From 696398a8635b4c3b94c1bd5cc2f8280b1a271d2d Mon Sep 17 00:00:00 2001
From: poprhythm
Date: Thu, 26 Feb 2026 20:49:19 +0000
Subject: [PATCH] Document OIDC JWK key handling in git config path:// scheme not supported for key field in Authelia 4.38. Host copy inlines the PEM as a YAML block scalar written via Python.
---
 authelia/config/configuration.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/authelia/config/configuration.yaml b/authelia/config/configuration.yaml
index 2b95083..a2c2c48 100644
--- a/authelia/config/configuration.yaml
+++ b/authelia/config/configuration.yaml
@@ -59,9 +59,10 @@ identity_providers:
 - key_id: main
 algorithm: RS256
 use: sig
- # key: HOST-MANAGED — inline /srv/authelia/config/oidc.key contents here in the
- # host copy (/srv/authelia/config/configuration.yml). Never commit the key to git.
- # Generate with: openssl genrsa -out /srv/authelia/config/oidc.key 4096
+ # key is host-managed — never commit to git
+ # Host copy inlines the PEM content as a YAML block scalar (key: |)
+ # using Python to avoid shell $ interpolation of the PEM content.
+ # Generate with: openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /srv/authelia/config/oidc.key
 clients:
 - client_id: open-webui
 client_name: Open WebUI
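Review bot: The rewritten comment under `use: sig` tells the operator to inline the PEM into the host copy but never says that the host configuration file then becomes as sensitive as `oidc.key` itself, and it drops the host-copy path that the old comment named. I would add a line such as `# Host copy then holds the private key: keep it mode 0600, readable only by the Authelia user, and treat its backups as secrets.` The reason for inlining appears only in the commit message (the key field not accepting a path:// reference in Authelia 4.38); one comment line recording it would let the workaround be revisited on upgrade. If the deployment can enable Authelia's configuration template filter, reading the key from a separate file may avoid inlining altogether, which should be confirmed against the deployed version. "using Python" names no script or command, so the step cannot be reproduced from this file alone; the `identity_providers` mapping starts and continues outside the hunk.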