Fix Authelia OIDC config to use expand-env filter with ${VAR} substitution

- Switch X_AUTHELIA_CONFIG_FILTERS from template to expand-env so ${VAR} syntax in config files is actually substituted - Add missing env var pass-throughs for OIDC HMAC secret and client secrets - Update git config client_secret fields to use ${VAR} syntax (matching host) - Update .env.example to document all required Portainer env vars
2026-02-26 19:57:55 +00:00
parent 6e62d9ba2f
commit 907d214b5c
3 changed files with 19 additions and 12 deletions
@@ -1,15 +1,18 @@
-# Authelia secrets — generate values with:
-#   openssl rand -hex 32   (for JWT and session secrets)
-#   openssl rand -hex 16   (for storage encryption key)
+# Authelia secrets — set all of these in Portainer stack environment variables
+# Generate random values with: openssl rand -hex 32
+
+# Core secrets
 AUTHELIA_JWT_SECRET=
 AUTHELIA_SESSION_SECRET=
 AUTHELIA_STORAGE_ENCRYPTION_KEY=

-# OIDC HMAC secret (top-level key, env var works here)
+# OIDC HMAC secret (signs OIDC tokens)
 AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=

-# OIDC client secrets are stored as PBKDF2-SHA512 hashes in secret files on the host:
-#   /srv/authelia/config/secrets/oidc_linkding
-#   /srv/authelia/config/secrets/oidc_open_webui
-# Generate a hash: docker run --rm authelia/authelia:4.38 authelia crypto hash generate pbkdf2 --variant sha512 --password <secret>
-# The plaintext goes in the client app (e.g. LINKDING_OIDC_CLIENT_SECRET in linkding stack)
+# OIDC client secrets — store as bcrypt hashes here, plaintext in each client app
+# Generate hash: docker run --rm authelia/authelia:4.38 authelia crypto hash generate bcrypt --password <plaintext>
+AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI=
+AUTHELIA_OIDC_CLIENT_SECRET_LINKDING=
+
+# Note: the OIDC JWK private key is managed directly in /srv/authelia/config/configuration.yml
+# (never committed to git). See the inline comment in that file.
@@ -65,7 +65,7 @@ identity_providers:
    clients:
      - client_id: open-webui
        client_name: Open WebUI
-        client_secret: '{{ secret "/config/secrets/oidc_open_webui" }}'
+        client_secret: '${AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI}'
        public: false
        authorization_policy: one_factor
        token_endpoint_auth_method: client_secret_post
@@ -79,7 +79,7 @@ identity_providers:

      - client_id: linkding
        client_name: Linkding
-        client_secret: '{{ secret "/config/secrets/oidc_linkding" }}'
+        client_secret: '${AUTHELIA_OIDC_CLIENT_SECRET_LINKDING}'
        public: false
        authorization_policy: one_factor
        token_endpoint_auth_method: client_secret_post
@@ -10,7 +10,11 @@ services:
      - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
      - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
      - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
-      - X_AUTHELIA_CONFIG_FILTERS=template
+      - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=${AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}
+      - AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI=${AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI}
+      - AUTHELIA_OIDC_CLIENT_SECRET_LINKDING=${AUTHELIA_OIDC_CLIENT_SECRET_LINKDING}
+      # expand-env substitutes ${VAR} in config files; use template filter only if Go template syntax needed
+      - X_AUTHELIA_CONFIG_FILTERS=expand-env
    networks:
      - npm-network
      - authelia-internal