Add authelia OIDC test setup

2025-09-12 12:09:39 +02:00 · 2025-08-23 13:50:17 +02:00
parent e45e63bfb1
commit 77c45c63f3
6 changed files with 273 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -196,3 +196,7 @@ typings/
 /chromium-profile
 # direnv
 /.direnv
 # Test setups
 /scripts/unsecure-test-setups/authelia-oidc/authelia/db.sqlite3
 /scripts/unsecure-test-setups/authelia-oidc/traefik/certs
--- a/scripts/unsecure-test-setups/authelia-oidc/authelia/configuration.yml
+++ b/scripts/unsecure-test-setups/authelia-oidc/authelia/configuration.yml
@@ -0,0 +1,131 @@
 ---
 ###############################################################
 #                   Authelia configuration                    #
 ###############################################################
 server:
  address: 'tcp://:9091'
 log:
  level: 'debug'
 totp:
  issuer: 'authelia.com'
 identity_validation:
  reset_password:
    jwt_secret: 'a_very_important_secret'
 authentication_backend:
  file:
    path: '/config/users_database.yml'
 access_control:
  default_policy: 'deny'
  rules:
    - domain: 'traefik.example.com'
      policy: 'one_factor'
    - domain: 'linkding.example.com'
      policy: 'one_factor'
 session:
  secret: 'insecure_session_secret'
  cookies:
    - name: 'authelia_session'
      domain: 'example.com'  # Should match whatever your root protected domain is
      authelia_url: 'https://authelia.example.com'
      expiration: '1 hour'  # 1 hour
      inactivity: '5 minutes'  # 5 minutes
      default_redirection_url: 'https://linkding.example.com'
 regulation:
  max_retries: 3
  find_time: '2 minutes'
  ban_time: '5 minutes'
 storage:
  encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
  local:
    path: '/config/db.sqlite3'
 notifier:
  filesystem:
    filename: '/tmp/notification.txt'
 identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    hmac_secret: 'this_is_a_secret_abc123abc123abc'
    jwks:
      - key_id: 'example'
        algorithm: 'RS256'
        use: 'sig'
        key: |
          -----BEGIN PRIVATE KEY-----
          MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCuS2pK2VzqW+Sn
          hBATps7vo2AdZCtF3p+FOJ4WEwQoiJarS0pAJxKn4BT9PHP1gY8XCs45Qys586xQ
          UZwS1/9B482tQwkDQkfqXOIfTzqhTydVsi6t8Ff7ywW8K2lURcK+PnSE91Yp8tSO
          YWlXDajoI8wKkRSpcCApkmBZ3hJiJR9DlcfwKBJSNxt+DbuobQs4SOpjSY4fnDpn
          S5DFc72hiFOxvdx48y8c08UU+zNyHIIjYQ1995HwXysn7UwWCJaC4lI4ecaxHa01
          4irOx3HsuXEzs/U5UBs2lBXFfKn/JHAPVJvxlER5ciUCNiHGWWh+A7hrd9BemoMQ
          kRCIlldJAgMBAAECggEACtSWGmhTFx+Gb/fbeWMjRv4RkAX8T+NHaZN09FVya9Pf
          ++0p5B5hcQPSPhGqeXoXYoTJ/4IqXpejEJsfngakvosJqe9pURXmatxiczRcxe8J
          mFBCCQ4vI27wUGroqMNMeH6gRi5p4OGtXlsUfQO06BboXAw7mtNENl0ZhmAPp6BB
          ZWyQm90Kwx4T0JgNwdlau+9ZWQ/10/7mOs1bX+8vZDFCmzbzFfoPjgEo+Mw1sE/H
          i5kQxWErkWfeiabVp/7JlazHSYygwk21t1VgSBP4tgfkdAht68BievwguxCIrFRG
          MPCkgzktJgIfo5k0yuo//afKUKo+OViQ3ZB4YdGKkQKBgQDPgl59fqRZpGCwnKPu
          ymVi2c/bxjm6aK2VLX2dUFrPprzmfvUY8j/jDDcx4zOJg7jxNs2PGDooLDOSwa82
          i+YPTnBHlS3PBUp7jLPdCcZ0I8gMT5OWxnmPwGqUS6BqVTAhDq3QsJxD88FS8eD2
          mbFuBh5WAhj9URX+vc/FwLO/+QKBgQDXBhOXNAB64goQOM7ymUxihLQtYemO9h5N
          /cXsxpJF8KH/PtWpw9c6nc2d/GPs4OYoCaqsuQVSyQXDcXayNC6Dn8KwUrJP2yGL
