OIDC using authelia

[tetricky]

I have a stack using authelia as an authentication provider, which is using OIDC successfully for a number of services.

podfetch:postgres is running successfully in a container.

I am struggling with appropriate setting for the following environment variables, and a corresponding authelia client id config.

OIDC_AUTHORITY
OIDC_REDIRECT_URI
OIDC_SCOPE
OIDC_JWKS

Does anyone have an example or a guide that might help me crack it?

I am passing values and the container is running, and logs echoing setup. Also I can exec to run /app/podfetch

...is there a working shall accessible in the container? (/bin/bash, /bin/sh not working for me)

[SamTV12345]

https://www.authelia.com/integration/openid-connect/introduction/#discoverable-endpoints
I found this in the documentation. Does that help you?

[arcoast]

@SamTV12345 If I may add here, as I came to the Discussions page to ask some questions about Authelia and OIDC with Podfetch. I currently am able to login to Podfetch as a user but not as admin or uploader

I can add an account from the command line and make them admin, but because I'm using OIDC there's no facility to login using anything but OIDC.

@tetricky

In response to your question, here's my config info that gets me to the above situation:

PODFETCH_OIDC_AUTH=true
PODFETCH_OIDC_AUTHORITY=https://auth.domain.com
PODFETCH_OIDC_CLIENT_ID=podfetch
PODFETCH_OIDC_REDIRECT_URI=https://podfetch.domain.com/ui/login
PODFETCH_OIDC_SCOPE=openid profile email
PODFETCH_OIDC_JWKS=https://auth.domain.com/jwks.json

Here's the client config from my authelia configuration.yml

      - id: podfetch
        description: Podfetch
        public: true
        authorization_policy: two_factor
        scopes:
          - openid
          - profile
          - email
        consent_mode: explicit
        redirect_uris:
          - https://podfetch.domain.com/ui/login
        userinfo_signed_response_alg: none # Added in 4.38
#        userinfo_signing_algorithm: none # Removed in 4.38

If you wish to access the podfetch binary from the terminal then run: (Assuming your container is called podfetch

docker exec -it podfetch /app/podfetch --help

[SamTV12345]

@SamTV12345 If I may add here, as I came to the Discussions page to ask some questions about Authelia and OIDC with Podfetch. I currently am able to login to Podfetch as a user but not as admin or uploader

I can add an account from the command line and make them admin, but because I'm using OIDC there's no facility to login using anything but OIDC.

@tetricky

In response to your question, here's my config info that gets me to the above situation:

PODFETCH_OIDC_AUTH=true

PODFETCH_OIDC_AUTHORITY=https://auth.domain.com

PODFETCH_OIDC_CLIENT_ID=podfetch

PODFETCH_OIDC_REDIRECT_URI=https://podfetch.domain.com/ui/login

PODFETCH_OIDC_SCOPE=openid profile email

PODFETCH_OIDC_JWKS=https://auth.domain.com/jwks.json

Here's the client config from my authelia configuration.yml

      - id: podfetch

        description: Podfetch

        public: true

        authorization_policy: two_factor

        scopes:

          - openid

          - profile

          - email

        consent_mode: explicit

        redirect_uris:

          - https://podfetch.domain.com/ui/login

        userinfo_signed_response_alg: none # Added in 4.38

#        userinfo_signing_algorithm: none # Removed in 4.38

If you wish to access the podfetch binary from the terminal then run: (Assuming your container is called podfetch

docker exec -it podfetch /app/podfetch --help

When using OIDC Basic auth is disabled. For you to login as an administrator create a user in the CLI and in your SSO Provider. If they have the same username you will be able to login as this user.

[TheOfficialBurner]

@SamTV12345
i have created a user via CLI with the same name as in authelia. This user is set to admin via CLI. After logging into podfetch via SSO i am still no admin. My entrys under profile-icon are: System Information, Profil and Settings. I cannot manages users.

I am using the latest release on docker swarm.

Thank you for any help

[tetricky]

----edit--- the below was written while @arcoast was posting his reply. I leave it for completeness while I look at what he has suggested. I echo the creating of admin user question.

