|
|
@@ -104,7 +104,7 @@ server:
|
|
|
|
## Configure the authz endpoints.
|
|
|
|
## Configure the authz endpoints.
|
|
|
|
authz:
|
|
|
|
authz:
|
|
|
|
forward-auth:
|
|
|
|
forward-auth:
|
|
|
|
implementation: 'ForwardAuth'
|
|
|
|
implementation: "ForwardAuth"
|
|
|
|
# authn_strategies: []
|
|
|
|
# authn_strategies: []
|
|
|
|
# ext-authz:
|
|
|
|
# ext-authz:
|
|
|
|
# implementation: 'ExtAuthz'
|
|
|
|
# implementation: 'ExtAuthz'
|
|
|
@@ -121,10 +121,10 @@ server:
|
|
|
|
##
|
|
|
|
##
|
|
|
|
log:
|
|
|
|
log:
|
|
|
|
## Level of verbosity for logs: info, debug, trace.
|
|
|
|
## Level of verbosity for logs: info, debug, trace.
|
|
|
|
level: 'debug'
|
|
|
|
level: "debug"
|
|
|
|
|
|
|
|
|
|
|
|
## Format the logs are written as: json, text.
|
|
|
|
## Format the logs are written as: json, text.
|
|
|
|
format: 'json'
|
|
|
|
format: "json"
|
|
|
|
|
|
|
|
|
|
|
|
## File path where the logs will be written. If not set logs are written to stdout.
|
|
|
|
## File path where the logs will be written. If not set logs are written to stdout.
|
|
|
|
# file_path: '/config/authelia.log'
|
|
|
|
# file_path: '/config/authelia.log'
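Review bot: `level: "debug"` leaves the identity provider running at debug verbosity, and the comment two lines above lists `info` as the lower production-appropriate level; for an authentication gateway that handles credentials and session material, debug output should be enabled only while troubleshooting. Nothing in the hunk marks this as temporary, so the commit appears to ship debug logging as the steady state. I would change it to `level: 'info'`, or if debug is deliberate, annotate it with `## NOTE: debug enabled for troubleshooting, revert to info` so the next reader knows to turn it back off.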
|
|
|
@@ -136,7 +136,6 @@ log:
|
|
|
|
## Telemetry Configuration
|
|
|
|
## Telemetry Configuration
|
|
|
|
##
|
|
|
|
##
|
|
|
|
telemetry:
|
|
|
|
telemetry:
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## Metrics Configuration
|
|
|
|
## Metrics Configuration
|
|
|
|
##
|
|
|
|
##
|
|
|
@@ -151,7 +150,7 @@ telemetry:
|
|
|
|
## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', 'unix', or 'fd'.
|
|
|
|
## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', 'unix', or 'fd'.
|
|
|
|
## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '9959'.
|
|
|
|
## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '9959'.
|
|
|
|
## If the path is not specified it defaults to `/metrics`.
|
|
|
|
## If the path is not specified it defaults to `/metrics`.
|
|
|
|
address: 'tcp://:9959/metrics'
|
|
|
|
address: "tcp://:9959/metrics"
|
|
|
|
|
|
|
|
|
|
|
|
## Metrics Server Buffers configuration.
|
|
|
|
## Metrics Server Buffers configuration.
|
|
|
|
# buffers:
|
|
|
|
# buffers:
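Review bot: `address: "tcp://:9959/metrics"` has an empty host, which per the format comment above binds the metrics listener on every interface; the `/metrics` endpoint is served without authentication, so anything with network reachability to the container can scrape it. The hunk does not show how the container's ports are published, so this may already be contained by the Docker network, but the config itself does not constrain it. If the scraper is local or on a dedicated network, `address: 'tcp://127.0.0.1:9959/metrics'` (or the internal interface address) removes the exposure at the source rather than relying on the port mapping.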
|
|
|
@@ -179,128 +178,128 @@ telemetry:
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## Parameters used for TOTP generation.
|
|
|
|
## Parameters used for TOTP generation.
|
|
|
|
# totp:
|
|
|
|
# totp:
|
|
|
|
## Disable TOTP.
|
|
|
|
## Disable TOTP.
|
|
|
|
# disable: false
|
|
|
|
# disable: false
|
|
|
|
|
|
|
|
|
|
|
|
## The issuer name displayed in the Authenticator application of your choice.
|
|
|
|
## The issuer name displayed in the Authenticator application of your choice.
|
|
|
|
# issuer: 'authelia.com'
|
|
|
|
# issuer: 'authelia.com'
|
|
|
|
|
|
|
|
|
|
|
|
## The TOTP algorithm to use.
|
|
|
|
## The TOTP algorithm to use.
|
|
|
|
## It is CRITICAL you read the documentation before changing this option:
|
|
|
|
## It is CRITICAL you read the documentation before changing this option:
|
|
|
|
## https://www.authelia.com/c/totp#algorithm
|
|
|
|
## https://www.authelia.com/c/totp#algorithm
|
|
|
|
# algorithm: 'SHA1'
|
|
|
|
# algorithm: 'SHA1'
|
|
|
|
|
|
|
|
|
|
|
|
## The number of digits a user has to input. Must either be 6 or 8.
|
|
|
|
## The number of digits a user has to input. Must either be 6 or 8.
|
|
|
|
## Changing this option only affects newly generated TOTP configurations.
|
|
|
|
## Changing this option only affects newly generated TOTP configurations.
|
|
|
|
## It is CRITICAL you read the documentation before changing this option:
|
|
|
|
## It is CRITICAL you read the documentation before changing this option:
|
|
|
|
## https://www.authelia.com/c/totp#digits
|
|
|
|
## https://www.authelia.com/c/totp#digits
|
|
|
|
# digits: 6
|
|
|
|
# digits: 6
|
|
|
|
|
|
|
|
|
|
|
|
## The period in seconds a Time-based One-Time Password is valid for.
|
|
|
|
## The period in seconds a Time-based One-Time Password is valid for.
|
|
|
|
## Changing this option only affects newly generated TOTP configurations.
|
|
|
|
## Changing this option only affects newly generated TOTP configurations.
|
|
|
|
# period: 30
|
|
|
|
# period: 30
|
|
|
|
|
|
|
|
|
|
|
|
## The skew controls number of Time-based One-Time Passwords either side of the current one that are valid.
|
|
|
|
## The skew controls number of Time-based One-Time Passwords either side of the current one that are valid.
|
|
|
|
## Warning: before changing skew read the docs link below.
|
|
|
|
## Warning: before changing skew read the docs link below.
|
|
|
|
# skew: 1
|
|
|
|
# skew: 1
|
|
|
|
## See: https://www.authelia.com/c/totp#input-validation to read
|
|
|
|
## See: https://www.authelia.com/c/totp#input-validation to read
|
|
|
|
## the documentation.
|
|
|
|
## the documentation.
|
|
|
|
|
|
|
|
|
|
|
|
## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20.
|
|
|
|
## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20.
|
|
|
|
# secret_size: 32
|
|
|
|
# secret_size: 32
|
|
|
|
|
|
|
|
|
|
|
|
## The allowed algorithms for a user to pick from.
|
|
|
|
## The allowed algorithms for a user to pick from.
|
|
|
|
# allowed_algorithms:
|
|
|
|
# allowed_algorithms:
|
|
|
|
# - 'SHA1'
|
|
|
|
# - 'SHA1'
|
|
|
|
|
|
|
|
|
|
|
|
## The allowed digits for a user to pick from.
|
|
|
|
## The allowed digits for a user to pick from.
|
|
|
|
# allowed_digits:
|
|
|
|
# allowed_digits:
|
|
|
|
# - 6
|
|
|
|
# - 6
|
|
|
|
|
|
|
|
|
|
|
|
## The allowed periods for a user to pick from.
|
|
|
|
## The allowed periods for a user to pick from.
|
|
|
|
# allowed_periods:
|
|
|
|
# allowed_periods:
|
|
|
|
# - 30
|
|
|
|
# - 30
|
|
|
|
|
|
|
|
|
|
|
|
## Disable the reuse security policy which prevents replays of one-time password code values.
|
|
|
|
## Disable the reuse security policy which prevents replays of one-time password code values.
|
|
|
|
# disable_reuse_security_policy: false
|
|
|
|
# disable_reuse_security_policy: false
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## WebAuthn Configuration
|
|
|
|
## WebAuthn Configuration
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## Parameters used for WebAuthn.
|
|
|
|
## Parameters used for WebAuthn.
|
|
|
|
# webauthn:
|
|
|
|
# webauthn:
|
|
|
|
## Disable WebAuthn.
|
|
|
|
## Disable WebAuthn.
|
|
|
|
# disable: false
|
|
|
|
# disable: false
|
|
|
|
|
|
|
|
|
|
|
|
## Enables logins via a Passkey.
|
|
|
|
## Enables logins via a Passkey.
|
|
|
|
# enable_passkey_login: false
|
|
|
|
# enable_passkey_login: false
|
|
|
|
|
|
|
|
|
|
|
|
## The display name the browser should show the user for when using WebAuthn to login/register.
|
|
|
|
## The display name the browser should show the user for when using WebAuthn to login/register.
|
|
|
|
# display_name: 'Authelia'
|
|
|
|
# display_name: 'Authelia'
|
|
|
|
|
|
|
|
|
|
|
|
## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
|
|
|
|
## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
|
|
|
|
## Options are none, indirect, direct.
|
|
|
|
## Options are none, indirect, direct.
|
|
|
|
# attestation_conveyance_preference: 'indirect'
|
|
|
|
# attestation_conveyance_preference: 'indirect'
|
|
|
|
|
|
|
|
|
|
|
|
## The interaction timeout for WebAuthn dialogues in the duration common syntax.
|
|
|
|
## The interaction timeout for WebAuthn dialogues in the duration common syntax.
|
|
|
|
# timeout: '60 seconds'
|
|
|
|
# timeout: '60 seconds'
|
|
|
|
|
|
|
|
|
|
|
|
## Authenticator Filtering.
|
|
|
|
## Authenticator Filtering.
|
|
|
|
# filtering:
|
|
|
|
# filtering:
|
|
|
|
## Prohibits registering Authenticators that claim they can export their credentials in some way.
|
|
|
|
## Prohibits registering Authenticators that claim they can export their credentials in some way.
|
|
|
|
# prohibit_backup_eligibility: false
|
|
|
|
# prohibit_backup_eligibility: false
|
|
|
|
|
|
|
|
|
|
|
|
## Permitted AAGUID's. If configured specifically only allows the listed AAGUID's.
|
|
|
|
## Permitted AAGUID's. If configured specifically only allows the listed AAGUID's.
|
|
|
|
# permitted_aaguids: []
|
|
|
|
# permitted_aaguids: []
|
|
|
|
|
|
|
|
|
|
|
|
## Prohibited AAGUID's. If configured prohibits the use of specific AAGUID's.
|
|
|
|
## Prohibited AAGUID's. If configured prohibits the use of specific AAGUID's.
|
|
|
|
# prohibited_aaguids: []
|
|
|
|
# prohibited_aaguids: []
|
|
|
|
|
|
|
|
|
|
|
|
## Selection Criteria controls the preferences for registration.
|
|
|
|
## Selection Criteria controls the preferences for registration.
|
|
|
|
# selection_criteria:
|
|
|
|
# selection_criteria:
|
|
|
|
## The attachment preference. Either 'cross-platform' for dedicated authenticators, or 'platform' for embedded
|
|
|
|
## The attachment preference. Either 'cross-platform' for dedicated authenticators, or 'platform' for embedded
|
|
|
|
## authenticators.
|
|
|
|
## authenticators.
|
|
|
|
# attachment: 'cross-platform'
|
|
|
|
# attachment: 'cross-platform'
|
|
|
|
|
|
|
|
|
|
|
|
## The discoverability preference. Options are 'discouraged', 'preferred', and 'required'.
|
|
|
|
## The discoverability preference. Options are 'discouraged', 'preferred', and 'required'.
|
|
|
|
# discoverability: 'discouraged'
|
|
|
|
# discoverability: 'discouraged'
|
|
|
|
|
|
|
|
|
|
|
|
## User verification controls if the user must make a gesture or action to confirm they are present.
|
|
|
|
## User verification controls if the user must make a gesture or action to confirm they are present.
|
|
|
|
## Options are required, preferred, discouraged.
|
|
|
|
## Options are required, preferred, discouraged.
|
|
|
|
# user_verification: 'preferred'
|
|
|
|
# user_verification: 'preferred'
|
|
|
|
|
|
|
|
|
|
|
|
## Metadata Service validation via MDS3.
|
|
|
|
## Metadata Service validation via MDS3.
|
|
|
|
# metadata:
|
|
|
|
# metadata:
|
|
|
|
|
|
|
|
|
|
|
|
## Enable the metadata fetch behaviour.
|
|
|
|
## Enable the metadata fetch behaviour.
|
|
|
|
# enabled: false
|
|
|
|
# enabled: false
|
|
|
|
|
|
|
|
|
|
|
|
## Enable Validation of the Trust Anchor. This generally should be enabled if you're using the metadata. It
|
|
|
|
## Enable Validation of the Trust Anchor. This generally should be enabled if you're using the metadata. It
|
|
|
|
## ensures the attestation certificate presented by the authenticator is valid against the MDS3 certificate that
|
|
|
|
## ensures the attestation certificate presented by the authenticator is valid against the MDS3 certificate that
|
|
|
|
## issued the attestation certificate.
|
|
|
|
## issued the attestation certificate.
|
|
|
|
# validate_trust_anchor: true
|
|
|
|
# validate_trust_anchor: true
|
|
|
|
|
|
|
|
|
|
|
|
## Enable Validation of the Entry. This ensures that the MDS3 actually contains the metadata entry. If not enabled
|
|
|
|
## Enable Validation of the Entry. This ensures that the MDS3 actually contains the metadata entry. If not enabled
|
|
|
|
## attestation certificates which are not formally registered will be skipped. This may potentially exclude some
|
|
|
|
## attestation certificates which are not formally registered will be skipped. This may potentially exclude some
|
|
|
|
## virtual authenticators.
|
|
|
|
## virtual authenticators.
|
|
|
|
# validate_entry: true
|
|
|
|
# validate_entry: true
|
|
|
|
|
|
|
|
|
|
|
|
## Enabling this allows attestation certificates with a zero AAGUID to pass validation. This is important if you do
|
|
|
|
## Enabling this allows attestation certificates with a zero AAGUID to pass validation. This is important if you do
|
|
|
|
## use non-conformant authenticators like Apple ID.
|
|
|
|
## use non-conformant authenticators like Apple ID.
|
|
|
|
# validate_entry_permit_zero_aaguid: false
|
|
|
|
# validate_entry_permit_zero_aaguid: false
|
|
|
|
|
|
|
|
|
|
|
|
## Enable Validation of the Authenticator Status.
|
|
|
|
## Enable Validation of the Authenticator Status.
|
|
|
|
# validate_status: true
|
|
|
|
# validate_status: true
|
|
|
|
|
|
|
|
|
|
|
|
## List of statuses which are considered permitted when validating an authenticator's metadata. Generally it is
|
|
|
|
## List of statuses which are considered permitted when validating an authenticator's metadata. Generally it is
|
|
|
|
## recommended that this is not configured as any other status the authenticator's metadata has will result in an
|
|
|
|
## recommended that this is not configured as any other status the authenticator's metadata has will result in an
|
|
|
|
## error. This option is ineffectual if validate_status is false.
|
|
|
|
## error. This option is ineffectual if validate_status is false.
|
|
|
|
# validate_status_permitted: ~
|
|
|
|
# validate_status_permitted: ~
|
|
|
|
|
|
|
|
|
|
|
|
## List of statuses that should be prohibited when validating an authenticator's metadata. Generally it is
|
|
|
|
## List of statuses that should be prohibited when validating an authenticator's metadata. Generally it is
|
|
|
|
## recommended that this is not configured as there are safe defaults. This option is ineffectual if validate_status
|
|
|
|
## recommended that this is not configured as there are safe defaults. This option is ineffectual if validate_status
|
|
|
|
## is false, or validate_status_permitted has values.
|
|
|
|
## is false, or validate_status_permitted has values.
|
|
|
|
# validate_status_prohibited: ~
|
|
|
|
# validate_status_prohibited: ~
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## Duo Push API Configuration
|
|
|
|
## Duo Push API Configuration
|
|
|
@@ -308,19 +307,18 @@ telemetry:
|
|
|
|
## Parameters used to contact the Duo API. Those are generated when you protect an application of type
|
|
|
|
## Parameters used to contact the Duo API. Those are generated when you protect an application of type
|
|
|
|
## "Partner Auth API" in the management panel.
|
|
|
|
## "Partner Auth API" in the management panel.
|
|
|
|
# duo_api:
|
|
|
|
# duo_api:
|
|
|
|
# disable: false
|
|
|
|
# disable: false
|
|
|
|
# hostname: 'api-123456789.example.com'
|
|
|
|
# hostname: 'api-123456789.example.com'
|
|
|
|
# integration_key: 'ABCDEF'
|
|
|
|
# integration_key: 'ABCDEF'
|
|
|
|
## Secret can also be set using a secret: https://www.authelia.com/c/secrets
|
|
|
|
## Secret can also be set using a secret: https://www.authelia.com/c/secrets
|
|
|
|
# secret_key: 'secret'
|
|
|
|
# secret_key: 'secret'
|
|
|
|
# enable_self_enrollment: false
|
|
|
|
# enable_self_enrollment: false
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## Identity Validation Configuration
|
|
|
|
## Identity Validation Configuration
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## This configuration tunes the identity validation flows.
|
|
|
|
## This configuration tunes the identity validation flows.
|
|
|
|
identity_validation:
|
|
|
|
identity_validation:
|
|
|
|
|
|
|
|
|
|
|
|
## Reset Password flow. Adjusts how the reset password flow operates.
|
|
|
|
## Reset Password flow. Adjusts how the reset password flow operates.
|
|
|
|
reset_password:
|
|
|
|
reset_password:
|
|
|
|
## Maximum allowed time before the JWT is generated and when the user uses it in the duration common syntax.
|
|
|
|
## Maximum allowed time before the JWT is generated and when the user uses it in the duration common syntax.
|
|
|
@@ -330,7 +328,7 @@ identity_validation:
|
|
|
|
# jwt_algorithm: 'HS256'
|
|
|
|
# jwt_algorithm: 'HS256'
|
|
|
|
|
|
|
|
|
|
|
|
## The secret key used to sign and verify the JWT.
|
|
|
|
## The secret key used to sign and verify the JWT.
|
|
|
|
jwt_secret: '{{ identity_validation__jwt_secret }}'
|
|
|
|
jwt_secret: "{{ identity_validation__jwt_secret }}"
|
|
|
|
|
|
|
|
|
|
|
|
## Elevated Session flows. Adjusts the flow which require elevated sessions for example managing credentials, adding,
|
|
|
|
## Elevated Session flows. Adjusts the flow which require elevated sessions for example managing credentials, adding,
|
|
|
|
## removing, etc.
|
|
|
|
## removing, etc.
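Review bot: `jwt_secret: "{{ identity_validation__jwt_secret }}"` switches a templated secret to a YAML double-quoted scalar, and double quotes process backslash escapes, so a rendered secret containing `\` or `"` will be silently altered or break parsing, whereas the previous single quotes only had `'` as a special character. Assuming this file is rendered by Ansible's template module, the robust form is `jwt_secret: {{ identity_validation__jwt_secret | to_json }}`, which emits a correctly escaped quoted scalar for any value. Alternatively, the file's own comments elsewhere point to Authelia's secrets mechanism (https://www.authelia.com/c/secrets), which keeps the value out of the rendered config entirely.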
|
|
|
@@ -357,26 +355,26 @@ identity_validation:
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## This is used to validate the servers time is accurate enough to validate TOTP.
|
|
|
|
## This is used to validate the servers time is accurate enough to validate TOTP.
|
|
|
|
# ntp:
|
|
|
|
# ntp:
|
|
|
|
## The address of the NTP server to connect to in the address common syntax.
|
|
|
|
## The address of the NTP server to connect to in the address common syntax.
|
|
|
|
## Format: [<scheme>://]<hostname>[:<port>].
|
|
|
|
## Format: [<scheme>://]<hostname>[:<port>].
|
|
|
|
## Square brackets indicate optional portions of the format. Scheme must be 'udp', 'udp4', or 'udp6'.
|
|
|
|
## Square brackets indicate optional portions of the format. Scheme must be 'udp', 'udp4', or 'udp6'.
|
|
|
|
## The default scheme is 'udp'. The default port is '123'.
|
|
|
|
## The default scheme is 'udp'. The default port is '123'.
|
|
|
|
# address: 'udp://time.cloudflare.com:123'
|
|
|
|
# address: 'udp://time.cloudflare.com:123'
|
|
|
|
|
|
|
|
|
|
|
|
## NTP version.
|
|
|
|
## NTP version.
|
|
|
|
# version: 4
|
|
|
|
# version: 4
|
|
|
|
|
|
|
|
|
|
|
|
## Maximum allowed time offset between the host and the NTP server in the duration common syntax.
|
|
|
|
## Maximum allowed time offset between the host and the NTP server in the duration common syntax.
|
|
|
|
# max_desync: '3 seconds'
|
|
|
|
# max_desync: '3 seconds'
|
|
|
|
|
|
|
|
|
|
|
|
## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
|
|
|
|
## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
|
|
|
|
## set this to true, and can operate in a truly offline mode.
|
|
|
|
## set this to true, and can operate in a truly offline mode.
|
|
|
|
# disable_startup_check: false
|
|
|
|
# disable_startup_check: false
|
|
|
|
|
|
|
|
|
|
|
|
## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
|
|
|
|
## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
|
|
|
|
## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup
|
|
|
|
## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup
|
|
|
|
## will continue regardless of results.
|
|
|
|
## will continue regardless of results.
|
|
|
|
# disable_failure: false
|
|
|
|
# disable_failure: false
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## Definitions
|
|
|
|
## Definitions
|
|
|
@@ -384,22 +382,22 @@ identity_validation:
|
|
|
|
## The definitions are used in other areas as reference points to reduce duplication.
|
|
|
|
## The definitions are used in other areas as reference points to reduce duplication.
|
|
|
|
##
|
|
|
|
##
|
|
|
|
# definitions:
|
|
|
|
# definitions:
|
|
|
|
## The user attribute definitions.
|
|
|
|
## The user attribute definitions.
|
|
|
|
# user_attributes:
|
|
|
|
# user_attributes:
|
|
|
|
## The name of the definition.
|
|
|
|
## The name of the definition.
|
|
|
|
# definition_name:
|
|
|
|
# definition_name:
|
|
|
|
## The common expression language expression for this definition.
|
|
|
|
## The common expression language expression for this definition.
|
|
|
|
# expression: ''
|
|
|
|
# expression: ''
|
|
|
|
|
|
|
|
|
|
|
|
## The network definitions.
|
|
|
|
## The network definitions.
|
|
|
|
# network:
|
|
|
|
# network:
|
|
|
|
## The name of the definition followed by the list of CIDR network addresses in this definition.
|
|
|
|
## The name of the definition followed by the list of CIDR network addresses in this definition.
|
|
|
|
# internal:
|
|
|
|
# internal:
|
|
|
|
# - '10.10.0.0/16'
|
|
|
|
# - '10.10.0.0/16'
|
|
|
|
# - '172.16.0.0/12'
|
|
|
|
# - '172.16.0.0/12'
|
|
|
|
# - '192.168.2.0/24'
|
|
|
|
# - '192.168.2.0/24'
|
|
|
|
# VPN:
|
|
|
|
# VPN:
|
|
|
|
# - '10.9.0.0/16'
|
|
|
|
# - '10.9.0.0/16'
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## Authentication Backend Provider Configuration
|
|
|
|
## Authentication Backend Provider Configuration
|
|
|
@@ -408,7 +406,6 @@ identity_validation:
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## The available providers are: `file`, `ldap`. You must use only one of these providers.
|
|
|
|
## The available providers are: `file`, `ldap`. You must use only one of these providers.
|
|
|
|
authentication_backend:
|
|
|
|
authentication_backend:
|
|
|
|
|
|
|
|
|
|
|
|
## Password Change Options.
|
|
|
|
## Password Change Options.
|
|
|
|
password_change:
|
|
|
|
password_change:
|
|
|
|
## Disable both the HTML element and the API for password change functionality.
|
|
|
|
## Disable both the HTML element and the API for password change functionality.
|
|
|
@@ -606,7 +603,7 @@ authentication_backend:
|
|
|
|
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
|
|
|
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
|
|
|
##
|
|
|
|
##
|
|
|
|
file:
|
|
|
|
file:
|
|
|
|
path: '/config/users.yml'
|
|
|
|
path: "/config/users.yml"
|
|
|
|
# watch: false
|
|
|
|
# watch: false
|
|
|
|
# search:
|
|
|
|
# search:
|
|
|
|
# email: false
|
|
|
|
# email: false
|
|
|
@@ -643,34 +640,34 @@ authentication_backend:
|
|
|
|
##
|
|
|
|
##
|
|
|
|
# password_policy:
|
|
|
|
# password_policy:
|
|
|
|
|
|
|
|
|
|
|
|
## The standard policy allows you to tune individual settings manually.
|
|
|
|
## The standard policy allows you to tune individual settings manually.
|
|
|
|
# standard:
|
|
|
|
# standard:
|
|
|
|
# enabled: false
|
|
|
|
# enabled: false
|
|
|
|
|
|
|
|
|
|
|
|
## Require a minimum length for passwords.
|
|
|
|
## Require a minimum length for passwords.
|
|
|
|
# min_length: 8
|
|
|
|
# min_length: 8
|
|
|
|
|
|
|
|
|
|
|
|
## Require a maximum length for passwords.
|
|
|
|
## Require a maximum length for passwords.
|
|
|
|
# max_length: 0
|
|
|
|
# max_length: 0
|
|
|
|
|
|
|
|
|
|
|
|
## Require uppercase characters.
|
|
|
|
## Require uppercase characters.
|
|
|
|
# require_uppercase: true
|
|
|
|
# require_uppercase: true
|
|
|
|
|
|
|
|
|
|
|
|
## Require lowercase characters.
|
|
|
|
## Require lowercase characters.
|
|
|
|
# require_lowercase: true
|
|
|
|
# require_lowercase: true
|
|
|
|
|
|
|
|
|
|
|
|
## Require numeric characters.
|
|
|
|
## Require numeric characters.
|
|
|
|
# require_number: true
|
|
|
|
# require_number: true
|
|
|
|
|
|
|
|
|
|
|
|
## Require special characters.
|
|
|
|
## Require special characters.
|
|
|
|
# require_special: true
|
|
|
|
# require_special: true
|
|
|
|
|
|
|
|
|
|
|
|
## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
|
|
|
|
## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
|
|
|
|
# zxcvbn:
|
|
|
|
# zxcvbn:
|
|
|
|
# enabled: false
|
|
|
|
# enabled: false
|
|
|
|
|
|
|
|
|
|
|
|
## Configures the minimum score allowed.
|
|
|
|
## Configures the minimum score allowed.
|
|
|
|
# min_score: 3
|
|
|
|
# min_score: 3
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## Privacy Policy Configuration
|
|
|
|
## Privacy Policy Configuration
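Review bot: The whole `password_policy` block remains commented out on the new side, so neither the `standard` rules nor `zxcvbn` scoring is enforced and any password accepted by the file backend is stored as-is. Whether users can actually set passwords depends on the `password_change` and `reset_password` settings, which start outside this hunk, but the `password_change:` key is present earlier in the file so self-service changes appear to be in scope. I would enable at least the tunable-free option, `password_policy: { zxcvbn: { enabled: true, min_score: 3 } }`, which matches the values the commented defaults already suggest.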
|
|
|
@@ -678,16 +675,16 @@ authentication_backend:
|
|
|
|
## Parameters used for displaying the privacy policy link and drawer.
|
|
|
|
## Parameters used for displaying the privacy policy link and drawer.
|
|
|
|
# privacy_policy:
|
|
|
|
# privacy_policy:
|
|
|
|
|
|
|
|
|
|
|
|
## Enables the display of the privacy policy using the policy_url.
|
|
|
|
## Enables the display of the privacy policy using the policy_url.
|
|
|
|
# enabled: false
|
|
|
|
# enabled: false
|
|
|
|
|
|
|
|
|
|
|
|
## Enables the display of the privacy policy drawer which requires users accept the privacy policy
|
|
|
|
## Enables the display of the privacy policy drawer which requires users accept the privacy policy
|
|
|
|
## on a per-browser basis.
|
|
|
|
## on a per-browser basis.
|
|
|
|
# require_user_acceptance: false
|
|
|
|
# require_user_acceptance: false
|
|
|
|
|
|
|
|
|
|
|
|
## The URL of the privacy policy document. Must be an absolute URL and must have the 'https://' scheme.
|
|
|
|
## The URL of the privacy policy document. Must be an absolute URL and must have the 'https://' scheme.
|
|
|
|
## If the privacy policy enabled option is true, this MUST be provided.
|
|
|
|
## If the privacy policy enabled option is true, this MUST be provided.
|
|
|
|
# policy_url: ''
|
|
|
|
# policy_url: ''
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## Access Control Configuration
|
|
|
|
## Access Control Configuration
|
|
|
@@ -719,33 +716,33 @@ authentication_backend:
|
|
|
|
access_control:
|
|
|
|
access_control:
|
|
|
|
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
|
|
|
|
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
|
|
|
|
## resource if there is no policy to be applied to the user.
|
|
|
|
## resource if there is no policy to be applied to the user.
|
|
|
|
default_policy: 'deny'
|
|
|
|
default_policy: "deny"
|
|
|
|
|
|
|
|
|
|
|
|
rules:
|
|
|
|
rules:
|
|
|
|
## Rules applied to everyone
|
|
|
|
## Rules applied to everyone
|
|
|
|
- domain: 'status.vakhrushev.me'
|
|
|
|
- domain: "status.vakhrushev.me"
|
|
|
|
subject: 'group:admins'
|
|
|
|
subject: "group:admins"
|
|
|
|
policy: 'two_factor'
|
|
|
|
policy: "two_factor"
|
|
|
|
|
|
|
|
|
|
|
|
- domain: 'dozzle.vakhrushev.me'
|
|
|
|
- domain: "dozzle.vakhrushev.me"
|
|
|
|
subject: 'group:admins'
|
|
|
|
subject: "group:admins"
|
|
|
|
policy: 'two_factor'
|
|
|
|
policy: "two_factor"
|
|
|
|
|
|
|
|
|
|
|
|
- domain: 'goaccess.vakhrushev.me'
|
|
|
|
- domain: "goaccess.vakhrushev.me"
|
|
|
|
subject: 'group:admins'
|
|
|
|
subject: "group:admins"
|
|
|
|
policy: 'two_factor'
|
|
|
|
policy: "two_factor"
|
|
|
|
|
|
|
|
|
|
|
|
- domain: 'wanderbase.vakhrushev.me'
|
|
|
|
- domain: "wanderbase.vakhrushev.me"
|
|
|
|
subject: 'group:admins'
|
|
|
|
subject: "group:admins"
|
|
|
|
policy: 'two_factor'
|
|
|
|
policy: "two_factor"
|
|
|
|
|
|
|
|
|
|
|
|
- domain: 'remembos.vakhrushev.me'
|
|
|
|
- domain: "remembos.vakhrushev.me"
|
|
|
|
subject: 'group:admins'
|
|
|
|
subject: "group:admins"
|
|
|
|
policy: 'two_factor'
|
|
|
|
policy: "two_factor"
|
|
|
|
|
|
|
|
|
|
|
|
- domain: 'rssbridge.vakhrushev.me'
|
|
|
|
- domain: "rssbridge.vakhrushev.me"
|
|
|
|
subject: 'group:admins'
|
|
|
|
subject: "group:admins"
|
|
|
|
policy: 'one_factor'
|
|
|
|
policy: "one_factor"
|
|
|
|
|
|
|
|
|
|
|
|
## Domain Regex examples. Generally we recommend just using a standard domain.
|
|
|
|
## Domain Regex examples. Generally we recommend just using a standard domain.
|
|
|
|
# - domain_regex: '^(?P<User>\w+)\.example\.com$'
|
|
|
|
# - domain_regex: '^(?P<User>\w+)\.example\.com$'
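Review bot: The comment `## Rules applied to everyone` is inaccurate for the rules beneath it, since every rule carries `subject: "group:admins"` and anyone outside that group falls through to `default_policy: "deny"`; the comment should read `## Admin-only services; all other subjects fall through to default_policy (deny).` The `rssbridge.vakhrushev.me` rule is also the only one at `one_factor` while the other five require `two_factor`, and nothing in the hunk records why that service is treated as lower risk. A one-line comment above that rule stating the rationale would stop a future edit from "fixing" it in either direction.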
|
|
|
@@ -826,18 +823,17 @@ access_control:
|
|
|
|
session:
|
|
|
|
session:
|
|
|
|
## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
|
|
|
|
## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
|
|
|
|
## Secret can also be set using a secret: https://www.authelia.com/c/secrets
|
|
|
|
## Secret can also be set using a secret: https://www.authelia.com/c/secrets
|
|
|
|
secret: '{{ session__secret }}'
|
|
|
|
secret: "{{ session__secret }}"
|
|
|
|
|
|
|
|
|
|
|
|
## Cookies configures the list of allowed cookie domains for sessions to be created on.
|
|
|
|
## Cookies configures the list of allowed cookie domains for sessions to be created on.
|
|
|
|
## Undefined values will default to the values below.
|
|
|
|
## Undefined values will default to the values below.
|
|
|
|
cookies:
|
|
|
|
cookies:
|
|
|
|
-
|
|
|
|
- ## The name of the session cookie.
|
|
|
|
## The name of the session cookie.
|
|
|
|
name: "authelia_session"
|
|
|
|
name: 'authelia_session'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## The domain to protect.
|
|
|
|
## The domain to protect.
|
|
|
|
## Note: the Authelia portal must also be in that domain.
|
|
|
|
## Note: the Authelia portal must also be in that domain.
|
|
|
|
domain: 'vakhrushev.me'
|
|
|
|
domain: "vakhrushev.me"
|
|
|
|
|
|
|
|
|
|
|
|
## Required. The fully qualified URI of the portal to redirect users to on proxies that support redirections.
|
|
|
|
## Required. The fully qualified URI of the portal to redirect users to on proxies that support redirections.
|
|
|
|
## Rules:
|
|
|
|
## Rules:
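Review bot: `name: 'authelia_session'` moves from double to single quotes while every other line in this commit moves the opposite way, so the file ends up with mixed quoting inside the same `cookies` entry; for consistency it should be `name: "authelia_session"` like `domain: "vakhrushev.me"` beside it. The `secret: "{{ session__secret }}"` line has the same caveat as the other templated secrets in this commit: YAML double quotes interpret backslash escapes, so a rendered value containing `\` or `"` is altered or fails to parse, which `{{ session__secret | to_json }}` avoids if Ansible renders this file. The comment above the secret already links the secrets mechanism that would keep the value out of the config altogether.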
|
|
|
@@ -845,7 +841,7 @@ session:
|
|
|
|
## - The above 'domain' option MUST either:
|
|
|
|
## - The above 'domain' option MUST either:
|
|
|
|
## - Match the host portion of this URI.
|
|
|
|
## - Match the host portion of this URI.
|
|
|
|
## - Match the suffix of the host portion when prefixed with '.'.
|
|
|
|
## - Match the suffix of the host portion when prefixed with '.'.
|
|
|
|
authelia_url: 'https://auth.vakhrushev.me'
|
|
|
|
authelia_url: "https://auth.vakhrushev.me"
|
|
|
|
|
|
|
|
|
|
|
|
## Optional. The fully qualified URI used as the redirection location if the portal is accessed directly. Not
|
|
|
|
## Optional. The fully qualified URI used as the redirection location if the portal is accessed directly. Not
|
|
|
|
## configuring this option disables the automatic redirection behaviour.
|
|
|
|
## configuring this option disables the automatic redirection behaviour.
|
|
|
@@ -904,7 +900,7 @@ session:
|
|
|
|
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
|
|
|
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
|
|
|
##
|
|
|
|
##
|
|
|
|
redis:
|
|
|
|
redis:
|
|
|
|
host: 'authelia_redis'
|
|
|
|
host: "authelia_redis"
|
|
|
|
port: 6379
|
|
|
|
port: 6379
|
|
|
|
## Use a unix socket instead
|
|
|
|
## Use a unix socket instead
|
|
|
|
# host: '/var/run/redis/redis.sock'
|
|
|
|
# host: '/var/run/redis/redis.sock'
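Review bot: `host: "authelia_redis"` and `port: 6379` configure the session store over plain TCP with no `password` or `tls` key visible in this hunk, so session data for every protected site rides on whatever isolation the container network provides. The `redis` block continues past the end of the hunk, so those keys may well be set further down; if they are not, a Redis `password` supplied through the secrets mechanism is the minimum, and `tls` if Redis is reached across hosts. The `secret` configured earlier in the `session` block encrypts the stored payload, which limits but does not remove the exposure of an unauthenticated store.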
|
|
|
@@ -1000,19 +996,19 @@ session:
|
|
|
|
## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made
|
|
|
|
## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made
|
|
|
|
## in a short period of time.
|
|
|
|
## in a short period of time.
|
|
|
|
# regulation:
|
|
|
|
# regulation:
|
|
|
|
## Regulation Mode.
|
|
|
|
## Regulation Mode.
|
|
|
|
# modes:
|
|
|
|
# modes:
|
|
|
|
# - 'user'
|
|
|
|
# - 'user'
|
|
|
|
|
|
|
|
|
|
|
|
## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
|
|
|
|
## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
|
|
|
|
# max_retries: 3
|
|
|
|
# max_retries: 3
|
|
|
|
|
|
|
|
|
|
|
|
## The time range during which the user can attempt login before being banned in the duration common syntax. The user
|
|
|
|
## The time range during which the user can attempt login before being banned in the duration common syntax. The user
|
|
|
|
## is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
|
|
|
|
## is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
|
|
|
|
# find_time: '2 minutes'
|
|
|
|
# find_time: '2 minutes'
|
|
|
|
|
|
|
|
|
|
|
|
## The length of time before a banned user can login again in the duration common syntax.
|
|
|
|
## The length of time before a banned user can login again in the duration common syntax.
|
|
|
|
# ban_time: '5 minutes'
|
|
|
|
# ban_time: '5 minutes'
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## Storage Provider Configuration
|
|
|
|
## Storage Provider Configuration
|
|
|
@@ -1022,7 +1018,7 @@ storage:
|
|
|
|
## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
|
|
|
|
## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
|
|
|
|
## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use
|
|
|
|
## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use
|
|
|
|
## the CLI to change this in the database if you want to change it from a previously configured value.
|
|
|
|
## the CLI to change this in the database if you want to change it from a previously configured value.
|
|
|
|
encryption_key: '{{ storage__encryption_key }}'
|
|
|
|
encryption_key: "{{ storage__encryption_key }}"
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## Local (Storage Provider)
|
|
|
|
## Local (Storage Provider)
|
|
|
@@ -1034,7 +1030,7 @@ storage:
|
|
|
|
##
|
|
|
|
##
|
|
|
|
local:
|
|
|
|
local:
|
|
|
|
## Path to the SQLite3 Database.
|
|
|
|
## Path to the SQLite3 Database.
|
|
|
|
path: '/data/authelia_storage.sqlite3'
|
|
|
|
path: "/data/authelia_storage.sqlite3"
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## MySQL / MariaDB (Storage Provider)
|
|
|
|
## MySQL / MariaDB (Storage Provider)
|
|
|
@@ -1212,22 +1208,22 @@ notifier:
|
|
|
|
## (configure in tls section)
|
|
|
|
## (configure in tls section)
|
|
|
|
smtp:
|
|
|
|
smtp:
|
|
|
|
## The address of the SMTP server to connect to in the address common syntax.
|
|
|
|
## The address of the SMTP server to connect to in the address common syntax.
|
|
|
|
address: 'smtp://{{ postbox_host }}:{{ postbox_port }}'
|
|
|
|
address: "smtp://{{ postbox_host }}:{{ postbox_port }}"
|
|
|
|
|
|
|
|
|
|
|
|
## The connection timeout in the duration common syntax.
|
|
|
|
## The connection timeout in the duration common syntax.
|
|
|
|
# timeout: '5 seconds'
|
|
|
|
# timeout: '5 seconds'
|
|
|
|
|
|
|
|
|
|
|
|
## The username used for SMTP authentication.
|
|
|
|
## The username used for SMTP authentication.
|
|
|
|
username: '{{ postbox_user }}'
|
|
|
|
username: "{{ postbox_user }}"
|
|
|
|
|
|
|
|
|
|
|
|
## The password used for SMTP authentication.
|
|
|
|
## The password used for SMTP authentication.
|
|
|
|
## Can also be set using a secret: https://www.authelia.com/c/secrets
|
|
|
|
## Can also be set using a secret: https://www.authelia.com/c/secrets
|
|
|
|
password: '{{ postbox_pass }}'
|
|
|
|
password: "{{ postbox_pass }}"
|
|
|
|
|
|
|
|
|
|
|
|
## The sender is used to is used for the MAIL FROM command and the FROM header.
|
|
|
|
## The sender is used to is used for the MAIL FROM command and the FROM header.
|
|
|
|
## If this is not defined and the username is an email, we use the username as this value. This can either be just
|
|
|
|
## If this is not defined and the username is an email, we use the username as this value. This can either be just
|
|
|
|
## an email address or the RFC5322 'Name <email address>' format.
|
|
|
|
## an email address or the RFC5322 'Name <email address>' format.
|
|
|
|
sender: 'Authelia <authelia@vakhrushev.me>'
|
|
|
|
sender: "Authelia <authelia@vakhrushev.me>"
|
|
|
|
|
|
|
|
|
|
|
|
## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
|
|
|
|
## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
|
|
|
|
# identifier: 'localhost'
|
|
|
|
# identifier: 'localhost'
|
|
|
@@ -1237,7 +1233,7 @@ notifier:
|
|
|
|
|
|
|
|
|
|
|
|
## This address is used during the startup check to verify the email configuration is correct.
|
|
|
|
## This address is used during the startup check to verify the email configuration is correct.
|
|
|
|
## It's not important what it is except if your email server only allows local delivery.
|
|
|
|
## It's not important what it is except if your email server only allows local delivery.
|
|
|
|
startup_check_address: '{{ smtp__startup_check_address }}'
|
|
|
|
# startup_check_address: '{{ smtp__startup_check_address }}'
|
|
|
|
|
|
|
|
|
|
|
|
## By default we require some form of TLS. This disables this check though is not advised.
|
|
|
|
## By default we require some form of TLS. This disables this check though is not advised.
|
|
|
|
# disable_require_tls: false
|
|
|
|
# disable_require_tls: false
|
|
|
@@ -1285,7 +1281,6 @@ notifier:
|
|
|
|
## Identity Providers
|
|
|
|
## Identity Providers
|
|
|
|
##
|
|
|
|
##
|
|
|
|
identity_providers:
|
|
|
|
identity_providers:
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
##
|
|
|
|
## OpenID Connect (Identity Provider)
|
|
|
|
## OpenID Connect (Identity Provider)
|
|
|
|
##
|
|
|
|
##
|
|
|
@@ -1294,13 +1289,12 @@ identity_providers:
|
|
|
|
oidc:
|
|
|
|
oidc:
|
|
|
|
## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
|
|
|
|
## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
|
|
|
|
## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
|
|
|
|
## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
|
|
|
|
hmac_secret: '{{ oidc__hmac_secret }}'
|
|
|
|
hmac_secret: "{{ oidc__hmac_secret }}"
|
|
|
|
|
|
|
|
|
|
|
|
## The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's
|
|
|
|
## The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's
|
|
|
|
## configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key.
|
|
|
|
## configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key.
|
|
|
|
jwks:
|
|
|
|
jwks:
|
|
|
|
-
|
|
|
|
- ## Key ID embedded into the JWT header for key matching.
|
|
|
|
## Key ID embedded into the JWT header for key matching.
|
|
|
|
|
|
|
|
## Must be an alphanumeric string with 7 or less characters.
|
|
|
|
## Must be an alphanumeric string with 7 or less characters.
|
|
|
|
## This value is automatically generated if not provided. It's recommended to not configure this.
|
|
|
|
## This value is automatically generated if not provided. It's recommended to not configure this.
|
|
|
|
# key_id: 'example'
|
|
|
|
# key_id: 'example'
|
|
|
@@ -1352,8 +1346,8 @@ identity_providers:
|
|
|
|
authorization_policies:
|
|
|
|
authorization_policies:
|
|
|
|
outline_policy:
|
|
|
|
outline_policy:
|
|
|
|
rules:
|
|
|
|
rules:
|
|
|
|
- policy: 'one_factor'
|
|
|
|
- policy: "one_factor"
|
|
|
|
subject: 'group:outline'
|
|
|
|
subject: "group:outline"
|
|
|
|
|
|
|
|
|
|
|
|
## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this
|
|
|
|
## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this
|
|
|
|
## syntax the lifespans can be customized per-client.
|
|
|
|
## syntax the lifespans can be customized per-client.
|
|
|
@@ -1390,53 +1384,49 @@ identity_providers:
|
|
|
|
## It's recommended you read the documentation before configuration of a registered client.
|
|
|
|
## It's recommended you read the documentation before configuration of a registered client.
|
|
|
|
## See: https://www.authelia.com/c/oidc/registered-clients
|
|
|
|
## See: https://www.authelia.com/c/oidc/registered-clients
|
|
|
|
clients:
|
|
|
|
clients:
|
|
|
|
-
|
|
|
|
- client_name: "Miniflux"
|
|
|
|
client_name: 'Miniflux'
|
|
|
|
client_id: "{{ oidc__miniflux__client_id }}"
|
|
|
|
client_id: '{{ oidc__miniflux__client_id }}'
|
|
|
|
client_secret: "{{ oidc__miniflux__client_secret }}"
|
|
|
|
client_secret: '{{ oidc__miniflux__client_secret }}'
|
|
|
|
|
|
|
|
redirect_uris:
|
|
|
|
redirect_uris:
|
|
|
|
- 'https://miniflux.vakhrushev.me/oauth2/oidc/callback'
|
|
|
|
- "https://miniflux.vakhrushev.me/oauth2/oidc/callback"
|
|
|
|
scopes:
|
|
|
|
scopes:
|
|
|
|
- 'openid'
|
|
|
|
- "openid"
|
|
|
|
- 'profile'
|
|
|
|
- "profile"
|
|
|
|
- 'email'
|
|
|
|
- "email"
|
|
|
|
response_types:
|
|
|
|
response_types:
|
|
|
|
- 'code'
|
|
|
|
- "code"
|
|
|
|
grant_types:
|
|
|
|
grant_types:
|
|
|
|
- 'authorization_code'
|
|
|
|
- "authorization_code"
|
|
|
|
access_token_signed_response_alg: 'none'
|
|
|
|
access_token_signed_response_alg: "none"
|
|
|
|
userinfo_signed_response_alg: 'none'
|
|
|
|
userinfo_signed_response_alg: "none"
|
|
|
|
token_endpoint_auth_method: 'client_secret_basic'
|
|
|
|
token_endpoint_auth_method: "client_secret_basic"
|
|
|
|
|
|
|
|
|
|
|
|
-
|
|
|
|
- client_name: "Wakapi"
|
|
|
|
client_name: 'Wakapi'
|
|
|
|
client_id: "{{ oidc__wakapi__client_id }}"
|
|
|
|
client_id: '{{ oidc__wakapi__client_id }}'
|
|
|
|
client_secret: "{{ oidc__wakapi__client_secret }}"
|
|
|
|
client_secret: '{{ oidc__wakapi__client_secret }}'
|
|
|
|
|
|
|
|
redirect_uris:
|
|
|
|
redirect_uris:
|
|
|
|
- 'https://wakapi.vakhrushev.me/oidc/authelia/callback'
|
|
|
|
- "https://wakapi.vakhrushev.me/oidc/authelia/callback"
|
|
|
|
scopes:
|
|
|
|
scopes:
|
|
|
|
- 'openid'
|
|
|
|
- "openid"
|
|
|
|
- 'profile'
|
|
|
|
- "profile"
|
|
|
|
- 'email'
|
|
|
|
- "email"
|
|
|
|
# response_types:
|
|
|
|
# response_types:
|
|
|
|
# - 'code'
|
|
|
|
# - 'code'
|
|
|
|
# grant_types:
|
|
|
|
# grant_types:
|
|
|
|
# - 'authorization_code'
|
|
|
|
# - 'authorization_code'
|
|
|
|
# access_token_signed_response_alg: 'none'
|
|
|
|
# access_token_signed_response_alg: 'none'
|
|
|
|
# userinfo_signed_response_alg: 'none'
|
|
|
|
# userinfo_signed_response_alg: 'none'
|
|
|
|
# token_endpoint_auth_method: 'client_secret_basic'
|
|
|
|
# token_endpoint_auth_method: 'client_secret_basic'
|
|
|
|
|
|
|
|
- ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
|
|
|
|
-
|
|
|
|
client_name: "Outline"
|
|
|
|
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
|
|
|
|
|
|
|
|
client_name: 'Outline'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
|
|
|
|
## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
|
|
|
|
## configuration.
|
|
|
|
## configuration.
|
|
|
|
client_id: '{{ oidc__outline__client_id }}'
|
|
|
|
client_id: "{{ oidc__outline__client_id }}"
|
|
|
|
|
|
|
|
|
|
|
|
## The client secret is a shared secret between Authelia and the consumer of this client.
|
|
|
|
## The client secret is a shared secret between Authelia and the consumer of this client.
|
|
|
|
# yamllint disable-line rule:line-length
|
|
|
|
# yamllint disable-line rule:line-length
|
|
|
|
client_secret: '{{ oidc__outline__client_secret }}'
|
|
|
|
client_secret: "{{ oidc__outline__client_secret }}"
|
|
|
|
|
|
|
|
|
|
|
|
## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
|
|
|
|
## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
|
|
|
|
## necessary. It is critical to read the documentation for more information.
|
|
|
|
## necessary. It is critical to read the documentation for more information.
|
|
|
@@ -1447,7 +1437,7 @@ identity_providers:
|
|
|
|
|
|
|
|
|
|
|
|
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
|
|
|
|
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
|
|
|
|
redirect_uris:
|
|
|
|
redirect_uris:
|
|
|
|
- 'https://outline.vakhrushev.me/auth/oidc.callback'
|
|
|
|
- "https://outline.vakhrushev.me/auth/oidc.callback"
|
|
|
|
|
|
|
|
|
|
|
|
## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as
|
|
|
|
## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as
|
|
|
|
## URIs to fetch Request Objects.
|
|
|
|
## URIs to fetch Request Objects.
|
|
|
@@ -1459,9 +1449,9 @@ identity_providers:
|
|
|
|
|
|
|
|
|
|
|
|
## Scopes this client is allowed to request.
|
|
|
|
## Scopes this client is allowed to request.
|
|
|
|
scopes:
|
|
|
|
scopes:
|
|
|
|
- 'openid'
|
|
|
|
- "openid"
|
|
|
|
- 'profile'
|
|
|
|
- "profile"
|
|
|
|
- 'email'
|
|
|
|
- "email"
|
|
|
|
|
|
|
|
|
|
|
|
## Grant Types configures which grants this client can obtain.
|
|
|
|
## Grant Types configures which grants this client can obtain.
|
|
|
|
## It's not recommended to define this unless you know what you're doing.
|
|
|
|
## It's not recommended to define this unless you know what you're doing.
|
|
|
@@ -1480,7 +1470,7 @@ identity_providers:
|
|
|
|
|
|
|
|
|
|
|
|
## The policy to require for this client; one_factor or two_factor. Can also be the key names for the
|
|
|
|
## The policy to require for this client; one_factor or two_factor. Can also be the key names for the
|
|
|
|
## authorization policies section.
|
|
|
|
## authorization policies section.
|
|
|
|
authorization_policy: 'outline_policy'
|
|
|
|
authorization_policy: "outline_policy"
|
|
|
|
|
|
|
|
|
|
|
|
## The custom lifespan name to use for this client. This must be configured independent of the client before
|
|
|
|
## The custom lifespan name to use for this client. This must be configured independent of the client before
|
|
|
|
## utilization. Custom lifespans are reusable similar to authorization policies.
|
|
|
|
## utilization. Custom lifespans are reusable similar to authorization policies.
|
|
|
@@ -1581,7 +1571,7 @@ identity_providers:
|
|
|
|
## The signing algorithm used for signing the User Info Request responses.
|
|
|
|
## The signing algorithm used for signing the User Info Request responses.
|
|
|
|
## Please read the documentation before adjusting this option.
|
|
|
|
## Please read the documentation before adjusting this option.
|
|
|
|
## See: https://www.authelia.com/c/oidc/registered-clients#userinfo_signed_response_alg
|
|
|
|
## See: https://www.authelia.com/c/oidc/registered-clients#userinfo_signed_response_alg
|
|
|
|
userinfo_signed_response_alg: 'none'
|
|
|
|
userinfo_signed_response_alg: "none"
|
|
|
|
|
|
|
|
|
|
|
|
## The signing key id used for signing the User Info Request responses.
|
|
|
|
## The signing key id used for signing the User Info Request responses.
|
|
|
|
## Please read the documentation before adjusting this option.
|
|
|
|
## Please read the documentation before adjusting this option.
|
|
|
@@ -1645,7 +1635,7 @@ identity_providers:
|
|
|
|
## The permitted client authentication method for the Token Endpoint for this client.
|
|
|
|
## The permitted client authentication method for the Token Endpoint for this client.
|
|
|
|
## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
|
|
|
|
## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
|
|
|
|
## defaults to 'none' per the specifications.
|
|
|
|
## defaults to 'none' per the specifications.
|
|
|
|
token_endpoint_auth_method: 'client_secret_post'
|
|
|
|
token_endpoint_auth_method: "client_secret_post"
|
|
|
|
|
|
|
|
|
|
|
|
## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
|
|
|
|
## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
|
|
|
|
## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method.
|
|
|
|
## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method.
|
|
|
|