Need assistance with OIDC Configuration (Authelia+ Docker Seafile Server Pro 12)

I was banging my head against this problem for the last day, and I could really use some help on it. I was tasked to setup Seafile Pro as a POC at work, but I can’t get the SSO portion working. Reverse proxy is handled via Traefik, and everything has valid certs.

Here is the integration guide I used www. authelia .com /integration/openid-connect/seafile/

Seafile redirects to authelia for authentication, but after passing it back to seafile it just gives a generic “Error, please contact administrator.” I don’t see anything in the logs as to why.

Using seafile image seafileltd/seafile-pro-mc:12.0-latest

seahub_settings.py

OAUTH_ENABLE_INSECURE_TRANSPORT = False

OAUTH_CLIENT_ID = "your_client_id"
OAUTH_CLIENT_SECRET = "your_plaintext_secret"

OAUTH_REDIRECT_URL = "https://files.example.com/oauth/callback/"

OAUTH_PROVIDER_DOMAIN = "authelia.example.com"
OAUTH_AUTHORIZATION_URL = "https://authelia.example.com/api/oidc/authorization"
OAUTH_TOKEN_URL = "https://authelia.example.com/api/oidc/token"
OAUTH_USER_INFO_URL = "https://authelia.example.com/api/oidc/userinfo"

OAUTH_CREATE_UNKNOWN_USER = True
OAUTH_ACTIVATE_USER_AFTER_CREATION = True

OAUTH_SCOPE = [
    "openid",
    "profile",
    "email",
]

OAUTH_ATTRIBUTE_MAP = {
    "id": (False, "not used"),
    "email": (True, "email"),
    "name": (False, "name"),
    "sub": (True, "uid"),
}

DEBUG = True

Authelia Configuration

- client_id: "your_client_id"
  client_name: "Your Client Name"
  client_secret: "$pbkdf2-sha512$310000$example_salt$example_hash_value"
  public: false
  token_endpoint_auth_method: "client_secret_basic"
  authorization_policy: "two_factor"
  redirect_uris:
    - "https://files.example.com/oauth/callback/"
  scopes:
    - "openid"
    - "profile"
    - "email"
  userinfo_signed_response_alg: "none"

Seafile Env Vars:

    environment:    
      - SEAFILE_SKIP_DB_INIT=true       
      - DB_HOST=${SEAFILE_MYSQL_DB_HOST:-db}
      - SEAFILE_CADDY_ENABLED=false      
      - DB_PORT=${SEAFILE_MYSQL_DB_PORT:-3306}
      - DB_USER=${SEAFILE_MYSQL_DB_USER:-seafile}
      - DB_ROOT_PASSWD=${INIT_SEAFILE_MYSQL_ROOT_PASSWORD:-}
      - DB_PASSWORD=${SEAFILE_MYSQL_DB_PASSWORD:?Variable is not set or empty}
      - SEAFILE_MYSQL_DB_CCNET_DB_NAME=${SEAFILE_MYSQL_DB_CCNET_DB_NAME:-ccnet_db}
      - SEAFILE_MYSQL_DB_SEAFILE_DB_NAME=${SEAFILE_MYSQL_DB_SEAFILE_DB_NAME:-seafile_db}
      - SEAFILE_MYSQL_DB_SEAHUB_DB_NAME=${SEAFILE_MYSQL_DB_SEAHUB_DB_NAME:-seahub_db}
      - TIME_ZONE=${TIME_ZONE:-Etc/UTC}
      - INIT_SEAFILE_ADMIN_EMAIL=${INIT_SEAFILE_ADMIN_EMAIL:-me@example.com}
      - INIT_SEAFILE_ADMIN_PASSWORD=${INIT_SEAFILE_ADMIN_PASSWORD:-asecret}
      - SEAFILE_SERVER_LETSENCRYPT=false       
      - SEAFILE_SERVER_HOSTNAME=${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}
      - SEAFILE_SERVER_PROTOCOL=${SEAFILE_SERVER_PROTOCOL:-http}
      - SEAHUB_GUNICORN_HOST=0.0.0.0
      - SEAHUB_GUNICORN_PORT=8000      
      - SITE_ROOT=${SITE_ROOT:-/}
      - NON_ROOT=${NON_ROOT:-false}
      - JWT_PRIVATE_KEY=${JWT_PRIVATE_KEY:?Variable is not set or empty}
      - SEAFILE_LOG_TO_STDOUT=${SEAFILE_LOG_TO_STDOUT:-false}
      - ENABLE_SEADOC=${ENABLE_SEADOC:-true}
      - SEADOC_SERVER_URL=${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}/sdoc-server
      - INIT_S3_STORAGE_BACKEND_CONFIG=${INIT_S3_STORAGE_BACKEND_CONFIG:-false}
      - INIT_S3_COMMIT_BUCKET=${INIT_S3_COMMIT_BUCKET:-}
      - INIT_S3_FS_BUCKET=${INIT_S3_FS_BUCKET:-}
      - INIT_S3_BLOCK_BUCKET=${INIT_S3_BLOCK_BUCKET:-}
      - INIT_S3_KEY_ID=${INIT_S3_KEY_ID:-}
      - INIT_S3_SECRET_KEY=${INIT_S3_SECRET_KEY:-}
      - INIT_S3_USE_V4_SIGNATURE=${INIT_S3_USE_V4_SIGNATURE:-true}
      - INIT_S3_AWS_REGION=${INIT_S3_AWS_REGION:-us-east-1}
      - INIT_S3_HOST=${INIT_S3_HOST:-us-east-1}
      - INIT_S3_USE_HTTPS=${INIT_S3_USE_HTTPS:-true}