Not really. I've tried a few things, based on working configurations that I have for authelia and other clients, and some guesswork from the podfetch documentation, but I have not hit upon the magic incantation.

The documentation does not seem to lead me towards any solution, presumably because nobody has actually done this?

In the wiki the heading (under tutorials) How to setup OIDC/OAuth2 actually links to the basic auth tutorial.

Which actual OIDC endpoints are used by the environment variables that I mentioned? What is the form of the request to the authentication provider? What response is required?

How do I create a user that will map to the OIDC authentication request? I can use the CLI to create users, but that seems only applicable to basic auth.

If I use the /api/oidc/authorization endpoint as OIDC_AUTHORITY I get an empty query visiting the podfetch url, pressing the connect with OIDC button repeats the same empty query. In the form (obviously it is using the actual location of my authelia instance rather than 'auth.example.com'):

time="2023-09-06T12:06:07Z" level=debug msg="Check authorization of subject username= groups= ip=[host_ip] and object https://auth.example.com/api/oidc/authorization/.well-known/openid-configuration (method GET)."

I just generally feel like I lack the information to make suitable informed guesses to move it forward....obviously this is largely down to my inability to understand and configure what is going on...and obviously there's the problem of the authelia client id settings to consider as well. The keycloak model of realms is not applicable in authelia, so keycloak settings are not proving instructive to me.

I could quit and just use basic auth and invites...but I would very much prefer to use my existing OIDC which is particularly important in terms of individual users managing their logins/passwords so that I have zero knowledge (and no maintenance).

I have a sense that authelia and podfetch are not really sympathetic partners.

[arcoast]

@tetricky I agree that where we are now is not really workable with Authelia and Podfetch, and I've also noticed the incorrect link in the wiki but did find this document in the actual repository regarding OIDC.

One thing I will say, I had an issue with Podfetch and URL encoding, it was a huge thread, but full credit to @SamTV12345 he worked away at it and solved the issue in the end, so I suspect being somewhat pioneers of Authelia OIDC with Podfetch, we're alpha/beta testing here a little but if we can work together I know Sam is incredibly responsive to issues.

[tetricky]

@arcoast ...yes, I set out on this from a position of little knowledge, but in the hope of making progress, in a constructive spirit!

Your comments are very helpful.

What is clear is that you are using a different version of authelia from me (for example my configuration.yml will not parse if I set public: true ).

I am on authelia v4.37.5 (running in a container), which from github appears to be the latest version...but I see that you have references to, and specific syntax for, 4.38. What version of authelia are you running?

Are you running a published version, or development? Is a container available for that do you know?

My situation is slightly complicated by testing on a live production stack (albeit not actually business critical/important...it's just a community site).......I know, I know....

[arcoast]

So at the moment I'm currently using :master as I wanted to test some functionality that's not available in 4.37 but I can confirm I had this working fine on 4.37 a couple of days ago, and here's a redacted copy of my full OIDC config from the 4.37 version.

When Authelia hits v4.38 a fair few parameters are being changed, it won't break initially but will spam the logs with what has been renamed in the new format.

identity_providers:
  oidc:
    hmac_secret: SECRET
    issuer_private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      -----END RSA PRIVATE KEY-----
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    enable_client_debug_messages: false
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
        - userinfo
      allowed_origins:
        - "*"
      allowed_origins_from_client_redirect_uris: false
    clients:
      - id: podfetch
        description: Podfetch
        public: true
        authorization_policy: two_factor
        scopes:
          - openid
          - profile
          - email
        consent_mode: explicit
        redirect_uris:
          - https://podfetch.DOMAIN.COM/ui/login
        userinfo_signing_algorithm: none

Might be helpful if you posted the logs if you want me to be a second pair of eyes.

[tetricky]

Might be helpful if you posted the logs if you want me to be a second pair of eyes.

I have not found a way to do this...the authelia logs are not mounted permanently (and I don't know where they are, if at all, in the container). The container stops on a false configuration, so I can't exec in and see the logs (if I knew where they were)....log level is set to debug.

So I can't check what is actually happening....but if I have a working config where the container runs, and ONLY change public: from false to true the container now fails.

[arcoast]

So Authelia logs can be configured in the configuration.yml file.

log:
  level: info
  format: text
  file_path: /config/authelia.log
  keep_stdout: true

To look at the logs in the terminal:

docker logs authelia

[arcoast]

When using OIDC Basic auth is disabled. For you to login as an administrator create a user in the CLI and in your SSO Provider. If they have the same username you will be able to login as this user.

Starting from a completely new install:

# docker exec -it podfetch /app/podfetch users add
Debug file located at /home/rust/src/target/x86_64-unknown-linux-musl/release/build/podfetch-433e4bf6518fbe3b/out/built.rs
Starting from command line
User management
Enter your username: 
fred
Connecting to postgresql://podfetch:password@podfetch-postgres/podfetch
User does not exist
Enter your password: 

Select your role user, admin, uploader
admin
Should a user with the following settings be applied User { id: 0, username: "fred", role: "admin", password: Some("password"), explicit_consent: false, created_at: 2023-09-06T13:11:13.809415057 }
Y[es]/N[o]
Y
Connecting to postgresql://podfetch:password@podfetch-postgres/podfetch
User succesfully created

And then trying to login as the user fred with oidc doesn't I'm afraid result in admin permissions.

[arcoast]

I've also tried adding a user called [email protected] and logging in with email from OIDC which results in the same behaviour and just for troubleshooting purposes also created another user with the first letter capitalised Fred but none are able to login as an admin using OIDC.

[SamTV12345]

Can you decode your token at jwt.io. What is contained in the preferred_username field?

[SamTV12345]

And what does login as administrator mean? Are you able to login but cannot perform any actions like downloading a podcast?

[tetricky]

And what does login as administrator mean? Are you able to login but cannot perform any actions like downloading a podcast?

If I go to the profile button, and choose "User Administration" and choose either "users" or "invites" I get a cloud picture and the text "You are not an admin".

[tetricky]

I am now where @arcoast is.

I hadn't got userinfo set as an endpoint in my authelia identity_providers: oidc: cors: endpoints

I have the same behaviour regarding users and admin.

[arcoast]

As an aside, I was really impressed you got as far with Authelia as you have without looking at logs! I'd never have been able to do that, admittedly it was a few years ago I started using Authelia.

[tetricky]

...don't be impressed. I probably used them when I set up the stack, then turned them off when I got everything working. Then forgot how to use them.

[SamTV12345]

I pushed a commit that outputs the username of the token and also the result of the lookup in the database. Should arrive shortly on the develop tags.

[SamTV12345]

Ok great. So the other option being left is that there is an error when validating the token. I added a debug statement for that case, so you can checkout the cause.

[tetricky]

I am getting:

2023-09-07T09:10:08 ℹ️ - Using cached jwk set
2023-09-07T09:10:08 ℹ️ - error validating token Err(
    Error(
        InvalidToken,
    ),
)
2023-09-07T09:10:08 ℹ️ - Using cached jwk set
2023-09-07T09:10:08 ℹ️ - error validating token Err(
    Error(
        InvalidToken,
    ),
)

[tetricky]

In full:

  ____           _ _____    _       _
 |  _ \ ___   __| |  ___|__| |_ ___| |__
 | |_) / _ \ / _` | |_ / _ \ __/ __| '_ \
 |  __/ (_) | (_| |  _|  __/ || (__| | | |
 |_|   \___/ \__,_|_|  \___|\__\___|_| |_|
        

