187,
|
||||
"is_secret": false
|
||||
}
|
||||
],
|
||||
@ -237,5 +213,5 @@
|
||||
}
|
||||
]
|
||||
},
|
||||
"generated_at": "2023-07-07T00:58:58Z"
|
||||
"generated_at": "2023-07-07T07:39:31Z"
|
||||
}
|
||||
|
@ -157,7 +157,7 @@ access_control:
|
||||
networks:
|
||||
- internal
|
||||
policy: one_factor
|
||||
|
||||
|
||||
- domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
|
||||
policy: two_factor
|
||||
|
||||
@ -242,118 +242,9 @@ notifier:
|
||||
startup_check_address: test@iamthefij.com
|
||||
{{- end }}
|
||||
|
||||
# identity_providers:
|
||||
##
|
||||
## OpenID Connect (Identity Provider)
|
||||
##
|
||||
## It's recommended you read the documentation before configuration of this section:
|
||||
## https://www.authelia.com/c/oidc
|
||||
# oidc:
|
||||
## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
|
||||
## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
|
||||
# hmac_secret: this_is_a_secret_abc123abc123abc
|
||||
identity_providers:
|
||||
oidc:
|
||||
# hmac_secret: <file>
|
||||
# issuer_private_key: <file>
|
||||
|
||||
## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
|
||||
## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
|
||||
# issuer_private_key: |
|
||||
# --- KEY START
|
||||
# --- KEY END
|
||||
|
||||
## The lifespans configure the expiration for these token types.
|
||||
# access_token_lifespan: 1h
|
||||
# authorize_code_lifespan: 1m
|
||||
# id_token_lifespan: 1h
|
||||
# refresh_token_lifespan: 90m
|
||||
|
||||
## Enables additional debug messages.
|
||||
# enable_client_debug_messages: false
|
||||
|
||||
## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
|
||||
## security reasons.
|
||||
# minimum_parameter_entropy: 8
|
||||
|
||||
## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
|
||||
## for security reasons.
|
||||
# enforce_pkce: public_clients_only
|
||||
|
||||
## Cross-Origin Resource Sharing (CORS) settings.
|
||||
# cors:
|
||||
## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
|
||||
# endpoints:
|
||||
# - authorization
|
||||
# - token
|
||||
# - revocation
|
||||
# - introspection
|
||||
# - userinfo
|
||||
|
||||
## List of allowed origins.
|
||||
## Any origin with https is permitted unless this option is configured or the
|
||||
## allowed_origins_from_client_redirect_uris option is enabled.
|
||||
# allowed_origins:
|
||||
# - https://example.com
|
||||
|
||||
## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
|
||||
## provided they have the scheme http or https and do not have the hostname of localhost.
|
||||
# allowed_origins_from_client_redirect_uris: false
|
||||
|
||||
## Clients is a list of known clients and their configuration.
|
||||
# clients:
|
||||
# -
|
||||
## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
|
||||
# id: myapp
|
||||
|
||||
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
|
||||
# description: My Application
|
||||
|
||||
## The client secret is a shared secret between Authelia and the consumer of this client.
|
||||
# secret: this_is_a_secret
|
||||
|
||||
## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
|
||||
## necessary. Read the documentation for more information.
|
||||
## The subject identifier must be the host component of a URL, which is a domain name with an optional port.
|
||||
# sector_identifier: example.com
|
||||
|
||||
## Sets the client to public. This should typically not be set, please see the documentation for usage.
|
||||
# public: false
|
||||
|
||||
## The policy to require for this client; one_factor or two_factor.
|
||||
# authorization_policy: two_factor
|
||||
|
||||
## By default users cannot remember pre-configured consents. Setting this value to a period of time using a
|
||||
## duration notation will enable users to remember consent for this client. The time configured is the amount
|
||||
## of time the pre-configured consent is valid for granting new authorizations to the user.
|
||||
# pre_configured_consent_duration:
|
||||
|
||||
## Audience this client is allowed to request.
|
||||
# audience: []
|
||||
|
||||
## Scopes this client is allowed to request.
|
||||
# scopes:
|
||||
# - openid
|
||||
# - groups
|
||||
# - email
|
||||
# - profile
|
||||
|
||||
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
|
||||
# redirect_uris:
|
||||
# - https://oidc.example.com:8080/oauth2/callback
|
||||
|
||||
## Grant Types configures which grants this client can obtain.
|
||||
## It's not recommended to define this unless you know what you're doing.
|
||||
# grant_types:
|
||||
# - refresh_token
|
||||
# - authorization_code
|
||||
|
||||
## Response Types configures which responses this client can be sent.
|
||||
## It's not recommended to define this unless you know what you're doing.
|
||||
# response_types:
|
||||
# - code
|
||||
|
||||
## Response Modes configures which response modes this client supports.
|
||||
# response_modes:
|
||||
# - form_post
|
||||
# - query
|
||||
# - fragment
|
||||
|
||||
## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
|
||||
# userinfo_signing_algorithm: none
|
||||
clients: {{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}
|
||||
|
33
core/main.tf
33
core/main.tf
@ -65,12 +65,15 @@ module "authelia" {
|
||||
service_port = 9091
|
||||
# metrics_port = 9959
|
||||
env = {
|
||||
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
|
||||
AUTHELIA_JWT_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
|
||||
AUTHELIA_SESSION_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
|
||||
AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
|
||||
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
|
||||
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
|
||||
AUTHELIA_JWT_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
|
||||
AUTHELIA_SESSION_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
|
||||
AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
|
||||
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "$${NOMAD_SECRETS_DIR}/oidc_hmac_secret.txt"
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_private_key.txt"
|
||||
# AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_certificate_chain.txt"
|
||||
}
|
||||
|
||||
use_mysql = true
|
||||
@ -125,6 +128,24 @@ module "authelia" {
|
||||
dest = "mysql_password.txt"
|
||||
mount = false
|
||||
},
|
||||
{
|
||||
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_hmac_secret }}{{ end }}"
|
||||
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
||||
dest = "oidc_hmac_secret.txt"
|
||||
mount = false
|
||||
},
|
||||
{
|
||||
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_private_key }}{{ end }}"
|
||||
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
||||
dest = "oidc_issuer_private_key.txt"
|
||||
mount = false
|
||||
},
|
||||
{
|
||||
data = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_certificate_chain }}{{ end }}"
|
||||
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
||||
dest = "oidc_issuer_certificate_chain.txt"
|
||||
mount = false
|
||||
},
|
||||
{
|
||||
data = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"
|
||||
dest_prefix = "$${NOMAD_SECRETS_DIR}"
|
||||
|
Loading…
Reference in New Issue
Block a user