Hello!

I just finished doing this this morning (Pro v12 with Docker), but with Authentik. To start, any OAuth-related URL item in your seahub_settings.py, make sure there is a forward slash at the end (so that would include OAUTH_AUTHORIZATION_URL, OAUTH_TOKEN_URL, and OAUTH_USER_INFO_URL.

Also, here is a forum post here that helped me:

that was a good suggestion, but I am not seeing any change

OAUTH_REDIRECT_URL = "https://files.example.us/oauth/callback/"

OAUTH_PROVIDER_DOMAIN = "authelia.example.us"
OAUTH_AUTHORIZATION_URL = "https://authelia.example.us/api/oidc/authorization/"
OAUTH_TOKEN_URL         = "https://authelia.example.us/api/oidc/token/"
OAUTH_USER_INFO_URL     = "https://authelia.example.us/api/oidc/userinfo/"

I noticed this warning is showing up in the browser console, but I am not sure why as I cant fidn any references to HTTP in my config

HTTPS-Only Mode: Upgrading insecure request “http://authelia.example.us/api/oidc/authorization?response_type=code&client_id=seafile&redirect_uri=https%3A%2F%2Ffiles.example.us%2Foauth%2Fcallback%2F&scope=openid+profile+email&state=ClAZSDMSX8FWpd4StGi4uKxQJL9QgN” to use “https”. authorization

Got it!

Okay just to clarify, your client’s secret is salted and hashed in both places right? Yielding the same value? Because one placeholder value says plain text and the other does not. If you’re doing a docker compose down to bounce Seafile, try using a docker compose restart instead. Those possible solutions are at the outside though, and I don’t expect them to make much of a difference, but let’s just get them crossed off the list anyway. Then I’d look at other places like Traefik (like making sure WebSocket handling is good).

Traefik labels seem to be okay. Currently im hunting down that insecure transport warning as it shouldn’t be hitting authelia on http. One thing that is making this pretty slow to troubleshoot is that it seems my config gets randomly wiped (everything in /seafile/data/seafile/ will be gone) when restarting seafile. I also have to manaully change gunicorn.conf.py to bind to 0.0.0.0 instead of 127.0.0.1 which seems odd

Volumes are persistent of course, seafile is on an NFS mount while elasticsearch and the DB or on a local ssd

• Seafile holds the plaintext secret in seahub_settings.py.
• Authelia holds the hashed version ($pbkdf2‑sha512$…) in its configuration.yml.
  They both originate from the same raw string—no second hash in Seafile.

