diff --git a/authelia/.env.example b/authelia/.env.example
index 407abe8..857c3f5 100644
--- a/authelia/.env.example
+++ b/authelia/.env.example
@@ -1,18 +1,26 @@
 # Authelia secrets — set all of these in Portainer stack environment variables
 # Generate random values with: openssl rand -hex 32
 
-# Core secrets
+# Core secrets (safe as env vars — no $ signs in values)
 AUTHELIA_JWT_SECRET=
 AUTHELIA_SESSION_SECRET=
 AUTHELIA_STORAGE_ENCRYPTION_KEY=
 
-# OIDC HMAC secret (signs OIDC tokens)
+# OIDC HMAC secret (safe as env var — hex string, no $ signs)
 AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=
 
-# OIDC client secrets — store as bcrypt hashes here, plaintext in each client app
-# Generate hash: docker run --rm authelia/authelia:4.38 authelia crypto hash generate bcrypt --password
-AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI=
-AUTHELIA_OIDC_CLIENT_SECRET_LINKDING=
-
-# Note: the OIDC JWK private key is managed directly in /srv/authelia/config/configuration.yml
-# (never committed to git). See the inline comment in that file.
+# OIDC client secrets are NOT stored as env vars.
+# Bcrypt hashes contain $ characters which Portainer/shell interpolates, truncating them.
+# Instead, store hashes as files on the host:
+# /srv/authelia/config/secrets/oidc_open_webui <- bcrypt hash of open-webui client secret
+# /srv/authelia/config/secrets/oidc_linkding <- bcrypt hash of linkding client secret
+#
+# Write them with Python (not shell) to avoid $ interpolation:
+# docker run --rm -v /srv/authelia/config:/config python:3-alpine python3 -c "
+# open('/config/secrets/oidc_open_webui','w').write('<bcrypt-hash>')
+# open('/config/secrets/oidc_linkding','w').write('<bcrypt-hash>')
+# "
+# Generate a bcrypt hash:
+# docker run --rm authelia/authelia:4.38 authelia crypto hash generate bcrypt --password <plaintext>
+#
+# Note: the OIDC JWK private key is also host-managed inline in /srv/authelia/config/configuration.yml
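Review bot: The Python snippet still passes the hash through the shell: the `python3 -c "..."` argument is double-quoted, so a pasted bcrypt hash (`$2b$12$…`) is expanded by the shell before Python ever sees it, which is the same truncation the comment is trying to avoid; quote the `-c` argument with single quotes and use double quotes inside, e.g. `python3 -c 'open("/config/secrets/oidc_open_webui","w").write("<bcrypt-hash>")'`, or use a heredoc with a quoted delimiter (`<<'EOF'`). The files are also created with the default umask (typically 0644) and owned by root, so add a step such as `chmod 600 /srv/authelia/config/secrets/*` and chown them to the UID the Authelia container runs as. The `--password <plaintext>` form leaves the plaintext client secret in shell history and process listings; the removed line's bare `--password`, which I believe makes the CLI prompt interactively, was the safer form — verify against the Authelia CLI help. The removed "(never committed to git)" caveat no longer appears anywhere; restore it and extend it to the new secrets directory.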
diff --git a/authelia/config/configuration.yaml b/authelia/config/configuration.yaml
index 2b1757f..2b95083 100644
--- a/authelia/config/configuration.yaml
+++ b/authelia/config/configuration.yaml
@@ -65,7 +65,7 @@ identity_providers:
 clients:
 - client_id: open-webui
 client_name: Open WebUI
- client_secret: '{{ env "AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI" }}'
+ client_secret: '{{ secret "/config/secrets/oidc_open_webui" }}'
 public: false
 authorization_policy: one_factor
 token_endpoint_auth_method: client_secret_post
@@ -79,7 +79,7 @@ identity_providers:
 
 - client_id: linkding
 client_name: Linkding
- client_secret: '{{ env "AUTHELIA_OIDC_CLIENT_SECRET_LINKDING" }}'
+ client_secret: '{{ secret "/config/secrets/oidc_linkding" }}'
 public: false
 authorization_policy: one_factor
 token_endpoint_auth_method: client_secret_post
diff --git a/authelia/docker-compose.yml b/authelia/docker-compose.yml
index 93ed6e8..cb5e9d4 100644
--- a/authelia/docker-compose.yml
+++ b/authelia/docker-compose.yml
@@ -11,8 +11,8 @@ services:
 - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
 - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
 - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=${AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}
- - AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI=${AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI}
- - AUTHELIA_OIDC_CLIENT_SECRET_LINKDING=${AUTHELIA_OIDC_CLIENT_SECRET_LINKDING}
+ # OIDC client secrets are NOT passed as env vars — bcrypt hashes contain $ which
+ # Portainer/shell interpolates. Stored as files in /srv/authelia/config/secrets/ instead.
 - X_AUTHELIA_CONFIG_FILTERS=template
 networks:
 - npm-network
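Review bot: Both `client_secret` lines (this hunk and the linkding one in the `@@ -79` hunk) now depend on a file existing at `/config/secrets/...` inside the container, and nothing in the configuration documents where that file comes from or what it must contain; a comment above each line such as `# bcrypt hash of the client secret (not plaintext); read from /srv/authelia/config/secrets/oidc_open_webui on the host, keep it mode 0600` would spare the next operator a hunt. If the file is missing or unreadable by the container's UID, the template render presumably fails at startup rather than falling back to an empty secret — worth confirming and mentioning in that comment. The paths also assume the host config directory is mounted at `/config`, which this hunk does not show. The enclosing `clients` list starts outside the hunk.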
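Review bot: The new comment in the `environment` list points at `/srv/authelia/config/secrets/`, but nothing in this hunk mounts that directory, so whether the hashes reach `/config/secrets/` inside the container depends on a `volumes` entry outside the hunk — confirm it exists and name it in the comment, e.g. `# ... mounted into the container via the /config volume below`. If the secrets directory can be mounted on its own, mounting it read-only (`:ro`) limits what a compromised container can change.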