SFTPGo

Tested Versions

Authelia
- v4.39.19
SFTPGo
- v2.6.6

Assumptions

This example makes the following assumptions:

Application Root URL: https://sftpgo.{{< sitevar name="domain" nojs="example.com" >}}/
Authelia Root URL: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/
Client ID: sftpgo
Client Secret: insecure_secret

Some of the values presented in this guide can automatically be replaced with documentation variables.

Configuration

Authelia

{{< callout context="tip" title="Did you know?" icon="outline/rocket" >}} The sftpgo_role user attribute renders the value admin if the user is in the sftpgo_admins group within Authelia, renders the value manager if they are in the sftpgo_managers group, otherwise it renders user. You can adjust this to your preference to assign a role to the appropriate user groups. {{< /callout >}}

The following YAML configuration is an example Authelia client configuration for use with SFTPGo which will operate with the application example:

yaml

definitions:
  user_attributes:
    sftpgo_role:
      expression: '"sftpgo_admins" in groups ? "admin" : "sftpgo_managers" in groups ? "manager" : "user"'
identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    claims_policies:
      sftpgo:
        id_token: ['preferred_username', 'sftpgo_role']
        custom_claims:
          sftpgo_role: {}
    scopes:
      sftpgo:
        claims:
          - 'sftpgo_role'
    clients:
      - client_id: 'sftpgo'
        client_name: 'SFTPGo'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'two_factor'
        claims_policy: 'sftpgo'
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://sftpgo.{{< sitevar name="domain" nojs="example.com" >}}/web/oidc/redirect'
          - 'https://sftpgo.{{< sitevar name="domain" nojs="example.com" >}}/web/oauth2/redirect'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'sftpgo'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'

Application

To configure SFTPGo there are two methods, using the Configuration File, or using the Environment Variables.

Configuration File

To configure SFTPGo to utilize Authelia as an OpenID Connect 1.0 Provider, use the following configuration:

json

{
  "oidc": {
    "client_id": "sftpgo",
    "client_secret": "insecure_secret",
    "config_url": "https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}",
    "redirect_base_url": "https://sftpgo.{{< sitevar name="domain" nojs="example.com" >}}",
    "scopes": [
      "openid",
      "profile",
      "email",
      "sftpgo"
    ],
    "username_field": "preferred_username",
    "role_field": "sftpgo_role",
    "implicit_roles": false,
    "custom_fields": []
  }
}

Environment Variables

To configure SFTPGo to utilize Authelia as an OpenID Connect 1.0 Provider, use the following environment variables:

Standard

shell

SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_ID=sftpgo
SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_SECRET=insecure_secret
SFTPGO_HTTPD__BINDINGS__0__OIDC__CONFIG_URL=https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}
SFTPGO_HTTPD__BINDINGS__0__OIDC__REDIRECT_BASE_URL=https://sftpgo.{{< sitevar name="domain" nojs="example.com" >}}
SFTPGO_HTTPD__BINDINGS__0__OIDC__SCOPES=openid,profile,email,sftpgo
SFTPGO_HTTPD__BINDINGS__0__OIDC__USERNAME_FIELD=preferred_username
SFTPGO_HTTPD__BINDINGS__0__OIDC__ROLE_FIELD=sftpgo_role

Docker Compose