Bcrypt hashes contain $ signs which Portainer interpolates when storing
as env vars, truncating the values. Use {{ secret "file" }} template
syntax instead — hashes live in /srv/authelia/config/secrets/ on the
host, written via Python to avoid shell interpolation.
Only $ -safe values (hex strings) remain as env vars.
expand-env double-processes substituted values so $ in bcrypt hashes
get re-expanded. Switch back to template filter with {{ env "VAR" }}
syntax which returns values as-is.
- Switch X_AUTHELIA_CONFIG_FILTERS from template to expand-env so ${VAR}
syntax in config files is actually substituted
- Add missing env var pass-throughs for OIDC HMAC secret and client secrets
- Update git config client_secret fields to use ${VAR} syntax (matching host)
- Update .env.example to document all required Portainer env vars
- Switch from unsupported \${VAR} substitution to {{ secret "..." }} template syntax
- Enable X_AUTHELIA_CONFIG_FILTERS=template in compose
- Client secrets now loaded from /config/secrets/oidc_* files on host
- Use PBKDF2-SHA512 hashes (not bcrypt, not plaintext)
- Add open-webui OIDC client to Authelia config
- Configure open-webui with OIDC env vars pointing to Authelia
- Secret managed via AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI env var in Portainer
- linkding: add OIDC env vars pointing to Authelia as identity provider
- authelia/config: fix issuer_private_keys → jwks (correct key for 4.38.x)
and replace non-functional template function with host-managed note
poprhythm