Comment on Self-hosted SSO

keyez@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

Here's what I'm running:

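## Authelia configuration excerpt as posted. The author elided parts of it
## (marked below as comments), so this listing is not a complete config.
authentication_backend:
  file:
    path: '/config/users_database.yml'
    watch: false
    search:
      email: false
      case_insensitive: false
    password:
      ## Hash algorithm used when Authelia generates new hashes for this backend.
      algorithm: 'sha2crypt'

access_control:
  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
  ## resource if there is no policy to be applied to the user.
  default_policy: 'deny'

  ## Named networks that rules can reference.
  ## NOTE(review): no rule in this excerpt references either network, so they
  ## currently have no effect; they only matter once a rule carries `networks:`.
  networks:
    - name: 'internal'
      networks:
        # - '10.10.0.0/16'
        - '192.168.1.0/24'
    - name: 'VPN'
      ## Written as a list like the 'internal' entry above rather than a bare
      ## string, so both entries have the same shape.
      networks:
        - '10.0.1.0/24'

  rules:
    ## Rules applied to everyone
    ## NOTE(review): '*.mydomain.com' matches subdomains only; the apex
    ## 'mydomain.com' falls through to default_policy ('deny') — confirm that
    ## is intended. Every subdomain gets a single-factor policy here; anything
    ## that should need a second factor wants its own 'two_factor' rule above this one.
    - domain: '*.mydomain.com'
      policy: 'one_factor'

session:
  ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
  ## Secret can also be set using a secret: https://www.authelia.com/c/secrets
  ## NOTE(review): 'insecure_session_secret' reads as a placeholder. Replace it
  ## with a long random value, preferably supplied through the secrets
  ## mechanism linked above rather than inline in a file that gets shared.
  secret: 'insecure_session_secret'

  ## Cookies configures the list of allowed cookie domains for sessions to be created on.
  ## Undefined values will default to the values below.
  cookies:
    ## The name of the session cookie.
    - name: 'authelia_session'

      ## The domain to protect.
      ## Note: the Authelia portal must also be in that domain.
      domain: 'mydomain.com'

      ## Required. The fully qualified URI of the portal to redirect users to on proxies that support redirections.
      ## Rules:
      ##   - MUST use the secure scheme 'https://'
      ##   - The above 'domain' option MUST either:
      ##      - Match the host portion of this URI.
      ##      - Match the suffix of the host portion when prefixed with '.'.
      authelia_url: 'https://auth.mydomain.com/'

storage:
  postgres:
    # .... (postgres connection settings omitted by the author)

identity_providers:
  oidc:
    ## Cross-Origin Resource Sharing (CORS) settings.
    cors:
      ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
      endpoints:
        - 'authorization'
        - 'token'
        - 'revocation'
        - 'introspection'
        #  - 'pushed-authorization-request'
        #  - 'userinfo'

      ## List of allowed origins.
      ## Any origin with https is permitted unless this option is configured or the
      ## allowed_origins_from_client_redirect_uris option is enabled.
      ## NOTE(review): a browser Origin header is scheme://host[:port] with no
      ## trailing '/'; confirm Authelia normalises these before matching, or
      ## drop the trailing slashes.
      allowed_origins:
        - 'https://mydomain.com/'
        - 'https://grafana.mydomain.com/'
        - 'https://wiki.mydomain.com/'
        - 'https://foodz.mydomain.com/'

      ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
      ## provided they have the scheme http or https and do not have the hostname of localhost.
      allowed_origins_from_client_redirect_uris: true

    ## Clients is a list of known clients and their configuration.
    ## NOTE(review): client_secret values are masked in the post. Recent
    ## Authelia releases expect a password hash here rather than the plaintext
    ## secret for confidential (public: false) clients — confirm against the
    ## version in use.
    clients:
      - client_id: 'grafana'
        client_name: 'Grafana'
        client_secret: 'XXXXXX'
        public: false
        consent_mode: 'pre-configured'
        authorization_policy: 'one_factor'
        ## PKCE is enforced with the SHA-256 challenge method for this confidential client.
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://grafana.mydomain.com/login/generic_oauth'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
          - 'email'
        ## 'none' means the userinfo response is returned unsigned.
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
      - client_id: 'wiki'
        client_name: 'Wiki'
        client_secret: 'XXXX'
        consent_mode: 'pre-configured'
        public: false
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://wiki.mydomain.com/oidc/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
          - 'email'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
      # .... (further clients omitted by the author)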

Then my users_database.yml looks like:

## Authelia file-backend user database as posted (hash values masked by the author).
users:
  ## NOTE(review): an enabled account with an empty password hash. If this is
  ## not just masking for the post, confirm the backend rejects it at startup
  ## or login, or set disabled: true until a real hash is provided.
  authelia:
    disabled: false
    displayname: 'Test User'
    password: ''
    email: 'authelia@authelia.com'
    groups:
      - 'admins'
      - 'dev'
  user001:
    disabled: false
    displayname: 'User 001'
    ## Hash in the '$6$' (sha512-crypt style) format; the hash body is masked.
    password: '$6$rounds=50000$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    email: 'test@gmail.com'
    groups:
      - 'admins'
      - 'users'
