---
# Authelia configuration for the kolpacksoftware.com estate.
# Portal: https://auth.kolpacksoftware.com. Every other *.kolpacksoftware.com
# host is protected either by the forward-auth rules in `access_control` or as
# an OIDC relying party listed under `identity_providers.oidc.clients`.
#
# No secret material lives in this file: client secrets are read at load time
# with the Authelia `{{ secret "…" }}` template filter, and the JWKS private key
# is inlined only into the host copy (see `jwks`).

server:
  # Listens on every interface inside the container. Nothing in this file limits
  # who can reach the port; that is the job of the container network / proxy.
  address: 0.0.0.0:9091

log:
  level: info

totp:
  # Issuer label shown in authenticator apps when a user enrols TOTP.
  issuer: kolpacksoftware.com

webauthn:
  # Hardware-backed second factor (security keys / passkeys) is switched off, so
  # TOTP is the only second factor a user can enrol.
  # NOTE(review): every rule below is `bypass` or `one_factor`, so a second
  # factor is never actually demanded anywhere. Re-enabling WebAuthn only pays
  # off once some rule (the admin wildcard is the obvious one) asks for
  # `two_factor`.
  disable: true

authentication_backend:
  file:
    path: /config/users_database.yaml
    password:
      # Hash algorithm for new / re-hashed passwords in the users database.
      algorithm: argon2id

access_control:
  # Anything not matched by a rule is refused.
  default_policy: deny
  # Rules are evaluated top-down and the first match wins, so the portal bypass
  # has to precede the wildcard rule.
  rules:
    # The portal itself must be reachable without a session or nobody can log in.
    - domain: auth.kolpacksoftware.com
      policy: bypass
    # Any authenticated user, password only.
    - domain: ultralytics.kolpacksoftware.com
      policy: one_factor
    # Every remaining host under the apex: members of `admins`, password only.
    # NOTE(review): this one rule gates all other protected hosts with a single
    # factor; `two_factor` here would be the usual hardening for admin access.
    - domain: "*.kolpacksoftware.com"
      policy: one_factor
      subject: "group:admins"

session:
  cookies:
    # A single session cookie scoped to the apex (and therefore all subdomains).
    - domain: kolpacksoftware.com
      authelia_url: https://auth.kolpacksoftware.com
      # Landing page after a login started directly at the portal.
      default_redirection_url: https://kolpacksoftware.com
      name: authelia_session
      # Absolute lifetime and idle timeout of the session.
      expiration: 1h
      inactivity: 5m
  redis:
    # NOTE(review): no `password` / `tls` is configured, so session state is
    # protected by network isolation alone. Acceptable if `authelia-redis` is
    # reachable only from this container; otherwise set a password.
    host: authelia-redis
    port: 6379

storage:
  # SQLite on the config volume; fine for a single instance.
  # NOTE(review): Authelia requires `storage.encryption_key` and it is not in
  # this file, so it is presumably injected from the environment — confirm it
  # is set and backed up together with the database.
  local:
    path: /config/db.sqlite3

notifier:
  # Identity-verification / password-reset links are appended to a plain file
  # instead of being e-mailed. Fine for testing only: anyone who can read
  # /config can complete those flows, so keep the volume's permissions tight and
  # move to an SMTP notifier before relying on self-service reset.
  filesystem:
    filename: /config/notifications.txt

regulation:
  # Three failed attempts within two minutes -> five-minute ban.
  # NOTE(review): Authelia's regulation has historically banned the user
  # account rather than the source address; unless this deployment uses an
  # IP-capable mode, per-IP brute-force limiting must come from the proxy.
  max_retries: 3
  find_time: 2m
  ban_time: 5m

identity_providers:
  oidc:
    # NOTE(review): Authelia's own loader does not expand `${VAR}`. This
    # placeholder only works if the host-side copy step substitutes it; loaded
    # as-is, the literal string would become the HMAC secret. The
    # Authelia-native form is the same template filter already used for the
    # client secrets below:
    #   hmac_secret: '{{ env "AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET" }}'
    hmac_secret: ${AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
        - userinfo
      # Adds the origin of every client redirect URI as an allowed CORS origin.
      # Only the browser-based client (ocis web) needs CORS; the server-side
      # clients do not, and the native clients contribute loopback /
      # custom-scheme URIs that may turn `http://127.0.0.1` into an allowed
      # origin any local process can use.
      # NOTE(review): prefer an explicit `allowed_origins` list limited to
      # https://cloud.kolpacksoftware.com and set this to false.
      allowed_origins_from_client_redirect_uris: true
    jwks:
      # RS256 signing key for issued tokens; `key_id` is the `kid` clients see
      # in the JWKS document.
      - key_id: main
        algorithm: RS256
        use: sig
        # key is host-managed — never commit to git
        # Host copy inlines the PEM content as a YAML block scalar (key: |)
        # using Python to avoid shell $ interpolation of the PEM content.
        # Generate with:
        #   openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
        #     -out /srv/authelia/config/oidc.key
    clients:
      # Confidential, server-side relying parties. Each authenticates to the
      # token endpoint with a file-backed secret. `userinfo_signed_response_alg:
      # none` returns userinfo as plain (unsigned) JSON, which is the default.
      - client_id: open-webui
        client_name: Open WebUI
        client_secret: '{{ secret "/config/secrets/oidc_open_webui" }}'
        public: false
        authorization_policy: one_factor
        # Secret carried in the HTTP Authorization header.
        token_endpoint_auth_method: client_secret_basic
        redirect_uris:
          - https://open-webui.kolpacksoftware.com/oauth/oidc/callback
        scopes:
          - openid
          - profile
          - email
        userinfo_signed_response_alg: none