Connecting to postgresql://podfetch:[password_redacted]@postgres:5432/podfetch
2023-09-07T12:30:17 ℹ️ - Settings already present
2023-09-07T12:30:17 ℹ️ - Starting with the following environment variables:
2023-09-07T12:30:17 ℹ️ - Public server url: https://[url_redacted]/
2023-09-07T12:30:17 ℹ️ - Polling interval for new episodes: 300 minutes
2023-09-07T12:30:17 ℹ️ - Developer specifications available at https://[url_redacted]/swagger-ui/index.html#/
2023-09-07T12:30:17 ℹ️ - GPodder integration enabled: true
2023-09-07T12:30:17 ℹ️ - Database url is set to: postgresql://podfetch:[password_redacted]@postgres:5432/podfetch
2023-09-07T12:30:17 ℹ️ - Podindex API key&secret configured: true
2023-09-07T12:30:17 ℹ️ - starting 4 workers
2023-09-07T12:30:17 ℹ️ - Actix runtime found; starting in Actix runtime
2023-09-07T12:30:55 ℹ️ - error validating token Err(
    Error(
        InvalidToken,
    ),
)
2023-09-07T12:30:55 ℹ️ - Using cached jwk set
2023-09-07T12:30:55 ℹ️ - error validating token Err(
    Error(
        InvalidToken,
    ),
)
2023-09-07T12:30:55 ℹ️ - Using cached jwk set
2023-09-07T12:30:55 ℹ️ - error validating token Err(
    Error(
        InvalidToken,
    ),
)

...on logging in:

2023-09-07T12:38:51 ℹ️ - error validating token Err(
    Error(
        InvalidToken,
    ),
)
2023-09-07T12:38:51 ℹ️ - error validating token Err(
    Error(
        InvalidToken,
    ),
)
2023-09-07T12:38:51 ℹ️ - error validating token Err(
    Error(
        InvalidToken,
    ),
)
2023-09-07T12:38:59 ℹ️ - Using cached jwk set
2023-09-07T12:38:59 ℹ️ - error validating token Err(
    Error(
        InvalidToken,
    ),
)
2023-09-07T12:38:59 ℹ️ - Using cached jwk set
2023-09-07T12:38:59 ℹ️ - error validating token Err(
    Error(
        InvalidToken,
    ),
)
2023-09-07T12:38:59 ℹ️ - Using cached jwk set
2023-09-07T12:38:59 ℹ️ - error validating token Err(
    Error(
        InvalidToken,
    ),
)

[tetricky]

p.s. If I query the user list I get first:

podman exec -it podfetch /app/podfetch users list
Debug file located at /home/rust/src/target/x86_64-unknown-linux-musl/release/build/podfetch-40d4a7d282197545/out/built.rs
Starting from command line
User management

..is there any way to see that debug file?

[SamTV12345]

The debug file is only there at startup. On build time it is injected into the binary. So there is no way to see or check it.

[tetricky]

The positive, for me, is that the config examples provided by @arcoast work to allow login to podfetch using authelia.

The issues regarding user and admin accounts aside.

[SamTV12345]

Nice. I'm unfortunately on vacation, so I can't really start exploring anthelia. I upgraded my main PodFetch server to the latest version and I can still login and go to the admin page etc.

[arcoast]

OK, listen, enjoy your holiday. log off, don't check Github and don't make any more commits! Seriously, enjoy your holiday!

[SamTV12345]

Thanks haha. See you in one week. 😃

[SamTV12345]

@arcoast Could you please send a starting point for a configuration.yml. I am getting errors that my configuration file is invalid but I cannot really find the error. It just says error parsing file and then crashes.

[arcoast]

@SamTV12345

Here's a basic configuration.yml which I've confirmed works and a sample user_database.yml
docker-compose.yml

    authelia:
        image: authelia/authelia
        container_name: authelia
        ports:
            - 9091:9091
        environment:
            - TZ=${TZ}
        volumes:
            - ${CONFIG}/authelia/authelia:/config
        restart: unless-stopped

configuration.yml

theme: dark

jwt_secret: 'a_very_important_secret'

server:
  host: 0.0.0.0
  port: 9091
  path: ""

log:
  level: info
  format: text
#  file_path: /config/authelia.log
#  keep_stdout: true

totp:
  issuer: Podfetch
  period: 30
  skew: 1

webauthn:
  disable: false
  display_name: Authelia
  attestation_conveyance_preference: indirect
  user_verification: preferred
  timeout: 60s

authentication_backend:
  password_reset:
    disable: false
  refresh_interval: 5m
  file:
    path: '/config/users_database.yml'
    watch: false
    search:
      email: false
      case_insensitive: false

session:
  name: authelia_session
  domain: SERVER.COM
  same_site: lax
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 1M

