Setup OIDC Guide for Beginners
Copy the following into your configuration file:
identity_providers:
  oidc:
    hmac_secret: 'this_is_a_secret_abc123abc123abc'
    jwks:
      - key_id: 'example'
        algorithm: 'RS256'
        use: 'sig'
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          ...
          -----END RSA PRIVATE KEY-----
        certificate_chain: |
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
    enable_client_debug_messages: false
    minimum_parameter_entropy: 8
    enforce_pkce: 'public_clients_only'
    enable_pkce_plain_challenge: false
    enable_jwt_access_token_stateless_introspection: false
    discovery_signed_response_alg: 'none'
    discovery_signed_response_key_id: ''
    require_pushed_authorization_requests: false
    authorization_policies:
      policy_name:
        default_policy: 'two_factor'
        rules:
          - policy: 'deny'
            subject: 'group:services'
    lifespans:
      access_token: '1h'
      authorize_code: '1m'
      id_token: '1h'
      refresh_token: '90m'
    cors:
      endpoints:
        - 'authorization'
        - 'token'
        - 'revocation'
        - 'introspection'
      allowed_origins:
        - 'https://aeoneros.com'
      allowed_origins_from_client_redirect_uris: false
Adjust the following values:
HMAC:
The HMAC secret used to sign the JWTs. The provided string is hashed to a SHA256 (RFC6234) byte string for the purpose of meeting the required format.
It’s strongly recommended this is a random alphanumeric string with 64 or more characters.
Generate the key in the Docker CLI:
docker run --rm authelia/authelia:latest authelia crypto rand --length 64 --charset alphanumeric
For example: "rzUPr41040tMvw4tg95Ud2HdcvdDMVZPQQPpHAist386QajGftF4IlFSw0yi2gtD"
Copy it into the configuration in place of the placeholder value: hmac_secret: 'this_is_a_secret_abc123abc123abc'
JWKs:
The list of issuer JSON Web Keys. At least one of these must be an RSA Private key and be configured with the RS256 algorithm. Can also be used to configure many types of JSON Web Keys for the issuer such as the other RSA based JSON Web Key formats and ECDSA JSON Web Key formats.
The default key for each algorithm is decided based on the order of this list. The first key for each algorithm is considered the default if a client is not configured to use a specific key id. For example, if a client has id_token_signed_response_alg ES256 and id_token_signed_response_key_id is not specified, then the first ES256 key in this list is used.
The following is a contextual example (see below for information regarding each option):
identity_providers:
  oidc:
    jwks:
      - key_id: 'example'
        algorithm: 'RS256'
        use: 'sig'
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          ...
          -----END RSA PRIVATE KEY-----
        certificate_chain: |
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
KeyID:
Completely optional, and generally discouraged unless there is a collision between the automatically generated key ids. If provided, it must be a unique string with 100 or fewer characters, with a recommendation to use a length of less than 15. In addition, it must match the regular expression
^[a-zA-Z0-9](([a-zA-Z0-9._~-]*)([a-zA-Z0-9]))?$
which enforces the following rules:
- Start with an alphanumeric character.
- End with an alphanumeric character.
- Only contain the RFC3986 Unreserved Characters.
The default if this value is omitted is the first 7 characters of the public key SHA256 thumbprint encoded into hexadecimal, followed by a hyphen, then followed by the lowercase algorithm value.
If you do want to set one, generate it with:
docker run --rm authelia/authelia:latest authelia crypto rand --length 15 --charset alphanumeric
For example: "H5xqbY6Ji0lEZTU"
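The hmac_secret and key_id rules above are easy to get wrong when pasting values by hand, so here is an added example (not part of the original guide and not Authelia's own code) that checks a value against those rules before it goes into the configuration. The validate_hmac_secret and validate_key_id functions apply the length and character rules exactly as stated in this guide; default_key_id reproduces the documented default key id format, and its assumption that the thumbprint is taken over the DER (SubjectPublicKeyInfo) bytes of the public key is mine, not the guide's.

```shell
#!/bin/sh
# Added example (not part of the original guide or of Authelia itself):
# sanity checks for values pasted into identity_providers.oidc, applying
# the rules this guide states for hmac_secret and key_id.
set -eu

# hmac_secret: the guide recommends a random alphanumeric string of 64+ characters.
validate_hmac_secret() {
    secret="$1"
    if [ "${#secret}" -lt 64 ]; then
        echo "hmac_secret: only ${#secret} characters, 64 or more recommended" >&2
        return 1
    fi
    if ! printf '%s' "$secret" | grep -Eq '^[A-Za-z0-9]+$'; then
        echo "hmac_secret: contains characters outside [A-Za-z0-9]" >&2
        return 1
    fi
}

# key_id: at most 100 characters and must match the regular expression from the
# guide: alphanumeric at both ends, RFC 3986 unreserved characters in between.
validate_key_id() {
    kid="$1"
    if [ "${#kid}" -gt 100 ]; then
        echo "key_id: ${#kid} characters, maximum is 100" >&2
        return 1
    fi
    if ! printf '%s' "$kid" | grep -Eq '^[a-zA-Z0-9](([a-zA-Z0-9._~-]*)([a-zA-Z0-9]))?$'; then
        echo "key_id: must start and end alphanumeric; middle limited to A-Z a-z 0-9 . _ ~ -" >&2
        return 1
    fi
}

# Default key_id when none is configured: first 7 hex characters of the SHA-256
# thumbprint of the public key, a hyphen, then the lowercase algorithm name.
# Reads the public key bytes from stdin. ASSUMPTION (not stated in the guide):
# the bytes hashed are the DER (SubjectPublicKeyInfo) encoding, e.g.
#   openssl pkey -pubin -in public.pem -outform DER | default_key_id RS256
default_key_id() {
    alg=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    thumb=$(sha256sum | cut -c1-7)
    printf '%s-%s\n' "$thumb" "$alg"
}
```

Run the two validate functions on the exact strings you intend to paste; a non-zero exit and a message on stderr tell you which rule was broken. Because Authelia derives the default key id itself, default_key_id is only useful for predicting the id a client will see in the JWKS when you leave key_id unset.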
Use:
The key usage. Defaults to sig, which is the only available option at this time.
algorithm:
The algorithm for this key. This value is typically optional as it can be automatically detected based on the type of key in some situations.
See the response object table in the integration guide for more information. The Algorithm column lists supported values, the Key column references the required key type constraints that exist for the algorithm, and the JWK Default Conditions column briefly explains the conditions under which it’s the default algorithm.
At least one RS256 key must be provided.
key:
The Authelia docker container or CLI binary can be used to generate an RSA keypair.
docker run --rm -u "$(id -u):$(id -g)" -v "$(pwd)":/keys authelia/authelia:latest authelia crypto pair rsa generate --directory /keys
Note that --directory is a path inside the container, so it has to be the mounted path (/keys); the host directory that should receive the files is the one you mount there. To write straight into the jwks directory regardless of your working directory:
docker run --rm -u "$(id -u):$(id -g)" -v "/mnt/glustermount/data/authelia_data/config/secrets/oidc/jwks":/keys authelia/authelia:latest authelia crypto pair rsa generate --directory /keys
This assumes your working directory is "/mnt/glustermount/data/authelia_data/config" and you want your keypair saved at "/mnt/glustermount/data/authelia_data/config/secrets/oidc/jwks/rsa.2048.key".
Create the folders for the files:
mkdir /mnt/glustermount/data/authelia_data/config/secrets
mkdir /mnt/glustermount/data/authelia_data/config/secrets/oidc
mkdir /mnt/glustermount/data/authelia_data/config/secrets/oidc/jwks
Change directory to "/mnt/glustermount/data/authelia_data/config/secrets/oidc/jwks" and execute the first docker run command provided above to create the RSA keypair.
You now have private.pem and public.pem in that directory.
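The directory creation, the docker run and the final check above are one procedure, so here it is as a single script. This is an added example, not part of the original guide and not Authelia's own tooling: it uses the guide's jwks path (overridable through JWKS_DIR, a variable I introduce here), mounts that directory at /keys so that --directory /keys lands on the host, and then verifies that private.pem and public.pem exist and that the private key is readable only by its owner.

```shell
#!/bin/sh
# Added example, not part of the original guide: prepare the jwks directory,
# generate the RSA pair with the Authelia container, and check the result.
# JWKS_DIR defaults to the path used in the guide.
set -eu

JWKS_DIR="${JWKS_DIR:-/mnt/glustermount/data/authelia_data/config/secrets/oidc/jwks}"

# mkdir -p creates secrets/oidc/jwks in one call; mode 700 keeps other
# local users out of the directory that will hold the private key.
prepare_jwks_dir() {
    mkdir -p "$1"
    chmod 700 "$1"
}

# --directory refers to a path *inside* the container, so the target host
# directory is mounted at /keys and /keys is what gets passed to Authelia.
generate_rsa_pair() {
    docker run --rm -u "$(id -u):$(id -g)" -v "$1":/keys \
        authelia/authelia:latest authelia crypto pair rsa generate --directory /keys
}

# Verify: both files exist, private.pem starts with a PEM private key header,
# and only the owner can read it (mode 600). Fails on the first problem found.
check_keypair() {
    dir="$1"
    for f in private.pem public.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    if ! head -n 1 "$dir/private.pem" | grep -q 'PRIVATE KEY'; then
        echo "$dir/private.pem does not look like a PEM private key" >&2
        return 1
    fi
    chmod 600 "$dir/private.pem"
    mode=$(stat -c '%a' "$dir/private.pem" 2>/dev/null || stat -f '%Lp' "$dir/private.pem")
    [ "$mode" = "600" ] || { echo "$dir/private.pem has mode $mode, expected 600" >&2; return 1; }
    echo "keypair in $dir is ready"
}

# Usage (needs docker and write access to JWKS_DIR):
#   prepare_jwks_dir "$JWKS_DIR" && generate_rsa_pair "$JWKS_DIR" && check_keypair "$JWKS_DIR"
```

After check_keypair succeeds, paste the contents of private.pem into the key block scalar of the jwks entry; public.pem is not needed in the configuration because Authelia publishes the public part itself.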