Wanderer

Tested Versions

{{% oidc-common %}}

Assumptions

This example makes the following assumptions:

  • Application Root URL: https://wanderer.{{< sitevar name="domain" nojs="example.com" >}}/
    • Wanderer uses the ORIGIN environment variable as the public URL. The redirect URL is ${ORIGIN}/login/redirect.
  • Authelia Root URL: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/
  • Client ID: wanderer
  • Client Secret: insecure_secret

Some of the values presented in this guide can automatically be replaced with documentation variables.

{{< sitevar-preferences >}}

Configuration

Authelia

The following YAML is an example Authelia client configuration for Wanderer that works with the application configuration described below:

```yaml
identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_id: 'wanderer'
        client_name: 'Wanderer'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://wanderer.{{< sitevar name="domain" nojs="example.com" >}}/login/redirect'
        scopes:
          - 'openid'
          - 'email'
          - 'profile'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
```

Application

Wanderer uses PocketBase for authentication configuration. To configure Wanderer to utilize Authelia as an OpenID Connect 1.0 Provider:

  1. Sign in to the PocketBase admin UI using your superuser.

  2. Navigate to the users collection.

  3. Click the gear icon to open the collection settings.

  4. Navigate to Options.

  5. In the OAuth2 tab, add a new provider with type OpenID Connect (oidc).

  6. Configure the provider with these options:

    • Client ID: wanderer
    • Client secret: insecure_secret
    • Display name: Authelia
    • Auth URL: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/api/oidc/authorization
    • Token URL: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/api/oidc/token
    • Fetch user info from: User info URL
    • User info URL: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/api/oidc/userinfo
    • Support PKCE: enabled

  7. Save your changes.

Ensure the redirect URL configured at the provider is exactly ${ORIGIN}/login/redirect and that the same value is present in the Authelia redirect_uris list.
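The exact-match requirement above can be checked before either side is saved. The following is an added example, not code from the Authelia or Wanderer projects; the function names and the sample ORIGIN values (built on the page's example.com placeholder) are assumptions.

```python
from urllib.parse import urlsplit

REDIRECT_PATH = "/login/redirect"  # from the page: ${ORIGIN}/login/redirect


def wanderer_redirect_uri(origin: str) -> str:
    """Expand ${ORIGIN}/login/redirect as plain string substitution would."""
    return origin + REDIRECT_PATH


def _normalise(uri: str) -> str:
    """Loose form used only to explain a near miss; never used to accept one."""
    parts = urlsplit(uri)
    path = "/" + "/".join(seg for seg in parts.path.split("/") if seg)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"


def check_redirect(origin: str, registered: list[str]) -> tuple[bool, list[str]]:
    """Return (ok, findings); ok is True only on a character-for-character match."""
    sent = wanderer_redirect_uri(origin)
    if sent in registered:
        return True, []
    findings = [f"'{sent}' is not in redirect_uris"]
    if urlsplit(sent).scheme != "https":
        findings.append("ORIGIN is not an https URL")
    if origin.endswith("/"):
        findings.append("ORIGIN ends with '/', which yields '//login/redirect'")
    for uri in registered:
        if _normalise(uri) == _normalise(sent):
            findings.append(f"near miss with '{uri}': differs only by case or slashes")
    return False, findings


if __name__ == "__main__":
    # Constructed sample values; replace with your ORIGIN and redirect_uris entries.
    registered = ["https://wanderer.example.com/login/redirect"]
    for origin in ("https://wanderer.example.com",
                   "https://wanderer.example.com/",
                   "http://wanderer.example.com"):
        ok, findings = check_redirect(origin, registered)
        print(origin, "OK" if ok else "MISMATCH", findings)
```

The Application Root URL in the assumptions is written with a trailing slash; copying it unchanged into ORIGIN produces the double-slash mismatch that the second sample value demonstrates.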

See Also