Authelia
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for reverse proxies by allowing, denying, or redirecting requests.
Configuration Notes
LLDAP Integration
Authelia is configured to use LLDAP for its source of truth.
- Create an
autheliauser account in LLDAP - Set group for
autheliauser:- By default, use
lldap_strict_readonlypermission - If you are configuring Authelia to change user passwords, then use
lldap_password_managerpermission
- By default, use
Refer to lldap/example_configs/authelia.md at main · lldap/lldap
Client Integration
Client integration requires configuration of Authelia and the client application (and perhaps also LLDAP if additional roles are required).
Generate and store the OAuth client secret in 1Password:
just oauth secret <namespace> <app>This generates a random secret + PBKDF2 digest and stores both in 1Password:
op://homelab/<namespace>.<app>/client-secret(plaintext, for the app)op://homelab/security.authelia/Client Secrets/<APP>_OAUTH_CLIENT_DIGEST(digest, for Authelia)
The command prints a reminder to complete the remaining Authelia wiring.
Add the client to
identity_providers.oidc.clientsin Authelia’sconfiguration.yaml, referencing the digest via{{ secret "/config/secrets/<APP>_OAUTH_CLIENT_DIGEST" }}.Add a
dataentry to Authelia’s ExternalSecret (secret.externalsecret.yaml) to pull<APP>_OAUTH_CLIENT_DIGESTfrom thesecurity.authelia1Password item.Update the application to point to Authelia as the OIDC provider with the plaintext secret.
Envoy-Gateway Integration
For use if/when the application itself does not support OAUTH/OIDC
- Envoy Gateway | Integration | Authelia - Instructions on how to use Envoy Gateway as an external authorization filter
- Envoy Gateway | OpenID Connect 1.0 | Integration - via Authelia
configuration.ymlor by HTTPRoute
Generating Secrets
For all 32-byte base64 secrets (like session secret, storage encryption key):
openssl rand -hex 64For RSA private key (like JWKS key), the following will create public/private .pem files in your working directory:
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pemFor client password / digest hash, create a long random password and PBKDF2-SHA512 hash (the hash/digest is provided to Authelia; the password is used by the app):
uv run scripts/authelia_hash.pyKyverno Policy
The Kyverno policy generates a new session secret every time authelia redeploys, invalidating existing sessions and preventing the invalid cookies from causing users auth problems.