From d0037cf4cd6b025736a74d316ceeae5ae5012f3c Mon Sep 17 00:00:00 2001
From: poprhythm
Date: Mon, 23 Feb 2026 18:45:33 +0000
Subject: [PATCH] Add Linkding OIDC via Authelia, fix jwks key name in config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- linkding: add OIDC env vars pointing to Authelia as identity provider
- authelia/config: fix issuer_private_keys → jwks (correct key for 4.38.x) and replace non-functional template function with host-managed note
---
 authelia/config/configuration.yaml | 25 +++++++++++++++++++++++++
 linkding/docker-compose.yaml | 9 +++++++++
 2 files changed, 34 insertions(+)
diff --git a/authelia/config/configuration.yaml b/authelia/config/configuration.yaml
index 7c29d0f..639ab5d 100644
--- a/authelia/config/configuration.yaml
+++ b/authelia/config/configuration.yaml
@@ -51,3 +51,28 @@ regulation:
 max_retries: 3
 find_time: 2m
 ban_time: 5m
+
+identity_providers:
+ oidc:
+ hmac_secret: ${AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}
+ jwks:
+ - key_id: main
+ algorithm: RS256
+ use: sig
+ # key: HOST-MANAGED — inline /srv/authelia/config/oidc.key contents here in the
+ # host copy (/srv/authelia/config/configuration.yml). Never commit the key to git.
+ # Generate with: openssl genrsa -out /srv/authelia/config/oidc.key 4096
+ clients:
+ - client_id: linkding
+ client_name: Linkding
+ client_secret: '${AUTHELIA_OIDC_CLIENT_SECRET_LINKDING}'
+ public: false
+ authorization_policy: one_factor
+ redirect_uris:
+ - https://linkding.kolpacksoftware.com/oidc/callback/
+ scopes:
+ - openid
+ - profile
+ - email
+ - groups
+ userinfo_signed_response_alg: none
diff --git a/linkding/docker-compose.yaml b/linkding/docker-compose.yaml
index d071406..f2d065e 100644
--- a/linkding/docker-compose.yaml
+++ b/linkding/docker-compose.yaml
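Review bot: The `${...}` values at `hmac_secret` and `client_secret` in authelia/config/configuration.yaml become the real secrets if nothing expands them before Authelia parses the file, and this hunk shows no config filter being enabled; unexpanded, both secrets would be the literal strings committed here. Supplying the HMAC secret through Authelia's file-based secret variable (`AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE`) removes the dependency on expansion. Authelia recommends storing `client_secret` as a digest rather than plaintext, e.g. `client_secret: '$pbkdf2-sha512$<digest-placeholder>'`, so that only the Linkding side (`LD_OIDC_RP_CLIENT_SECRET` in the docker-compose hunk) holds the plaintext value. Separately, `authorization_policy: one_factor` lets a password alone reach Linkding; `authorization_policy: two_factor` is the stricter setting if a second factor is already enrolled for these users.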
@@ -10,6 +10,15 @@ services:
 - VIRTUAL_HOST=linkding.kolpacksoftware.com
 - VIRTUAL_PORT=9090
 - LETSENCRYPT_HOST=linkding.kolpacksoftware.com
+ # Authelia OIDC
+ - LD_ENABLE_OIDC=True
+ - LD_OIDC_OP_AUTHORIZATION_ENDPOINT=https://auth.kolpacksoftware.com/api/oidc/authorization
+ - LD_OIDC_OP_TOKEN_ENDPOINT=https://auth.kolpacksoftware.com/api/oidc/token
+ - LD_OIDC_OP_USER_ENDPOINT=https://auth.kolpacksoftware.com/api/oidc/userinfo
+ - LD_OIDC_OP_JWKS_ENDPOINT=https://auth.kolpacksoftware.com/jwks.json
+ - LD_OIDC_RP_CLIENT_ID=linkding
+ - LD_OIDC_RP_CLIENT_SECRET=${LINKDING_OIDC_CLIENT_SECRET}
+ - LD_OIDC_RP_SIGN_ALGO=RS256
 restart: unless-stopped
 networks: