September 30, 2025Sep 30 Community Expert Hi all,I've been trying to setup Unraid Connect's OIDC with authelia.It works well with the builtin Unraid.Net provider but I can't get it to work with my selfhosted Authelia instance.I did find the documentation but it did not get me any further.I receive this error when trying to login using Authelia OIDC (sensitive stuff redacted)[07:09:25 INFO OidcValidationService]: Starting discovery for provider authelia {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"} [07:09:25 INFO OidcValidationService]: Discovery URL: https://authelia/.well-known/openid-configuration {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"} [07:09:25 INFO OidcValidationService]: Client ID: unraid {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"} [07:09:25 INFO OidcValidationService]: Client secret configured: Yes {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"} [07:09:25 INFO OidcValidationService]: Discovery successful for authelia {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"} [07:09:25 INFO OidcValidationService]: Discovery response metadata: {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"} [07:09:25 INFO OidcValidationService]: - issuer: https://authelia {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"} [07:09:25 INFO OidcValidationService]: - authorization_endpoint: https://authelia/api/oidc/authorization {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"} [07:09:25 INFO OidcValidationService]: - token_endpoint: https://authelia/api/oidc/token {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"} [07:09:25 INFO OidcValidationService]: - userinfo_endpoint: https://authelia/api/oidc/userinfo {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"} [07:09:25 INFO OidcValidationService]: - jwks_uri: https://authelia/jwks.json {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"} [07:09:25 INFO OidcValidationService]: - response_types_supported: code, id_token, token, id_token token, code id_token, code token, code id_token token {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"} [07:09:25 INFO OidcValidationService]: - scopes_supported: offline_access, openid, profile, email, address, phone, groups {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"} [07:09:25 INFO OidcService]: Built authorization URL via discovery for provider authelia {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcService","context":"OidcService"} [07:09:25 INFO OidcService]: Authorization parameters: {"redirect_uri":"https://unraid/graphql/api/auth/oidc/callback","scope":"openid profile email groups","state":"authelia:xxx","response_type":"code"} {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcService","context":"OidcService"} [07:09:25 INFO OidcRestController]: Redirecting to OIDC provider: https://authelia/api/oidc/authorization?redirect_uri=https%3A%2F%2Funraid%2Fgraphql%2Fapi%2Fauth%2Foidc%2Fcallback&scope=openid+profile+email+groups&state=authelia%3Axxx&response_type=code&client_id=unraid {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcRestController","context":"OidcRestController"} [07:09:25 WARN OidcAuthorizationService]: Authorization failed for provider Authelia, user xxx, available claim keys: [amr, at_hash, aud, auth_time, azp, exp, iat, iss, jti, sub] {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcAuthorizationService","context":"OidcAuthorizationService"} [07:09:25 ERROR OidcService]: OAuth callback error: Access denied: Your account does not meet the authorization requirements for Authelia. {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcService","context":"OidcService"}This is my setup on the unraid side.The Client ID and secret match what's in Authelia's configuration. Same for the scopes.The Authorization rule is matching the email claim to the email of the Authelia user.This is my authelia client configurationI'm out of ideas on how to troubleshoot this.Do you guys have any idea or tips on how to get this further?It seems like it either can't find the email claim or it doesn't match (which i'm confident it should, I use Authelia's OIDC all over my selfhosted container instances).Authelia's logs don't provide anything and Authelia seems to be happy, so I think things go wrong on the Unraid side. Edited September 30, 2025Sep 30 by joz
September 30, 2025Sep 30 Author Community Expert Solution Allright, based on other Authelia client configurations I have, I started trial and erroring with Authelia's config for unraid.I was missing this bit claims_policy: 'default' Which is essential getting it going.For other people running into this, this is my working config in Autheliaidentity_providers: oidc: claims_policies: default: id_token: ['groups', 'email', 'email_verified', 'alt_emails', 'preferred_username', 'name'] clients: - client_id: 'someid' client_name: UnRAID client_secret: 'somesecret' public: false authorization_policy: two_factor consent_mode: implicit redirect_uris: - 'https://unraid/graphql/api/auth/oidc/callback' scopes: - openid - profile - email - groups token_endpoint_auth_method: client_secret_post claims_policy: 'default' Edited September 30, 2025Sep 30 by joz
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.