Fix Authelia OIDC config to use expand-env filter with ${VAR} substitution

- Switch X_AUTHELIA_CONFIG_FILTERS from template to expand-env so ${VAR}
  syntax in config files is actually substituted
- Add missing env var pass-throughs for OIDC HMAC secret and client secrets
- Update git config client_secret fields to use ${VAR} syntax (matching host)
- Update .env.example to document all required Portainer env vars

authelia/.env.example

@@ -1,15 +1,18 @@
-# Authelia secrets — generate values with:
-#   openssl rand -hex 32   (for JWT and session secrets)
-#   openssl rand -hex 16   (for storage encryption key)
+# Authelia secrets — set all of these in Portainer stack environment variables
+# Generate random values with: openssl rand -hex 32
+
+# Core secrets
 AUTHELIA_JWT_SECRET=
 AUTHELIA_SESSION_SECRET=
 AUTHELIA_STORAGE_ENCRYPTION_KEY=
 
-# OIDC HMAC secret (top-level key, env var works here)
+# OIDC HMAC secret (signs OIDC tokens)
 AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=
 
-# OIDC client secrets are stored as PBKDF2-SHA512 hashes in secret files on the host:
-#   /srv/authelia/config/secrets/oidc_linkding
-#   /srv/authelia/config/secrets/oidc_open_webui
-# Generate a hash: docker run --rm authelia/authelia:4.38 authelia crypto hash generate pbkdf2 --variant sha512 --password <secret>
-# The plaintext goes in the client app (e.g. LINKDING_OIDC_CLIENT_SECRET in linkding stack)
+# OIDC client secrets — store as bcrypt hashes here, plaintext in each client app
+# Generate hash: docker run --rm authelia/authelia:4.38 authelia crypto hash generate bcrypt --password <plaintext>
+AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI=
+AUTHELIA_OIDC_CLIENT_SECRET_LINKDING=
+
+# Note: the OIDC JWK private key is managed directly in /srv/authelia/config/configuration.yml
+# (never committed to git). See the inline comment in that file.