Traefik labels

      labels:
        #  Seahub (UI)
        - "traefik.enable=true"
        - "traefik.http.routers.seafile.rule=Host(`files.example.us`)"
        - "traefik.http.routers.seafile.entrypoints=websecure"
        - "traefik.http.routers.seafile.tls=true"
        - "traefik.http.routers.seafile.tls.certresolver=letsencrypt"
        - "traefik.http.services.seafile.loadbalancer.server.port=8000"
  
        #  “file server” router → port 8082, for /seafhttp (havent tested this as it doesnt seem related atm)
        - "traefik.http.routers.seafile-fs.rule=Host(`files.example.us`) && PathPrefix(`/seafhttp`)"
        - "traefik.http.routers.seafile-fs.entrypoints=websecure,web"
        - "traefik.http.routers.seafile-fs.tls=true"
        - "traefik.http.routers.seafile-fs.tls.certresolver=letsencrypt"
        - "traefik.http.services.seafile-fs.loadbalancer.server.port=8082"

Okay when I can, I’ll try to reproduce as well on my side. Oh, are you using any kind of 2FA?

That’s very kind of you thanks!

yes…im using passkeys with authelia which just occurred to me isn’t the best way to test this

I have it torn down atm but will test with single factor when I get it back up

Edit: resolved the vanishing data issue, i just needed to mount it, it may have gotten removed during troubleshooting

For the record here is my complete compose file

version: "3.8"

services:
  db:
    image: ${SEAFILE_DB_IMAGE:-mariadb:10.11}
    container_name: seafile-mysql
    deploy:
      placement:
        constraints:
          - node.labels.reserved != true
    environment:
      - MYSQL_ROOT_PASSWORD=${INIT_SEAFILE_MYSQL_ROOT_PASSWORD:-}   # set root password in your .env
      - MYSQL_LOG_CONSOLE=true
      - MARIADB_AUTO_UPGRADE=1
    volumes:
      - "./seafile_db:/var/lib/mysql"                              # host path for MySQL data
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-u", "root", "-p${INIT_SEAFILE_MYSQL_ROOT_PASSWORD}"]
      interval: 20s
      start_period: 30s
      timeout: 5s
      retries: 10
    networks:
      - seafile-net

  memcached:
    image: ${SEAFILE_MEMCACHED_IMAGE:-memcached:1.6.29}
    container_name: seafile-memcached
    entrypoint: memcached -m 256
    networks:
      - seafile-net

  elasticsearch:
    image: ${SEAFILE_ELASTICSEARCH_IMAGE:-elasticsearch:8.15.0}
    container_name: seafile-elasticsearch
    environment:
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - ES_JAVA_OPTS=-Xms2g -Xmx2g
      - xpack.security.enabled=false
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - "./seafile_elasticsearch:/usr/share/elasticsearch/data"     # host path for ES data
    networks:
      - seafile-net

  seafile:
    image: ${SEAFILE_IMAGE:-seafileltd/seafile-pro-mc:12.0-latest}
    container_name: seafile
    ports:
      - "8001:8000"                                               # map host port 8001 to container 8000 (seahub)
    deploy:
      placement:
        constraints:
          - node.labels.reserved != true
    labels:
      # 1) Seahub UI → port 8000
      - "traefik.enable=true"
      - "traefik.http.routers.seafile-ui.rule=Host(`files.example.com`)"
      - "traefik.http.routers.seafile-ui.entrypoints=websecure"
      - "traefik.http.routers.seafile-ui.tls=true"
      - "traefik.http.routers.seafile-ui.tls.certresolver=letsencrypt"
      - "traefik.http.routers.seafile-ui.priority=10"
      - "traefik.http.services.seafile-ui.loadbalancer.server.port=8000"

      # 2) Fileserver → port 8082 at /seafhttp (uncomment if needed)
      # - "traefik.http.routers.seafile-fs.rule=Host(`files.example.com`) && PathPrefix(`/seafhttp`)"
      # - "traefik.http.routers.seafile-fs.entrypoints=websecure"
      # - "traefik.http.routers.seafile-fs.tls=true"
      # - "traefik.http.routers.seafile-fs.tls.certresolver=letsencrypt"
      # - "traefik.http.routers.seafile-fs.priority=5"
      # - "traefik.http.services.seafile-fs.loadbalancer.server.port=8082"

    volumes:
      - "./data:/shared"                                           # shared config/logs
      - "./data:/opt/seafile-data"                                # seafile-data directory <-- configs stored here

