# OpenID Connect 1.0 # What is OIDC? ## [ ![Authelia.png](https://wiki.aeoneros.com/uploads/images/gallery/2025-01/scaled-1680-/zI77hnYjCvFDCQ3H-authelia.png) ](https://www.authelia.com/ "https://www.authelia.com/") [ ![GitHub-logo.png](https://wiki.aeoneros.com/uploads/images/gallery/2025-01/scaled-1680-/814rhr5FohzOPEav-github-logo.png) ](https://github.com/authelia/authelia "https://github.com/authelia/authelia") [ ![logo (1).png](https://wiki.aeoneros.com/uploads/images/gallery/2024-09/scaled-1680-/3zh7ZTM0tufMvk6C-logo-1.png) ](https://hub.docker.com/r/authelia/authelia "https://hub.docker.com/r/authelia/authelia") ## ## ## ## Overview

This page shows **one** example use case of [OpenID Connect (OIDC)](https://openid.net/connect/), using Traefik as a reverse proxy, [Authelia](https://www.authelia.com/) as an identity provider (OIDC Provider), and Linkwarden (the “Relying Party”). Please note that OIDC supports **many** different use cases and flow types—this walkthrough is just to demonstrate **one** approach.

--- [![How_OIDC_works.webp](https://wiki.aeoneros.com/uploads/images/gallery/2025-02/scaled-1680-/50tpl4yni8gVn6KC-how-oidc-works.webp)](https://wiki.aeoneros.com/uploads/images/gallery/2025-02/50tpl4yni8gVn6KC-how-oidc-works.webp) ## Example OIDC Flow 1. **User goes to the Relying Party (Linkwarden).** The user attempts to access Linkwarden, which is behind Traefik. Because Linkwarden requires authentication, the user must log in. 2. **User chooses to log in with the OIDC Provider (Authelia).** When the user selects a “Login with Authelia” option, Linkwarden (through Traefik) redirects the user to Authelia. 3. **User gets redirected to the OIDC Provider (Authelia).** The browser is sent to Authelia’s login page. 4. **User logs in with the OIDC Provider (Authelia).** Authelia verifies the user’s credentials (for example, via LDAP, a local user database, or some other method). 5. **OIDC Provider (Authelia) generates an ID Token (JWT).** - This ID Token contains “claims” (such as username, groups, and email) based on the **scopes** defined in Authelia’s configuration. - Authelia signs the ID Token (it is a JWT) before sending it back to Linkwarden (the Relying Party). Here’s a simple table of possible scopes and example claim data:
**Scope****Claim**
**Profile**Name
**Groups**Groupa, Groupb, Groupc
**Email**test @gmail.com
6. **Relying Party (Linkwarden) reads the ID Token to grant access.** Linkwarden looks at the returned claims within the token (only what was allowed by the configured OIDC scopes) and decides whether to allow the user in. It then notifies the user’s browser that login was successful. 7. **User is logged in.** The user is now recognized as authenticated in Linkwarden. --- ## What Are OIDC Scopes? OIDC **scopes** determine what information the Relying Party can request (and potentially receive) about the user. Typical scopes include: - **openid** Required for OIDC; indicates that the client (Relying Party) intends to use OIDC to verify user identity. - **groups** Allows access to group membership claims (e.g., Groupa, Groupb). - **email** Gives the relying service access to the user’s email address (if available). - **profile** Allows for basic profile details, such as name or preferred username. For example, if Linkwarden requests the scopes: ``` - openid - groups - email - profile ``` it may receive your group memberships, email address, and display name in the returned ID Token. --- ## What Is a JWT? A **JWT** (JSON Web Token) is the format often used to transmit information securely between parties as a JSON object: - **hmac\_Secret** = A random secret known only to Authelia (or the OIDC Provider). - **JSON Web Token** = The data payload + a signature + a header. You can inspect or verify a JWT at [jwt.io](https://jwt.io/) to ensure nobody has modified the data. - **Important**: JWTs are **not** encrypted by default. They are **signed** to ensure the content hasn’t been tampered with, but anyone who has the token can read the data inside. If encryption is needed, an additional layer (e.g., HTTPS in transit or encrypted tokens at rest) must be used. --- ## Conclusion Using OIDC with Traefik, Authelia, and Linkwarden is just one practical illustration of OpenID Connect flows. Authelia serves as the OIDC Provider, creating JWT-based ID Tokens. Linkwarden (the Relying Party) receives these signed tokens, reads the claims (like email or group memberships), and grants access. You can tailor the scopes and claims for your setup, making this flow flexible and secure for various applications. # Setup OIDC Guide for Beginners ## [ ![Authelia.png](https://wiki.aeoneros.com/uploads/images/gallery/2025-01/scaled-1680-/zI77hnYjCvFDCQ3H-authelia.png) ](https://www.authelia.com/ "https://www.authelia.com/") [ ![GitHub-logo.png](https://wiki.aeoneros.com/uploads/images/gallery/2025-01/scaled-1680-/814rhr5FohzOPEav-github-logo.png) ](https://github.com/authelia/authelia "https://github.com/authelia/authelia") [ ![logo (1).png](https://wiki.aeoneros.com/uploads/images/gallery/2024-09/scaled-1680-/3zh7ZTM0tufMvk6C-logo-1.png) ](https://hub.docker.com/r/authelia/authelia "https://hub.docker.com/r/authelia/authelia") ## ## ## ## Overview Please take a look at how OIDC works here if you haven’t already: [What is OIDC?](https://wiki.aeoneros.com/books/authelia/page/what-is-oidc) This little Wiki Article will guide you through how to get OIDC running. In this example, we will set up OIDC with the service [Linkwarden](https://wiki.aeoneros.com/books/linkwarden). --- ## Requirements Make sure you have the following set up: - **Traefik** as a Reverse Proxy to get certificates and provide access to your Website/Subdomains: [Traefik Reverse Proxy](https://wiki.aeoneros.com/books/traefik-reverse-proxy-for-docker-swarm). - **Authelia** as a Middleware/Addon for Traefik, already configured with a “Whoamisecure” test to ensure your Authelia is working before adding OIDC: [Getting Started](https://wiki.aeoneros.com/books/authelia/chapter/getting-started). --- ## Step 1 Open your Authelia configuration file and edit it (in this example, we store it on a GlusterFS mount at `/mnt/glustermount/data/authelia_data/config/configuration.yml`): ```bash nano /mnt/glustermount/data/authelia_data/config/configuration.yml ``` --- ## Step 2 Scroll to the bottom of your config file and add the following code: ```yaml identity_providers: oidc: hmac_secret: 'this_is_a_secret_abc123abc123abc' jwks: - key_id: 'F2H5xqbYsa3AssEZTU' algorithm: 'RS256' use: 'sig' key: {{ secret "/secrets/rsa_2048_private.txt" | mindent 10 "|" | msquote }} lifespans: access_token: '1 hour' authorize_code: '1 minute' id_token: '1 hour' refresh_token: '90 minutes' enable_client_debug_messages: false ``` --- ## Step 3 By adding the `identity_providers` section, you enable OIDC in Authelia. All settings in that block belong to OIDC. Please note this is only the minimum required configuration for our setup. You can find more details here: [Authelia OIDC Introduction](https://www.authelia.com/integration/openid-connect/introduction/). ### HMAC\_Secret The **HMAC Secret** is a random string known only to Authelia. Do not make this public. **The HMAC secret** is used to sign the [JWT](https://datatracker.ietf.org/doc/html/rfc7519). This string is hashed to a SHA256 ([RFC6234](https://datatracker.ietf.org/doc/html/rfc6234)) byte string. It’s **strongly recommended** you use a [random alphanumeric string](https://www.authelia.com/reference/guides/generating-secure-values/#generating-a-random-alphanumeric-string) with 64 or more characters. Generate a key in Docker CLI: ```bash docker run --rm authelia/authelia:latest authelia crypto rand --length 64 --charset alphanumeric ``` For example: `"rzUPr41040tMvw4tg95Ud2HdcvdDMVZPQQPpHAist386QajGftF4IlFSw0yi2gtD"` Copy it to: `hmac_secret: 'this_is_a_secret_abc123abc123abc'` ### JWKs The list of issuer JSON Web Keys. At least one of these must be an RSA Private key configured with the RS256 algorithm. You can configure multiple keys or algorithms. The first key for each algorithm is the default if a client isn’t configured to use a specific `key_id`. Below is a contextual example: ```yaml identity_providers: oidc: jwks: - key_id: 'example' algorithm: 'RS256' use: 'sig' key: | -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- certificate_chain: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- ```

**RFC Internet Standard:** RFC (Request for Comments) documents define internet standards, protocols, and best practices. For example, *RFC7519* outlines how JSON Web Tokens should be structured and validated, ensuring a standard approach to token-based authentication.

