Revert OIDC client secrets to file-based approach

Bcrypt hashes contain $ signs which Portainer interpolates when storing
as env vars, truncating the values. Use {{ secret "file" }} template
syntax instead — hashes live in /srv/authelia/config/secrets/ on the
host, written via Python to avoid shell interpolation.

Only $-safe values (hex strings) remain as env vars.
2026-02-26 20:03:03 +00:00
parent 39f6ca8530
commit e6d4b0a349
3 changed files with 21 additions and 13 deletions
+2 -2
@@ -65,7 +65,7 @@ identity_providers:
clients:
- client_id: open-webui
client_name: Open WebUI
client_secret: '{{ env "AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI" }}'
client_secret: '{{ secret "/config/secrets/oidc_open_webui" }}'
public: false
authorization_policy: one_factor
token_endpoint_auth_method: client_secret_post
@@ -79,7 +79,7 @@ identity_providers:
- client_id: linkding
client_name: Linkding
client_secret: '{{ env "AUTHELIA_OIDC_CLIENT_SECRET_LINKDING" }}'
client_secret: '{{ secret "/config/secrets/oidc_linkding" }}'
public: false
authorization_policy: one_factor
token_endpoint_auth_method: client_secret_post
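Review bot: The new `client_secret` template for open-webui (and the identical one for linkding in the second hunk) now depends on the contents and permissions of files under `/config/secrets/`, and nothing in the hunk records what those files must contain or who may read them. Authelia's docs describe the `secret` function as trimming trailing newline characters, so a file written with a final `\n` should still match, but a CRLF ending or surrounding whitespace would make the stored hash never compare equal and surface only as a generic client-authentication failure — worth confirming against the Python writer the commit message mentions. Since the values are bcrypt digests rather than plaintext, leaking them is less severe than leaking the secrets themselves, but the files should still be readable only by the user Authelia runs as (e.g. mode 0600) and kept out of any less-protected config backup. I would add above each `client_secret:` line: `# Hashed client secret (bcrypt digest, not plaintext) read from the mounted secrets dir; the file must hold only the digest and be readable solely by the Authelia runtime user.`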