Revert OIDC client secrets to file-based approach

Bcrypt hashes contain $ signs which Portainer interpolates when storing
as env vars, truncating the values. Use {{ secret "file" }} template
syntax instead — hashes live in /srv/authelia/config/secrets/ on the
host, written via Python to avoid shell interpolation.

Only $-safe values (hex strings) remain as env vars.
2026-02-26 20:03:03 +00:00
parent 39f6ca8530
commit e6d4b0a349
3 changed files with 21 additions and 13 deletions
+17 -9
@@ -1,18 +1,26 @@
# Authelia secrets — set all of these in Portainer stack environment variables
# Generate random values with: openssl rand -hex 32
# Core secrets
# Core secrets (safe as env vars — no $ signs in values)
AUTHELIA_JWT_SECRET=
AUTHELIA_SESSION_SECRET=
AUTHELIA_STORAGE_ENCRYPTION_KEY=
# OIDC HMAC secret (signs OIDC tokens)
# OIDC HMAC secret (safe as env var — hex string, no $ signs)
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=
# OIDC client secrets — store as bcrypt hashes here, plaintext in each client app
# Generate hash: docker run --rm authelia/authelia:4.38 authelia crypto hash generate bcrypt --password <plaintext>
AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI=
AUTHELIA_OIDC_CLIENT_SECRET_LINKDING=
# Note: the OIDC JWK private key is managed directly in /srv/authelia/config/configuration.yml
# (never committed to git). See the inline comment in that file.
# OIDC client secrets are NOT stored as env vars.
# Bcrypt hashes contain $ characters which Portainer/shell interpolates, truncating them.
# Instead, store hashes as files on the host:
# /srv/authelia/config/secrets/oidc_open_webui <- bcrypt hash of open-webui client secret
# /srv/authelia/config/secrets/oidc_linkding <- bcrypt hash of linkding client secret
#
# Write them with Python (not shell) to avoid $ interpolation:
# docker run --rm -v /srv/authelia/config:/config python:3-alpine python3 -c "
# open('/config/secrets/oidc_open_webui','w').write('<bcrypt-hash>')
# open('/config/secrets/oidc_linkding','w').write('<bcrypt-hash>')
# "
# Generate a bcrypt hash:
# docker run --rm authelia/authelia:4.38 authelia crypto hash generate bcrypt --password <plaintext>
#
# Note: the OIDC JWK private key is also host-managed inline in /srv/authelia/config/configuration.yml
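Review bot: the documented write-out still passes the hash through shell expansion, because the `-c` program in `docker run --rm -v /srv/authelia/config:/config python:3-alpine python3 -c "` is wrapped in double quotes: a bcrypt hash of the form `$2b$12$...` has `$2` and `$1` expanded as positional parameters before Python ever sees the string, which is exactly the mangling that `# Bcrypt hashes contain $ characters which Portainer/shell interpolates, truncating them.` is trying to avoid. Feed the program through a quoted heredoc (`python3 - <<'EOF'` ... `EOF`), or have the script read the hash from stdin or `getpass`, so the value never appears in an expanded command line or in shell history; the same applies to `--password <plaintext>` on the `authelia crypto hash generate bcrypt` line. The comment should also state a restrictive mode for the files under `/srv/authelia/config/secrets/` (e.g. `chmod 600` after writing, or `os.chmod` in the same script), since those files are now the credential material, and note that the `{{ secret "file" }}` path in configuration.yml must reference the location as mounted inside the container rather than the host path listed here.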