From 28d00db42de5ba488020d7d4345ef44aa3ae0ee8 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Thu, 16 Apr 2026 09:08:29 +0200
Subject: [PATCH] feat: authelia add ocis client and fix header
---
 hosts/web-arm/modules/authelia.nix | 98 ++++++++++++++++++++++++++++--
 1 file changed, 92 insertions(+), 6 deletions(-)
diff --git a/hosts/web-arm/modules/authelia.nix b/hosts/web-arm/modules/authelia.nix
index 1fe16ad..e3e8a94 100644
--- a/hosts/web-arm/modules/authelia.nix
+++ b/hosts/web-arm/modules/authelia.nix
@@ -173,6 +173,23 @@ in {
 oidc = {
 ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
 ## See: https://www.authelia.com/c/oidc
+ lifespans = {
+ custom = {
+ ocis = {
+ access_token = "2 days";
+ refresh_token = "3 days";
+ };
+ };
+ };
+ cors = {
+ endpoints = [
+ "authorization"
+ "token"
+ "revocation"
+ "introspection"
+ "userinfo"
+ ];
+ };
 authorization_policies = {
 "admin-only" = {
 default_policy = "deny";
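Review bot: The new `cors.endpoints` list turns on CORS handling for the token, revocation, introspection and userinfo endpoints, but nothing in this hunk sets `cors.allowed_origins` or `cors.allowed_origins_from_client_redirect_uris`; unless one of them is configured elsewhere in the file, Authelia permits no origin and the browser-based `ocis` client added further down would still be refused on the token endpoint. If the intent is to trust the registered redirect URIs, `allowed_origins_from_client_redirect_uris = true;` inside the `cors` block does that without enumerating origins by hand. The custom `ocis` lifespan also stretches the access token from Authelia's default of one hour to two days, with a refresh token only one day longer; a comment stating why oCIS needs such a long-lived access token, and that a leaked one stays usable for that long unless revoked, would help the next reader judge the trade-off. The enclosing `oidc` attribute set continues outside the hunk.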
@@ -284,6 +301,78 @@ in {
 ];
 userinfo_signing_algorithm = "none";
 }
+ # oCIS (ownCloud Infinite Scale) - web client (public, PKCE)
+ {
+ id = "ocis";
+ description = "ownCloud Infinite Scale";
+ lifespan = "ocis";
+ public = true;
+ authorization_policy = "internal";
+ require_pkce = true;
+ pkce_challenge_method = "S256";
+ redirect_uris = [
+ "https://files.cloonar.com/"
+ "https://files.cloonar.com/oidc-callback.html"
+ "https://files.cloonar.com/oidc-silent-redirect.html"
+ "https://files.cloonar.com/apps/openidconnect/redirect"
+ ];
+ scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
+ response_types = [ "code" ];
+ grant_types = [ "authorization_code" "refresh_token" ];
+ access_token_signed_response_alg = "none";
+ userinfo_signing_algorithm = "none";
+ token_endpoint_auth_method = "none";
+ }
+ # oCIS Desktop - static credentials hardcoded in the oCIS desktop app
+ {
+ id = "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69";
+ description = "ownCloud Infinite Scale (Desktop)";
+ secret = "$pbkdf2-sha512$310000$NR4tztBecptj1ZiITK/Ktw$GkFNBfq1B3T1lDTKMci1aO8iulQFNlEtfydLwTrNTKIfrQFjM7EiOBaHGOBC7ohPaNfYCRAYYzcP2fDQf5XRGQ";
+ public = false;
+ authorization_policy = "internal";
+ require_pkce = true;
+ pkce_challenge_method = "S256";
+ redirect_uris = [ "http://127.0.0.1" "http://localhost" ];
+ scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
+ response_types = [ "code" ];
+ grant_types = [ "authorization_code" "refresh_token" ];
+ access_token_signed_response_alg = "none";
+ userinfo_signing_algorithm = "none";
+ token_endpoint_auth_method = "client_secret_basic";
+ }
+ # oCIS Android - static credentials hardcoded in the oCIS Android app
+ {
+ id = "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD";
+ description = "ownCloud Infinite Scale (Android)";
+ secret = 
"$pbkdf2-sha512$310000$NjEumkph77Gql.CH0Oq3zg$I9ubOZ3VRCXPbHpW1U4bQmvLgP5DdiFeGgple2nIjtUJsFgkdiV/hcCt1h6adr1uvJSJAtHDRnMhYf3Zp2BpcQ";
+ public = false;
+ authorization_policy = "internal";
+ require_pkce = true;
+ pkce_challenge_method = "S256";
+ redirect_uris = [ "oc://android.owncloud.com" ];
+ scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
+ response_types = [ "code" ];
+ grant_types = [ "authorization_code" "refresh_token" ];
+ access_token_signed_response_alg = "none";
+ userinfo_signing_algorithm = "none";
+ token_endpoint_auth_method = "client_secret_basic";
+ }
+ # oCIS iOS - static credentials hardcoded in the oCIS iOS app
+ {
+ id = "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1";
+ description = "ownCloud Infinite Scale (iOS)";
+ secret = "$pbkdf2-sha512$310000$.nIk0IUua7n8VAUoR85yyA$6UhT/gi7spH/0PRqTa6clz7QMRSmP/FZ0BDIumJupM4V2Ai6MgGKdzlEaNTc2IDqpGL3NxF626g4zAHFRgD7Zg";
+ public = false;
+ authorization_policy = "internal";
+ require_pkce = true;
+ pkce_challenge_method = "S256";
+ redirect_uris = [ "oc://ios.owncloud.com" "oc.ios://ios.owncloud.com" ];
+ scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
+ grant_types = [ "authorization_code" "refresh_token" ];
+ access_token_signed_response_alg = "none";
+ userinfo_signing_algorithm = "none";
+ token_endpoint_auth_method = "client_secret_basic";
+ }
 ];
 };
 };
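Review bot: The Desktop, Android and iOS entries are registered with `public = false` and `token_endpoint_auth_method = "client_secret_basic"`, yet their own comments say the credentials are static values shipped inside the apps; a secret that every installation carries does not authenticate the client, so the hashed `secret` lines provide no confidentiality guarantee and `require_pkce = true` with S256 is what actually binds the authorization code to the requesting app. It would be worth stating that in the comment, e.g. `# secret is the vendor's published static value; client auth is nominal, PKCE is the real protection`, so nobody later relaxes `require_pkce` believing the secret covers it. Separately, the iOS entry omits `response_types = [ "code" ];` while the other three set it; Authelia defaults to the code response type as far as I know, so this is a consistency nit rather than a bug, but adding the line keeps the four entries parallel. The `clients` list these entries belong to begins outside the hunk.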
@@ -323,16 +412,13 @@ in {
 proxy_connect_timeout 360;
 
 # Basic Proxy Config
- proxy_set_header Host $host;
+ # Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host
+ # and Connection are already set by recommendedProxySettings; redefining
+ # them here caused duplicate headers and fasthttp "too many Host headers" 400s.
 proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $http_host;
 proxy_set_header X-Forwarded-Uri $request_uri;
 proxy_set_header X-Forwarded-Ssl on;
 proxy_redirect http:// $scheme://;
- proxy_set_header Connection "";
 proxy_cache_bypass $cookie_session;
 proxy_no_cache $cookie_session;
 proxy_buffers 64 256k;
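Review bot: The new comment says the removed headers come from `recommendedProxySettings` but not at which nginx level that include lands; nginx inherits `proxy_set_header` directives from the enclosing level only when the current level defines none, so dropping Host, X-Real-IP and the X-Forwarded-* headers here is safe only if the recommended set is emitted in this same location block (which the duplicate-Host symptom suggests it is). A short addition such as `# relies on the recommendedProxySettings include living in this location block; if it moved up a level these headers would be dropped, not duplicated` would guard the next edit. The remaining `proxy_set_header X-Forwarded-Ssl on;` is still unconditional, which is correct only while this vhost is TLS-only. The nginx configuration string this hunk sits in starts and ends outside the hunk.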