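###############################################################
# Authelia configuration                                      #
###############################################################
# Every credential is a ${VAR} placeholder. The file must go through
# Authelia's env-expansion filter (or an equivalent substitution) before
# it is loaded; otherwise the literal placeholder text becomes the value.
---
jwt_secret: ${AUTHELIA_JWT_SECRET}
default_redirection_url: ${AUTHELIA_DEFAULT_REDIRECT}

server:
  # Binds on all interfaces. Assumed to sit behind a TLS-terminating
  # reverse proxy on the container network, not published directly.
  host: 0.0.0.0
  port: 9092
  buffers:
    read: 8192
    write: 8192

telemetry:
  metrics:
    enabled: true
    # The metrics endpoint has no authentication. Keep 9959 reachable
    # only from the scraper; do not publish it on the host or the edge.
    address: "tcp://0.0.0.0:9959"
    buffers:
      read: 4096
      write: 4096
    timeouts:
      read: 6s
      write: 6s
      idle: 30s

theme: auto

log:
  # Was `debug`. Debug output from an identity provider can include
  # request details that do not belong in a shared log pipeline; raise
  # the level temporarily while troubleshooting only.
  level: info

totp:
  disable: false
  issuer: ${LDAP_DOMAIN}.${LDAP_TLD}
  # sha1 is the interoperable default for authenticator apps (RFC 6238
  # HMAC-SHA1) and is not a weakness in this setting; sha256/sha512 only
  # help if every enrolled app supports them.
  algorithm: sha1
  digits: 6
  period: 30
  skew: 1
  secret_size: 32
# webauthn:
#   disable: false
#   display_name: Authelia
#   attestation_conveyance_preference: indirect
#   user_verification: preferred
#   timeout: 60s

authentication_backend:
  ldap:
    implementation: custom
    url: ldap://openldap
    timeout: 5s
    # Was `start_tls: false` with `skip_verify: true`: over a plain
    # ldap:// URL the bind password below and every user's password at
    # login crossed the network in clear, and the tls block was inert.
    # StartTLS is now required and the certificate is verified, so the
    # directory must present a certificate valid for `server_name` from a
    # CA Authelia trusts (a private CA can be mounted via
    # `certificates_directory`).
    start_tls: true
    tls:
      server_name: openldap
      skip_verify: false
      minimum_version: TLS1.2
    base_dn: DC=${LDAP_DOMAIN},DC=${LDAP_TLD}
    additional_users_dn: OU=users
    users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    username_attribute: uid
    mail_attribute: mail
    display_name_attribute: displayName
    additional_groups_dn: OU=groups
    groups_filter: (&(member=UID={input},OU=users,DC=${LDAP_DOMAIN},DC=${LDAP_TLD})(objectClass=groupOfNames))
    group_name_attribute: cn
    # Binds as the directory admin. A read-only service account limited
    # to OU=users / OU=groups is enough for lookups and bounds the damage
    # if this password leaks.
    user: cn=admin,dc=${LDAP_DOMAIN},dc=${LDAP_TLD}
    password: ${LDAP_ADMIN_PASSWORD}

access_control:
  default_policy: deny
  rules:
    # just an example -- a matching request skips authentication entirely
    - domain: www.${LDAP_DOMAIN}.${LDAP_TLD}
      policy: bypass  # options are: bypass, one_factor and two_factor

session:
  name: authelia_session
  secret: ${AUTHELIA_SESSION_SECRET}
  expiration: 3600  # 1 hour
  inactivity: 300  # 5 minutes
  same_site: lax
  # The cookie domain is the apex, so the session cookie is sent to every
  # subdomain; all hosts under it that are proxied through Authelia share
  # one session.
  domain: ${LDAP_DOMAIN}.${LDAP_TLD}
  redis:
    # No password is set: this relies on the Redis instance being
    # reachable only on the private network. Add `password:` otherwise.
    host: authelia-redis
    port: 6379

regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300

storage:
  encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
  postgres:
    host: ${DATABASE_HOST}
    port: 5432
    database: authelia
    schema: public
    username: ${DATABASE_USER}
    password: ${DATABASE_PASSWORD}
    # No ssl settings, so the connection is plaintext. If Postgres runs
    # on another host, set `ssl.mode: require` (or verify-full with a CA).

notifier:
  smtp:
    username: ${MAILER_USERNAME}
    password: ${MAILER_PASSWORD}
    host: ${MAILER_HOST}
    port: ${MAILER_PORT}
    sender: ${MAILER_USERNAME}

identity_providers:
  oidc:
    hmac_secret: ${AUTHELIA_OAUTH_SECRET}
    # NOTE(review): if ${AUTHELIA_OAUTH_PRIVATE_KEY} holds a multi-line
    # PEM, a plain text substitution leaves lines 2..n at column 0 and
    # breaks the block scalar. Confirm the filter re-indents, or point
    # Authelia at a key file instead.
    issuer_private_key: |
      ${AUTHELIA_OAUTH_PRIVATE_KEY}
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    enable_client_debug_messages: false
    # PKCE is only forced for public clients. `always` is stricter and is
    # harmless for confidential clients that already send a code_verifier.
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - https://${LDAP_DOMAIN}.${LDAP_TLD}
      allowed_origins_from_client_redirect_uris: false
    clients:
      - id: myapp
        description: My Application
        # Was the literal 'clientsecret' committed in plaintext. Inject it
        # like every other credential in this file; recent Authelia
        # versions also accept a pbkdf2/argon2 hash here so the clear
        # text never sits in config.
        secret: ${MYAPP_OIDC_CLIENT_SECRET}
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1w
        scopes:
          - openid
          - groups
          - email
          - profile
        redirect_uris:
          - https://oidc.${LDAP_DOMAIN}.${LDAP_TLD}/oauth2/callback  # just an example
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        # query and form_post cover the code flow; fragment is only needed
        # for implicit/hybrid responses, which this client does not request.
        response_modes:
          - form_post
          - query
          - fragment
        # userinfo is returned as unsigned JSON (Authelia's default); its
        # integrity rests on the TLS connection to the issuer.
        userinfo_signing_algorithm: none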