Skip to main content
Star us on GitHub Star

Authelia

Authelia logo

This section illustrates where the expected values are found within the Authelia config. For a more detailed guide on enabling Authelia with OpenZiti, see below. Use these values to configure an external JWT signer. For Authelia, there is currently no dashboard. All settings are derived from the Authelia configuration file.

Authelia-specific
  • The audience and client id fields must be the same. If you get an error when authenticating it's possible these two fields are not the same.
  • Authelia does not support using Access tokens. You must configure the ext-jwt-signer with the ID token type.
FieldWhere to Find the Value in the Authelia ConfigurationExample
IssuerThe address of the Authelia serverhttps://authelia.doc.demo.openziti.org:9100
Client IDSpecified in the Authelia configuration.yml. The client_id of the oidc clientopenziti
AudienceSpecified in the Authelia configuration.yml. The audience of the oidc clientopenziti
External Auth URLThe same value as the Issuerhttps://authelia.doc.demo.openziti.org:9100
JWKS EndpointUse the jwks_uri field from the './well-known/openid-configuration' endpointhttps://authelia.doc.demo.openziti.org:9100/jwks.json
Claims PropertyOften email, but can also be sub or any other claim contained in the JWTemail
Scopesopenid is always included. Often 'email' but 'profile' or any standard or custom scopeemail offline_access

Enable OIDC Within Authelia

Authelia supports acting as an identity provider. The Authelia documentation for providers contains an example identity_providers.oidc configuration section and describes how to configure Authelia.

Generate a Key/Cert

Authelia also provides helper functionality to generate a cert/key in your configuration. For example, a command can be issued using a temporary Authelia container to generate a cert and key. That cert and key can then be used with Authelia. Adapt the command shown below for your Authelia deployment and emit the cert and key into a location your Authelia server will be able to access the files. For example, this may be your secrets directory as shown:

Use Docker to Generate Cert/Key
docker run --rm \
-v "/path/to/the/authelia/secrets:/output" \
authelia/authelia \
authelia crypto certificate rsa generate \
--common-name authelia.example.com \
--bits 2048 \
--file.private-key rsa.2048.key \
--file.certificate rsa.2048.cert \
--directory /output

Generate an HMAC Secret

Leverage openssl and generate a random set of 32 characters to serve as the HMAC secret for the OIDC configuration.

openssl rand -hex 32 > /path/to/the/authelia/secrets/identity_providers.hmac

Add the OIDC Configuration

Using the cert and key generated above and the HMAC secret, configure Authelia as an identity provider.

An Example Configuration

Below is a very simple example configuration that would work with Authelia and OpenZiti. The following config also leverages the Authelia templating functionality and expects the following and environment variable named DOMAIN is set with the Authelia domain. A directory exists named /authelia/secrets where the following secrets are kept:

  • the key and certificate to use for TLS
  • a storage.encryption_key file
  • an identity_validation.jwt_secret file
  • an identity_providers.hmac (from the example command above)
  • rsa.2048.key and rsa.2048.cert files (from the example command above)
server:
address: "tcp://0.0.0.0:443"
tls:
certificate: "/authelia/secrets/certificate_chain.pem"
key: "/authelia/secrets/private.key"

authentication_backend:
file:
path: /config/users_database.yml

access_control:
default_policy: one_factor

session:
cookies:
- domain: "{{ env DOMAIN }}"
authelia_url: "https://{{ env DOMAIN }}"

storage:
local:
path: /config/db
encryption_key: {{ secret "/authelia/secrets/storage.encryption_key" | msquote }}

notifier:
filesystem:
filename: /config/notification.log

identity_validation:
reset_password:
jwt_secret: {{ secret "/authelia/secrets/identity_validation.jwt_secret" | msquote }}

identity_providers:
oidc:
hmac_secret: {{ secret "/authelia/secrets/identity_providers.hmac" | msquote }}
jwks:
- key_id: 'authelia'
algorithm: 'RS256'
use: 'sig'
key: {{ secret "/authelia/secrets/rsa.2048.key" | mindent 10 "|" | msquote }}
certificate_chain: {{ secret "/authelia/secrets/rsa.2048.cert" | mindent 10 "|" | msquote }}
enable_client_debug_messages: false
require_pushed_authorization_requests: false
lifespans:
access_token: '1h'
authorize_code: '1m'
id_token: '1h'
refresh_token: '90m'
cors:
endpoints:
- 'authorization'
- 'token'
- 'revocation'
- 'introspection'
clients:
- client_id: openziti
client_name: "OpenZiti Auth"
audience: "openziti"
public: true
authorization_policy: one_factor
consent_mode: pre-configured
response_types:
- "code"
scopes:
- openid
- groups
- email
- profile
- offline_access
redirect_uris:
- http://localhost:20314/auth/callback
- https://*.browzer.example.com
grant_types:
- refresh_token
- authorization_code

Common Problems

If you do not set the client id and the audience to the same value, you may encounter an error such as:

invalid_request: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Requested audience 'openziti_client_id' has not been whitelisted by the OAuth 2.0 Client.