
feat: add Authelia SSO provider#790

Open
amauryconstant wants to merge 2 commits into phasehq:main from amauryconstant:feat/add-authelia-sso-provider

Conversation

@amauryconstant amauryconstant commented Mar 3, 2026

🔍 Overview

Phase currently supports several SSO/OIDC providers but lacks a lightweight, self-hosted option.

Authelia is an OpenID Certified™ authentication server that runs as a single Go binary (~25MB RAM), making it a natural complement to Authentik for self-hosters with smaller footprints or simpler identity needs. This PR adds Authelia as a named OIDC provider following the exact pattern established when Authentik was added in v2.50.2.

💡 Proposed Changes

Adds Authelia as a community-tier SSO provider. No new dependencies, no architectural changes — this reuses the existing GenericOpenIDConnectAdapter and GenericOpenIDConnectProvider base classes.

Backend (Django / django-allauth):

  • New api/authentication/providers/authelia/ package (3 files) — thin adapter subclassing GenericOpenIDConnectAdapter with Authelia's OIDC endpoint paths
  • New AutheliaLoginView in api/views/auth.py
  • New route authelia/ in api/urls.py
  • New authelia entry in SOCIALACCOUNT_PROVIDERS in settings.py

Frontend (Next.js / NextAuth):

  • New generic OIDC provider block in [...nextauth].ts using type: 'oidc' with Authelia's issuer URL
  • Added 'authelia' to the OIDC group in the JWT callback for id_token extraction
  • New AutheliaLogo SVG component + logo index export
  • New button entry in SignInButtons.tsx

Environment variables (all optional — provider activates only when set):

| Variable | Description |
| --- | --- |
| AUTHELIA_URL | Base URL of Authelia instance (e.g. https://auth.example.com) |
| AUTHELIA_CLIENT_ID | OAuth2 client ID configured in Authelia |
| AUTHELIA_CLIENT_SECRET | OAuth2 client secret |
| SSO_PROVIDERS | Must include authelia to show the sign-in button |

Files changed: 10 (3 new, 7 modified), ~106 insertions.

🖼️ Screenshots or Demo

None

📝 Release Notes

  • New: Added Authelia as an SSO/OIDC provider. Self-hosters running Authelia can now use it for single sign-on by setting AUTHELIA_URL, AUTHELIA_CLIENT_ID, AUTHELIA_CLIENT_SECRET, and adding authelia to SSO_PROVIDERS.

❓ Open Questions

  1. Documentation: Should Authelia get its own docs page under the SSO configuration section, or is a subsection on an existing page sufficient?

🧪 Testing

Manual testing performed:

  • Authelia OIDC client configured with response_types: ['code'], grant_types: ['authorization_code'], scopes openid email profile
  • Full login flow: sign-in button → Authelia consent → callback → Phase session created
  • Verified id_token claims (sub, email, name) propagate correctly through the JWT callback
  • Verified provider does not appear when env vars are unset

Testing gaps:

  • No automated tests added (matches existing pattern — no other SSO provider has unit tests for the adapter layer)
  • Not tested with Authelia's LDAP backend (only file-based users) — should work identically since the OIDC layer is the same

🎯 Reviewer Focus

Start with these files in order:

  1. backend/api/authentication/providers/authelia/views.py — Core adapter. Compare against providers/authentik/views.py to verify the pattern is followed correctly. Key difference: Authelia's OIDC discovery URL is at issuer root (/.well-known/openid-configuration) rather than Authentik's /application/o/{slug}/ path.
  2. frontend/pages/api/auth/[...nextauth].ts — Uses type: 'oidc' (generic OIDC) instead of a named NextAuth provider. Verify the provider block and JWT callback addition.
  3. backend/backend/settings.py — Confirm the SOCIALACCOUNT_PROVIDERS entry matches the existing pattern.

Everything else is mechanical wiring (imports, routes, button entry, logo).

➕ Additional Context

  • Authelia is OpenID Certified™ (Basic OP, Implicit OP, Hybrid OP, Config OP profiles), so OIDC discovery and token exchange are fully spec-compliant.
  • Phase's GenericOpenIDConnectAdapter handles OIDC discovery, JWKS validation, and userinfo fallback — the Authelia adapter is a thin wrapper that only provides URL construction.
  • NextAuth's openid-client library and Authelia both default to client_secret_basic for token endpoint auth, so no explicit token_endpoint_auth_method configuration is needed.

✨ How to Test the Changes Locally

  1. Run an Authelia instance (Docker is easiest):

    docker run -d --name authelia \
      -v ./authelia-config:/config \
      -p 9091:9091 \
      authelia/authelia:latest
  2. Configure an OIDC client in Authelia's configuration.yml:

    identity_providers:
      oidc:
        clients:
          - client_id: 'phase'
            client_name: 'Phase Console'
            client_secret: '$pbkdf2-sha512$...'  # authelia crypto hash generate pbkdf2
            redirect_uris:
              - 'http://localhost:3000/api/auth/callback/authelia'
            scopes: ['openid', 'email', 'profile']
            response_types: ['code']
            grant_types: ['authorization_code']
  3. Set environment variables in Phase:

    AUTHELIA_URL=http://localhost:9091
    AUTHELIA_CLIENT_ID=phase
    AUTHELIA_CLIENT_SECRET=<plaintext secret>
    SSO_PROVIDERS=authelia
  4. Start Phase locally and verify the Authelia button appears on the sign-in page. Click through the full OAuth flow.

💚 Did You...

  • Ensure linting passes (code style checks)?
  • Update dependencies and lockfiles (if required) — N/A, no new dependencies
  • Update migrations (if required) — N/A, no model changes
  • Regenerate graphql schema and types (if required) — N/A, no schema changes
  • Verify the app builds locally?
  • Manually test the changes on different browsers/devices?
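As an added example (not code from the PR or from Phase), a small preflight script for the setup described above: it applies the activation rule for the environment variables and checks an Authelia discovery document, served at the issuer root, for the settings the PR relies on (code flow, client_secret_basic, openid/email/profile scopes). The sample discovery document and the function names are constructed for this illustration.

```python
# Constructed example, not Phase's code: the activation rule for the env vars above
# and a preflight check of an Authelia discovery document against the client
# settings the PR relies on (code flow, client_secret_basic, openid/email/profile).
REQUIRED_VARS = ("AUTHELIA_URL", "AUTHELIA_CLIENT_ID", "AUTHELIA_CLIENT_SECRET")

def authelia_enabled(env: dict) -> bool:
    """Provider activates only when all three vars are set and 'authelia' is in SSO_PROVIDERS."""
    if any(not env.get(v) for v in REQUIRED_VARS):
        return False
    providers = {p.strip() for p in env.get("SSO_PROVIDERS", "").split(",")}
    return "authelia" in providers

def discovery_url(authelia_url: str) -> str:
    """Authelia serves discovery at the issuer root, not under a per-application path."""
    return authelia_url.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(doc: dict, authelia_url: str) -> list:
    """Return every mismatch between the discovery document and the expected client setup.
    Absent optional fields take the defaults the OIDC Discovery spec assigns them."""
    issuer = authelia_url.rstrip("/")
    problems = []
    if doc.get("issuer", "").rstrip("/") != issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != AUTHELIA_URL {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        if not doc.get(key, "").startswith(issuer + "/"):
            problems.append(f"{key} missing or not under the issuer")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")
    if "authorization_code" not in doc.get("grant_types_supported", ["authorization_code", "implicit"]):
        problems.append("grant_type 'authorization_code' not supported")
    if "client_secret_basic" not in doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]):
        problems.append("client_secret_basic not offered; token_endpoint_auth_method must be set")
    missing = {"openid", "email", "profile"} - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not advertised: {sorted(missing)}")
    return problems

# Constructed sample document (not captured from a real instance); the optional
# grant_types_supported and token_endpoint_auth_methods_supported keys are omitted
# on purpose so the spec defaults are exercised.
SAMPLE_DISCOVERY = {
    "issuer": "http://localhost:9091",
    "authorization_endpoint": "http://localhost:9091/api/oidc/authorization",
    "token_endpoint": "http://localhost:9091/api/oidc/token",
    "userinfo_endpoint": "http://localhost:9091/api/oidc/userinfo",
    "jwks_uri": "http://localhost:9091/jwks.json",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email", "profile", "groups"],
}
```

Against a live instance, fetch `discovery_url(AUTHELIA_URL)` with any HTTP client and pass the parsed JSON to `check_discovery`; an empty list means the client block in step 2 above should work unchanged.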

@nimish-ks nimish-ks self-assigned this Mar 3, 2026
@nimish-ks
Member

@amauryconstant Thanks so much for the PR! <160 lines is 🔥

We will review and get merged very soon. Meanwhile, it would be great if you could update the documentation to include instructions on how to set up Authelia here: https://github.com/phasehq/docs/blob/main/src/pages/access-control/authentication/oidc-sso.mdx

@amauryconstant
Author

I'll create an MR for the docs as well. In the meantime, would you like me to provide the specific docker compose files, conf and anything else I used for testing so you can check yourselves?

@nimish-ks
Member

> I'll create an MR for the docs as well. In the meantime, would you like me to provide the specific docker compose files, conf and anything else I used for testing so you can check yourselves?

I think your PR instructions are good enough. Thanks!

Override complete_login to check request.data for id_token when it's
not available in the token object. This fixes authentication failures
where dj-rest-auth's parse_token() only extracts access_token and
refresh_token, causing the adapter to fall back to userinfo endpoint
which returns 401.
@amauryconstant
Author

While testing to build good docs, I noticed an issue with the token extraction.
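As an added illustration of the bug the commit message above describes (constructed code, not Phase's adapter and not dj-rest-auth's): `parse_token` keeps only the access and refresh tokens, so `complete_login` must also consult `request.data` for the id_token before falling back to the userinfo endpoint. The HS256 signer and verifier stand in for Authelia's signing key and the base adapter's JWKS validation, and all function names are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed example, not Phase's or dj-rest-auth's code: models the token-extraction
# bug from the commit message and the complete_login override that fixes it.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_token(data: dict) -> dict:
    """Mimics the behaviour the commit describes: only access/refresh tokens survive."""
    return {k: data[k] for k in ("access_token", "refresh_token") if k in data}

def make_id_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 signer so the sample runs offline; stands in for Authelia's signer."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(id_token: str, key: bytes, issuer: str, client_id: str) -> dict:
    """Stand-in for the base adapter's JWKS validation: signature, iss and aud are checked
    before any claim is trusted; the header's alg is ignored on purpose."""
    header, body, sig = id_token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad id_token signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("id_token iss/aud mismatch")
    return claims

def complete_login(token: dict, request_data: dict, fetch_userinfo, *, key, issuer, client_id) -> dict:
    """The override: recover id_token from request.data when parse_token dropped it, and
    only fall back to the userinfo endpoint when no id_token is available at all."""
    id_token = token.get("id_token") or request_data.get("id_token")
    if id_token:
        claims = verify_id_token(id_token, key, issuer, client_id)
        return {k: claims.get(k) for k in ("sub", "email", "name")}
    return fetch_userinfo(token["access_token"])

def userinfo_unauthorized(access_token: str) -> dict:
    """Models the 401 the PR author hit once the adapter fell back to userinfo."""
    raise PermissionError("401 Unauthorized from userinfo endpoint")
```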

@amauryconstant
Author

phasehq/docs#209
