OAuth setup with Authelia #3338
Replies: 10 comments 46 replies
-
Fixed the formatting; unfortunately it does not work:

```yaml
identity_providers:
  oidc:
    jwks:
      - key: {{ secret "/config/keys/private.pem" | mindent 10 "|" | msquote }}
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - userinfo
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - https://mealie.example.com
      allowed_origins_from_client_redirect_uris: true
    clients:
      - client_id: mealie
        client_name: Mealie
        authorization_policy: one_factor
        redirect_uris:
          - https://mealie.example.com/login
        public: true
        pkce_challenge_method: S256
        grant_types:
          - authorization_code
        scopes:
          - openid
          - profile
          - groups
          - email
```

Any ideas? What exact environment variables are required?
-
Bonus suggestions:
-
I have Authelia 4.37.5 and Mealie Nightly.

Authelia:

```yaml
id: melie
description: mealie
authorization_policy: one_factor
public: true
grant_types:
  - authorization_code
scopes:
  - openid
  - email
  - profile
  - groups
redirect_uris:
  - https://mealie.gasimzada.casa/login
userinfo_signing_algorithm: none
```

Mealie:

```yaml
environment:
  - ALLOW_SIGNUP=false
  - PUID=1000
  - PGID=1000
  - TZ=Europe/Amsterdam
  - MAX_WORKERS=1
  - WEB_CONCURRENCY=1
  - BASE_URL=https://mealie.example.com
  - OIDC_AUTH_ENABLED=true
  - OIDC_SIGNUP_ENABLED=true
  - OIDC_CONFIGURATION_URL=https://auth.example.com/.well-known/openid-configuration
  - OIDC_CLIENT_ID=mealie
  - OIDC_ADMIN_GROUP=admins
  - OIDC_USER_GROUP=users
  - OIDC_AUTO_REDIRECT=false
```

When I log in with OIDC, the user is created (with the correct permissions based on the groups defined in Authelia), but I cannot log into Mealie. It basically never logs in. When I log in with the default admin user, I can see that the user has been created with all the information there. Is there something that I am missing here?
-
Out of interest: Why no client secret? Why use
Also, the configuration for all the others is a bit simpler / there is less to configure. Why go a different route? Safer? Less safe? Easier to manage?
-
I get an infinite redirect after logging in. The configuration works as described and Authelia assigns a token, but after that I am caught in a loop. Debug-level logging shows this:
I'm not redirecting to the
-
Not actually tested, but here's a theoretically working guide, provided Mealie supports PKCE S256: https://www.authelia.com/integration/openid-connect/mealie/
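As an added illustration (not code from this thread, Authelia or Mealie) of the PKCE S256 method the client configs here select and the guide above requires, and of why a public client needs no client secret: the Python below derives the challenge the way RFC 7636 specifies and performs the provider-side check at the token endpoint, using the RFC's own test vector; the code value and flow in `demo()` are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets

# Added illustration of the S256 method the thread's client configs select
# (pkce_challenge_method: S256); not code from Authelia or Mealie.

def make_verifier() -> str:
    """Client side: a fresh random code_verifier for each login attempt."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def s256_challenge(verifier: str) -> str:
    """RFC 7636: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def token_exchange(issued_codes: dict, code: str, verifier: str) -> bool:
    """Provider side at the token endpoint: the authorization code is only
    redeemable together with the verifier whose challenge was bound to it at
    authorization time. No client secret is involved, which is why a public
    client such as Mealie's browser-driven login can do without one."""
    entry = issued_codes.get(code)
    if entry is None:
        return False
    return hmac.compare_digest(s256_challenge(verifier), entry["challenge"])

# RFC 7636 Appendix B test vector.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

def demo() -> tuple:
    """Constructed flow: the provider stored the challenge sent with the
    authorization request and issued the placeholder code 'demo-code'."""
    issued = {"demo-code": {"challenge": RFC_CHALLENGE}}
    legit = token_exchange(issued, "demo-code", RFC_VERIFIER)
    # The code alone (as it appears in the /login?code=... redirect) is not
    # enough: without the originating session's verifier the exchange fails.
    without_verifier = token_exchange(issued, "demo-code", make_verifier())
    return legit, without_verifier
```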
-
I don't know if it's me completely missing something, but I can't make the integration work. I reach the login page, and once I press the OAuth login button I get redirected to a 404 page. The URL looks like the following:

```yaml
identity_providers:
  oidc:
    hmac_secret: ':>)'
    jwks:
      - key_id: 'example'
        algorithm: 'RS256'
        key: {{ secret "/config/secrets/oidc/jwks/private_authelia.pem" | mindent 10 "|" | msquote }}
    cors:
      endpoints:
        - userinfo
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - 'https://mealie.domain.lan'
      allowed_origins_from_client_redirect_uris: false
    clients:
      - client_id: 'mealie'
        client_name: 'Mealie'
        public: true
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        grant_types:
          - 'authorization_code'
        redirect_uris:
          - 'https://mealie.domain.lan/login'
        scopes:
          - openid
          - profile
          - groups
          - email
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'none'
```

And these are my environment variables from the compose file:

```yaml
environment:
  - ALLOW_SIGNUP=true
  - PUID=1000
  - PGID=1000
  - TZ=Europe/Berlin
  - MAX_WORKERS=1
  - WEB_CONCURRENCY=1
  - BASE_URL=https://mealie.domain.lan
  # Database Settings
  - DB_ENGINE=postgres
  - POSTGRES_USER=username
  - POSTGRES_PASSWORD=password
  - POSTGRES_SERVER=db
  - POSTGRES_PORT=5432
  - POSTGRES_DB=mealie
  - OIDC_AUTH_ENABLED=true
  - OIDC_SIGNUP_ENABLED=true
  - OIDC_CONFIGURATION_URL=https://authelia.domain.lan/.well-known/openid-configuration
  - OIDC_CLIENT_ID=mealie
  - OIDC_AUTO_REDIRECT=false
  - OIDC_ADMIN_GROUP=mealie-admins
  - OIDC_USER_GROUP=mealie-users
  - LOG_LEVEL=DEBUG
```

I've tried switching around different settings in order to get it to work, but without success. When I look at the network tab I get an error on an OPTIONS request to my Authelia address where the "Transferred" value is: "CORS missing allow origin"
-
First off, loving the support for OIDC, thank you again for the implementation! Quick question: When I put my admin user into the
config includes:
The temporary solution seems to be to just put the admin user into the
Am I missing something here?
-
I tried setting up Authelia, but it didn't work.
Mealie config:
Authelia config:
INFO 2024-07-21T08:59:21 - [192.168.254.21:0] 307 Temporary Redirect "GET /login?code=authelia_ac_zYpqmL_zUlyMYxfFJKI4tcVtYD78eVza5edvJDz-6L8.ZdYQ35Uug8xCvDlrVFOjzRn91pQbaCON1RgZqHN36AI&iss=https%3A%2F%2Fauthelia.lan&scope=openid+profile+email+groups&state=pwVwtQjKxZ HTTP/1.1"
-
Can someone update this with an example for Mealie (latest version)? I'm having the most unusual time debugging my setup. The Authelia logs show that the login with OIDC is successful, but I get the following error from the Mealie logs:
I supply the scope as recommended in my Authelia config YAML:
-
This post is meant to serve as a companion to the guide in the docs with examples specifically for Authelia. The following configurations are only partial and are intended only as examples. You will likely need to modify them as necessary for your particular setup.
Authelia Configuration
Important
This is only an example and is not a full configuration. You should read through the Authelia documentation and adjust your configuration as needed.
Mealie Configuration
These are the minimum required environment variables to get it working. See the docs for full options.