Authelia

Use Authelia as the identity provider for Perch sign-ins. Authelia has no web UI for managing OIDC clients, so you register them right in the config file.

Your redirect URI

The redirect URI to register is your hub’s URL with this exact path:

https://your-hub-url/api/auth/custom/callback

Register the client in Authelia

Add a new entry under identity_providers.oidc.clients in your Authelia config:

configuration.yml
identity_providers:
  oidc:
    clients:
      - client_id: perch
        client_name: Perch
        client_secret: '$argon2id$...'
        public: false
        authorization_policy: two_factor
        redirect_uris:
          - https://your-hub-url/api/auth/custom/callback
        scopes:
          - openid
          - email
          - profile
        grant_types:
          - authorization_code
        response_types:
          - code

The secret must be an Argon2 digest

Since Authelia 4.38.0, client_secret holds an Argon2 digest, not the plaintext secret. Generate one with the command below, which prints both the raw secret and the digest. Put the digest in the config, and hang onto the raw secret for the Perch side.

generate-secret.sh
docker run --rm authelia/authelia:latest \
  authelia crypto hash generate argon2 \
  --random --random.length 72 --random.charset rfc3986

Restart Authelia to load the new client.
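Before restarting, it is worth sanity-checking the client entry, because Authelia will reject a plaintext client_secret and an http or mistyped redirect URI silently breaks the login flow. The following check is an added example written for this page, not code from Authelia or Perch; it assumes the client entry has already been loaded from configuration.yml into a Python dict (the Argon2 digest, the hub URL and the counter-example are constructed placeholders).

```python
import re
from urllib.parse import urlparse

CALLBACK_PATH = "/api/auth/custom/callback"

# PHC string format that `authelia crypto hash generate argon2` prints
# ($argon2id$v=19$m=...,t=...,p=...$salt$hash). Anything else is not a digest.
ARGON2_PHC = re.compile(
    r"^\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$"
)

# Constructed sample: the client entry from the config above as a YAML loader
# would produce it. The digest is a placeholder, not a real hash of any secret.
GOOD_CLIENT = {
    "client_id": "perch",
    "client_name": "Perch",
    "client_secret": "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHRzb21lc2FsdA$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNoaGFzaGhhc2g",
    "public": False,
    "authorization_policy": "two_factor",
    "redirect_uris": ["https://your-hub-url/api/auth/custom/callback"],
    "scopes": ["openid", "email", "profile"],
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
}

# Constructed counter-example carrying the mistakes this check is meant to catch.
BAD_CLIENT = {
    "client_id": "perch",
    "client_secret": "raw-secret-pasted-by-mistake",  # the raw secret, not the digest
    "public": True,                                   # public clients have no secret at all
    "authorization_policy": "two_factor",
    "redirect_uris": ["http://your-hub-url/api/auth/custom/callback"],  # http, not https
    "scopes": ["openid"],                             # Perch is configured with "openid email"
    "grant_types": ["authorization_code", "implicit"],
    "response_types": ["code", "token"],
}


def validate_perch_client(client: dict, hub_url: str) -> list[str]:
    """Return a list of problems with the client entry; an empty list means it looks right."""
    problems = []
    expected_redirect = hub_url.rstrip("/") + CALLBACK_PATH

    if not ARGON2_PHC.match(client.get("client_secret", "")):
        problems.append("client_secret is not an Argon2 digest (plaintext is rejected since 4.38.0)")
    if client.get("public", False):
        problems.append("public must be false: Perch authenticates with a client secret")
    if not client.get("authorization_policy"):
        problems.append("authorization_policy is not set")

    uris = client.get("redirect_uris", [])
    if expected_redirect not in uris:
        problems.append(f"redirect_uris must contain exactly {expected_redirect}")
    for uri in uris:
        if urlparse(uri).scheme != "https":
            problems.append(f"redirect URI is not https: {uri}")

    missing = {"openid", "email"} - set(client.get("scopes", []))
    if missing:
        problems.append("scopes missing: " + ", ".join(sorted(missing)))
    if client.get("grant_types") != ["authorization_code"]:
        problems.append("grant_types should be exactly [authorization_code]")
    if client.get("response_types") != ["code"]:
        problems.append("response_types should be exactly [code]")
    return problems


if __name__ == "__main__":
    for name, entry in (("good", GOOD_CLIENT), ("bad", BAD_CLIENT)):
        print(name, validate_perch_client(entry, "https://your-hub-url") or "ok")
```

The redirect URI is compared as an exact string on purpose: Authelia matches registered redirect URIs exactly, so a trailing slash or an http scheme counts as a different URI.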

Setup in Perch

Open the Custom OIDC card in Perch (Admin → Auth) and fill in:

  • Client ID: perch
  • Client Secret: the raw secret from the command above

For the URLs, use your Authelia discovery document:

https://auth.example.com/.well-known/openid-configuration

Open it in your browser and copy the values across:

Perch field         Discovery doc key
Authorization URL   authorization_endpoint
Token URL           token_endpoint
Userinfo URL        userinfo_endpoint

Set Scopes to openid email, then enable the provider.
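Rather than copying the three URLs by hand, you can pull them out of the discovery document and check, at the same time, that the document is the one you expect: the issuer matches your Authelia URL, every endpoint is https on the issuer's host, and the code flow and the openid and email scopes are advertised. This is an added example written for this page, not code from Authelia or Perch; the discovery document it parses is constructed inline (endpoint paths are illustrative), so it runs offline, and the same function works on the JSON fetched from your own .well-known URL.

```python
import json
from urllib.parse import urlparse

# Which Perch field takes which discovery-document key.
PERCH_FIELDS = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Userinfo URL": "userinfo_endpoint",
}

# Constructed discovery document in the shape served at
# https://auth.example.com/.well-known/openid-configuration; only the keys
# this check needs are present and the endpoint paths are illustrative.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/api/oidc/authorization",
    "token_endpoint": "https://auth.example.com/api/oidc/token",
    "userinfo_endpoint": "https://auth.example.com/api/oidc/userinfo",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
})

# Constructed counter-example: claims the right issuer but sends the token
# request to another host over plain http. Perch must not be pointed at it.
TAMPERED_DISCOVERY = json.dumps({
    **json.loads(SAMPLE_DISCOVERY),
    "token_endpoint": "http://other-host.example.net/token",
})


def discovery_problems(doc_json: str, expected_issuer: str) -> list[str]:
    """Return the reasons this discovery document should not be used for Perch."""
    doc = json.loads(doc_json)
    problems = []
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match {expected_issuer!r}")
    issuer_host = urlparse(issuer).netloc
    for field, key in PERCH_FIELDS.items():
        url = doc.get(key)
        if not url:
            problems.append(f"{key} missing (needed for Perch {field})")
            continue
        parts = urlparse(url)
        if parts.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if parts.netloc != issuer_host:
            problems.append(f"{key} is on a different host than the issuer: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type code is not supported")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("grant_type authorization_code is not supported")
    missing = {"openid", "email"} - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not supported: " + ", ".join(sorted(missing)))
    return problems


def perch_urls_from_discovery(doc_json: str, expected_issuer: str) -> dict[str, str]:
    """Map discovery keys to Perch field names, refusing a document that fails the checks."""
    problems = discovery_problems(doc_json, expected_issuer)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(doc_json)
    return {field: doc[key] for field, key in PERCH_FIELDS.items()}


if __name__ == "__main__":
    for field, url in perch_urls_from_discovery(SAMPLE_DISCOVERY, "https://auth.example.com").items():
        print(f"{field}: {url}")
```

The host comparison is deliberately strict: Authelia serves all three endpoints from the same origin as the issuer, so an endpoint on another host means you are looking at the wrong document or a modified one.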