ryan/triviathang
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
00e9eb89860752acf0a4d95353822b89c7a0e915
triviathang/AUTHELIA_SETUP.md
Ryan Chen 00e9eb8986 initial
2025-12-22 14:47:25 -05:00

184 lines
5.0 KiB
Markdown
Raw Blame History

# Authelia OIDC Setup Guide
This guide will help you configure Authelia OIDC authentication for the Trivia Game application.
## Prerequisites
- An existing Authelia instance running and accessible
- Access to Authelia's configuration file (`configuration.yml`)
- Users and groups configured in Authelia
## Step 1: Configure Authelia Client
Add the following client configuration to your Authelia `configuration.yml`:
```yaml
identity_providers:
oidc:
clients:
- id: trivia-app
description: Trivia Game Application
secret: <HASHED_SECRET> # Generate using: authelia crypto hash generate --password 'your-secret-here'
redirect_uris:
- http://localhost:3000/auth/callback
- http://localhost:5001/api/auth/callback
# Add production URLs when deploying:
# - https://trivia.example.com/auth/callback
# - https://trivia-api.example.com/api/auth/callback
scopes:
- openid
- email
- profile
grant_types:
- authorization_code
- refresh_token
response_types:
- code
token_endpoint_auth_method: client_secret_basic
```
**Generate the hashed secret:**
```bash
authelia crypto hash generate --password 'your-random-secret-here'
```
Save the **plaintext secret** (not the hash) for the next step.
## Step 2: Configure Environment Variables
Copy `.env.example` to `.env`:
```bash
cp .env.example .env
```
Edit `.env` with your Authelia details:
```bash
# Replace with your actual Authelia URL
OIDC_ISSUER=https://auth.example.com
# Must match the client ID in Authelia config
OIDC_CLIENT_ID=trivia-app
# Use the PLAINTEXT secret (not the hashed one)
OIDC_CLIENT_SECRET=your-random-secret-here
# Adjust for production deployment
OIDC_REDIRECT_URI=http://localhost:5001/api/auth/callback
FRONTEND_URL=http://localhost:3000
# Set to 'true' in production with HTTPS
SESSION_COOKIE_SECURE=false
```
## Step 3: Restart Authelia
After updating Authelia's configuration:
```bash
# Restart Authelia to apply the new client configuration
systemctl restart authelia
# or
docker restart authelia
```
## Step 4: Start the Trivia Application
```bash
# Start with Docker Compose
docker compose up
# Or start backend and frontend separately
PORT=5001 uv run python main.py # Backend
cd frontend/frontend && npm run dev # Frontend
```
## Step 5: Test Authentication
1. Navigate to `http://localhost:3000`
2. You should be redirected to the login page
3. Click "Login with Authelia"
4. You'll be redirected to your Authelia instance
5. Log in with an Authelia user
6. After successful login, you'll be redirected back to the trivia app
**All authenticated users** can:
- Access all routes (question management, game setup, admin controls)
- Create/edit questions
- Start/control games
- View contestant screens
## Troubleshooting
### "OAuth authentication disabled" warning
- **Cause**: `OIDC_ISSUER` is not set
- **Solution**: Ensure your `.env` file exists and has `OIDC_ISSUER` configured
### "Invalid or expired token" errors
- **Cause**: JWT validation failing
- **Solutions**:
- Verify `OIDC_ISSUER` matches exactly (no trailing slash)
- Check Authelia logs for JWKS endpoint errors
- Ensure clocks are synchronized between Authelia and trivia app
### Redirect loop on login
- **Cause**: Redirect URI mismatch
- **Solutions**:
- Ensure `OIDC_REDIRECT_URI` matches one of the `redirect_uris` in Authelia config
- Check that both frontend and backend URLs are correct
### WebSocket connection fails
- **Cause**: JWT token not being sent or invalid
- **Solutions**:
- Check browser console for socket errors
- Verify user is authenticated before joining game
- Check backend logs for JWT validation errors
## Production Deployment
When deploying to production:
1. Update Authelia client redirect URIs:
```yaml
redirect_uris:
- https://trivia.example.com/auth/callback
- https://trivia-api.example.com/api/auth/callback
```
2. Update environment variables:
```bash
OIDC_ISSUER=https://auth.example.com
OIDC_REDIRECT_URI=https://trivia-api.example.com/api/auth/callback
FRONTEND_URL=https://trivia.example.com
SESSION_COOKIE_SECURE=true # Important for HTTPS!
```
3. Ensure HTTPS is configured:
- Use a reverse proxy (nginx, Traefik, Caddy)
- Configure SSL certificates
- Update CORS origins to match production domains
## Security Best Practices
**Do:**
- Use strong, random client secrets
- Enable `SESSION_COOKIE_SECURE=true` in production
- Use HTTPS for all production deployments
- Regularly rotate client secrets
- Monitor Authelia logs for suspicious activity
**Don't:**
- Commit `.env` file to version control
- Use default secrets in production
- Disable HTTPS in production
- Share client secrets publicly
## Support
For Authelia-specific issues, refer to:
- [Authelia Documentation](https://www.authelia.com/docs/)
- [Authelia OIDC Configuration](https://www.authelia.com/configuration/identity-providers/oidc/)
For trivia app issues, check the backend logs:
```bash
docker compose logs backend -f
```
Reference in New Issue View Git Blame Copy Permalink