debugging authelia swag
docker-compose.yaml
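swag:
  # Reverse proxy / TLS terminator in front of authelia and gitlab.
  image: linuxserver/swag
  container_name: swag
  networks:
    default:
      ipv4_address: 172.28.0.105
  depends_on:
    - authelia
  cap_add:
    - NET_ADMIN
  environment:
    - PUID=${PUID}
    - PGID=${PGID}
    - TZ=America/New_York
    - URL=${DOMAIN_NAME}
    - SUBDOMAINS=wildcard
    # Wildcard certificate via DNS validation against Cloudflare (uses the
    # CF_API_TOKEN below).
    - VALIDATION=dns
    - DNSPLUGIN=cloudflare
    - DOCKER_MODS=linuxserver/mods:universal-cloudflared
    # Redacted in the issue; the other Cloudflare values come from .env.
    - CF_ZONE_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    - CF_ACCOUNT_ID=${CF_ACCOUNT_ID}
    - CF_API_TOKEN=${CF_API_TOKEN}
    - CF_TUNNEL_NAME=${DOMAIN_NAME}
    - CF_TUNNEL_PASSWORD=${CF_TUNNEL_PASSWORD}
    - FILE__CF_TUNNEL_CONFIG=/config/tunnelconfig.yml
  extra_hosts:
    # Inside the swag container the public domain resolves to swag itself.
    - "${DOMAIN_NAME}:127.0.0.1"
  volumes:
    - /dockercfg/swag:/config
  ports:
    # Quoted so the host:container pair is always read as a string.
    - "443:443"
    - "80:80"
  restart: "no"  # quoted on purpose: a bare no is YAML 1.1 boolean false
  labels:
    - com.centurylinklabs.watchtower.enable=true

authelia:
  # Untagged image plus the watchtower label below means the container
  # follows a floating tag; the only version hint is the commented pin.
  image: authelia/authelia  # pin was commented out in the issue (:4.34.6)
  container_name: authelia
  networks:
    default:
      ipv4_address: 172.28.0.107
  user: "${PUID}:${PGID}"  # run as the .env uid:gid; assumes they are non-zero
  environment:
    - TZ=America/New_York
  depends_on:
    - openldap
  volumes:
    - /dockercfg/authelia:/config
  restart: "no"  # quoted on purpose: a bare no is YAML 1.1 boolean false
  labels:
    - com.centurylinklabs.watchtower.enable=true

gitlab:
  image: gitlab/gitlab-ee:latest
  container_name: gitlab
  environment:
    # Omnibus config is Ruby; ${DOMAIN_NAME} is expanded by docker compose
    # before GitLab reads it.
    GITLAB_OMNIBUS_CONFIG: |
      # NOTE(review): external_url is plain http on :80 while the OIDC
      # redirect_uri below is https. GitLab sits behind TLS-terminating swag,
      # so confirm the intended external-proxy setup (GitLab's documented
      # pattern is an https external_url with nginx['listen_port'] = 80 and
      # nginx['listen_https'] = false).
      external_url 'http://gitlab.${DOMAIN_NAME}:80'
      letsencrypt['enable'] = false
      gitlab_rails['omniauth_providers'] = [
        {
          name: "openid_connect",
          label: "Authelia",
          icon: "https://www.authelia.com/images/branding/logo-cropped.png",
          args: {
            name: "openid_connect",
            scope: ["openid","profile","email","groups"],
            response_type: "code",
            issuer: "https://auth.${DOMAIN_NAME}",
            discovery: true,
            # NOTE(review): Authelia documents client_secret_basic as the
            # default token_endpoint_auth_method; confirm both sides agree on
            # how the client secret is presented at /api/oidc/token.
            client_auth_method: "query",
            uid_field: "preferred_username",
            send_scope_to_token_endpoint: "false",
            client_options: {
              # Must equal the Authelia client id.
              identifier: "gitlab",
              # Plaintext client secret (redacted). Authelia's side holds the
              # pbkdf2-sha512 digest of this value; the token-endpoint log in
              # this issue reports "the passwords don't match", so verify the
              # pair first.
              secret: "XXXXXXXXxxxxxxxxxxxxxxxxxxxxxx",
              # Must match an entry in Authelia's redirect_uris exactly.
              redirect_uri: "https://gitlab.${DOMAIN_NAME}/users/auth/openid_connect/callback"
            }
          }
        }
      ]
  volumes:
    - /dockercfg/gitlab/config:/etc/gitlab
    - /dockercfg/gitlab/logs:/var/log/gitlab
    - /dockercfg/gitlab/data:/var/opt/gitlab
  shm_size: '256m'
  restart: "no"  # quoted on purpose: a bare no is YAML 1.1 boolean false
  labels:
    - com.centurylinklabs.watchtower.enable=true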
authelia\configuration.yaml
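identity_providers:
  oidc:  ## See: https://www.authelia.com/c/oidc
    # Private key redacted in the issue. It signs the tokens Authelia issues,
    # so keep it out of version control (Authelia can also read it from a
    # *_FILE secret instead of the config file).
    issuer_private_key: |
      --- the RSA key -----
    clients:
      - id: gitlab  # must equal GitLab's client_options.identifier
        description: GitLab
        # pbkdf2-sha512 digest of the client secret; GitLab is configured with
        # the plaintext. Single-quoted so the leading $ is taken literally.
        secret: '$pbkdf2-sha512xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        sector_identifier: ''
        public: false  # confidential client: a secret is required
        authorization_policy: two_factor
        pre_configured_consent_duration: ''
        audience: []
        redirect_uris:
          # NOTE(review): Authelia does not expand compose-style ${VAR}; if
          # this is not just redaction, the literal hostname is needed here.
          - https://gitlab.${DOMAIN_NAME}/users/auth/openid_connect/callback
        scopes:  # the same four scopes GitLab requests
          - openid
          - profile
          - groups
          - email
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - query
          - form_post
        userinfo_signing_algorithm: none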
gitlab.subdomain.conf
## Version 2023/05/31
# make sure that your gitlab container is named gitlab
# make sure that your dns has a cname set for gitlab
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name gitlab.*;
    include /config/nginx/ssl.conf;
    # 0 disables nginx's upload size cap (presumably for large git pushes).
    client_max_body_size 0;
    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;
    # enable for Authelia (requires authelia-location.conf in the location block)
    include /config/nginx/authelia-server.conf;
    # enable for Authentik (requires authentik-location.conf in the location block)
    #include /config/nginx/authentik-server.conf;
    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;
        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;
        # enable for Authelia (requires authelia-server.conf in the server block)
        # NOTE(review): with this include every GitLab path, including the
        # /users/auth/openid_connect* OIDC endpoints, is subject to Authelia
        # forward-auth before GitLab sees the request. The "enable JavaScript"
        # response body reported in the issue looks consistent with that. If
        # the goal is GitLab's own OIDC login, this include is normally left
        # disabled so only GitLab's flow handles authentication — confirm
        # which model is intended.
        include /config/nginx/authelia-location.conf;
        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        # Plain http to the gitlab container on the compose network; port 80
        # matches the Omnibus external_url in the compose file.
        set $upstream_app gitlab;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
Could not authenticate you from OpenIDConnect because "Invalid client :: client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).".
When I click "Sign in with Authelia", in my Network tab I get these two links:
https://gitlab.mydomain.tld/users/auth/openid_connect
Both render in the Response viewer as "You need to enable JavaScript to run this app."
In LDAP, my usernames are the `uid` attribute.
time="2023-12-26T17:15:02-05:00" level=error msg="Access Request failed with error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). the passwords don't match" method=POST path=/api/oidc/token remote_ip=73.201.29.125 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_token.go:27 OpenIDConnectTokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:113 NewHTTPToAutheliaHandlerAdaptor.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54 (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:35 SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:25 SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16 SecurityHeaders.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216 (*CORSPolicy).Middleware.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:414 (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154 (*Response).StatusCode\ngithub.com/authelia/authelia/v4/internal/middlewares/strip_path.go:22 StripPath.func1.1\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1594 goexit"