#### KeyID This is completely optional unless there’s a collision between automatically generated key IDs. If provided, it must be a unique string with fewer than 100 characters, matching the regular expression `^[a-zA-Z0-9](([a-zA-Z0-9._~-]*)([a-zA-Z0-9]))?$`. The default if this value is omitted is the first 7 characters of the public key SHA256 thumbprint in hex, followed by a hyphen, then the lowercase algorithm value. ```bash docker run --rm authelia/authelia:latest authelia crypto rand --length 15 --charset alphanumeric ``` For example: `"F2H5xqbYsa3AssEZTU"` --- #### Use The key usage. Defaults to `sig`, which is currently the only available option. --- #### Algorithm The algorithm for this key. Typically optional, as it can be automatically detected based on the type of key. At least one `RS256` key must be provided. --- #### Key You can generate an RSA keypair using the **Authelia** Docker container: ```bash docker run --rm -u "$(id -u):$(id -g)" -v "$(pwd)":/keys authelia/authelia:latest authelia crypto pair rsa generate --directory /keys ``` Assuming your working directory is `/mnt/glustermount/data/authelia_data/`, you’ll end up with `private.pem` and `public.pem`. Then, place `private.pem` somewhere like: `/mnt/glustermount/data/authelia_data/secrets/rsa_2048_private.txt` Create folders if necessary: ```bash mkdir /mnt/glustermount/data/authelia_data/config/secrets ``` Open `private.pem`, copy the content: ``` -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- ``` And paste it into a new file: ```bash nano /mnt/glustermount/data/authelia_data/config/secrets/rsa_2048_private.txt ``` Save with CTRL+O and exit with CTRL+X.

If you use different Paths like mentioned in [Step 2](https://wiki.aeoneros.com/link/171#bkmrk-step-2), please adjust the Configs.

