• Members 153 posts
    March 4, 2023, 1:53 p.m.

    Misago Unofficial-community Documentation


    Tested Versions

    Before You Begin

    Common Notes

    1. You are required to utilize a unique client id for every client.
    2. The client id on this page is merely an example and you can theoretically use any alphanumeric string.
    3. You should not use the client secret in this example. We strongly recommend reading the Generating Client Secrets guide instead.

    Assumptions

    This example makes the following assumptions:

    • Application Root URL: https://misago.example.com
    • Authelia Root URL: https://auth.example.com
    • Client ID: misago
    • Client Secret: misago_client_secret

    Configuration

    Application

    To configure Misago to utilize Authelia as an OpenID Connect 1.0 Provider:

    1. Sign in to your forum's admin panel.
    2. Go to settings and click on "OAuth 2".

    Settings

    1. Basic Settings (for now leave 'Enable Oauth2 Client:' set to No)
      1. Provider name: authelia
      2. Client ID: misago
      3. Client Secret: misago_client_secret

    2. Initializing Login
      1. Login form URL: https://auth.example.com/api/oidc/authorization
      2. Scopes: openid profile email

    3. Retrieving access token
      1. Access token retrieval URL: https://auth.example.com/api/oidc/token
      2. Request method: POST
      3. JSON path to access token: access_token

    4. Retrieving user data
      1. User data URL: https://auth.example.com/api/oidc/userinfo
      2. Request method: GET
      3. Access token location: Query string
      4. Access token name: access_token

    5. User JSON mappings
      1. User ID path: sub
      2. User name path: name
      3. User e-mail path: email

    Save the settings and set up the Authelia configuration.

    Authelia

    The following YAML configuration is an example Authelia client configuration for use with Misago which will operate with the above example:

    For the allowed origins:

    identity_providers:
      oidc:
        # allowed_origins and allowed_origins_from_client_redirect_uris belong under cors
        cors:
          allowed_origins:
            - https://misago.example.com
          allowed_origins_from_client_redirect_uris: true
    

    and for the client section:

        clients:
          - id: misago
            secret: <misago_client_secret>
            public: false
            authorization_policy: two_factor
            scopes:
              - openid
              - profile
              - email
            redirect_uris:
              - https://misago.example.com/oauth2/complete/
            grant_types:
              - refresh_token
              - authorization_code
            response_types:
              - code
            response_modes:
              - form_post
              - query
              - fragment
            userinfo_signing_algorithm: none
    

    The refresh_token is not used in the authorization flow by Misago, but will allow you to use a reverse proxy to only allow access to the admin panel by a user with the correct group permissions.

    Restart Authelia to apply the new configuration and check for any errors in the log.

    Return to Application

    Assuming all is well, you can return to the Misago Oauth2 Settings page, in the admin panel:

    1. Basic Settings:
      1. Enable Oauth2 Client: Yes


    Saving the settings should now activate Oauth2 login to Misago as a client from your Authelia instance.


    See Also


    Thread title has been changed from Authelia OAuath 2 guide.
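
A consistency check for the settings in the guide above, as an added example that is not part of the original post and is not Misago or Authelia code: it compares the values entered in Misago's OAuth 2 form with the Authelia client entry and lists mismatches that would break or weaken the login. The dict layout, the `check` function and the choice of checks are assumptions of this example; the values are the guide's.

```python
from urllib.parse import urlsplit

# Values copied from the guide; the dict layout is an assumption of this example.
MISAGO = {
    "root": "https://misago.example.com",
    "client_id": "misago",
    "client_secret": "misago_client_secret",
    "scopes": "openid profile email",
    "endpoints": [
        "https://auth.example.com/api/oidc/authorization",
        "https://auth.example.com/api/oidc/token",
        "https://auth.example.com/api/oidc/userinfo",
    ],
}
AUTHELIA_ROOT = "https://auth.example.com"
CLIENT = {
    "id": "misago",
    "scopes": ["openid", "profile", "email"],
    "redirect_uris": ["https://misago.example.com/oauth2/complete/"],
    "grant_types": ["refresh_token", "authorization_code"],
    "response_types": ["code"],
}
EXAMPLE_SECRET = "misago_client_secret"  # the guide says not to reuse this value


def check(misago, client, authelia_root=AUTHELIA_ROOT):
    """Return a list of mismatches between the Misago form and the Authelia client."""
    problems = []
    if misago["client_id"] != client["id"]:
        problems.append("client id differs")
    if misago["client_secret"] == EXAMPLE_SECRET:
        problems.append("example client secret in use")
    missing = set(misago["scopes"].split()) - set(client["scopes"])
    if missing:
        problems.append("scopes not allowed for client: " + " ".join(sorted(missing)))
    # OIDC compares redirect_uri by simple string comparison, so the trailing slash matters.
    callback = misago["root"].rstrip("/") + "/oauth2/complete/"
    if callback not in client["redirect_uris"]:
        problems.append("redirect URI not registered: " + callback)
    if "authorization_code" not in client["grant_types"] or "code" not in client["response_types"]:
        problems.append("authorization code flow not enabled")
    want = urlsplit(authelia_root)
    for url in misago["endpoints"]:
        got = urlsplit(url)
        if (got.scheme, got.netloc) != ("https", want.netloc):
            problems.append("endpoint not on the Authelia origin over HTTPS: " + url)
    return problems


print("\n".join(check(MISAGO, CLIENT)) or "configuration is consistent")
```

Run with the guide's values unchanged, it reports only the example client secret; replace that with a generated secret and the list is empty.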