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

storage:
  encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
  local:
    path: /config/db.sqlite3

notifier:
  disable_startup_check: false
  filesystem:
    filename: /config/notification.txt

access_control:
  default_policy: one_factor

  rules:
   # Allow free access from local network
    - domain: "*.SERVER.COM"
      policy: bypass
      networks:
      - 192.168.0.0/16
      - 172.16.0.0/12
      - 10.0.0.0/8

identity_providers:
  oidc:
    hmac_secret: this_is_a_secret_abc123abc123abc
    issuer_private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      MIIEowIBAAKCAQEAu1oYYPDQQwEeMTPoFs/VIBjCpXPfaJF30KBVRGCtCB7s4cYm
      3DUZkm6JNHD8lA6RpwOg8MDF/4TOnCZpX1c15uCPfpfCbXdeAtNW8SNFZcFabCVr
      XnoftaQ69F9jyRWcxgroeHzY/Y4JikyfYPGKv1i9ZVPFIStFweXJNZBmW81bqyb4
      5Qv7yrvqh80jIKh9w0LyZXDf4J6DGn19h0uByx7BZIplxoxp9TsBHyriTGRPKNhh
      TGXAFqSfk4Sc6sb7Q/SFRBqMRjh3/gxup1yAUG+pmz2bGedWPz3+day1+Bvccfoo
      R8HVVK146LJutc/3MqfDMiXaSUgzIPFK9JqNawIDAQABAoIBAFsi0IkXm7d8a7tz
      jIrMPtiGMulZHGw5lxcdZ10DyigRIxoQ0gZ8rhvVOVkRPUyoaaHc2gVDQQ2zBO5g
      oRGH0uikhCkImcO2NT0aoUhb5/4/uESzTy9+KL6rTSJi5J+Eq+aKl9tEoCl3Vpy3
      +S+nT98Uw8zumw4vhpdzuBUeUSyGO82pWO1UKgiSLcEDeE339/u5Xij1mDBzk16R
      ZdVV6QWDYPkxy948v6F9ou1r9zsoYtzelnCUEFKp2eFMwMZsiRMDt/20unmGgQSy
      YHRX3FXfJKLdpGXXTOOYs2g59xZD397fvD59heZaZT3ufBgnv9LdpgnQSG1+lyZF
      cdpPl8ECgYEA4ewnYOCaKgBc5LxsTKAAX54U72AQu/HMUqfjkoO9quMffk6vpZCc
      D6fdWwG50t7KDYU20lWBg67DD7w6AOVg7LbfMh/c3SPBObwbV4s2SjPqBa6ShR4q
      dA6qtm9m2Ru0xID3mhulIRPT2pp9UlPdOZR5NkoCv20hLPcFJI7VnmUCgYEA1Etj
      PiesBuE1BcTQ3QsobFxqgvheZYneTNMuaFupmtBBw3dZlgEQTC7wBLeg8lWD6p1j
      WMB1mxtqvnRfFezAcqRdQB1kvbs5CZ5bbo1W1hbnt08hncK5+IW2wBVTjTNL/7NX
      hWKz5FawiiGYJ3FmPvpjSPG49gDn92nemBscF48CgYEAyJlWMbfcSvT9hoAjrTnY
      ew4zSoTC9w5wvOejsoFVVLnMSet2HI01dNU5P8hdhfYZ9D1XexU/JXx0aLFZ01fY
      YvbRYYFXK+fGdwwmPuo2L1a/MYJbSOWLDnfDbq+l45qtPFnDAEwRqDghwRWxtvsO
      EEVcBy9aFzy/21wObfKBjN0CgYAkMi5bnJwCGEfYEfSim5Jq1175sas2mMkkRCV3
      eZlzYeq0jxbhMpE6zA30X/K7HsV9LRSRP09OAOC0VFcZ/+HYKhoUIm7YwqE4+J0S
      Plr96a3cXUuYAGmA7Bt6qKg0PPjKQiO8BFYzqmwzQQMWRoluV3ayKzSkDQd/8bcY
      LBcgFQKBgGj1Nos02yLFoghHzKdTK5gATc2ZpwBCs7ZckCVuqGTHr/2xc87Jnoyo
      DaYf2i3hYkkxComTEYxrnG4SX9xLMSMxYi0jl6uL6GAaTSo90LUygd+y51gDnLvz
      Bim50KFgeTCEpjdEqStFqsRbvT4j4msJMKDMrVeHAoCbgC4CE270
      -----END RSA PRIVATE KEY-----
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    enable_client_debug_messages: false
    minimum_parameter_entropy: 8
    enforce_pkce: public_clients_only
    cors:
      endpoints:
         - authorization
         - token
         - revocation
         - introspection
         - userinfo
      allowed_origins:
        - "*"
      allowed_origins_from_client_redirect_uris: false