    environment:
      # - SEAFILE_SKIP_DB_INIT=true                               # init skip didn’t work reliably
      - DB_HOST=${SEAFILE_MYSQL_DB_HOST:-db}
      - DB_PORT=${SEAFILE_MYSQL_DB_PORT:-3306}
      - DB_USER=${SEAFILE_MYSQL_DB_USER:-seafile}
      - DB_ROOT_PASSWD=${INIT_SEAFILE_MYSQL_ROOT_PASSWORD:-}       # root password
      - DB_PASSWORD=${SEAFILE_MYSQL_DB_PASSWORD:?}                 # seafile user password
      - SEAFILE_MYSQL_DB_CCNET_DB_NAME=${SEAFILE_MYSQL_DB_CCNET_DB_NAME:-ccnet_db}
      - SEAFILE_MYSQL_DB_SEAFILE_DB_NAME=${SEAFILE_MYSQL_DB_SEAFILE_DB_NAME:-seafile_db}
      - SEAFILE_MYSQL_DB_SEAHUB_DB_NAME=${SEAFILE_MYSQL_DB_SEAHUB_DB_NAME:-seahub_db}
      - TIME_ZONE=${TIME_ZONE:-Etc/UTC}
      - INIT_SEAFILE_ADMIN_EMAIL=${INIT_SEAFILE_ADMIN_EMAIL:-admin@example.com}
      - INIT_SEAFILE_ADMIN_PASSWORD=${INIT_SEAFILE_ADMIN_PASSWORD:-changeme}
      - SEAFILE_SERVER_LETSENCRYPT=false
      - SEAFILE_SERVER_HOSTNAME=${SEAFILE_SERVER_HOSTNAME:-files.example.com}
      - SEAFILE_SERVER_PROTOCOL=${SEAFILE_SERVER_PROTOCOL:-https}
      # - SEAHUB_GUNICORN_HOST=0.0.0.0                              # didn’t resolve listening issue
      # - SEAHUB_GUNICORN_PORT=8000
      - SITE_ROOT=${SITE_ROOT:-/}
      - NON_ROOT=${NON_ROOT:-false}
      - JWT_PRIVATE_KEY=${JWT_PRIVATE_KEY:?}                       # keep this secret!
      - SEAFILE_LOG_TO_STDOUT=${SEAFILE_LOG_TO_STDOUT:-false}
      - ENABLE_SEADOC=${ENABLE_SEADOC:-true}
      - SEADOC_SERVER_URL=${SEADOC_SERVER_URL}

    depends_on:
      - db
      - memcached
      - elasticsearch
    networks:
      - seafile-net
      - traefik_public

networks:
  seafile-net:
  traefik_public:
    external: true

Just tested with single factor, no dice
Edit:
found this in the oauth logs

  tail -n 100 /shared/seafile/logs/seahub.log | grep -i oauth
[2025-04-16 15:43:36] [ERROR] seahub.oauth.views:168 oauth_callback (invalid_request) The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Client Credentials missing or malformed.
[2025-04-16 15:46:39] [ERROR] seahub.oauth.views:168 oauth_callback (invalid_request) The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Client Credentials missing or malformed.
[2025-04-16 16:00:21] [ERROR] seahub.oauth.views:168 oauth_callback (invalid_request) The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Client Credentials missing or malformed.

Edit 2:

confirmed the keys work

curl -sk -H "Authorization: Bearer authelia_at_codez8.HlEp1c7C7pWJo3jAArZeyLCqjsEp8_AmvCZd14Vxni0" \
  https://authelia.example.us/api/oidc/userinfo | jq .

{
  "email": "Cory@domain.sh",
  "email_verified": true,
  "name": "Cory",
  "preferred_username": "cory",
  "sub": "coez8508-9c801eebed34",
  "updated_at": 1744839612
}

curl -sk -X POST "https://authelia.example.us/api/oidc/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code&code=authelia_ac_BK2codezJDlQIpZcodezT7Yo4gwtcodezS_w9aE.4pyb_FxWeYbm6LaEX-cXMcodezBRMlQweCEj304&redirect_uri=https://files.example.us/oauth/callback&client_id=seafile&client_secret=codezBybbfwr4l859l_codezzU8u4NPKT0VknTYQ" \
| jq .

