Single Sign-On for web apps using Authelia

Authelia is an open-source authentication and authorization server and portal that fulfils the identity and access management (IAM) role in information security, providing multi-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for common reverse proxies.

HedgeDoc (formerly known as CodiMD), used here as the example web app, is an open-source, web-based, self-hosted, collaborative markdown editor. You can use it to easily collaborate on notes, graphs or even presentations in real time.

Tested Version

  • Authelia v4.36.3
  • HedgeDoc 1.9.4

Before you begin

You are required to utilize a unique client id and a unique, random client secret for all OpenID Connect relying parties. You should not use the client secret shown in this example; randomly generate one yourself. You may also choose to utilize a different client id, it’s completely up to you.

The example makes the following assumptions:

  • Application Root URL:
    https://hedgedoc.example.com
  • Authelia Root URL:
    https://auth.example.com
  • Client ID: hedgedoc
  • Client Secret: hedgedoc_client_secret

Configuration

Application

To configure HedgeDoc to utilize Authelia as an OpenID Connect Provider:

Set the following HedgeDoc OAuth2 configuration parameters.

  - CMD_OAUTH2_PROVIDERNAME=Authelia
  - CMD_OAUTH2_CLIENT_ID=hedgedoc
  - CMD_OAUTH2_CLIENT_SECRET=hedgedoc_client_secret
  - CMD_OAUTH2_SCOPE=openid email profile
  - CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=sub
  - CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
  - CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
  - CMD_OAUTH2_USER_PROFILE_URL=https://auth.example.com/api/oidc/userinfo
  - CMD_OAUTH2_TOKEN_URL=https://auth.example.com/api/oidc/token
  - CMD_OAUTH2_AUTHORIZATION_URL=https://auth.example.com/api/oidc/authorize

Authelia

The following YAML is an example Authelia client configuration for HedgeDoc that matches the application settings above.

  - id: hedgedoc
    description: HedgeDoc SSO
    secret: hedgedoc_client_secret
    public: false
    authorization_policy: two_factor
    pre_configured_consent_duration: 3M
    audience: []
    scopes:
      - openid
      - email
      - profile
    redirect_uris:
      - https://hedgedoc.example.com/auth/oauth2/callback
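The two halves of this configuration only work when they agree: same client id and secret, HedgeDoc requests no scope Authelia does not allow, the three endpoint URLs sit under the Authelia root, and Authelia lists the exact callback that HedgeDoc uses. The script below is an added example (not Authelia or HedgeDoc code) that cross-checks the application variables from the Application section against the client entry from the Authelia section and also flags the placeholder secret this guide tells you to replace; both inputs are constructed here from the values in this guide.

```python
# Constructed input: the HedgeDoc variables from this guide as KEY=VALUE lines.
HEDGEDOC_ENV = """
CMD_OAUTH2_CLIENT_ID=hedgedoc
CMD_OAUTH2_CLIENT_SECRET=hedgedoc_client_secret
CMD_OAUTH2_SCOPE=openid email profile
CMD_OAUTH2_USER_PROFILE_URL=https://auth.example.com/api/oidc/userinfo
CMD_OAUTH2_TOKEN_URL=https://auth.example.com/api/oidc/token
CMD_OAUTH2_AUTHORIZATION_URL=https://auth.example.com/api/oidc/authorize
"""
# Constructed input: the Authelia client entry from this guide, as parsed YAML.
AUTHELIA_CLIENT = {
    "id": "hedgedoc",
    "secret": "hedgedoc_client_secret",
    "public": False,
    "scopes": ["openid", "email", "profile"],
    "redirect_uris": ["https://hedgedoc.example.com/auth/oauth2/callback"],
}
ENDPOINT_KEYS = ("CMD_OAUTH2_USER_PROFILE_URL", "CMD_OAUTH2_TOKEN_URL",
                 "CMD_OAUTH2_AUTHORIZATION_URL")


def parse_env(text):
    """Parse KEY=VALUE lines into a dict, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env


def check_client(env, client, app_root, authelia_root):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    if env.get("CMD_OAUTH2_CLIENT_ID") != client["id"]:
        findings.append("client id differs between HedgeDoc and Authelia")
    if env.get("CMD_OAUTH2_CLIENT_SECRET") != client["secret"]:
        findings.append("client secret differs between HedgeDoc and Authelia")
    if client["secret"] == "hedgedoc_client_secret":  # the guide's example value
        findings.append("client secret is the guide's placeholder; generate a random one")
    requested = set(env.get("CMD_OAUTH2_SCOPE", "").split())
    extra = sorted(requested - set(client["scopes"]))
    if extra:
        findings.append(f"scopes requested but not allowed in Authelia: {extra}")
    for key in ENDPOINT_KEYS:  # every endpoint must sit under Authelia's OIDC path
        if not env.get(key, "").startswith(authelia_root.rstrip("/") + "/api/oidc/"):
            findings.append(f"{key} does not point at the Authelia OIDC endpoints")
    callback = app_root.rstrip("/") + "/auth/oauth2/callback"
    if callback not in client["redirect_uris"]:
        findings.append(f"redirect_uris does not contain {callback}")
    return findings
```

Run against the values in this guide, the only finding is the placeholder secret; any other finding means the two sides were edited out of step.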