How to setup a proxy with Authelia?

[wsw70]

I am trying to setup a proxy with Authelia as the authentication layer, following the suggested documentation. Authelia provides SSO for other services so this is not a new configuration from that side.

I fail with (logs from Authelia, replicated in Etherpad):

proxy-authelia  | time="2024-11-12T13:59:39Z" level=error msg="Access Request failed with error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The request was determined to be using 'token_endpoint_auth_method' method 'client_secret_basic', however the OAuth 2.0 client registration does not allow this method. The registered client with id 'etherpad' is configured to only support 'token_endpoint_auth_method' method 'client_secret_post'. Either the Authorization Server client registration will need to have the 'token_endpoint_auth_method' updated to 'client_secret_basic' or the Relying Party will need to be configured to use 'client_secret_post'." method=POST path=/api/oidc/token remote_ip=192.168.10.1

Would someone know what this means in simpler terms, and ideally share a configuration?

I added to "Current Configuration" in Etherpad, at the root, the required entry

  "sso": {
    "issuer": "${SSO_ISSUER:http://localhost:9001}",
      "clients": [
        {
          "client_id": "${ADMIN_CLIENT:admin_client}",
          "client_secret": "${ADMIN_SECRET:admin}",
          "grant_types": ["authorization_code"],
          "response_types": ["code"],
          "redirect_uris": ["${ADMIN_REDIRECT:http://localhost:9001/admin/}"]
        },
        {
          "client_id": "${USER_CLIENT:user_client}",
          "client_secret": "${USER_SECRET:user}",
          "grant_types": ["authorization_code"],
          "response_types": ["code"],
          "redirect_uris": ["${USER_REDIRECT:http://localhost:9001/}"]
        }
      ]
    },"ep_openid_connect": {
    "issuer": "https://authelia.XXX",
    "client_id": "etherpad",
    "client_secret": "YYY",
    "base_url": "https://etherpad.XXX"
  },
}

This is verbatim the end of the configuration "file" (this is not a file, at least I did not find it anywhere - but the content of the "Current Configuration" screen). Note that:

• "ep_openid_connect" is added right after the pre-existing "sso" entry, at the highest (root) level of the dictionary/hash.
• I did not touch the "sso" entry as I do not know what this is but it looks awfully like an SSO configuration ("sso" is the name, to start with). Shouldn't it be modified as well?

A side note (for which I will open bug report) is that it is not possible to make a new line in the file by pressing the Enter key (this is why "ep_openid_connect" is glued to the pre-existing comma)