{
  "access_token": "authelia_at_codezzzHlEp1c7C7pWJo3jAArZeyLCqjsEp8_AmvCZd14Vxni0",
  "expires_in": 3239999,
  "id_token": "codezJxUqMT-9i5LXMHtEChu8b059I5YmsiqOmy_j_DqFkbiPIj_BBKSA3Fk3dEzikoYekedBwBhBdhz_76fvg62MrHCMEoqoYwJbpnS2bvFjBzN4fF4lOmaFLxodezE7jvA",
  "scope": "openid profile email",
  "token_type": "bearer"
}

Hello hello!

So, I spent several hours working with this in my homelab, and although I was able to get past the error you are describing, I ultimately couldn’t get past an error regarding Seafile being unable to create new users.

Error, new user registration is not allowed, please contact administrator.

All of the settings for Seafile necessary to perform this task are there in my configuration, and I ended up delving into some of the Python source which was a bit of a rabbit hole. I may take another whack at it later when my brain clears.

Suffice it to say though that I was able to get Authelia working & Seafile communicating with it with no certificate issues; now it is just this last hurdle. The Authelia documentation regarding Seafile integration only talks about version 10, so there may be some kind of issue on the Seafile side that needs resolution (or a doc issue on the Authelia side).

I was able to make the headway that I did by going into the Seafile container itself and checking logs there (as opposed to the standard Compose logs). However, being you’ve already spent a lot of time on this, was there any reason you were sticking with Authelia? Authentik is another option here and I have that working beautifully and I may be able to assist there.

EDIT 1: I GOT IT!!! Here was the last piece I was missing:

[2025-04-17 05:07:46] [WARNING] …/common/user-mgr.c(130): The number of users exceeds limit, max 3, current 3

So if you already have three users, are using Pro, and haven’t paid for a license yet, you won’t be able to create new users until you delete an existing one. If there’s any part of my Authelia/Seafile config I can share, do let me know!!!

EDIT 2: Full disclosure & FYI - I am not using Traefik for reverse proxy, but Apache Traffic Server (not the same product as their flagship web server).

That’s awesome news! My environment wouldn’t be able to justify an SSO platform switch so I’m glad this has the potential to work out, and 3 users is all I need for this POC.

Could you go into a bit more detail about what you did to get past the error, contact admin message? I do see those oauth errors from my previous post, but I’m not sure what to do about them.

Yes indeed!

I did a LOT of tweaking and I should have kept better track of my work, but I want to try to keep this concise yet helpful so I don’t just simply overload you with everything I did

If I’m looking at the Python source directly, there are five things that may be happening in that instance (unfortunately the same message is used for several scenarios):

1. Unable to add the user (i.e. user limit hit)

2. Unable to fetch session’s token using CLIENT_SECRET and CLIENT_ID using TOKEN_URL

3. Unable to get session state using AUTHORIZATION_URL

4. Unable to obtain user info from USER_INFO_URL

5. Unable to generally authenticate

That error message is repeated in other places as well, but in those other instances, they have other attendant messages too which give more descriptive information.

Your URL’s for the above look fine. My only real difference is that I added port 9091 to my PROVIDER_DOMAIN as Authelia was listening there (i.e. authelia.example.us:9091).

(Incidentally, in Authelia’s docker-compose, I had to change…

expose:
   - 9091

…to…

ports:
   - 9091:9091

…in order for Authelia to start listening there)

So that’s on the Seafile side. As for the Authelia side, of course I had to properly set the authentication_backend properly with the encryption algorithm (and corresponding users database, for which I just used a YAML file). I also had to set the OIDC provider with a Java Web Key set, using client_secret_basic for the token_endpoint_auth_method, although for the key set, I needed to add a container environment variable in the docker-compose file so I could properly template/include the key file contents in the configuration:

environment:
- X_AUTHELIA_CONFIG_FILTERS=template

Then the last piece was Apache Traffic Server, my reverse proxy. I just had to make sure I was passing both HTTPS & WebSockets traffic.

So that’s it in a high-level nutshell. If need be we can start matching up configs.