      - client_id: immich
        client_name: Immich
        client_secret: '{{ secret "/config/secrets/oidc_immich" }}'
        public: false
        authorization_policy: one_factor
        # Secret carried in the POST body.
        token_endpoint_auth_method: client_secret_post
        redirect_uris:
          - https://immich.kolpacksoftware.com/auth/login
          # Custom-scheme callback for the Immich mobile app. A mobile binary
          # cannot keep `client_secret` confidential.
          # NOTE(review): consider `require_pkce: true` with
          # `pkce_challenge_method: S256` here too, as done for the ownCloud
          # clients below.
          - app.immich:///oauth-callback
        scopes:
          - openid
          - profile
          - email
        userinfo_signed_response_alg: none

      - client_id: linkding
        client_name: Linkding
        client_secret: '{{ secret "/config/secrets/oidc_linkding" }}'
        public: false
        authorization_policy: one_factor
        token_endpoint_auth_method: client_secret_post
        redirect_uris:
          - https://linkding.kolpacksoftware.com/oidc/callback/
        scopes:
          - openid
          - profile
          - email
          # Exposes the user's Authelia group membership to Linkding.
          - groups
        userinfo_signed_response_alg: none

      # ownCloud Infinite Scale web UI: a browser SPA, hence a public client with
      # mandatory PKCE (S256) in place of a secret.
      - client_id: ocis
        client_name: ownCloud Infinite Scale
        public: true
        require_pkce: true
        pkce_challenge_method: S256
        authorization_policy: one_factor
        redirect_uris:
          - https://cloud.kolpacksoftware.com/
          - https://cloud.kolpacksoftware.com/oidc-callback.html
          - https://cloud.kolpacksoftware.com/oidc-silent-redirect.html
          - https://cloud.kolpacksoftware.com/apps/openidconnect/redirect
        scopes:
          - openid
          - profile
          - email
          - groups
          # NOTE(review): `offline_access` is requested but, unlike the native
          # clients below, no `grant_types` are listed, so this client relies on
          # Authelia's defaults — confirm refresh tokens are actually issued.
          - offline_access
        userinfo_signed_response_alg: none

      # ownCloud native apps. The long client_ids look like ownCloud's published
      # default identifiers; those apps ship with a fixed secret, so the secret
      # files add little confidentiality and `require_pkce` is the control that
      # actually binds the authorization code to the app instance.
      - client_id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
        client_name: ownCloud iOS
        client_secret: '{{ secret "/config/secrets/oidc_ocis_ios" }}'
        public: false
        require_pkce: true
        pkce_challenge_method: S256
        token_endpoint_auth_method: client_secret_basic
        authorization_policy: one_factor
        response_types:
          - code
        grant_types:
          - authorization_code
          # Required because `offline_access` is in `scopes`.
          - refresh_token
        redirect_uris:
          - oc://ios.owncloud.com
        scopes:
          - openid
          - profile
          - email
          - offline_access
        userinfo_signed_response_alg: none

      - client_id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
        client_name: ownCloud Desktop
        client_secret: '{{ secret "/config/secrets/oidc_ocis_desktop" }}'
        public: false
        require_pkce: true
        pkce_challenge_method: S256
        token_endpoint_auth_method: client_secret_basic
        authorization_policy: one_factor
        response_types:
          - code
        grant_types:
          - authorization_code
          - refresh_token
        redirect_uris:
          # Loopback redirect of a native app (RFC 8252). Plain http is
          # tolerable only because the host is the loopback address; the client
          # picks an ephemeral port, so Authelia has to match the port loosely —
          # the first thing to check if desktop logins fail.
          - http://127.0.0.1
        scopes:
          - openid
          - profile
          - email
          - offline_access
        userinfo_signed_response_alg: none