OIDC - configuration.yml

This configuration is for local users held in Authelia's file backend, with WebAuthn (FIDO2) as the only second factor (TOTP is disabled), fronting a single OIDC client (Cloudflare Zero Trust).

This configuration was created with the help of Florian Muller's excellent guide which can be viewed here

###############################################################################
#                           Authelia Configuration                            #
###############################################################################

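server:
  host: 0.0.0.0 # Listens on every interface of the container; rely on the network/tunnel boundary to keep the portal private
  port: 9091
  tls.certificate: /config/ssl/cert.pem # TLS certificate served on port 9091 (not 443)
  tls.key: /config/ssl/key.pem # Private key for the certificate above; Authelia expects the key alongside the certificate
  asset_path: /config/assets/ # Custom Icons for Authelia
  buffers.read: 8192
  buffers.write: 8192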

theme: auto

default_redirection_url: https://auth.<domain-name>.com/ # Set Domain Name; keep this host consistent with session.domain and the access_control / cors entries below

ntp:
  address: "time.cloudflare.com:123"
  version: 4
  max_desync: 3s # Largest clock offset tolerated by the startup check
  disable_startup_check: false # The clock is compared against the NTP server at startup
  disable_failure: true # A failed or drifted check presumably only warns instead of blocking startup; acceptable here since TOTP (the time-based factor) is disabled below

webauthn: # FIDO2 Authentication (the only second factor in this configuration)
  disable: false
  display_name: Authelia # Relying-party name shown by the authenticator
  attestation_conveyance_preference: direct # Request the authenticator's attestation statement during registration
  user_verification: required # Authenticator must verify the user (PIN/biometric), not merely test presence
  timeout: 60s

totp: # One Time Password — disabled, so WebAuthn is the only available second factor
  disable: true

authentication_backend:
  password_reset.disable: true # Disabled Password Reset (no reset links are issued)
  refresh_interval: 5m # How often user/group data is re-read from the file backend
  file:
    path: /config/users/users_database.yml # Holds the password hashes; keep it readable by Authelia only
    password:
      algorithm: argon2id
      iterations: 1
      key_length: 32
      salt_length: 16
      memory: 1024 # NOTE(review): the unit of this value depends on the Authelia version (MiB in older releases, KiB in newer ones) — confirm it is the intended cost for your version
      parallelism: 8

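access_control:
  default_policy: deny # Default deny policy: any request not matched by a rule below is refused
  rules:
    - domain: "auth.<domain-name>.com" # Set Domain Name (must be the same host as session.domain)
      policy: two_factor # Enforce 2FA
      subject:
        - 'group:cloudflare-admins' # Only members of this group (group forwarding to the OIDC client is currently not supported)
      networks:
        - '192.168.0.2' # IP Address of Cloudflare Tunnel Container; the rule only matches requests Authelia sees as coming from this address, so if a trusted proxy rewrites the client IP this rule (and therefore access) will not match — confirm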

session:
  name: authelia_session
  domain: auth.<domain-name>.com # Set Domain Name (the cookie is scoped to the auth host only)
  same_site: strict
  expiration: 30m
  inactivity: 15m
  remember_me_duration: 30m # Equal to expiration, so "remember me" does not extend the session

  redis:
    host: 192.168.0.2 # Redis Connection
    port: 6379
    database_index: 0
    maximum_active_connections: 8
    minimum_idle_connections: 0
    # NOTE(review): no password or TLS is configured for Redis here; session data travels in the clear to this host, so keep it on an isolated network or supply the Redis password via a secret/env var — confirm

regulation: # Brute-force protection
  max_retries: 3 # Failed attempts allowed...
  find_time: 2m # ...within this window...
  ban_time: 5m # ...before the account is banned for this long

storage: # MariaDB Connection
  mysql:
    host: 192.168.0.2
    port: 3306
    database: authelia
    username: authelia
    # NOTE(review): no password appears here and no storage encryption key is set in this file; both are presumably supplied via secrets/env vars — confirm before deploying

notifier:
  disable_startup_check: false # SMTP connectivity is verified on startup
  smtp:
    username: email@gmail.com
    sender: email@gmail.com
    host: smtp.gmail.com
    port: 587 # Submission port (STARTTLS)
    # NOTE(review): the SMTP password is not in this file; presumably supplied via a secret/env var — confirm

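identity_providers:
  oidc:
    # NOTE(review): the OIDC HMAC secret and issuer private key are not in this file; presumably supplied via secrets/env vars — confirm
    access_token_lifespan: 30m
    authorize_code_lifespan: 1m
    id_token_lifespan: 30m
    refresh_token_lifespan: 90m
    enable_client_debug_messages: false # Keeps error detail out of client-visible responses
    enforce_pkce: always # Enforces PKCE for every client, including confidential ones
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
        - userinfo
      allowed_origins:
        - https://auth.<domain-name>.com # Enter Domain Name (same host as session.domain)
      allowed_origins_from_client_redirect_uris: false # Client redirect URIs do not automatically become CORS origins
    clients:
      - id: cloudflare
        description: Cloudflare ZeroTrust
        secret: <OIDC Secret> # Shared with Cloudflare; treat as a credential (keep out of version control) and store it hashed where the Authelia version supports it
        public: false # Confidential client: must present the secret at the token endpoint
        authorization_policy: two_factor # Enforces 2FA
        consent_mode: pre-configured
        pre_configured_consent_duration: '6M' # Must be re-authorised every 6 Months
        redirect_uris:
          - https://<domain-name>.cloudflareaccess.com/cdn-cgi/access/callback # Must match the callback Cloudflare presents exactly; only this URI may receive authorization codes
        scopes: # Attributes to forward
          - openid
          - profile
          - email
          - groups # Requested for forward compatibility; group forwarding is currently not supported (see the subject comment in access_control)
        userinfo_signing_algorithm: RS256 # Userinfo responses are signed (not encrypted) with the issuer key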