    clients:
      - id: podfetch
        description: Podfetch
        public: true
        authorization_policy: one_factor
        scopes:
          - openid
          - profile
          - email
        consent_mode: explicit
        redirect_uris:
          - https://podfetch.SERVER.COM/ui/login
        userinfo_signing_algorithm: none

user_database.yml

# List of users
users:
  authelia:
    disabled: false
    displayname: "Authelia User"
    # Password is authelia
    password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/"  # yamllint disable-line rule:line-length
    email: [email protected]
    groups:
      - admins
      - dev
...

[SamTV12345]

Thanks it started. But when I want to login with authelia, authelia nothing happens. I access the authelia website via the raw ip address.

[arcoast]

What reverse proxy you using?

[SamTV12345]

Currently none. I just added your docker compose from above. Do I need one in order to experiment with it?

[arcoast]

Yeah you do I think. I'm using it with Traefik, but I have used it a few years ago with nginx.

[arcoast]

If it helps, here's how it's set up for Traefik, I know you've set that up before but posted my setup as well below.

Traefik Middleware

http:
  middlewares:
    authelia:
      forwardauth:
        address: http://authelia:9091/api/verify?rd=https://login.{{env "TRAEFIK_DOMAIN"}}/
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email

Podfetch & Authelia

services:
   podfetch:
       image: samuel19982/podfetch
       container_name: podfetch
       user: ${PUID}:${PGID}
       networks:
           - traefik
       ports:
           - 8000:8000
       volumes:
           - ${PODCASTS}:/app/podcasts
           - ${CONFIG}/podfetch/podfetch/db:/app/db
       environment:
           - POLLING_INTERVAL=${POLLING_INTERVAL}
           - SERVER_URL=${SERVER_URL}
           - GPODDER_INTEGRATION_ENABLED=${GPODDER_INTEGRATION_ENABLED}
           - PODINDEX_API_KEY=${PODINDEX_API_KEY}
           - PODINDEX_API_SECRET=${PODINDEX_API_SECRET}
           - OIDC_AUTH=${PODFETCH_OIDC_AUTH}
           - OIDC_AUTHORITY=${PODFETCH_OIDC_AUTHORITY}
           - OIDC_CLIENT_ID=${PODFETCH_OIDC_CLIENT_ID}
           - OIDC_REDIRECT_URI=${PODFETCH_OIDC_REDIRECT_URI}
           - OIDC_SCOPE=${PODFETCH_OIDC_SCOPE}
           - OIDC_JWKS=${PODFETCH_OIDC_JWKS}
       labels:
           - "traefik.enable=true"
           - "traefik.docker.network=traefik"
           - "traefik.http.services.podfetch.loadbalancer.server.port=8000"
           - "traefik.http.routers.podfetch.entrypoints=https"
           - "traefik.http.routers.podfetch.rule=Host(`podfetch.${TRAEFIK_DOMAIN}`)"
           - "traefik.http.routers.podfetch.middlewares=authelia@file"

