Single sign-on (SSO) server with Authelia
Authelia is an SSO server.
Create data/config/configuration.yml
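---
# Authelia configuration. Values written as {{ ... }} are Go templates that
# Authelia expands before parsing the YAML (enabled by
# X_AUTHELIA_CONFIG_FILTERS=template in docker-compose.yml); DOMAIN comes from
# the container environment.
log:
  level: 'info'

access_control:
  # Anything not matched by a rule below is refused.
  default_policy: deny
  rules:
    # NOTE(review): Authelia matches access_control `domain` against request
    # hostnames (e.g. '*.example.com'). Confirm the "https://" prefix is
    # intended; if it never matches, default_policy (deny) applies everywhere.
    - domain: {{ printf "https://*.%s" (mustEnv "DOMAIN") }}
      policy: one_factor

storage:
  local:
    path: '/config/db.sqlite3'

authentication_backend:
  file:
    path: '/config/users_database.yml'
    # Per-user attributes that users_database.yml may set under `extra:`;
    # they are exposed to OIDC clients through the claims policies below.
    extra_attributes:
      immich_quota:
        multi_valued: false
        value_type: 'integer'
      immich_role:
        multi_valued: false
        value_type: 'string'

session:
  cookies:
    - domain: {{ printf "%s" (mustEnv "DOMAIN") }}
      authelia_url: {{ printf "https://auth.%s" (mustEnv "DOMAIN") }}

notifier:
  smtp:
    address: 'submission://mailserver:587'  # see mailserver setup
    sender: "<EMAIL>"
    username: '<EMAIL>'
    # Allows the SMTP login to proceed without STARTTLS if the mailserver does
    # not offer it, i.e. the SMTP password may travel unencrypted. Acceptable
    # only because "mailserver" is reached over the private container network.
    disable_require_tls: true

ntp:
  max_desync: '10s'

password_policy:
  standard:
    enabled: true
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true

identity_providers:
  oidc:
    jwks:
      # Private signing key, mounted read-only from data/secrets/jwks (see
      # docker-compose.yml). mindent/msquote indent and quote the PEM so the
      # rendered block scalar is valid YAML.
      - key: {{ secret "/secrets/oidc/jwks/rsa.2048.key" | mindent 10 "|" | msquote }}
    claims_policies:
      immich_policy:
        custom_claims:
          immich_quota:
            attribute: 'immich_quota'
          immich_role:
            attribute: 'immich_role'
    scopes:
      immich_scope:
        claims:
          - 'immich_quota'
          - 'immich_role'
    cors:
      endpoints:
        - 'authorization'
        - 'token'
        - 'revocation'
        - 'introspection'
        - 'userinfo'
    # All clients use authorization_policy one_factor: a correct password alone
    # grants access to these apps. Raise to two_factor per client if needed.
    clients:
      - client_id: 'immich'
        client_secret: '<REDACTED>'  # see https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-secret
        redirect_uris:
          - {{ printf "https://images.%s/auth/login" (mustEnv "DOMAIN") }}
          - {{ printf "https://images.%s/user-settings" (mustEnv "DOMAIN") }}
          - 'app.immich:///oauth-callback'
        id_token_signed_response_alg: 'RS256'
        userinfo_signed_response_alg: 'RS256'
        token_endpoint_auth_method: 'client_secret_post'
        claims_policy: 'immich_policy'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'immich_scope'
        authorization_policy: 'one_factor'

      - client_id: 'jellyfin'
        client_secret: '<REDACTED>'  # see https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-secret
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - {{ printf "https://videos.%s/sso/OID/redirect/authelia" (mustEnv "DOMAIN") }}
          - 'org.jellyfin.mobile://login-callback'
        token_endpoint_auth_method: 'client_secret_post'

      # The OpenCloud clients are public clients (no secret); PKCE with S256 is
      # what binds the authorization code to the client that requested it.
      - client_id: 'opencloud-web'
        authorization_policy: 'one_factor'
        public: true
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - {{ printf "https://files.%s" (mustEnv "DOMAIN") }}
          - {{ printf "https://files.%s/oidc-callback.html" (mustEnv "DOMAIN") }}
          - {{ printf "https://files.%s/oidc-silent-redirect.html" (mustEnv "DOMAIN") }}

      - client_id: 'OpenCloudDesktop'
        authorization_policy: 'one_factor'
        public: true
        require_pkce: true
        pkce_challenge_method: 'S256'
        # Loopback redirects for the desktop client. The original had the
        # malformed 'http:localhost' (missing "//"); fixed to a proper URI.
        redirect_uris:
          - 'http://127.0.0.1'
          - 'http://localhost'
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        response_types:
          - code
        grant_types:
          - refresh_token
          - authorization_code

      - client_id: 'OpenCloudIOS'
        authorization_policy: 'one_factor'
        public: true
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'oc://ios.opencloud.eu'
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        response_types:
          - code
        grant_types:
          - refresh_token
          - authorization_code

      - client_id: 'OpenCloudAndroid'
        authorization_policy: 'one_factor'
        public: true
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'oc://android.opencloud.eu'
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        response_types:
          - code
        grant_types:
          - refresh_token
          - authorization_code

Create data/config/users_database.yml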
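---
# Authelia file-backend user database (referenced from configuration.yml as
# authentication_backend.file.path). Keys under `extra:` must be declared in
# authentication_backend.file.extra_attributes in configuration.yml.
users:
  <USERNAME>:
    # Store the password hash produced as described in the linked guide, never
    # the plaintext.
    password: <REDACTED>  # initial password - see https://www.authelia.com/reference/guides/passwords/#passwords
    displayname: <USERNAME>
    email: <EMAIL>
    profile: https://opencloud-admin  # hack until https://github.com/opencloud-eu/desktop/issues/217 is resolved
    groups:
      - admins
      - dev
      - jellyfin-admins
      - jellyfin-users
      - opencloud-admin
      - opencloud-user
    extra:
      immich_role: admin  # user or admin
      immich_quota: 10  # 10gb

Create secrets in data/secrets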
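Create docker-compose.yml file:

---
# Secrets are provided as files under data/secrets and surfaced to the
# container at /run/secrets/<name>; Authelia reads them via the *_FILE
# environment variables below, so no secret value appears in this file.
secrets:
  JWT_SECRET:
    file: '${PWD}/data/secrets/JWT_SECRET'
  SESSION_SECRET:
    file: '${PWD}/data/secrets/SESSION_SECRET'
  STORAGE_ENCRYPTION_KEY:
    file: '${PWD}/data/secrets/STORAGE_ENCRYPTION_KEY'
  SMTP_PASSWORD:
    file: '${PWD}/data/secrets/SMTP_PASSWORD'

services:
  authelia:
    image: 'docker.io/authelia/authelia:4.39.15'
    container_name: 'authelia'
    restart: 'unless-stopped'
    # No `ports:` are published: Authelia is reachable only from the shared
    # "server" network, i.e. through Traefik. Keep it that way, because the
    # forwardauth middleware below trusts forwarded headers.
    networks:
      server:
        aliases: []
    secrets:
      - 'JWT_SECRET'
      - 'SESSION_SECRET'
      - 'STORAGE_ENCRYPTION_KEY'
      - 'SMTP_PASSWORD'
    environment:
      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
      AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: '/run/secrets/SMTP_PASSWORD'
      # Enables Go-template expansion of configuration.yml ({{ mustEnv ... }}).
      X_AUTHELIA_CONFIG_FILTERS: 'template'
      DOMAIN: '${DOMAIN}'
      TZ: 'Europe/Berlin'
    volumes:
      # Read-write: Authelia stores db.sqlite3 here.
      - '${PWD}/data/config:/config'
      # OIDC signing key; mounted read-only since Authelia only reads it.
      - '${PWD}/data/secrets/jwks/private.pem:/secrets/oidc/jwks/rsa.2048.key:ro'
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)"
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth"
      # trustForwardHeader makes Authelia accept X-Forwarded-* from Traefik;
      # this is only safe while Traefik is the sole path to port 9091.
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"

networks:
  server:
    external: true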