--- ## Step 4 Add Clients/Services to OIDC. Here is an example on how to add Linkwarden: [Setup OIDC for Linkwarden](https://wiki.aeoneros.com/books/authelia/page/setup-oidc-for-linkwarden). --- ## Conclusion With the above configuration, Authelia can function as an OIDC provider, signing JWT tokens for your clients or services (like Linkwarden). Make sure to correctly configure your OIDC clients with the same settings (client IDs, secrets, scopes) to ensure smooth authentication. Once you’ve confirmed it’s working with a test service, you can reuse these steps for additional applications that support OIDC. # Add OIDC-Integration for Linkwarden ## [ ![Authelia.png](https://wiki.aeoneros.com/uploads/images/gallery/2025-01/scaled-1680-/zI77hnYjCvFDCQ3H-authelia.png) ](https://wiki.aeoneros.com/uploads/images/gallery/2025-01/zI77hnYjCvFDCQ3H-authelia.png "https://www.authelia.com/") [ ![GitHub-logo.png](https://wiki.aeoneros.com/uploads/images/gallery/2025-01/scaled-1680-/814rhr5FohzOPEav-github-logo.png) ](https://wiki.aeoneros.com/uploads/images/gallery/2025-01/814rhr5FohzOPEav-github-logo.png "https://github.com/authelia/authelia") [ ![logo (1).png](https://wiki.aeoneros.com/uploads/images/gallery/2024-09/scaled-1680-/3zh7ZTM0tufMvk6C-logo-1.png) ](https://wiki.aeoneros.com/uploads/images/gallery/2024-09/3zh7ZTM0tufMvk6C-logo-1.png "https://hub.docker.com/r/authelia/authelia") ## ## ## ## Overview This page will show you how to add Linkwarden as a client (integration) for Authelia using OpenID Connect (OIDC). We’ll walk through configuring the `clients` section in Authelia’s `configuration.yml`, updating your access control rules, and finally setting up Linkwarden with the correct environment variables. --- ## Step 1: Authelia Configuration for the New Client In the OIDC setup guide, you’ve already configured the basic OIDC parameters (hmac\_secret, jwks, etc.). Now, we need to add the `clients` block to your OIDC configuration to allow Linkwarden to authenticate via Authelia. Open your Authelia configuration file: ```bash nano /mnt/glustermount/data/authelia_data/config/configuration.yml ``` Within the `identity_providers` > `oidc` section, add or edit the clients block as follows: ```yaml identity_providers: oidc: hmac_secret: 'this_is_a_secret_abc123abc123abc' jwks: - key_id: 'F2H5xqbYsa3AssEZTU' algorithm: 'RS256' use: 'sig' key: {{ secret "/secrets/rsa_2048_private.txt" | mindent 10 "|" | msquote }} lifespans: access_token: '1 hour' authorize_code: '1 minute' id_token: '1 hour' refresh_token: '90 minutes' enable_client_debug_messages: false clients: - client_id: 'linkwarden' client_name: 'Linkwarden' client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' #insecure_secret public: false authorization_policy: 'two_factor' redirect_uris: - 'https://linkwarden.YOURDOMAIN.com/api/v1/auth/callback/authelia' scopes: - 'openid' - 'groups' - 'email' - 'profile' userinfo_signed_response_alg: 'none' token_endpoint_auth_method: 'client_secret_basic' ``` ### Step 1.1: `client_id` This references the unique identifier for the client (RFC: [RFC3986, Section 2.3](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3)). In this example, it’s set to `linkwarden`. You could instead use a random string to avoid collisions or for security best practices. Tools like [it-tools token generator](https://it-tools.tech/token-generator) can be used to generate a random client ID. ### Step 1.2: `client_name` This is a human-readable name for your application. Here, we’re calling it `Linkwarden`. You can name it anything that will help you identify this application in the future. ### Step 1.3: `client_secret` This is the secret used by the client to authenticate to Authelia (RFC: [RFC3986, Section 2.3](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3)). In the example above, we’re using a hashed secret labeled `insecure_secret` for testing. You can generate a more secure secret by running: ```bash docker exec -it authelia authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 ``` When using Docker-Swarm Change the Containername by adding your Stackname infront or using the ContainerID: ``` docker exec -it traefik_authelia authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 docker exec -it 337adb14377e authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 ``` Example output: ``` Random Password: Xh.nVAMt3P5m~fUTBj4issbKc38Xx5E47nUN7YvTzSntJv0DK2_EKdURzZFYhhs4LE4oKf~c Digest: $pbkdf2-sha512$310000$fK3lAD7WgJ147IBgnUdC9g$F1QMc0kpTwVIUNldTaAGG8uD0EoQRxham7nN8HUXHVhNNUh2ubPu/wgo.YxXYC5ewNL.j3WPqnFLCB/mwfWSgA ``` You’d then place the `Digest` portion into the `client_secret` field in Authelia and use the corresponding “Random Password” value (or the “insecure\_secret” equivalent) in the Linkwarden environment variable. ### Step 1.4: `redirect_uris` and `authorization_policy` Make sure the redirect URI matches `https://linkwarden.YOURDOMAIN.com/api/v1/auth/callback/authelia` (or whichever endpoint Linkwarden expects). Adjust your `authorization_policy` (such as `one_factor` or `two_factor`) depending on your security needs. --- ## ## Step 2: Add Domain to Authelia Access Control Next, you’ll want to allow access for `linkwarden.YOURDOMAIN.com` in your Authelia rules. Typically, this is done in the `access_control` section: ```yaml access_control: default_policy: 'deny' rules: - domain: 'whoami-secure.YOURDOMAIN.com' policy: 'two_factor' - domain: 'links.YOURDOMAIN.com' policy: 'two_factor' ``` Replace `links.YOURDOMAIN.com` or add another rule for the domain or subdomain where Linkwarden resides (`linkwarden.YOURDOMAIN.com`). --- ## Step 3: Add OIDC Settings to Linkwarden If using a Docker Compose setup, you can add the following environment variables in your `docker-compose.yaml` (or the equivalent setup in Portainer): ```yaml services: linkwarden: image: ghcr.io/linkwarden/linkwarden:v2.9.3 environment: # SSO - Authelia - NEXT_PUBLIC_AUTHELIA_ENABLED=true - AUTHELIA_WELLKNOWN_URL=https://auth.YOURDOMAIN.com/.well-known/openid-configuration - AUTHELIA_CLIENT_ID=${AUTHELIA_CLIENT_ID} - AUTHELIA_CLIENT_SECRET=${AUTHELIA_CLIENT_SECRET} # SSO - Accounts - DISABLE_NEW_SSO_USERS=false ``` **Important:** Make sure `DISABLE_NEW_SSO_USERS` is set to `false` or new users will be blocked from logging in via SSO. ### Environment Variables Table
Environment VariableDefaultDescription
NEXT\_PUBLIC\_AUTHELIA\_ENABLED-If set to true, Authelia will be enabled and you'll need to define the variables below.
AUTHELIA\_WELLKNOWN\_URL-https://{{authelia.domain.com}}/.well-known/openid-configuration
AUTHELIA\_CLIENT\_ID-Client ID
AUTHELIA\_CLIENT\_SECRET-Client Secret. (Random Password from command below)
`AUTHELIA_WELLKNOWN_URL`: This is an OIDC discovery URL that describes what Authelia supports (endpoints, claims, etc.) `AUTHELIA_CLIENT_ID` (RFC [RFC3986, Section 2.3](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3)): Again, best practice is a random unique string. `AUTHELIA_CLIENT_SECRET` (RFC [RFC3986, Section 2.3](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3)): Generated secret value (either from the example above or your own generator). --- ## Step 4: Restart Linkwarden After updating the environment variables in your Docker Compose or Portainer configuration, restart Linkwarden to apply the changes: ```bash docker-compose up -d ``` Or the equivalent command depending on your environment. Once Linkwarden is back online, you can head to its login page and try logging in with Authelia. --- ## Step 5: Troubleshooting If something goes wrong: - Check your Authelia logs to ensure the client is configured correctly. - Verify your redirect URI in both Authelia’s `redirect_uris` and Linkwarden’s OIDC settings. - Make sure your `authorization_policy` is not blocking you (e.g., requiring two-factor when you haven’t set it up). - Confirm `DISABLE_NEW_SSO_USERS=false` if you want new accounts to be created in Linkwarden via SSO. --- ## Conclusion By adding Linkwarden as an OIDC client in Authelia and configuring the environment variables in Linkwarden, you can centralize authentication and enable secure, convenient login. Be sure to use secure secrets, update your access control lists carefully, and confirm everything is functioning by testing the login flow. Once everything is tested and stable, you’re ready to enjoy single sign-on with Authelia for Linkwarden.