   authelia:
       image: authelia/authelia
       container_name: authelia
       networks:
           - traefik
       ports:
           - 9091:9091
       environment:
           - TZ=${TZ}
       volumes:
           - ${CONFIG}/authelia/authelia:/config
       restart: unless-stopped
       labels:
           - "traefik.enable=true"
           - "traefik.docker.network=traefik"
           - "traefik.http.services.authelia.loadbalancer.server.port=9091"
           - "traefik.http.routers.authelia.entrypoints=https"
           - "traefik.http.routers.authelia.rule=Host(`login.${TRAEFIK_DOMAIN}`)"

   traefik:
       image: traefik:v2.10.4
       container_name: traefik
       networks:
           - traefik
       ports:
#            - 80:80
           - 443:443
       environment:
           - TZ=$TZ
           - TRAEFIK_DOMAIN=${TRAEFIK_DOMAIN}
           - CF_API_EMAIL=${TRAEFIK_CF_API_EMAIL}
           - CF_DNS_API_TOKEN=${TRAEFIK_CF_DNS_API_TOKEN}
       volumes:
           - ${CONFIG}/traefik/traefik/traefik.yaml:/traefik.yaml:ro
           - ${CONFIG}/traefik/traefik/configs:/configs:ro
           - ${CONFIG}/traefik/traefik/acme.json:/acme.json # Must create file and chmod 600
           - ${CONFIG}/traefik/traefik/logs/:/logs
       labels:
           - "traefik.enable=true"
           - "traefik.docker.network=traefik"
           - "traefik.http.routers.traefik.service=api@internal"
           - "traefik.http.routers.traefik.entrypoints=https"
           - "traefik.http.routers.traefik.rule=Host(`traefik.${TRAEFIK_DOMAIN}`)"
           - "traefik.http.routers.traefik.middlewares=authelia@file"

[arcoast]

@SamTV12345 Forgot to say, if you want me to run anything locally to help figure things out just shout.

[SamTV12345]

Thanks for the help and the code snippets. Can I also setup authelia without a domain? I'd like to setup authelia on an external computer and have PodFetch running on my own computer so I can debug and restart it more easily.

[arcoast]

Honestly, I don't know. One thing I did think though, would it be helpful if I exposed an authelia test instance for you to use? I think I could do that and give access to authelia logs, but obviously I'd like to flesh out the details in private.

[SamTV12345]

That would be fantastic if you could do so. I can chat via email/Mastodon/Twitter/Discord.

[arcoast]

That would be fantastic if you could do so. I can chat via email/Mastodon/Twitter/Discord.

Discord is easiest for me, which channel?

[SamTV12345]

My DC name is samtv. You can send a friend request then we can chat via PMs.

[tetricky]

I've been away for a few days, but have an authelia and caddy setup, with a podman stack running containers. Am available today and can help/test if needed.

[arcoast]

Hey @tetricky we've had a look at it on a test instance I spun up and @SamTV12345 has been speaking to the Authelia devs.

I was thinking about writing some docs on Traefik, you fancy doing something for Caddy? Feel free to post it here and I'll write something up.

I'm happy to do docs on Authelia.

[SamTV12345]

@tetricky You can now use Authelia without a problem. @arcoast helped me a lot with debugging the issue. Thanks 🙏 .

[tetricky]

What do I have to do? Obviously my setup doesn't work. What is the resolution?

[TheOfficialBurner]

I found that, but can that not only be used with BASIC-AUTH, that does not work with OIDC at the same time? Or do i misunderstood that?

[SamTV12345]

True I don't think both will work. I checked the source code. You need to have a claim called preferred_username which is the same as your username.

[TheOfficialBurner]

Thank you for checking. I have set up the prefferred_username in my OIDC Config and this user matches the user i have created via CLI.
Did i got it right, that it have to match the "preferred_username" with the user i have set in the docker-compose to get admin rights?

Thank you!

[SamTV12345]

You're welcome :). The preferred username needs to match the username configured via the CLI and that user should differ from the admin user in your docker-compose

[TheOfficialBurner]

ok, I fulfil the requirement that the ‘preferred_username’ is the same as the user created in the CLI. This user differs from the ‘admin-user’ set in docker-compose.
I can now log in via OIDC, but my user name of the ‘preferred_username’ is not displayed under profile information.
How can I now log in as ‘admin’ to make the required settings if no login mask is displayed?

