From 907d214b5c0ff43d2b891ccf7628c8ed85c99e0b Mon Sep 17 00:00:00 2001
From: poprhythm
Date: Thu, 26 Feb 2026 19:57:55 +0000
Subject: [PATCH] Fix Authelia OIDC config to use expand-env filter with ${VAR} substitution

- Switch X_AUTHELIA_CONFIG_FILTERS from template to expand-env so ${VAR} syntax in config files is actually substituted
- Add missing env var pass-throughs for OIDC HMAC secret and client secrets
- Update git config client_secret fields to use ${VAR} syntax (matching host)
- Update .env.example to document all required Portainer env vars
---
 authelia/.env.example | 21 ++++++++++++---------
 authelia/config/configuration.yaml | 4 ++--
 authelia/docker-compose.yml | 6 +++++-
 3 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/authelia/.env.example b/authelia/.env.example
index a0d3507..407abe8 100644
--- a/authelia/.env.example
+++ b/authelia/.env.example
@@ -1,15 +1,18 @@
-# Authelia secrets — generate values with:
-# openssl rand -hex 32 (for JWT and session secrets)
-# openssl rand -hex 16 (for storage encryption key)
+# Authelia secrets — set all of these in Portainer stack environment variables
+# Generate random values with: openssl rand -hex 32
+
+# Core secrets
 AUTHELIA_JWT_SECRET=
 AUTHELIA_SESSION_SECRET=
 AUTHELIA_STORAGE_ENCRYPTION_KEY=
-# OIDC HMAC secret (top-level key, env var works here)
+# OIDC HMAC secret (signs OIDC tokens)
 AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=
-# OIDC client secrets are stored as PBKDF2-SHA512 hashes in secret files on the host:
-# /srv/authelia/config/secrets/oidc_linkding
-# /srv/authelia/config/secrets/oidc_open_webui
-# Generate a hash: docker run --rm authelia/authelia:4.38 authelia crypto hash generate pbkdf2 --variant sha512 --password
-# The plaintext goes in the client app (e.g. LINKDING_OIDC_CLIENT_SECRET in linkding stack)
+# OIDC client secrets — store as bcrypt hashes here, plaintext in each client app
+# Generate hash: docker run --rm authelia/authelia:4.38 authelia crypto hash generate bcrypt --password
+AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI=
+AUTHELIA_OIDC_CLIENT_SECRET_LINKDING=
+
+# Note: the OIDC JWK private key is managed directly in /srv/authelia/config/configuration.yml
+# (never committed to git). See the inline comment in that file.
diff --git a/authelia/config/configuration.yaml b/authelia/config/configuration.yaml
index 2b95083..e4dc424 100644
--- a/authelia/config/configuration.yaml
+++ b/authelia/config/configuration.yaml
@@ -65,7 +65,7 @@ identity_providers:
 clients:
 - client_id: open-webui
 client_name: Open WebUI
-client_secret: '{{ secret "/config/secrets/oidc_open_webui" }}'
+client_secret: '${AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI}'
 public: false
 authorization_policy: one_factor
 token_endpoint_auth_method: client_secret_post
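Review bot: The new `# OIDC client secrets — store as bcrypt hashes here` guidance tells operators to put a bcrypt string into a stack environment variable, but bcrypt output has the form `$2b$12$...` and the value passes through Docker Compose / Portainer `${VAR}` handling before Authelia sees it, so depending on the Compose version each `$` is either rejected as an invalid interpolation at deploy time or consumed as a variable reference and the hash quietly truncated, after which the client fails `client_secret_post` authentication with no obvious cause. Whether escaping is required depends on how Portainer injects the variables (a `.env`/stack file that Compose interpolates needs `$$` for a literal `$`), so I would add a line after the generate command: `# If the hash goes into a .env/stack file that Compose interpolates, write every $ as $$`. The closing note also points at `/srv/authelia/config/configuration.yml` while the file tracked in this repo is `configuration.yaml`; confirm the host path or align the extension so operators edit the right file.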
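Review bot: `client_secret: '${AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI}'` makes a confidential client (`public: false`, `client_secret_post`) depend on a variable that the expand-env filter, as far as I know, replaces with an empty string when unset, so a missing Portainer variable yields `client_secret: ''` rather than a parse failure; confirm Authelia's startup validation rejects that rather than registering the client, and document the dependency above the line with `# Hashed secret, injected from AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI by the expand-env filter (see .env.example)`. The removed `{{ secret "/config/secrets/..." }}` form read the hash from a file, whereas the new form exposes it through the container environment (`docker inspect`, Portainer stack view); a bcrypt hash is lower-risk than the plaintext JWT/HMAC secrets already passed the same way, but the trade-off deserves a sentence in the commit message or config. The same change at the linkding client in the `@@ -79,7 +79,7 @@` hunk has the same considerations. The enclosing `clients` list under `identity_providers` begins before this hunk and continues after it.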
@@ -79,7 +79,7 @@ identity_providers:
 - client_id: linkding
 client_name: Linkding
-client_secret: '{{ secret "/config/secrets/oidc_linkding" }}'
+client_secret: '${AUTHELIA_OIDC_CLIENT_SECRET_LINKDING}'
 public: false
 authorization_policy: one_factor
 token_endpoint_auth_method: client_secret_post
diff --git a/authelia/docker-compose.yml b/authelia/docker-compose.yml
index 03466e9..5bc2cec 100644
--- a/authelia/docker-compose.yml
+++ b/authelia/docker-compose.yml
@@ -10,7 +10,11 @@ services:
 - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
 - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
 - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
- - X_AUTHELIA_CONFIG_FILTERS=template
+ - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=${AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}
+ - AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI=${AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI}
+ - AUTHELIA_OIDC_CLIENT_SECRET_LINKDING=${AUTHELIA_OIDC_CLIENT_SECRET_LINKDING}
+ # expand-env substitutes ${VAR} in config files; use template filter only if Go template syntax needed
+ - X_AUTHELIA_CONFIG_FILTERS=expand-env
 networks:
 - npm-network
 - authelia-internal
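Review bot: Switching `X_AUTHELIA_CONFIG_FILTERS` from `template` to `expand-env` stops evaluating every `{{ ... }}` expression in the mounted config, not only the two `client_secret` lines this commit converts; any template call left elsewhere in configuration.yaml (outside the hunks shown) becomes a literal string, and, as far as I recall, any literal `$` in the config must now be written `$$` or it is expanded. If both syntaxes are needed, Authelia takes this variable as a comma-separated list, so `- X_AUTHELIA_CONFIG_FILTERS=expand-env,template` keeps existing template functions working while enabling `${VAR}` substitution. The new inline comment would be more useful if it recorded that: `# expand-env substitutes ${VAR} (escape a literal $ as $$); append ",template" if any {{ }} template functions remain in the config`. The `environment:` list containing these entries begins before the hunk.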