config:authelia-npm [2026/03/13 13:22] – [Authelia Configuration] Wuff
config:authelia-npm [2026/03/19 22:34] (current) – [Redis for Authelia session] Wuff
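--- a/config/authelia-npm.txt
+++ b/config/authelia-npm.txt
@@ -338,2 +338,177 @@
 
 By default, authentication is valid for 1 hour or 30 days when the remember me is checked on login. This can be changed in the authelia configuration.yml
+
+
+===== Authelia email backend =====
+gmail example for email backend. Requires google mail app password. 
+<code>
+notifier:
+  ## You can disable the notifier startup check by setting this to true.
+  disable_startup_check: true
+
+  ##
+  ## File System (Notification Provider)
+  ##
+  #filesystem:
+  #  filename: '/config/notification.txt'
+
+  smtp:
+    address: 'smtp://smtp.gmail.com:587'
+    username: 'email address'
+    password: 'app password'
+    sender: 'Authelia <noreply@domain>'
+    subject: '[Authelia] {title}'
+    startup_check_address: 'email address'
+</code>
+
+===== Authelia SSO backend =====
+
+Single sign on through authelia for booklore:
+<code>
+server:
+  endpoints:
+    authz:
+      forward-auth:
+        implementation: 'ForwardAuth'
+        authn_strategies:
+          - name: 'HeaderAuthorization'
+            schemes:
+              - 'Basic'
+              - 'Bearer'
+          - name: 'CookieSession'
+      ext-authz:
+        implementation: 'ExtAuthz'
+        authn_strategies:
+          - name: 'HeaderAuthorization'
+            schemes:
+              - 'Basic'
+              - 'Bearer'
+          - name: 'CookieSession'
+      auth-request:
+        implementation: 'AuthRequest'
+        authn_strategies:
+          - name: 'HeaderAuthRequestProxyAuthorization'
+            schemes:
+              - 'Basic'
+              - 'Bearer'
+          - name: 'CookieSession'
+      legacy:
+        implementation: 'Legacy'
+        authn_strategies:
+          - name: 'HeaderLegacy'
+          - name: 'CookieSession'
+
+
+##
+## Identity Providers
+##
+
+#Valid keys can be generated using the following commands:
+#openssl genrsa -out private.pem 2048
+#openssl rsa -in private.pem -outform PEM -pubout -out public.pem
+
+identity_providers:
+  oidc:
+    jwks:
+      - algorithm: 'RS256'
+        use: 'sig'
+        key: |
+          -----BEGIN PRIVATE KEY-----
+          MIIEvQI....
+          iulbfHg....
+          -----END PRIVATE KEY-----
+
+    clients:
+      - 
+        client_id: 'booklore'
+        client_name: 'BookLore'
+        public: true
+        authorization_policy: 'two_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'https://booklore.domain/oauth2-callback'
+        scopes:
+          - 'openid'
+          - 'offline_access'
+          - 'profile'
+          - 'email'
+          - 'groups'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+          - 'refresh_token'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'
+</code>
+
+Restart Authelia for the changes to take effect!
+
+In booklore gui:
+Settings -> OIDC Settings:
+  * In the top right click the settings icon (looks like a cog)
+  * Provider Name: Authelia
+  * Client ID: booklore
+  * Issuer URI: https://auth.example.com
+  * Scope: openid profile email offline_access
+  * Username Claim: preferred_username
+  * Email Claim: email
+  * Display Name Claim: name
+  * Test, then click Save Settings.
+  * OIDC Enabled: Toggle to the on Position above the settings.
+
+Further down on the page, "OIDC-Only Mode" can be enabled to enforce authelia and prevent local user login. Admins can still log in with password only using /login?local=true 
+
+{{.:pasted:20260318-162841.png}}
+
+
+Make sure to remove the advanced nginx config in NPM and enable websocket support in NPM.
+The OIDC integration replaces the proxy authelia protection. 
+
+===== Redis for Authelia session =====
+
+Authelia stores session data in memory by default. This means whenever the container or server is restarted, all users will have to log in again as the session data is lost. To store data across restarts, Redis can be used as in memory database and cache. 
+
+Authelia docker compose file should be adjusted as following:
+<code yaml>
+name: authelia
+services:
+  authelia:
+    image: authelia/authelia
+    container_name: authelia
+    restart: unless-stopped
+    volumes:
+      - /opt/authelia:/config
+    ports:
+      - 6091:9091
+    environment:
+      - TZ=Europe/London
+    depends_on:
+      redis:
+        condition: service_started
+  redis:
+    image: redis:alpine
+    container_name: authelia-redis
+    command: >
+      redis-server
+      --appendonly yes
+      --appendfsync everysec
+      --save 900 1
+      --save 300 10
+      --save 60 10000
+    volumes:
+      - /opt/authelia/redis:/data
+    restart: unless-stopped
+</code>
+
+And in /opt/authelia/configuration.yml add redis to the session section:
+<code>
+session:
+  redis:
+    host: authelia-redis
+    port: 6379
+</code>
+
+Then stop and fully restart the authelia container.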
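Review bot: The Redis session store added in the compose file and in the `session.redis` block runs without authentication — there is no `--requirepass` in the `redis-server` command and no `password:` under `session.redis` — so anything that can reach `authelia-redis` on the compose network can read or forge live Authelia sessions, which are the credential this whole setup protects. Redis is not published on the host here, which limits exposure, but a password is cheap and the docs should show it: add `--requirepass '<redis password>'` to the `command:` list and `password: '<redis password>'` next to `host`/`port` in `session.redis`. The AOF/RDB files written under `/opt/authelia/redis` hold the same session data at rest and should be restricted like the rest of `/opt/authelia`, and the `redis:alpine` tag is unpinned, so a re-pull can silently change the Redis version. Separately, the OIDC private key is now inlined in `configuration.yml` alongside the SMTP app password; a one-line note that this file must stay readable only by the Authelia user would help, and it is worth saying that the three `'none'` values on the booklore client are the expected settings for a public PKCE client (opaque access token, unsigned userinfo, no client secret) rather than a weakening a reader should remove.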