Added server.endpoints.authz.forward-auth configuration to explicitly
use CookieSession authentication strategy. This ensures browsers
receive HTTP 302 redirects instead of HTTP 401 responses when
accessing protected services while unauthenticated.
Without this configuration, the forward-auth endpoint was returning
401 with Location headers, which browsers don't automatically follow.
With CookieSession strategy, GET requests from browsers will now
receive 302 redirects that automatically redirect to the Authelia
login page.
Authentication strategy order:
1. CookieSession - for browser users (returns 302 redirects)
2. HeaderAuthorization - for API clients (returns 401 with headers)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Set AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET in compose
- Set AUTHELIA_SESSION_SECRET in compose
- Set AUTHELIA_STORAGE_ENCRYPTION_KEY in compose
- Set AUTHELIA_STORAGE_POSTGRES_PASSWORD in compose
- Remove variable syntax from configuration.yml
- Authelia reads these directly from environment variables
- Use modern server.address syntax instead of host/port
- Add identity_validation.reset_password.jwt_secret (deprecates jwt_secret)
- Update session to use cookies array with secret
- Fix session.remember_me_duration to remember_me
- Remove envsubst complexity for password hashes
- Keep users_database.yml only on server (not in git)
- Add users_database.yml to .gitignore
- Update users_database.template.yml with multi-user examples
- Configure Authelia to watch users_database.yml for changes
- Users can now be added/removed by editing the file on server
- Supports unlimited users without code changes
- Rename users_database.yml to users_database.template.yml
- Use envsubst to substitute AUTHELIA_USER_PASSWORD_HASH from .env
- Update configuration.yml to use /config/users_database.yml
- Add AUTHELIA_USER_PASSWORD_HASH environment variable to compose
- Password hash now stored securely in .env instead of git
