Revert OIDC client secrets to file-based approach

Bcrypt hashes contain $ signs which Portainer interpolates when storing
as env vars, truncating the values. Use {{ secret "file" }} template
syntax instead — hashes live in /srv/authelia/config/secrets/ on the
host, written via Python to avoid shell interpolation.

Only $ -safe values (hex strings) remain as env vars.

authelia/.env.example

@@ -1,18 +1,26 @@
 # Authelia secrets — set all of these in Portainer stack environment variables
 # Generate random values with: openssl rand -hex 32
 
-# Core secrets
+# Core secrets (safe as env vars — no $ signs in values)
 AUTHELIA_JWT_SECRET=
 AUTHELIA_SESSION_SECRET=
 AUTHELIA_STORAGE_ENCRYPTION_KEY=
 
-# OIDC HMAC secret (signs OIDC tokens)
+# OIDC HMAC secret (safe as env var — hex string, no $ signs)
 AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=
 
-# OIDC client secrets — store as bcrypt hashes here, plaintext in each client app
-# Generate hash: docker run --rm authelia/authelia:4.38 authelia crypto hash generate bcrypt --password <plaintext>
-AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI=
-AUTHELIA_OIDC_CLIENT_SECRET_LINKDING=
-
-# Note: the OIDC JWK private key is managed directly in /srv/authelia/config/configuration.yml
-# (never committed to git). See the inline comment in that file.
+# OIDC client secrets are NOT stored as env vars.
+# Bcrypt hashes contain $ characters which Portainer/shell interpolates, truncating them.
+# Instead, store hashes as files on the host:
+#   /srv/authelia/config/secrets/oidc_open_webui   <- bcrypt hash of open-webui client secret
+#   /srv/authelia/config/secrets/oidc_linkding     <- bcrypt hash of linkding client secret
+#
+# Write them with Python (not shell) to avoid $ interpolation:
+#   docker run --rm -v /srv/authelia/config:/config python:3-alpine python3 -c "
+#     open('/config/secrets/oidc_open_webui','w').write('<bcrypt-hash>')
+#     open('/config/secrets/oidc_linkding','w').write('<bcrypt-hash>')
+#   "
+# Generate a bcrypt hash:
+#   docker run --rm authelia/authelia:4.38 authelia crypto hash generate bcrypt --password <plaintext>
+#
+# Note: the OIDC JWK private key is also host-managed inline in /srv/authelia/config/configuration.yml

authelia/config/configuration.yaml

@@ -65,7 +65,7 @@ identity_providers:
     clients:
       - client_id: open-webui
         client_name: Open WebUI
-        client_secret: '{{ env "AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI" }}'
+        client_secret: '{{ secret "/config/secrets/oidc_open_webui" }}'
         public: false
         authorization_policy: one_factor
         token_endpoint_auth_method: client_secret_post
@@ -79,7 +79,7 @@ identity_providers:
 
       - client_id: linkding
         client_name: Linkding
-        client_secret: '{{ env "AUTHELIA_OIDC_CLIENT_SECRET_LINKDING" }}'
+        client_secret: '{{ secret "/config/secrets/oidc_linkding" }}'
         public: false
         authorization_policy: one_factor
         token_endpoint_auth_method: client_secret_post

authelia/docker-compose.yml

@@ -11,8 +11,8 @@ services:
       - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
       - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
       - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=${AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}
-      - AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI=${AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI}
-      - AUTHELIA_OIDC_CLIENT_SECRET_LINKDING=${AUTHELIA_OIDC_CLIENT_SECRET_LINKDING}
+      # OIDC client secrets are NOT passed as env vars — bcrypt hashes contain $ which
+      # Portainer/shell interpolates. Stored as files in /srv/authelia/config/secrets/ instead.
       - X_AUTHELIA_CONFIG_FILTERS=template
     networks:
       - npm-network