[tetricky]

I have that (although I had to rebuild from scratch - the container wouldn't run if I just updated the image).

I also am turning to the gpodder element.

I do not see how that can work. Suppose that I want to connect using antennapod. If I point that to my service, there is no facility within antennapod to log in using oidc. That is the login credentials/token that exist within a browser login, can never be accessible from antennapod. So the login (correctly) fails.

It seems to me that there needs to be a separate service for a basic auth type format, that exists as a sub-service, enabled when an oidc user has joined. Such that clients like antennapod have a supported authentication method. This could then be reverse proxied differently (podfetch.domain web client login using oidc, gpodfetch.domain a basic auth type scheme with username and password set within the web client).

I just can't see any other way that clients can hurdle the OIDC auth. Unless there are clients that I don't know that support OIDC login?

Does that make any sense, or am I completely misunderstanding what is going on?

[arcoast]

I've been working on this a bit with some more help from @SamTV12345, waiting to hear back from him to confirm nothing else needs to be done, but so far here's what I've got and I've successfully connected my AntennaPod instance on my phone with Podfetch.

EDIT: Confirmation received this should be all that's required.

You need some ACL rules in Authelia to put certain subfolders outside of the Authelia OIDC protection. Now I'd already figured out two from when I was just using Podfetch behind Authelia (Without OIDC) and they are:

• /rss
• /podcasts

To get gPodder working two other things need to happen:

• /api needs an ACL rule
• a password needs to be set outside of OIDC for gPodder to authenticate against (password can be the same of the OIDC password)

In summary here's my ACL rules in Authelia which are working:

access_control:
default_policy: deny
rules:
  - domain: podfetch.DOMAIN.COM
    resources:
      - "^/podcasts([/?].*)?$"
    policy: bypass

  - domain: podfetch.DOMAIN.COM
    resources:
      - "^/rss([/?].*)?$"
    policy: bypass

  - domain: podfetch.DOMAIN.COM
    resources:
      - "^/api([/?].*)?$"
    policy: bypass

Then to add a password with user sam:

• Run docker exec -it $PODFETCH /app/podfetch users update
• Enter the name sam
• Enter password
• Enter $DESIRED_GPODDER_PASSWORD

I've started on the docs for Authelia and once I've confirmed the above (I'm like 99% confident this is all that will need to happen) then I'll commit this stuff to the docs.

[tetricky]

My problem with this workflow is that with OIDC I operate zero knowledge of the users password. They set and manage it. For me to set a password in podfetch I need to compromise that, or set a different password, that I then manage, for podfetch on it's own. Which is sub-optimal, and undermines the advantages of OIDC. I might as well just use basic auth, and set the users credentials. Which I don't really want to do.

The current alternative is to only use the web-client.

[SamTV12345]

Yes. This is unfortunately a problem with AntennaPod/GPodder API. I can't change anything about that. I made it so that only those endpoints are reachable by password.

[tetricky]

That's fair enough. I will consider them separately managed services.

[lennart-m]

Hi, i have another issue using Authelia and PodFetch. I am using consent_mode: implicit in my Authelia client config so I don't have to always click 'confirm' after logging in.

But now whenever I refresh the site the login screen ('Sign in' with button 'OIDC Login') is shown. When refreshing again I am logged in and can see the podcasts etc.

Could you maybe look into this? I guess the frontend somehow is not able to see that I am already logged in on every other refresh.

Thanks a lot!
Lennart

[zacharyburnett]

I have a similar issue; additionally, under Profile, the API Key field is always blank upon logging in.

EDIT: I think this was just me misunderstanding it; I assume these fields are for updating those values, not displaying them, so they should be blank. Perhaps the UI should indicate that

[SamTV12345]

Normally you should be able to regenerate the api key except for the admin user.

[zacharyburnett]

oh, that must be why. The profile I am using is the admin user. I assume then that I should have a separate profile for admin

[zacharyburnett]

I also found that, when using OIDC, episode progress was not saved between sessions. I moved back to using BASIC_AUTH, and just put the entire app behind Authelia's SSO, and that seems to work fine