authelia: Update config for 4.39

Authelia made breaking changes to the OIDC issuer configuration in 4.39,
specifically around what claims are present in identity tokens.  Without
a claims policy set, clients will _not_ get the correct claims, which
breaks authentication and authorization in many cases (including
Kubernetes).

While I was fixing that, I went ahead and fixed a few of the other
deprecation warnings.  There are still two that show up at startup, but
fixing them will be a bit more involved, it seems.

authelia/authelia.yaml

@@ -54,7 +54,7 @@ spec:
       - name: authelia
         image: ghcr.io/authelia/authelia
         env:
-        - name: AUTHELIA_JWT_SECRET_FILE
+        - name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
           value: /run/authelia/secrets/jwt.secret
         - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
           value: /run/authelia/secrets/ldap.password

authelia/configuration.yml

@@ -74,20 +74,30 @@ authentication_backend:
     implementation: activedirectory
     tls:
       minimum_version: TLS1.2
-    url: ldaps://pyrocufflink.blue
+    address: ldaps://pyrocufflink.blue
     user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue
 
 certificates_directory: /run/authelia/certs
 
 identity_providers:
   oidc:
+    claims_policies:
+      default:
+        id_token:
+        - groups
+        - email
+        - email_verified
+        - preferred_username
+        - name
     clients:
-    - id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
-      description: Jenkins
-      secret: >-
+    - client_id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
+      client_name: Jenkins
+      client_secret: >-
         $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
       redirect_uris:
       - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
+      response_types:
+      - code
       scopes:
       - openid
       - groups
@@ -97,51 +107,58 @@ identity_providers:
       authorization_policy: one_factor
       pre_configured_consent_duration: 8h
       token_endpoint_auth_method: client_secret_post
-    - id: kubernetes
-      description: Kubernetes
+    - client_id: kubernetes
+      client_name: Kubernetes
       public: true
+      claims_policy: default
       redirect_uris:
       - http://localhost:8000
       - http://localhost:18000
       authorization_policy: one_factor
       pre_configured_consent_duration: 8h
-    - id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
-      description: MinIO
-      secret: >-
+    - client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
+      client_name: MinIO
+      client_secret: >-
         $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
       redirect_uris:
       - https://burp.pyrocufflink.blue:9090/oauth_callback
       - https://minio.backups.pyrocufflink.blue/oauth_callback
-    - id: step-ca
-      description: step-ca
+    - client_id: step-ca
+      client_name: step-ca
       public: true
+      claims_policy: default
       redirect_uris:
       - http://127.0.0.1
       pre_configured_consent_duration: 8h
-    - id: argocd
-      description: Argo CD
+    - client_id: argocd
+      client_name: Argo CD
+      claims_policy: default
       pre_configured_consent_duration: 8h
       redirect_uris:
       - https://argocd.pyrocufflink.blue/auth/callback
-      secret: >-
+      client_secret: >-
         $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
-    - id: argocd-cli
-      description: argocd CLI
+    - client_id: argocd-cli
+      client_name: argocd CLI
       public: true
+      claims_policy: default
       pre_configured_consent_duration: 8h
       audience:
       - argocd-cli
       redirect_uris:
       - http://localhost:8085/auth/callback
+      response_types:
+      - code
       scopes:
       - openid
+      - groups
       - profile
       - email
-      - groups
       - offline_access
-    - id: sshca
-      description: SSHCA
+    - client_id: sshca
+      client_name: SSHCA
       public: true
+      claims_policy: default
       pre_configured_consent_duration: 4h
       redirect_uris:
       - http://127.0.0.1
@@ -157,17 +174,18 @@ log:
 notifier:
   smtp:
     disable_require_tls: true
-    host: mail.pyrocufflink.blue
-    port: 25
+    address: 'mail.pyrocufflink.blue:25'
     sender: auth@pyrocufflink.net
 
 session:
-  domain: pyrocufflink.blue
   expiration: 1d
   inactivity: 4h
   redis:
     host: redis
     port: 6379
+  cookies:
+  - domain: pyrocufflink.blue
+    authelia_url: 'https://auth.pyrocufflink.blue'
 
 server:
   buffers:
@@ -175,7 +193,7 @@ server:
 
 storage:
   postgres:
-    host: postgresql.pyrocufflink.blue
+    address: postgresql.pyrocufflink.blue
     database: authelia
     username: authelia
     password: unused