
v0.10.4 seems not to access properly the secrets #290

Closed
flixman opened this issue Mar 26, 2025 · 4 comments

Comments

@flixman

flixman commented Mar 26, 2025

I am defining the secrets on a k8s manifest:

apiVersion: v1
kind: Secret
metadata:   
  name: oidc-clients
  namespace: authelia
type: Opaque
stringData:
  argocd.password: "<base64encoded>$pbkdf2-sha512$310000$....."

Then, in authelia config file, I am including this secret:

secret:
  additionalSecrets:
    oidc-clients:
      items:
        - key: 'argocd.password'
          path: 'argocd.password'

Finally, I am using this secret when declaring the oidc clients:

configMap:
  identity_providers:
    oidc:
      clients:
        - client_id: 'argocd'
          client_name: 'Argo CD'
          client_secret:
            path: '/secrets/oidc-clients/argocd.password'
          public: false

The error I am getting when authelia gets initialised is:

time="2025-03-26T16:32:00Z" level=warning msg="Configuration: identity_providers: oidc: clients: client 'argocd': option 'client_secret' is plaintext but for clients not using any endpoint authentication method 'client_secret_jwt' it should be a hashed value as plaintext values are deprecated with the exception of 'client_secret_jwt' and will be removed in the near future"

I have a number of questions, but I do not know to whom they should be pointed:

1. When setting up the secret: if I use just "data" instead of stringData, then I get an error:

time="2025-03-26T16:12:37Z" level=error msg="Configuration: error occurred during unmarshalling configuration: decoding failed due to the following error(s):\n\nerror decoding 'identity_providers.oidc.clients[0].client_secret': could not decode '$pbkdf2-sha512$310000$...' to a *schema.PasswordDigest: pbkdf2 decode error: provided encoded hash has a salt value that can't be decoded: illegal base64 data at input byte 8\nerror decoding 'identity_providers.oidc.clients[1].client_secret': could not decode '$pbkdf2-sha512$310000$xxdMgeP+ORVUd/yYgERkEw$UJmaXRz4T718HL9EiHLgvyE0k48gSfzcHz27MLiidtEZPo8QdD2WMiBtv1iYuYkGdLWF10T6Xt5OWr0zzD+2LA' to a *schema.PasswordDigest: pbkdf2 decode error: provided encoded hash has a salt value that can't be decoded: illegal base64 data at input byte 7"

meaning that it is decoding it once, and then tries to decode it a second time. I assume that the reason "stringData" works is that I am passing it encoded, and stringData encodes it a second time.

2. Using stringData with a base64-encoded input, and pointing the path field to the secret, complains about having client_secret as plain text. This seems to suggest that it has decoded it only once and does not see that it has the format of a hashed password.

Or am I doing something seriously wrong?

@Crowley723
Member

Crowley723 commented Mar 26, 2025

The error I am getting when authelia gets initialised is:

I think this error points to authelia treating the value of your base64-encoded hash as the secret (in plaintext), which is why it's complaining.

I would avoid encoding the values that are in the manifest since K8s will base64 encode them anyways.

As for the format of the file, here is what mine looks like (truncated):

apiVersion: v1
kind: Secret
metadata:
  name: authelia
  namespace: authelia
  labels:
    app.kubernetes.io/managed-by: Helm
  annotations:
    meta.helm.sh/release-name: authelia
    meta.helm.sh/release-namespace: authelia
type: Opaque
stringData:
  LDAP_PASSWORD: >-
    this_is_a_really_good_password
  STORAGE_PASSWORD: >-
    this_is_another_really_good_password
  SOME_CLIENT_SECRET: >-
    $pbkdf2-sha512$310000$wowLookAtThisAmazingSaltAndHashOfTheProperLength
  A_COOL_PRIVATE_KEY: |
    -----BEGIN PRIVATE KEY-----
    this_is_obviously_a_valid_private_key...
    -----END PRIVATE KEY-----

@james-d-elliott
Member

Yep, when you use stringData it will automatically convert it when you add it; my recollection is that if you just use data it won't.

@flixman
Author

flixman commented Mar 27, 2025

@Crowley723 @james-d-elliott Thank you for your answers. However, as reported (and I have just checked it again, to be sure), if I am using the non base64-encoded string like:

apiVersion: v1
kind: Secret
metadata:   
  name: oidc-clients
  namespace: authelia
type: Opaque
stringData:
  argocd.password: "$pbkdf2-sha512$310000$....."

the error I get then is:

time="2025-03-27T06:53:44Z" level=error msg="Configuration: error occurred during unmarshalling configuration: decoding failed due to the following error(s):\n\nerror decoding 'identity_providers.oidc.clients[1].client_secret': could not decode '$pbkdf2-sha512$310000$3KkSEj9K0+J....' to a *schema.PasswordDigest: pbkdf2 decode error: provided encoded hash has a salt value that can't be decoded: illegal base64 data at input byte 9"

@flixman
Author

flixman commented Mar 28, 2025

Ok, figured out what was wrong: I was generating a standard base64 secret, as opposed to a bcrypt-base64 variant. The moment this secret has been properly generated, all has started to work. Thank you!

@flixman flixman closed this as completed Mar 28, 2025
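The two things this thread turns on can be checked offline: a Kubernetes `data` value is base64-decoded once before it is mounted while a `stringData` value is stored as written, and the salt and hash fields inside a `$pbkdf2-sha512$` digest are themselves base64 with no padding, so a value produced with an ordinary padded base64 tool, or encoded one time too many, is rejected. The Python below is an added example, not code from the issue, from Authelia or from its hashing library: it generates, parses and verifies a PHC-style pbkdf2 digest under the assumption that its fields use the standard base64 alphabet without `=` padding (an assumption about the format, so check Authelia's reference documentation for the exact encoding its decoder accepts), and simulates what the container reads for each way of filling in the Secret. All function names and the sample password are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed parser for a PHC-style string:
#   $pbkdf2-<alg>$<iterations>$<salt>$<hash>
# Assumption: salt and hash use the standard base64 alphabet with no '=' padding.
# This is an illustration for the thread, not Authelia's own decoder.
_PHC_RE = re.compile(r"^\$pbkdf2-(sha256|sha512)\$(\d+)\$([^$]+)\$([^$]+)$")


def b64_raw_encode(raw: bytes) -> str:
    """Standard-alphabet base64 with the trailing '=' padding removed."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def b64_raw_decode(text: str) -> bytes:
    """Inverse of b64_raw_encode. A padded or non-alphabet value is rejected,
    which is the situation behind a 'salt value that can't be decoded' error."""
    if "=" in text:
        raise ValueError("padding character '=' in a field that must be unpadded")
    try:
        return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"illegal base64 data: {exc}") from exc


def generate_pbkdf2_digest(password: str, iterations: int = 310000,
                           salt: Optional[bytes] = None) -> str:
    """Produce a digest in the layout the thread's client_secret expects."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return f"$pbkdf2-sha512${iterations}${b64_raw_encode(salt)}${b64_raw_encode(dk)}"


def parse_pbkdf2_digest(digest: str) -> dict:
    """Split a digest into its fields, decoding salt and hash from raw base64."""
    m = _PHC_RE.match(digest)
    if not m:
        raise ValueError("not a $pbkdf2-<alg>$ string")
    alg, iterations, salt_b64, hash_b64 = m.groups()
    return {"algorithm": alg, "iterations": int(iterations),
            "salt": b64_raw_decode(salt_b64), "hash": b64_raw_decode(hash_b64)}


def verify_client_secret(digest: str, candidate: str) -> bool:
    """Constant-time comparison of a presented secret against the stored digest."""
    p = parse_pbkdf2_digest(digest)
    dk = hashlib.pbkdf2_hmac(p["algorithm"], candidate.encode(), p["salt"],
                             p["iterations"], dklen=len(p["hash"]))
    return hmac.compare_digest(dk, p["hash"])


def mounted_secret_bytes(field: str, value: str) -> bytes:
    """Bytes a container reads from the mounted file for one Secret entry.
    `stringData` is stored as written; `data` must already be base64 and is
    decoded by Kubernetes before it is mounted."""
    if field == "stringData":
        return value.encode()
    if field == "data":
        return base64.b64decode(value, validate=True)
    raise ValueError(f"unknown Secret field {field!r}")


def classify_mounted_value(raw: bytes) -> str:
    """Map the mounted bytes onto the three outcomes seen in the thread."""
    text = raw.decode("utf-8", errors="replace")
    if not text.startswith("$pbkdf2-"):
        return "plaintext"            # the 'client_secret is plaintext' warning
    try:
        parse_pbkdf2_digest(text)
        return "hashed"               # usable as a hashed client_secret
    except ValueError:
        return "undecodable-digest"   # the 'can't be decoded' unmarshalling error


if __name__ == "__main__":
    digest = generate_pbkdf2_digest("example-client-secret")   # constructed sample
    encoded_once = base64.b64encode(digest.encode()).decode()
    for field, value in (("stringData", digest), ("data", encoded_once),
                         ("stringData", encoded_once)):
        outcome = classify_mounted_value(mounted_secret_bytes(field, value))
        print(f"{field:10} -> {outcome}")
```

Running it prints `hashed` for the digest placed in `stringData` as-is and for its single base64 encoding placed in `data`, and `plaintext` for the base64-encoded digest placed in `stringData`, which is the combination that produced the "option 'client_secret' is plaintext" warning. Padding the salt field with `=` or using a character outside the standard alphabet yields `undecodable-digest`, the shape of the "salt value that can't be decoded" error.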