          CHOAGg6HJbq+c5AKE1ytzvblTCyOcHZCjtlqwqJwO68xTWfSdbkvYYnfwyx+g0O9
          SsoouvzF0QKBgHI2GBnMZVrtbUZnwJbCkVD5/zzAeq+Nw9RyqEu4mXLnG9tljzM+
          ykkGRS7RFWGfvWAOQM98jy3jPjONJQnJsENGcegERKVIDTm5NJn5MmBj/UxBVENN
          VET5q++ZPF6qKoZXVPWi7y87b3Fereosp4qeFX5TQzvRsGB4Sm5WZNjJAoGAbezN
          Vx9en3OvcVuZcKyuQC9XbVwA6vUnyPdTmBhr7xV1u+eDk6ZrAaxq0bmV3COdhhpr
          BqIP9qKOL7xx0eibXu7tuPaN8gU0wL8xTOwFQVIohfTOTlhXqQOFdPPcU3Vq/9vH
          iqy2Hmpkxe+shAtrAK38rkg5FvRETSFO+EOftgECgYEAi7nAy4ta2X5hHqt+86Rr
          OD1M1zdhreF73WvSBIeKiR+rffbgBvIRNFkGk4iYs6Wc6ZyoS+FEJGjO33Om+I1s
          Emd8JSHhRcRBq6cOsDzo4PKzMVSJaWpAfmCk9wVjAz0gpJDn2MtSanTqn1749A3L
          VU7Fiz0jxshSPqw2KIjcnBI=
          -----END PRIVATE KEY-----
        certificate_chain: |
          -----BEGIN CERTIFICATE-----
          MIIDIzCCAgugAwIBAgIQBDUsQ9wfCEtzppdn5GlKUDANBgkqhkiG9w0BAQsFADAy
          MREwDwYDVQQKEwhBdXRoZWxpYTEdMBsGA1UEAxMUYXV0aGVsaWEuZXhhbXBsZS5j
          b20wHhcNMjUwODIzMTEwOTM2WhcNMjYwODIzMTEwOTM2WjAyMREwDwYDVQQKEwhB
          dXRoZWxpYTEdMBsGA1UEAxMUYXV0aGVsaWEuZXhhbXBsZS5jb20wggEiMA0GCSqG
          SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuS2pK2VzqW+SnhBATps7vo2AdZCtF3p+F
          OJ4WEwQoiJarS0pAJxKn4BT9PHP1gY8XCs45Qys586xQUZwS1/9B482tQwkDQkfq
          XOIfTzqhTydVsi6t8Ff7ywW8K2lURcK+PnSE91Yp8tSOYWlXDajoI8wKkRSpcCAp
          kmBZ3hJiJR9DlcfwKBJSNxt+DbuobQs4SOpjSY4fnDpnS5DFc72hiFOxvdx48y8c
          08UU+zNyHIIjYQ1995HwXysn7UwWCJaC4lI4ecaxHa014irOx3HsuXEzs/U5UBs2
          lBXFfKn/JHAPVJvxlER5ciUCNiHGWWh+A7hrd9BemoMQkRCIlldJAgMBAAGjNTAz
          MA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8E
          AjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAb910zH+0Yqxxq+LgJiIFC5guJAorY9WlD
          nRHvt/1i+ZvNdc57Xq6W5/YI1g5IG/EWyDOSr5mkw6VWvGrN/HTE7cH9d2LPyWxb
          n5dyUezUMdoXmizANJq7ixQLLSJiRFRhYGjiMK816m9zY/3KZqacpTJDsrhM2i6d
          aaGgfkxpivMDb4PEZs4dDlR5PfFuEBFWpTDBdUeWEx/sL3t1Zfogr6lKb8PmmnEI
          RKzofXAvAPQ69hE3jSWSldxqgE0Jofzwiw4dcLLAHmLlJDkbB+2HMJljFW9Fj7fK
          DW7HwcVQqJ4GOW/1IjuogZuDQUlXZPMI3iujoOhYOypx6Wpf4LzO
          -----END CERTIFICATE-----
    clients:
      - client_id: 'linkding'
        client_name: 'Linkding'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'one_factor'
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://linkding.example.com/oidc/callback/'
        scopes:
          - 'openid'
          - 'email'
          - 'profile'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
 ...
--- a/scripts/unsecure-test-setups/authelia-oidc/authelia/users_database.yml
+++ b/scripts/unsecure-test-setups/authelia-oidc/authelia/users_database.yml
@@ -0,0 +1,18 @@
 ---
 ###############################################################
 #                         Users Database                      #
 ###############################################################
 # This file can be used if you do not have an LDAP set up.
 # List of users
 users:
  admin:
    disabled: false
    displayname: 'admin'
    password: '$argon2id$v=19$m=65536,t=3,p=4$t6SNxOtQ6wBnGZUbPu/MVQ$+KCk9Zfc7gemFDRo5a90yfbTkkR0dI5DbeNzYkKxXLE'
    email: 'admin@example.com'
    groups:
      - 'admins'
      - 'dev'
 ...
