Set up OIDC using Authelia

OS Name/Version: Debian 13

Product Name/Version: AMP 2.6.4.2

Problem Description:

Hi, I’m trying to set up OIDC auth using Authelia. I’ve configured it following your Authentik guide and adapting it to my Authelia setup. There must be something wrong, since I can’t log in to the AMP app anymore once OIDC is activated, and I have to disable it manually in AMPConfig.conf. The issue is that once logged in, I’m always redirected to Authelia’s SSO page; I’m unable to access AMP anymore.

Please note that the issue isn’t coming from the Authelia service itself, since I’m using it to access other services with no issues.

Steps to reproduce:

  • Create a new Authelia client with these properties in configuration.yml:
identity_providers:
  oidc:
    clients:
      - client_id: amp
        client_name: AMP
        public: false                  # confidential client: AMP holds the secret
        authorization_policy: one_factor
        consent_mode: implicit
        client_secret: "$pbkdf2-sha512$HASH_SECRET_HERE"   # hash of the raw secret entered in AMP
        redirect_uris:
          - https://amp.mydomain.com/oauth/callback       # must match AMP's Login.OIDCRedirectUri exactly
        scopes:
          - openid
          - profile
          - groups
          - email

access_control:
  default_policy: deny
  rules:
    - domain: "amp.mydomain.com"
      policy: one_factor
  • Add a user with a group matching AMP’s in Authelia’s users_database.yml:
users:
  alexis:
    password: "$argon2id$HASH_PASSWORD_HERE"
    displayname: "Alexis"
    email: alexis@mydomain.com
    groups:
      - "AMP_Super Admins"   # AMP_ prefix set by Login.OIDCRoleNamePrefix; the rest is the AMP role name
  • Configure AMP’s OIDC parameters (done in the UI; here is the .conf equivalent for convenience):
Login.UseOIDC=True
Login.OIDCProviderFriendlyName=Authelia
Login.OIDCClientID=enc:ENCRYPTED_ID # amp
Login.OIDCClientSecret=enc:ENCRYPTED_SECRET # raw secret that matches the pbkdf2 hash in Authelia's configuration.yml
Login.OIDCAuthorizeScopes=["openid","profile","email","groups"]
Login.OIDCRedirectUri=https://amp.mydomain.com/oauth/callback
Login.OIDCAuthorizeEndpoint=https://auth.mydomain.com/oidc/authorize
Login.OIDCValidationEndpoint=https://auth.mydomain.com/api/oidc/userinfo
Login.OIDCTokenEndpoint=https://auth.mydomain.com/api/oidc/token
Login.OIDCUserInfoEndpoint=https://auth.mydomain.com/api/oidc/userinfo
Login.OIDCLogoutEndpoint=https://auth.mydomain.com/logout
Login.OIDCRevokeEndpoint=https://auth.mydomain.com/logout
Login.OIDCRoleNamePrefix=AMP_
Login.OIDCUsernameClaim=preferred_username # tried with the email claim too
Login.OIDCNewUsersDisabledAtCreation=False # tried with True too
  • Go to amp.mydomain.com => redirected to Authelia’s SSO page at auth.mydomain.com: OK
  • Log in with the created user’s credentials => redirected to amp.mydomain.com: OK (it should stop here)
  • Immediately redirected again to auth.mydomain.com: KO

Actions taken to resolve so far:

  • Tried using a longer ID in case ‘amp’ is too short.
  • Tried using different password hashes (SHA256 or SHA512).
  • Tried creating a new group without spaces in it.
  • Tried using different claims for the username that I knew were present in the userinfo response.
  • Tried setting ignore TLS failure to True (I’m not sure what this really implies).

Thank you for your help 🙂
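As an added example (not code from the original post, nor from AMP or Authelia), here is a small Python script that checks the posted AMP settings against what the provider advertises in its OpenID Connect discovery document: each configured endpoint should be the one the issuer publishes under the standard metadata name, the redirect URI must match a registered one exactly, and the requested scopes and username claim should be advertised. The AMP keys and the registered redirect URI are copied from the post; the discovery document inside the script is constructed sample data whose URLs are assumptions, so paste in the JSON from https://auth.mydomain.com/.well-known/openid-configuration before drawing any conclusion about a real instance.

```python
"""Check an AMP OIDC configuration against the provider's discovery document.

Added example, not code from the original post, from AMP or from Authelia.
AMP_CONFIG and REGISTERED_REDIRECT_URIS are copied from the post; DISCOVERY is
a CONSTRUCTED stand-in for https://auth.mydomain.com/.well-known/openid-configuration
(every URL in it is an assumption; replace it with your instance's real document).
"""
import json
from urllib.parse import urlsplit

# AMP settings as posted (the poster's trailing '# ...' remarks are kept).
AMP_CONFIG = """\
Login.UseOIDC=True
Login.OIDCProviderFriendlyName=Authelia
Login.OIDCClientID=enc:ENCRYPTED_ID # amp
Login.OIDCClientSecret=enc:ENCRYPTED_SECRET # raw secret
Login.OIDCAuthorizeScopes=["openid","profile","email","groups"]
Login.OIDCRedirectUri=https://amp.mydomain.com/oauth/callback
Login.OIDCAuthorizeEndpoint=https://auth.mydomain.com/oidc/authorize
Login.OIDCValidationEndpoint=https://auth.mydomain.com/api/oidc/userinfo
Login.OIDCTokenEndpoint=https://auth.mydomain.com/api/oidc/token
Login.OIDCUserInfoEndpoint=https://auth.mydomain.com/api/oidc/userinfo
Login.OIDCLogoutEndpoint=https://auth.mydomain.com/logout
Login.OIDCRevokeEndpoint=https://auth.mydomain.com/logout
Login.OIDCRoleNamePrefix=AMP_
Login.OIDCUsernameClaim=preferred_username
"""

# redirect_uris registered for the 'amp' client in Authelia (from the post).
REGISTERED_REDIRECT_URIS = ["https://amp.mydomain.com/oauth/callback"]

# CONSTRUCTED discovery document (assumption): the keys are the standard
# OpenID Connect Discovery metadata names; the URL values are placeholders.
DISCOVERY = {
    "issuer": "https://auth.mydomain.com",
    "authorization_endpoint": "https://auth.mydomain.com/api/oidc/authorization",
    "token_endpoint": "https://auth.mydomain.com/api/oidc/token",
    "userinfo_endpoint": "https://auth.mydomain.com/api/oidc/userinfo",
    "revocation_endpoint": "https://auth.mydomain.com/api/oidc/revocation",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "claims_supported": ["sub", "email", "groups", "preferred_username", "name"],
}

# AMP key -> discovery metadata key it should agree with. ValidationEndpoint is
# deliberately unmapped: the post does not say what AMP calls it for.
ENDPOINT_MAP = {
    "Login.OIDCAuthorizeEndpoint": "authorization_endpoint",
    "Login.OIDCTokenEndpoint": "token_endpoint",
    "Login.OIDCUserInfoEndpoint": "userinfo_endpoint",
    "Login.OIDCRevokeEndpoint": "revocation_endpoint",
    "Login.OIDCLogoutEndpoint": "end_session_endpoint",
}


def parse_amp_config(text):
    """Parse 'Key=Value # remark' lines into a dict; JSON arrays are decoded."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing remarks
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key] = json.loads(value) if value.startswith("[") else value
    return cfg


def origin(url):
    """(scheme, host[:port]) of a URL, used to tie every endpoint to the issuer."""
    parts = urlsplit(url)
    return parts.scheme, parts.netloc


def check_config(cfg, discovery, registered_redirect_uris):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    issuer_origin = origin(discovery["issuer"])

    for amp_key, disc_key in ENDPOINT_MAP.items():
        configured = cfg.get(amp_key)
        if configured is None:
            continue
        advertised = discovery.get(disc_key)
        if advertised is None:
            findings.append(f"{amp_key}: provider advertises no {disc_key}")
        elif configured != advertised:
            findings.append(f"{amp_key}={configured} differs from {disc_key}={advertised}")
        if origin(configured) != issuer_origin:
            findings.append(f"{amp_key}={configured} is not on issuer origin {discovery['issuer']}")

    # The redirect_uri the client sends must match a registered one exactly
    # (OAuth 2.0 / OIDC Core use simple string comparison, so a differing
    # path or trailing slash is a mismatch).
    redirect_uri = cfg.get("Login.OIDCRedirectUri")
    if redirect_uri not in registered_redirect_uris:
        findings.append(f"Login.OIDCRedirectUri={redirect_uri} is not among registered "
                        f"redirect_uris {registered_redirect_uris}")

    scopes = cfg.get("Login.OIDCAuthorizeScopes", [])
    if "openid" not in scopes:
        findings.append("Login.OIDCAuthorizeScopes lacks 'openid'; the request would be plain OAuth, not OIDC")
    unsupported = [s for s in scopes if s not in discovery.get("scopes_supported", [])]
    if unsupported:
        findings.append(f"scopes not advertised by the provider: {unsupported}")

    claim = cfg.get("Login.OIDCUsernameClaim")
    if claim and claim not in discovery.get("claims_supported", []):
        findings.append(f"Login.OIDCUsernameClaim={claim} is not in claims_supported")
    return findings


if __name__ == "__main__":
    report = check_config(parse_amp_config(AMP_CONFIG), DISCOVERY, REGISTERED_REDIRECT_URIS)
    for finding in report or ["no findings"]:
        print(finding)
```

Run as-is it only reports where the posted values disagree with the constructed document; with the real discovery JSON pasted in, the same comparison settles whether the authorize, revoke and logout URLs AMP is using are ones the provider actually serves, and whether the two sides agree on the redirect URI, which is worth confirming before looking at claims or group mapping.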

The callback URL looks wrong. It should just be your base AMP URL; there is no callback subpage.

I just tried using https://amp.mydomain.com instead of https://amp.mydomain.com/oauth/callback in Authelia’s config file and in the AMP UI, but the exact same issue is still there: I keep getting redirected to Authelia’s SSO page even with this config.
