Single Sign‐on Setup - jordan-dalby/ByteStash GitHub Wiki

Setting up single sign-on is a fairly straightforward process; see below for tailored setup instructions. If your OIDC provider isn't listed, see if you can follow a closely matched alternative, and update the instructions with your provider once you figure it out!

Authentik

We need to set ByteStash up as an application. I'll be using Authentik for this, but you can use any provider you like.

  1. Create a new application in Authentik. I prefer to use the Wizard as it does everything for you, but you can do it manually if you prefer.


  2. Enter your application details and click "Next".


  3. Select OAuth2/OIDC as the Provider Type.


  4. Fill in the required Provider Type fields. Keep a note of the Client ID and Client Secret; you will need them later.


  5. In the "Redirect URIs/Origins" field, enter https://bytestash.mydomain.com/api/auth/oidc/callback, replacing https://bytestash.mydomain.com with your actual domain name. Do not include a forward slash at the end, and make sure the protocol matches what your browser shows (http/https). If you run into any trouble, a good way to check the link is to examine the URL of the failure page: it will include a redirect_url parameter that should match (allowing for URL-encoding) what you have in the "Redirect URIs/Origins" field.
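The comparison described in the last step can be automated. The script below is an added example, not code from the ByteStash project: paste the URL of the provider's failure page and the value you entered in "Redirect URIs/Origins", and it reports exactly how the two differ (scheme, host, path, or trailing slash). The sample failure URL and hostnames are constructed; the OAuth 2.0 parameter name is redirect_uri, and redirect_url is accepted as well in case a provider labels it that way.

```python
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the kind of URL a browser shows on the provider's
# failure page after a redirect-URI mismatch (hypothetical hostnames).
FAILURE_PAGE_URL = (
    "https://authentik.example.com/application/o/authorize/"
    "?response_type=code&client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=http%3A%2F%2Fbytestash.mydomain.com%2Fapi%2Fauth%2Foidc%2Fcallback"
    "&scope=openid+profile+email&state=abc123"
)
# What was typed into the provider's "Redirect URIs/Origins" field.
CONFIGURED_REDIRECT_URI = "https://bytestash.mydomain.com/api/auth/oidc/callback"


def extract_redirect_uri(failure_url: str) -> Optional[str]:
    """Pull the redirect URI ByteStash sent out of the failure-page URL.

    parse_qs undoes the percent-encoding, so the result is directly
    comparable to the plain value configured at the provider.
    """
    query = parse_qs(urlsplit(failure_url).query)
    for key in ("redirect_uri", "redirect_url"):
        if key in query:
            return query[key][0]
    return None


def diff_redirect_uri(sent: str, configured: str) -> List[str]:
    """Explain why `sent` is not an exact match for `configured`.

    Returns an empty list on an exact match. Providers compare redirect URIs
    as opaque strings, so scheme, host, path and trailing slash all matter.
    """
    if sent == configured:
        return []
    s, c = urlsplit(sent), urlsplit(configured)
    problems = []
    if s.scheme != c.scheme:
        problems.append(f"scheme: browser used {s.scheme!r}, provider has {c.scheme!r}")
    if s.netloc != c.netloc:
        problems.append(f"host: browser used {s.netloc!r}, provider has {c.netloc!r}")
    if s.path != c.path:
        if s.path.rstrip("/") == c.path.rstrip("/"):
            problems.append("trailing slash: one side ends with '/', the other does not")
        else:
            problems.append(f"path: browser used {s.path!r}, provider has {c.path!r}")
    if not problems:
        problems.append("query/fragment: the URIs differ only after the path")
    return problems


def check(failure_url: str, configured: str) -> List[str]:
    """One-call wrapper: extract the sent URI and diff it against the config."""
    sent = extract_redirect_uri(failure_url)
    if sent is None:
        return ["no redirect_uri parameter found in the failure-page URL"]
    return diff_redirect_uri(sent, configured)


if __name__ == "__main__":
    findings = check(FAILURE_PAGE_URL, CONFIGURED_REDIRECT_URI)
    for line in findings or ["redirect URI matches exactly"]:
        print(line)
```

Run with the sample values and it reports a scheme mismatch (the browser reached ByteStash over plain http while https was configured), which is the http/https pitfall the step above warns about.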

That should be it on the Authentik side!

Authelia

Assumptions:

  • Authelia is running on https://authelia.DOMAIN.COM
  • Bytestash is running on https://bytestash.DOMAIN.COM
  • You have Authelia configured and working with OIDC.
  • The client ID of Bytestash is bytestash

In the examples below, change DOMAIN.COM to match your own domain.

First, generate your client secret with:

docker run --rm authelia/authelia:latest \
    authelia crypto hash generate pbkdf2 \
    --variant sha512 \
    --random \
    --random.length 72 \
    --random.charset \
    rfc3986

Which should generate an output as follows:

Random Password: xS3Ptwi_oegChWfMw3IP8YBHBj4Jqrl__TYgX5YkDPpj85NCz5g-flexHTMuEOimBRtnfIff
Digest: $pbkdf2-sha512$310000$f7tw1h7FknGGc5BywsyI5A$wxQi7UpEpy/WOXLiTnu/9etVmWmWGDXgrvGilC0svbbMV/INpDQIeJj/of5r31X4ULl/xDxB5xLp3614jkfBmA

The Random Password is used as the value for OIDC_CLIENT_SECRET in ByteStash, which means our ByteStash environment variables will be as follows:

            - OIDC_ENABLED=true
            - OIDC_DISPLAY_NAME=Authelia
            - OIDC_ISSUER_URL=https://authelia.DOMAIN.COM
            - OIDC_CLIENT_ID=bytestash
            - OIDC_CLIENT_SECRET=xS3Ptwi_oegChWfMw3IP8YBHBj4Jqrl__TYgX5YkDPpj85NCz5g-flexHTMuEOimBRtnfIff
            - OIDC_SCOPES="openid profile email groups"

In the OIDC client configuration in Authelia, the Digest is used for client_secret:

      - client_id: bytestash
        client_name: Bytestash
        client_secret: $pbkdf2-sha512$310000$f7tw1h7FknGGc5BywsyI5A$wxQi7UpEpy/WOXLiTnu/9etVmWmWGDXgrvGilC0svbbMV/INpDQIeJj/of5r31X4ULl/xDxB5xLp3614jkfBmA
        public: false
        authorization_policy: two_factor
        consent_mode: explicit
        scopes:
          - openid
          - groups
          - email
          - profile
        redirect_uris:
          - https://bytestash.DOMAIN.COM/api/auth/oidc/callback
        token_endpoint_auth_method: 'client_secret_post'

Restart Authelia to pick up the new config and you should be able to use SSO with ByteStash.
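The two values from the command above are not interchangeable: ByteStash sends the Random Password at the token endpoint, and Authelia only stores the Digest, recomputing PBKDF2 over the presented secret to check it. The following added example (not Authelia's or ByteStash's own code) parses a `$pbkdf2-sha512$rounds$salt$checksum` digest, verifies a secret against it, and produces a fresh digest of the same shape. It assumes the salt and checksum use the passlib-style "adapted base64" alphabet (standard base64, no padding, `+` written as `.`); the page's digest is parsed only to show the field layout, and the demo secret is constructed.

```python
import base64
import hashlib
import hmac
import secrets

# Digest as printed on this wiki page (parsed here only to show its layout).
PAGE_DIGEST = (
    "$pbkdf2-sha512$310000$f7tw1h7FknGGc5BywsyI5A$wxQi7UpEpy/WOXLiTnu/9etVmWmWGDXgrvGilC0"
    "svbbMV/INpDQIeJj/of5r31X4ULl/xDxB5xLp3614jkfBmA"
)


def ab64_encode(raw: bytes) -> str:
    # Assumption: adapted base64 = standard alphabet, '+' -> '.', no '=' padding.
    return base64.b64encode(raw).rstrip(b"=").replace(b"+", b".").decode("ascii")


def ab64_decode(text: str) -> bytes:
    std = text.replace(".", "+")
    return base64.b64decode(std + "=" * (-len(std) % 4))


def parse_digest(digest: str) -> dict:
    """Split '$pbkdf2-<variant>$<rounds>$<salt>$<checksum>' into its parts."""
    parts = digest.split("$")
    if len(parts) != 5 or not parts[1].startswith("pbkdf2-"):
        raise ValueError("not a $pbkdf2-<variant>$rounds$salt$checksum digest")
    return {
        "variant": parts[1].split("-", 1)[1],  # e.g. 'sha512'
        "rounds": int(parts[2]),
        "salt": ab64_decode(parts[3]),
        "checksum": ab64_decode(parts[4]),
    }


def make_digest(secret: str, rounds: int = 310000, salt: bytes = None, variant: str = "sha512") -> str:
    """Build a digest the way the generate command does: random salt, PBKDF2 over the secret."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    checksum = hashlib.pbkdf2_hmac(variant, secret.encode("utf-8"), salt, rounds)
    return f"$pbkdf2-{variant}${rounds}${ab64_encode(salt)}${ab64_encode(checksum)}"


def verify_client_secret(digest: str, presented: str) -> bool:
    """What the provider does at the token endpoint: recompute and compare in constant time."""
    p = parse_digest(digest)
    candidate = hashlib.pbkdf2_hmac(
        p["variant"], presented.encode("utf-8"), p["salt"], p["rounds"], dklen=len(p["checksum"])
    )
    return hmac.compare_digest(candidate, p["checksum"])


def demo() -> tuple:
    """Round trip with a constructed secret: correct secret passes, a typo fails."""
    secret = "constructed-example-secret"          # what goes into OIDC_CLIENT_SECRET
    digest = make_digest(secret)                   # what goes into Authelia's client_secret
    return verify_client_secret(digest, secret), verify_client_secret(digest, secret + "x")


if __name__ == "__main__":
    layout = parse_digest(PAGE_DIGEST)
    print("page digest:", layout["variant"], layout["rounds"], "rounds,",
          len(layout["salt"]), "byte salt,", len(layout["checksum"]), "byte checksum")
    print("demo (good, bad):", demo())
```

If verification of a secret you just generated fails, the usual causes are a copy of the Digest where the Random Password belongs (or vice versa), or a shell that mangled the `$` characters in the digest, so quote it when it lands in a YAML file.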

Keycloak

We need to create/configure a new client in Keycloak for ByteStash.

  1. Create a new client by selecting "Clients" in the sidebar, then "Create client". Give the client an ID (I'm using bytestash) and, if you want, a name and description, then click "Next".

[Screenshot: create client]

  2. Here you need to enable "Client Authentication"; everything else can stay at the default (if you want to control access to ByteStash based on custom policies, you will also need to enable Authorization).

[Screenshot: config client]

  3. Now set up the Root, Home, and redirect URIs. Usually Root and Home are the same, but adjust for your environment. The redirect URI needs to cover /api/auth/oidc/callback; you can define it explicitly or use wildcards. Click "Save".

[Screenshot: config client 2]

  4. Open your newly created client and go to the "Credentials" tab; copy the Client Secret, as you will need it for the ByteStash config.

[Screenshot: create client 4]

  5. Finally, you will need the issuer URL for your Keycloak realm. You can find it by going to "Realm settings" and following the "OpenID Endpoint Configuration" link at the bottom of the page.

[Screenshot: create client 5]

That should have you set up in Keycloak; just get the ByteStash side sorted and you will be good to go!

ByteStash Side

ByteStash will do most of the heavy lifting, you just have to provide it with some details as environment variables:

- OIDC_ENABLED=true
- OIDC_DISPLAY_NAME=
- OIDC_ISSUER_URL=
- OIDC_CLIENT_ID=
- OIDC_CLIENT_SECRET=
- OIDC_SCOPES=

Let's go through the settings:

  • OIDC_ENABLED
    • true or false
    • Fairly obvious, whether to use SSO or not
  • OIDC_DISPLAY_NAME
    • e.g. Authentik, Authelia
    • Optional, will replace the Login page text "Sign in with XYZ", defaults to "Single Sign-on"
  • OIDC_ISSUER_URL
    • The issuer URL of your provider, e.g. https://authelia.DOMAIN.COM for Authelia, or the realm issuer shown in Keycloak's OpenID Endpoint Configuration, see above
  • OIDC_CLIENT_ID
    • The Client ID as defined when setting up the application in Authentik (or other), see above
  • OIDC_CLIENT_SECRET
    • The Client Secret as defined when setting up the application in Authentik (or other), see above
  • OIDC_SCOPES
    • Defaults to openid profile email
    • Unless you really need to configure this, just leave it out (or blank)

That should be it: restart ByteStash and log in with your SSO provider.
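Most SSO failures after this point come down to the issuer URL not matching what the provider advertises (a trailing slash is enough), or a requested scope the provider does not offer. The check below is an added example rather than ByteStash code: it takes the environment variables above together with the provider's discovery document (fetched in practice from `<issuer>/.well-known/openid-configuration`; here a constructed sample modelled on the Authelia values earlier on this page, with hypothetical endpoint paths) and lists the mismatches before you restart anything. It also strips surrounding double quotes from OIDC_SCOPES, since a docker-compose list entry such as `OIDC_SCOPES="openid profile email groups"` can carry them through literally.

```python
import json
from typing import Dict, List

# Constructed sample discovery document for a hypothetical provider at
# https://authelia.DOMAIN.COM; endpoint paths are illustrative only.
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://authelia.DOMAIN.COM",
  "authorization_endpoint": "https://authelia.DOMAIN.COM/api/oidc/authorization",
  "token_endpoint": "https://authelia.DOMAIN.COM/api/oidc/token",
  "userinfo_endpoint": "https://authelia.DOMAIN.COM/api/oidc/userinfo",
  "jwks_uri": "https://authelia.DOMAIN.COM/jwks.json",
  "scopes_supported": ["openid", "profile", "email", "groups"],
  "response_types_supported": ["code"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
}
""")

# Constructed settings mirroring the Authelia section of this page.
SAMPLE_SETTINGS = {
    "OIDC_ENABLED": "true",
    "OIDC_DISPLAY_NAME": "Authelia",
    "OIDC_ISSUER_URL": "https://authelia.DOMAIN.COM",
    "OIDC_CLIENT_ID": "bytestash",
    "OIDC_CLIENT_SECRET": "EXAMPLE_CLIENT_SECRET_PLACEHOLDER",
    "OIDC_SCOPES": '"openid profile email groups"',
}


def discovery_url(issuer: str) -> str:
    """Where OpenID Connect Discovery publishes the provider metadata."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_oidc_settings(settings: Dict[str, str], discovery: Dict) -> List[str]:
    """Return a list of problems; an empty list means the settings look consistent."""
    problems = []
    issuer = settings.get("OIDC_ISSUER_URL", "")
    # Discovery requires the advertised issuer to be byte-identical to the configured one.
    if discovery.get("issuer") != issuer:
        problems.append(
            f"issuer mismatch: OIDC_ISSUER_URL={issuer!r} but provider advertises {discovery.get('issuer')!r}"
        )
    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if endpoint not in discovery:
            problems.append(f"discovery document lacks {endpoint}")
    if "code" not in discovery.get("response_types_supported", ["code"]):
        problems.append("provider does not advertise the authorization code flow")
    # Blank/absent OIDC_SCOPES falls back to the documented default.
    raw_scopes = settings.get("OIDC_SCOPES") or "openid profile email"
    scopes = raw_scopes.strip().strip('"').split()
    if "openid" not in scopes:
        problems.append("OIDC_SCOPES must include openid")
    supported = discovery.get("scopes_supported")
    if supported:
        for scope in scopes:
            if scope not in supported:
                problems.append(f"scope {scope!r} is not in scopes_supported")
    for var in ("OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET"):
        if not settings.get(var):
            problems.append(f"{var} is empty")
    return problems


if __name__ == "__main__":
    print("would fetch:", discovery_url(SAMPLE_SETTINGS["OIDC_ISSUER_URL"]))
    for line in check_oidc_settings(SAMPLE_SETTINGS, SAMPLE_DISCOVERY) or ["settings look consistent"]:
        print(line)
```

Swap in a real discovery document (for example the JSON behind Keycloak's "OpenID Endpoint Configuration" link) and your own environment values to run the same checks against your deployment.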
