Conversation
Replace direct LDAP login with Authelia OIDC Authorization Code + PKCE flow. Users configure TOTP/WebAuthn in Authelia's UI, platform leverages it for login.
- Add OIDC login/callback endpoints, remove old POST /rest/login
- Add 2FA settings page and API (enable/disable with Authelia config regen)
- Add OIDC session state management for PKCE flow
- Add disable-2fa CLI recovery command
- Update Authelia config template with dynamic authorization policy
- Add Authelia branding assets
- Update E2E tests for OIDC login flow and 2FA scenarios
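The commit above describes an Authorization Code + PKCE flow with per-request OIDC session state. The following is an added example (not the platform's own code) of the client side of that flow: S256 challenge derivation, a server-side store keyed by `state` that is consumed exactly once by the callback, and the ID-token claim checks (issuer, audience, nonce, expiry). The Authelia endpoint paths `/api/oidc/authorization` and `/api/oidc/token`, the scope list and the `PermissionError` messages are assumptions for illustration.

```python
import base64
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import urlencode


def b64url(raw: bytes) -> str:
    """RFC 7636 base64url encoding without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class OidcSessionStore:
    """Server-side state for in-flight authorization requests, keyed by `state`.

    One entry per login attempt. The callback consumes it exactly once, so a
    replayed or forged callback (or one with no matching state, as in the
    "no OIDC session" failure) is rejected instead of silently accepted.
    """

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._pending: dict = {}

    def begin(self, now: Optional[float] = None):
        now = time.time() if now is None else now
        state = b64url(secrets.token_bytes(24))
        nonce = b64url(secrets.token_bytes(24))
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 bounds
        self._pending[state] = {"nonce": nonce, "verifier": verifier, "created": now}
        return state, nonce, verifier

    def complete(self, state: Optional[str], now: Optional[float] = None) -> dict:
        """Pop and return the session for `state`; raise if absent or expired."""
        now = time.time() if now is None else now
        session = self._pending.pop(state, None) if state else None
        if session is None:
            raise PermissionError("no OIDC session for callback state")
        if now - session["created"] > self.ttl:
            raise PermissionError("OIDC session expired")
        return session


def authorize_url(issuer, client_id, redirect_uri, state, nonce, verifier) -> str:
    """Redirect target that starts the flow; only the challenge leaves the server."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email groups",  # assumed scope set
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{issuer}/api/oidc/authorization?{urlencode(params)}"


def token_request(client_id, redirect_uri, code, verifier) -> dict:
    """Form body for POST {issuer}/api/oidc/token; the verifier proves we began this flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def check_id_token_claims(claims: dict, issuer: str, client_id: str,
                          expected_nonce: str, now: float) -> bool:
    """Claim checks after signature verification (signature check not shown here)."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return (
        claims.get("iss") == issuer
        and client_id in audiences
        and claims.get("nonce") == expected_nonce
        and claims.get("exp", 0) > now
    )
```

The `state` lookup is what distinguishes a callback that belongs to a login this platform started from one that does not; the nonce is bound to the same session so the ID token returned for that code can be tied back to it.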
Make Authelia default_policy template-based so it switches to two_factor when 2FA is enabled, allowing TOTP registration in settings.
Generate authelia config to a temp directory first, validate it using authelia validate-configuration, and only copy to the live directory and restart the service if validation passes. This prevents Authelia from crash-looping on invalid configs.
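The two commits above together describe a regeneration procedure: render the template with `default_policy` switched to `two_factor` when 2FA is on, write it to a temporary directory, run Authelia's validator against it, and only then copy it into the live directory and restart. The following is an added example of that procedure (not the platform's actual code). The validator command line, including the `--config.experimental.filters template` flag that a later commit notes `validate-config` also needs, is assumed from the commit messages; the YAML is a minimal stand-in for the real template, and `demo()` substitutes a `grep` check for the `authelia` binary so it runs offline.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, List

# Assumed real command: the validator needs the same template-filter flag the
# service runs with, otherwise the {{ secret ... }} filters in the template fail.
AUTHELIA_VALIDATE = ["authelia", "--config.experimental.filters", "template",
                     "validate-config", "--config"]


def render_config(two_factor_enabled: bool, config_dir: str) -> str:
    """Minimal stand-in for the platform's Authelia template (not the project's own)."""
    default_policy = "two_factor" if two_factor_enabled else "one_factor"
    return f"""theme: auto
server:
  asset_path: {config_dir}/assets
access_control:
  default_policy: {default_policy}
notifier:
  filesystem:
    filename: {config_dir}/notification.txt
"""


def deploy_config(config_text: str, live_dir: str, validate_cmd: List[str],
                  restart: Callable[[], None]) -> bool:
    """Write to a temp dir, validate, and only then replace the live config and restart."""
    live = Path(live_dir)
    # asset_path in the template points at the live location, so it must exist
    # before validation (Authelia 4.39 checks that the directory is present).
    (live / "assets").mkdir(parents=True, exist_ok=True)
    tmp = Path(tempfile.mkdtemp(prefix="authelia-"))
    try:
        candidate = tmp / "configuration.yml"
        candidate.write_text(config_text)
        result = subprocess.run(validate_cmd + [str(candidate)],
                                capture_output=True, text=True)
        if result.returncode != 0:
            # Live config untouched, service not restarted: no crash loop.
            return False
        shutil.copy2(candidate, live / "configuration.yml")
        restart()
        return True
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


def demo() -> dict:
    """Offline run with a grep stand-in for `authelia validate-config` (constructed)."""
    live_dir = tempfile.mkdtemp(prefix="authelia-live-")
    restarts: List[int] = []
    fake_validator = ["sh", "-c",
                      "grep -Eq '^  default_policy: (one_factor|two_factor)$' \"$1\"",
                      "validate"]
    good_cfg = render_config(True, live_dir)
    bad_cfg = good_cfg.replace("two_factor", "tw0_factor")  # typo the validator must catch
    good = deploy_config(good_cfg, live_dir, fake_validator, lambda: restarts.append(1))
    bad = deploy_config(bad_cfg, live_dir, fake_validator, lambda: restarts.append(1))
    live_text = (Path(live_dir) / "configuration.yml").read_text()
    shutil.rmtree(live_dir, ignore_errors=True)
    return {"good": good, "bad": bad, "restarts": len(restarts),
            "live_is_two_factor": "default_policy: two_factor" in live_text}
```

The invariant the function maintains is that the live `configuration.yml` is only ever replaced by a file the validator has already accepted, so a broken render leaves the previous working config and running service in place.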
There is no SMTP server available. Use filesystem notifier so verification links are written to a file that can be read directly.
Authelia v4.38+ replaced email-based identity verification with Device Registration OTP and session elevation for TOTP registration. Update the test to handle the new settings page flow: click Add, enter elevation OTP code, navigate the 3-step registration dialog.
Authelia 4.39.15 switched from musl to glibc, so ld-musl-*.so* no longer exists. Use ld-*.so* glob to match any dynamic linker.
Authelia 4.39.15 is glibc-linked with the dynamic linker in /lib64, not /lib. Use LD_LIBRARY_PATH and let the system linker load it.
Use lib/*-linux*/ld-linux*.so* pattern matching gogs/postgresql and other glibc-based projects in the codebase.
The Authelia container has a flat /lib structure without arch subdirs. Use find to locate ld-*.so* regardless of directory layout. Added ls logging to test.sh to debug lib contents if it fails again.
The Authelia container has /lib -> usr/lib symlink. cp -r copies the broken symlink. Use cp -rL to follow symlinks and copy actual files.
Test authelia -v directly in the build container (same arch) to distinguish wrapper issues from binary issues. Use find -print -quit instead of head -1 to get exactly one result.
Use syncloud/bootstrap-bookworm-{arch} instead of debian:bookworm-slim for authelia test. Rename package.sh to build.sh for consistency.
The bundled libs are in lib/arm-linux-gnueabihf/ (or equivalent), not directly in lib/. Use the *-linux-gnu* glob for library path, matching the pattern used by gogs/postgresql wrappers.
Authelia 4.39 config uses template filters (secret, mindent, msquote) which require the template filter flag. The service already uses it but validate-config was missing it. Also clean up debug logging.
Authelia 4.39 validates that asset_path exists. Create an empty assets dir in the tmp config when source assets don't exist.
The config template references the final output path for asset_path, not the tmp dir. Ensure the assets dir exists at the output location so validate-config can find it.
The one-time verification code changed from 6 digits to 8-char alphanumeric (e.g. 26NZDLY9). Update regex to match new format.
Extract code between dash separators instead of guessing the format.
After test_2fa_enable the browser is on the Authelia page, so the platform logout menu item doesn't exist. Navigate to platform first.
Use delete_all_cookies instead of platform logout (unreachable with 2FA enabled). Replace all time.sleep with implicit waits via find_by.
Wait for btn_disable_2fa to appear (confirming enable API call finished and authelia restarted) before navigating to authelia settings.
delete_all_cookies only clears cookies for the current domain. Need to navigate to auth domain first to clear Authelia session cookie.
…lite3 The sqlite3 CLI isn't available on the device. Store the TOTP secret during test_2fa_enable and reuse it in test_2fa_login.
…nput Authelia 4.39 TOTP second factor page uses 6 individual OTP input boxes that auto-submit, not a single tel input with a sign-in button.
Registration and login can happen within the same 30-second TOTP window, causing Authelia to reject the login code as a replay of the registration code.
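The replay rejection described above follows from how TOTP works: every code is a function of the shared secret and the 30-second time step, so a code generated 10 seconds after registration is the same code, and a verifier that remembers the last accepted step refuses it. The following is an added example (not Authelia's implementation) of RFC 4226/6238 HOTP/TOTP plus a verifier with that last-used-step check; the secret in the test is the RFC 6238 reference secret, base32-encoded as Authelia stores it, and the skew and step values are conventional defaults, not values taken from the page.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_b32(secret_b32: str) -> bytes:
    """Base32 secret as shown at registration; tolerate missing '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the time step floor(at / period)."""
    return hotp(decode_b32(secret_b32), at // period, digits)


def same_step(t1: int, t2: int, period: int = 30) -> bool:
    """True when two timestamps map to the same TOTP code."""
    return t1 // period == t2 // period


class TotpVerifier:
    """Accepts each time step at most once, even when clock skew is allowed.

    `skew` is how many neighbouring steps are tolerated; `last_counter`
    records the highest step already used so an earlier or identical step
    (the registration code reused at login) is treated as a replay.
    """

    def __init__(self, secret_b32: str, period: int = 30, digits: int = 6, skew: int = 1):
        self.secret = decode_b32(secret_b32)
        self.period = period
        self.digits = digits
        self.skew = skew
        self.last_counter = -1

    def verify(self, code: str, at: int) -> bool:
        counter = at // self.period
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue  # already consumed: replay, regardless of whether it matches
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False
```

For the test flow the fix is therefore either to wait until `same_step(t_register, t_login)` is false before logging in, or to compute the login code from the next step rather than the current one.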
After device reactivation the session cookie secret changes, making old cookies invalid (securecookie: the value is not valid). Clear cookies on both auth and platform domains before attempting Authelia login.
…ctivation After reactivation, services need time to restart. Use wait_for_login helper to retry until Authelia login page is available.
The securecookie error occurred because cookies were only cleared on auth.full_domain and full_domain, but wait_for_login navigates to device_host which is a different domain with stale session cookies. Also added debug screenshots around the failure point.
After reactivation, navigating to device_host directly doesn't initiate the OIDC authorization flow (no state/nonce), so Authelia login completes but the platform returns "no OIDC session". Use full_domain instead so the OIDC redirect chain works correctly.
After platform logout, the Authelia session cookie persists. When navigating to full_domain, OIDC auto-authorizes without showing the login page, so the test can't enter non-admin credentials.
Both test_2fa_recovery_cli and test_permission_denied need to clear Authelia session cookies after platform logout, otherwise the OIDC flow auto-authorizes without showing the login page.