--- a/scripts/unsecure-test-setups/authelia-oidc/compose.yml
+++ b/scripts/unsecure-test-setups/authelia-oidc/compose.yml
@@ -0,0 +1,72 @@
 # DO NOT USE THIS!
 # This is only intended for testing OIDC functionality when developing Linkding.
 # Follow the linkding and Authelia documentation to set up a proper production deployment.
 networks:
  net:
    driver: 'bridge'
 services:
  linkding:
    image: 'sissbruecker/linkding:local'
    environment:
      LD_SUPERUSER_NAME: 'admin'
      LD_SUPERUSER_PASSWORD: 'admin'
      LD_ENABLE_OIDC: 'True'
      OIDC_RP_CLIENT_ID: 'linkding'
      OIDC_RP_CLIENT_SECRET: 'insecure_secret'
      OIDC_OP_AUTHORIZATION_ENDPOINT: 'https://authelia.example.com/api/oidc/authorization'
      OIDC_OP_TOKEN_ENDPOINT: 'http://authelia:9091/api/oidc/token'
      OIDC_OP_USER_ENDPOINT: 'http://authelia:9091/api/oidc/userinfo'
      OIDC_OP_JWKS_ENDPOINT: 'http://authelia:9091/jwks.json'
    networks:
      net: {}
    labels:
      traefik.enable: 'true'
      traefik.http.routers.public.rule: 'Host(`linkding.example.com`)'
      traefik.http.routers.public.entrypoints: 'https'
      traefik.http.routers.public.tls: 'true'
      traefik.http.routers.public.tls.options: 'default'
  authelia:
    image: 'authelia/authelia:latest'
    volumes:
      - './authelia:/config'
    networks:
      net: {}
    labels:
      traefik.enable: 'true'
      traefik.http.routers.authelia.rule: 'Host(`authelia.example.com`)'
      traefik.http.routers.authelia.entrypoints: 'https'
      traefik.http.routers.authelia.tls: 'true'
      traefik.http.routers.authelia.tls.options: 'default'
  traefik:
    image: 'traefik:v3.5.0'
    volumes:
      - './traefik:/etc/traefik'
      - '/var/run/docker.sock:/var/run/docker.sock'
    networks:
      net: {}
    labels:
      traefik.enable: 'true'
      traefik.http.routers.api.rule: 'Host(`traefik.example.com`)'
      traefik.http.routers.api.entrypoints: 'https'
      traefik.http.routers.api.service: 'api@internal'
      traefik.http.routers.api.tls: 'true'
      traefik.http.routers.api.tls.options: 'default'
    ports:
      - '80:80/tcp'
      - '443:443/tcp'
      - '443:443/udp'
    command:
      - '--api'
      - '--providers.docker=true'
      - '--providers.docker.exposedByDefault=false'
      - '--providers.file.filename=/etc/traefik/certificates.yml'
      - '--entrypoints.http=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.http.http.redirections.entrypoint.to=https'
      - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
      - '--entrypoints.https=true'
      - '--entrypoints.https.address=:443'
      - '--log=true'
      - '--log.level=DEBUG'
--- a/scripts/unsecure-test-setups/authelia-oidc/setup.sh
+++ b/scripts/unsecure-test-setups/authelia-oidc/setup.sh
@@ -0,0 +1,42 @@
 #!/usr/bin/env bash
 writehosts(){
  echo "\
 127.0.0.1  authelia.$DOMAIN
 127.0.0.1  linkding.$DOMAIN
 127.0.0.1  traefik.$DOMAIN" | sudo tee -a /etc/hosts > /dev/null
 }
 if [ $(id -u) != 0 ]; then
  echo "The script requires root access to perform some functions such as modifying your /etc/hosts file"
  read -rp "Would you like to elevate access with sudo? [y/N] " confirmsudo
  if ! [[ "$confirmsudo" =~ ^([yY][eE][sS]|[yY])$ ]]; then
    echo "Sudo elevation denied, exiting"
    exit 1
  fi
 fi
 DOMAIN="example.com"
 MODIFIED=$(cat /etc/hosts | grep $DOMAIN && echo true || echo false)
 if [[ $MODIFIED == "false" ]]; then
  writehosts
 fi
 sudo docker run -a stdout -v $PWD/traefik/certs:/tmp/certs authelia/authelia authelia crypto certificate rsa generate --common-name="*.${DOMAIN}" --directory=/tmp/certs/ > /dev/null
 echo "Generated SSL certificate for *.$DOMAIN"
 cat << EOF
 Setup completed successfully.
 You can start the stack with:
  docker compose up
 You can then visit the following locations:
 - https://linkding.$DOMAIN
 - https://authelia.$DOMAIN
 - https://traefik.$DOMAIN
 You will need to authorize the self-signed certificate upon visiting each domain.
 EOF
--- a/scripts/unsecure-test-setups/authelia-oidc/traefik/certificates.yml
+++ b/scripts/unsecure-test-setups/authelia-oidc/traefik/certificates.yml
@@ -0,0 +1,6 @@
 ---
 tls:
  certificates:
    - certFile: '/etc/traefik/certs/public.crt'
      keyFile: '/etc/traefik/certs/private.pem'
 ...