
# opkssh

docs/content/integration/openid-connect/clients/opkssh/index.md


## Tested Versions

{{% oidc-common %}}

## Assumptions

This example makes the following assumptions:

  • Authelia Root URL: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/
  • Client ID: opkssh

Some of the values presented in this guide can automatically be replaced with documentation variables.

{{< sitevar-preferences >}}

## Configuration

### Authelia

The following YAML is an example Authelia client configuration for opkssh. It is a public client (no client secret), so PKCE with `S256` is required and the loopback redirect URIs match the ports the opkssh client listens on; it pairs with the application configuration in the next section.

```yaml
identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_id: 'opkssh'
        client_name: 'opkssh'
        public: true
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'http://localhost:3000/login-callback'
          - 'http://localhost:10001/login-callback'
          - 'http://localhost:11110/login-callback'
        scopes:
          - 'openid'
          - 'offline_access'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
          - 'refresh_token'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'none'
```

### Application

To configure opkssh to utilize Authelia as an OpenID Connect 1.0 Provider:

#### Client

To log in using Authelia run:

```shell
opkssh login --provider=https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}},opkssh
```

The CLI prints your unique user identifier (the `sub` claim of the ID token). Copy it: this opaque identifier, not your username, is what the server's access control is keyed on.

##### Configuration File

{{< callout context="tip" title="Did you know?" icon="outline/rocket" >}} Generally the configuration file is named ~/.opk/config.yml on Linux and C:\Users\{USER}\.opk\config.yml on Windows. {{< /callout >}}

To create a persistent configuration, generate a new configuration file by running the following command:

```shell
opkssh login --create-config
```

Then add Authelia to the existing providers:

```yaml{title="~/.opk/config.yml"}
providers:
  - alias: authelia
    issuer: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}
    client_id: opkssh
    scopes: openid offline_access
    access_type: offline
    prompt: consent
    redirect_uris:
      - http://localhost:3000/login-callback
      - http://localhost:10001/login-callback
      - http://localhost:11110/login-callback
```

You can now run `opkssh login` to log in.

#### Server

The opkssh server is configured in one way only: through its configuration file.

##### Configuration File

{{< callout context="tip" title="Did you know?" icon="outline/rocket" >}} Generally the configuration file is named /etc/opk/providers. {{< /callout >}}

To configure opkssh to utilize Authelia as an OpenID Connect 1.0 Provider, use the following configuration:

```txt
https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}} opkssh 24h
```

In addition to the above, each user must be mapped to the local principals they may log in as; this is done manually with the opkssh CLI.

For example, to allow the user john, whose user identifier is `f0919359-9d15-4e15-bcba-83b41620a073`, to log in as root:

```shell
opkssh add root f0919359-9d15-4e15-bcba-83b41620a073 https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}
```

To set up access control for other users as well, use the `authelia storage user identifiers export` command to obtain every user's identifier in one go.
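A bulk version of the mapping step above, as an added example that is not part of the Authelia or opkssh documentation: it reads the identifier export, keeps only the `openid` identifiers of the users you list, checks that each identifier is a well-formed UUID and each principal a plain account name, and prints the matching `opkssh add` commands. The export layout, the issuer `https://auth.example.com`, the identifiers other than john's and the user-to-principal policy are assumptions made for the example.

```python
"""Generate opkssh principal mappings for every Authelia user at once.

Added example for this page; it is not code from the Authelia or opkssh
projects. Assumptions (all labelled): the export produced by
`authelia storage user identifiers export` is a YAML document shaped like
SAMPLE_EXPORT below (an `identifiers` list whose items carry `identifier`,
`service`, `sector` and `username`), and the issuer is the Authelia root
URL from the Assumptions section.
"""
import re
import uuid

ISSUER = "https://auth.example.com"  # assumed Authelia root URL

# Allowed shape of a local principal (Linux account name), checked before
# it is interpolated into a command line.
PRINCIPAL_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed sample export. The layout is assumed; every identifier except
# john's (taken from the page) is made up.
SAMPLE_EXPORT = """\
identifiers:
  - identifier: f0919359-9d15-4e15-bcba-83b41620a073
    service: openid
    sector: ''
    username: john
  - identifier: 8b2d0b0e-3c7b-4a39-b0e6-2e6b1b7f4a10
    service: openid
    sector: ''
    username: alice
  - identifier: not-a-uuid
    service: openid
    sector: ''
    username: mallory
"""


def parse_export(text):
    """Parse the flat list-of-mappings layout assumed above (no PyYAML needed)."""
    entries, current, in_list = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "identifiers:":
            in_list = True
            continue
        if not in_list:
            continue
        if line.startswith("- "):
            current = {}
            entries.append(current)
            line = line[2:]
        if current is None:
            raise ValueError(f"key outside a list item: {raw!r}")
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip().strip("'\"")
    return entries


def build_mappings(entries, principals, issuer=ISSUER):
    """Return (commands, rejected) for the users named in `principals`.

    `principals` maps an Authelia username to the local accounts it may log
    in as. Only `openid` identifiers are used, because that is the `sub`
    claim opkssh sees. Identifiers that are not well-formed UUIDs are
    reported instead of mapped, and principals that are not plain account
    names abort the run, so nothing unexpected reaches the server's access
    control list.
    """
    commands, rejected = [], []
    for entry in entries:
        if entry.get("service") != "openid":
            continue
        user = entry.get("username")
        if user not in principals:
            continue
        ident = entry.get("identifier", "")
        try:
            uuid.UUID(ident)
        except ValueError:
            rejected.append((user, ident))
            continue
        for principal in principals[user]:
            if not PRINCIPAL_RE.match(principal):
                raise ValueError(f"refusing unsafe principal {principal!r}")
            commands.append(f"opkssh add {principal} {ident} {issuer}")
    return sorted(commands), rejected


if __name__ == "__main__":
    # Who may log in as which local account (constructed policy).
    policy = {"john": ["root", "john"], "alice": ["alice"], "mallory": ["mallory"]}
    commands, rejected = build_mappings(parse_export(SAMPLE_EXPORT), policy)
    print("\n".join(commands))
    for user, ident in rejected:
        print(f"# skipped {user}: identifier {ident!r} is not a UUID")
```

Review the printed commands before running them on the server; rejected entries are emitted as comments so a malformed identifier is visible rather than silently mapped.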

## See Also