My, you did dig deeply into this. That is a rather significant deep dive

we currently already have 9091 open for authelia, which is where traefik is pointed

    ports: 
      - 9091:9091

So… I’m a bit confused on the change. because authelia.example.com already points to authelia:9091. I could reference the container directly in the provider domain and see if docker DNS can handle it.

Authelia route config:

      labels:
        - traefik.enable=true
        ## HTTP Routers
        - traefik.http.routers.authelia-rtr.entrypoints=websecure
        - 'traefik.http.routers.authelia-rtr.rule=Host(`authelia.$DOMAINNAME`)'
        ## Middlewares
        - "traefik.http.routers.authelia-rtr.tls.certresolver=letsencrypt"
        - 'traefik.http.routers.authelia-rtr.tls=true'
       
        ## HTTP Services
        - traefik.http.routers.authelia-rtr.service=authelia-svc
        - traefik.http.services.authelia-svc.loadbalancer.server.port=9091
        - traefik.http.middlewares.traefik-real-ip@file

Our authentication provider is setup with ldap

authentication_backend:
  password_reset:
    disable: false
  refresh_interval: 1m
  ldap:
    implementation: custom
    url: ldap://lldap:3890
    timeout: 5s
    start_tls: false
    base_dn: dc=example,dc=us
    username_attribute: uid
    additional_users_dn: ou=people
    users_filter: "(&({username_attribute}={input})(objectClass=person))"
    additional_groups_dn: ou=groups
    groups_filter: "(member={dn})"
    group_name_attribute: cn
    mail_attribute: mail
    display_name_attribute: displayName
    user: uid=admin,ou=people,dc=example,dc=us
    password: 'dontleakthis'

I also had to set the OIDC provider with a Java Web Key set, using client_secret_basic for the token_endpoint_auth_method

I have tried post and basic, but had been leaving it on post being that’s what the outdated guide had used. I’ll switch it to basic and see if it in combination with some other changes is the ticket

For the Java web key portion we have a mature fully configured Authelia instance so we have that covered, unless I’m misunderstanding

    environment:
      - TZ=$TZ
      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt_secret
      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
      - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/gmail-smtp-pw
      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_db_key

identity_providers:
  oidc:
    claims_policies:
      default:
        id_token:
          - "groups"
          - "email"
          - "email_verified"
          - "preferred_username"
          - "name"

So, I think the only material differences between our configurations is Traefik vs Apache, and post vs basic

You didn’t make any changes to your seahub_settings.py file outside of what I had setup?

SUCCESS

however…I dont know why. The only change I made was changing it to basic from post…but I’d done that a dozen times while troubleshooting.

Ah well, I’m going to try and break it for a bit and if I can’t I’ll just hand it over to the next sucker I mean engineer in the chain to do his part

Thanks so much for your help, this has been a rough 3 days trying to get this working

I love a good deep dive; helping people, problem solving and all that

Yeah, the 9091 ports change I made is something that I missed initially, and if you can already hit yours on that port then that crosses that off the list anyway.

The only seahub_settings.py changes that may differ are:

ENABLE_OAUTH= True
OAUTH_ATTRIBUTE_MAP = {
    "name": (False, "name"),
    "sub": (True, "uid"),
    "email": (True, "username"),
}

…although you may have already done it and it’s just outside the snip

Incidentally did you try using a YAML file for your backend? Just to ensure something in the LDAP config wasn’t causing issues? Granted I know you need to use LDAP, just a process of elimination.

For the Authelia configuration, I’ll just put what I have for that section so you can compare:

identity_providers:
  oidc:
    jwks:
      - key_id: 'seafile'
        algorithm: 'RS256'
        use: 'sig'
        key: {{ secret "/config/rsa.2048.key" | mindent 10 "|" | msquote }}
    clients:
      - client_id: 'seafile'
        client_name: 'Seafile'
        client_secret: <DIGEST_FOR_SECRET>
        public: false
        authorization_policy: 'one_factor'
        redirect_uris:
          - 'https://<SEAFILE_SERVER>/oauth/callback/'
        scopes:
          - 'user'
          - 'openid'
          - 'profile'
          - 'email'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'

OH AWESOME!!!

So glad you were able to break on through to the other side

Now go grab a coffee, tea or whatever is your jam. Have a great day!