homelab/docker-infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix Authelia OIDC client secrets using template secret files

Browse Source 
- Switch from unsupported \${VAR} substitution to {{ secret "..." }} template syntax
- Enable X_AUTHELIA_CONFIG_FILTERS=template in compose
- Client secrets now loaded from /config/secrets/oidc_* files on host
- Use PBKDF2-SHA512 hashes (not bcrypt, not plaintext)
This commit is contained in:
poprhythm
2026-02-26 02:04:52 +00:00
parent 0ce030275b
commit 5e91f0c68b
3 changed files with 10 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
authelia/.env.example
+7 -3
View File
@@ -5,7 +5,11 @@ AUTHELIA_JWT_SECRET=
AUTHELIA_SESSION_SECRET=
AUTHELIA_STORAGE_ENCRYPTION_KEY=
# OIDC client secrets — generate with: openssl rand -hex 32
# OIDC HMAC secret (top-level key, env var works here)
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=
AUTHELIA_OIDC_CLIENT_SECRET_LINKDING=
AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI=
# OIDC client secrets are stored as PBKDF2-SHA512 hashes in secret files on the host:
# /srv/authelia/config/secrets/oidc_linkding
# /srv/authelia/config/secrets/oidc_open_webui
# Generate a hash: docker run --rm authelia/authelia:4.38 authelia crypto hash generate pbkdf2 --variant sha512 --password <secret>
# The plaintext goes in the client app (e.g. LINKDING_OIDC_CLIENT_SECRET in linkding stack)
authelia/config/configuration.yaml
+2 -2
View File
@@ -65,7 +65,7 @@ identity_providers:
clients:
- client_id: open-webui
client_name: Open WebUI
client_secret: '${AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI}'
client_secret: '{{ secret "/config/secrets/oidc_open_webui" }}'
public: false
authorization_policy: one_factor
token_endpoint_auth_method: client_secret_post
@@ -79,7 +79,7 @@ identity_providers:
- client_id: linkding
client_name: Linkding
client_secret: '${AUTHELIA_OIDC_CLIENT_SECRET_LINKDING}'
client_secret: '{{ secret "/config/secrets/oidc_linkding" }}'
public: false
authorization_policy: one_factor
token_endpoint_auth_method: client_secret_post
authelia/docker-compose.yml
+1
View File
@@ -10,6 +10,7 @@ services:
- AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
- AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
- AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
- X_AUTHELIA_CONFIG_FILTERS=template
networks:
- npm-network
- authelia-internal