docs: ✏️ Improve OIDC docs

This commit is contained in:
Jin
2025-08-12 22:03:36 +02:00
parent d8d0a64134
commit d224f33913
6 changed files with 183 additions and 46 deletions

View File

@@ -59,6 +59,102 @@ WantedBy=multi-user.target</code></pre>
<li>You can now open a browser to http://[your-server-hostname]:8080 and you
should see the Trilium initialization page.</li>
</ul>
<h2>Simple Autoupdate for Server</h2>
<p>Run as the same User Trilium runs</p>
<p>if you run as root please remove 'sudo' from the commands</p>
<p>requires "jq" <code>apt install jq</code>
</p>
<p>It will stop the service above, overwrite everything (i expect no config.ini),
and start service It also creates a version file in the Trilium directory
so it updates only with a newer Version</p><pre><code class="language-text-x-trilium-auto">#!/bin/bash
# Configuration
REPO="TriliumNext/Trilium"
PATTERN="TriliumNotes-Server-.*-linux-x64.tar.xz"
DOWNLOAD_DIR="/var/tmp/trilium_download"
OUTPUT_DIR="/opt/trilium"
SERVICE_NAME="trilium"
VERSION_FILE="$OUTPUT_DIR/version.txt"
# Ensure dependencies are installed
command -v curl &gt;/dev/null 2&gt;&amp;1 || { echo "Error: curl is required"; exit 1; }
command -v jq &gt;/dev/null 2&gt;&amp;1 || { echo "Error: jq is required"; exit 1; }
command -v tar &gt;/dev/null 2&gt;&amp;1 || { echo "Error: tar is required"; exit 1; }
# Create download directory
mkdir -p "$DOWNLOAD_DIR" || { echo "Error: Cannot create $DOWNLOAD_DIR"; exit 1; }
# Get the latest release version
LATEST_VERSION=$(curl -sL https://api.github.com/repos/$REPO/releases/latest | jq -r '.tag_name')
if [ -z "$LATEST_VERSION" ]; then
echo "Error: Could not fetch latest release version"
exit 1
fi
# Check current installed version (from version.txt or existing tarball)
CURRENT_VERSION=""
if [ -f "$VERSION_FILE" ]; then
CURRENT_VERSION=$(cat "$VERSION_FILE")
elif [ -f "$DOWNLOAD_DIR/TriliumNotes-Server-$LATEST_VERSION-linux-x64.tar.xz" ]; then
CURRENT_VERSION="$LATEST_VERSION"
fi
# Compare versions
if [ "$CURRENT_VERSION" = "$LATEST_VERSION" ]; then
echo "Latest version ($LATEST_VERSION) is already installed"
exit 0
fi
# Download the latest release
LATEST_URL=$(curl -sL https://api.github.com/repos/$REPO/releases/latest | jq -r ".assets[] | select(.name | test(\"$PATTERN\")) | .browser_download_url")
if [ -z "$LATEST_URL" ]; then
echo "Error: No asset found matching pattern '$PATTERN'"
exit 1
fi
FILE_NAME=$(basename "$LATEST_URL")
FILE_PATH="$DOWNLOAD_DIR/$FILE_NAME"
# Download if not already present
if [ -f "$FILE_PATH" ]; then
echo "Latest release $FILE_NAME already downloaded"
else
curl -LO --output-dir "$DOWNLOAD_DIR" "$LATEST_URL" || { echo "Error: Download failed"; exit 1; }
echo "Downloaded $FILE_NAME to $DOWNLOAD_DIR"
fi
# Extract the tarball
EXTRACT_DIR="$DOWNLOAD_DIR/extracted"
mkdir -p "$EXTRACT_DIR"
tar -xJf "$FILE_PATH" -C "$EXTRACT_DIR" || { echo "Error: Extraction failed"; exit 1; }
# Find the extracted directory (e.g., TriliumNotes-Server-0.97.2-linux-x64)
INNER_DIR=$(find "$EXTRACT_DIR" -maxdepth 1 -type d -name "TriliumNotes-Server-*-linux-x64" | head -n 1)
if [ -z "$INNER_DIR" ]; then
echo "Error: Could not find extracted directory matching TriliumNotes-Server-*-linux-x64"
exit 1
fi
# Stop the trilium-server service
if systemctl is-active --quiet "$SERVICE_NAME"; then
echo "Stopping $SERVICE_NAME service..."
sudo systemctl stop "$SERVICE_NAME" || { echo "Error: Failed to stop $SERVICE_NAME"; exit 1; }
fi
# Copy contents to /opt/trilium, overwriting existing files
echo "Copying contents from $INNER_DIR to $OUTPUT_DIR..."
sudo mkdir -p "$OUTPUT_DIR"
sudo cp -r "$INNER_DIR"/* "$OUTPUT_DIR"/ || { echo "Error: Copy failed"; exit 1; }
echo "$LATEST_VERSION" | sudo tee "$VERSION_FILE" &gt;/dev/null
echo "Files copied to $OUTPUT_DIR"
# Start the trilium-server service
echo "Starting $SERVICE_NAME service..."
sudo systemctl start "$SERVICE_NAME" || { echo "Error: Failed to start $SERVICE_NAME"; exit 1; }
# Clean up
rm -rf "$EXTRACT_DIR"
echo "Cleanup complete. Trilium updated to $LATEST_VERSION."</code></pre>
<h2>Common issues</h2>
<h3>Outdated glibc</h3><pre><code class="language-text-x-trilium-auto">Error: /usr/lib64/libstdc++.so.6: version `GLIBCXX_3.4.21' not found (required by /var/www/virtual/.../node_modules/@mlink/scrypt/build/Release/scrypt.node)
at Object.Module._extensions..node (module.js:681:18)
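Review bot: the fallback branch `elif [ -f "$DOWNLOAD_DIR/TriliumNotes-Server-$LATEST_VERSION-linux-x64.tar.xz" ]` treats an already-downloaded tarball as an installed version, so a run that downloaded the archive and then failed at `tar`, `cp` or `systemctl start` will print "Latest version ... is already installed" and exit 0 on every later run without ever installing anything; `$VERSION_FILE` is written only after the copy succeeds and is the only trustworthy signal, so drop the `elif`. Two smaller points in the same script: `jq -r '.tag_name'` prints the literal string `null` when the API returns an error body (rate limiting, for example), so `[ -z "$LATEST_VERSION" ]` never fires and the script carries on with `null` as the version; use `jq -er '.tag_name // empty'`. And nothing verifies the archive before it is extracted and copied over `/opt/trilium` with sudo; if the release publishes a checksum or signature asset, fetch and verify it before `tar -xJf`, and add `set -euo pipefail` at the top so a failed pipeline does not silently continue. Finally, the check is `=` rather than "newer", so the prose "updates only with a newer Version" overstates it: any tag that differs from version.txt, including an older one, triggers the overwrite.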

View File

@@ -1,6 +1,6 @@
<p>Official docker images are published on docker hub for <strong>AMD64</strong>, <strong>ARMv7</strong> and <strong>ARM64/v8</strong>:
<a
href="https://hub.docker.com/r/triliumnext/notes/">https://hub.docker.com/r/triliumnext/notes/</a>
href="https://hub.docker.com/r/triliumnext/trilium/">https://hub.docker.com/r/triliumnext/trilium/</a>
</p>
<h2>Prerequisites</h2>
<p>Ensure Docker is installed on your system.</p>
@@ -15,7 +15,7 @@
mounting your SMB share.</p>
</aside>
<h2>Running with Docker Compose</h2>
<h3>Grab the latest docker-compose.yml:</h3><pre><code class="language-text-x-trilium-auto">wget https://raw.githubusercontent.com/TriliumNext/Notes/master/docker-compose.yml</code></pre>
<h3>Grab the latest docker-compose.yml:</h3><pre><code class="language-text-x-trilium-auto">wget https://raw.githubusercontent.com/TriliumNext/Trilium/master/docker-compose.yml</code></pre>
<p>Optionally, edit the <code>docker-compose.yml</code> file to configure the
container settings prior to starting it. Unless configured otherwise, the
data directory will be <code>~/trilium-data</code> and the container will
@@ -26,7 +26,7 @@
<h3>Pulling the Docker Image</h3>
<p>To pull the image, use the following command, replacing <code>[VERSION]</code> with
the desired version or tag, such as <code>v0.91.6</code> or just <code>latest</code>.
(See published tag names at <a href="https://hub.docker.com/r/triliumnext/notes/tags">https://hub.docker.com/r/triliumnext/notes/tags</a>.):</p><pre><code class="language-text-x-trilium-auto">docker pull triliumnext/notes:v0.91.6</code></pre>
(See published tag names at <a href="https://hub.docker.com/r/triliumnext/trilium/tags">https://hub.docker.com/r/triliumnext/trilium/tags</a>.):</p><pre><code class="language-text-x-trilium-auto">docker pull triliumnext/trilium:v0.91.6</code></pre>
<p><strong>Warning:</strong> Avoid using the "latest" tag, as it may automatically
upgrade your instance to a new minor version, potentially disrupting sync
setups or causing other issues.</p>
@@ -37,7 +37,7 @@
<h4>Local Access Only</h4>
<p>Run the container to make it accessible only from the localhost. This
setup is suitable for testing or when using a proxy server like Nginx or
Apache.</p><pre><code class="language-text-x-trilium-auto">sudo docker run -t -i -p 127.0.0.1:8080:8080 -v ~/trilium-data:/home/node/trilium-data triliumnext/notes:[VERSION]</code></pre>
Apache.</p><pre><code class="language-text-x-trilium-auto">sudo docker run -t -i -p 127.0.0.1:8080:8080 -v ~/trilium-data:/home/node/trilium-data triliumnext/trilium:[VERSION]</code></pre>
<ol>
<li>Verify the container is running using <code>docker ps</code>.</li>
<li>Access Trilium via a web browser at <code>127.0.0.1:8080</code>.</li>
@@ -45,20 +45,20 @@
<h4>Local Network Access</h4>
<p>To make the container accessible only on your local network, first create
a new Docker network:</p><pre><code class="language-text-x-trilium-auto">docker network create -d macvlan -o parent=eth0 --subnet 192.168.2.0/24 --gateway 192.168.2.254 --ip-range 192.168.2.252/27 mynet</code></pre>
<p>Then, run the container with the network settings:</p><pre><code class="language-text-x-trilium-auto">docker run --net=mynet -d -p 127.0.0.1:8080:8080 -v ~/trilium-data:/home/node/trilium-data triliumnext/notes:-latest</code></pre>
<p>Then, run the container with the network settings:</p><pre><code class="language-text-x-trilium-auto">docker run --net=mynet -d -p 127.0.0.1:8080:8080 -v ~/trilium-data:/home/node/trilium-data triliumnext/trilium:-latest</code></pre>
<p>To set a different user ID (UID) and group ID (GID) for the saved data,
use the <code>USER_UID</code> and <code>USER_GID</code> environment variables:</p><pre><code class="language-text-x-trilium-auto">docker run --net=mynet -d -p 127.0.0.1:8080:8080 -e "USER_UID=1001" -e "USER_GID=1001" -v ~/trilium-data:/home/node/trilium-data triliumnext/notes:-latest</code></pre>
use the <code>USER_UID</code> and <code>USER_GID</code> environment variables:</p><pre><code class="language-text-x-trilium-auto">docker run --net=mynet -d -p 127.0.0.1:8080:8080 -e "USER_UID=1001" -e "USER_GID=1001" -v ~/trilium-data:/home/node/trilium-data triliumnext/trilium:-latest</code></pre>
<p>Find the local IP address using <code>docker inspect [container_name]</code> and
access the service from devices on the local network.</p><pre><code class="language-text-x-trilium-auto">docker ps
docker inspect [container_name]</code></pre>
<h4>Global Access</h4>
<p>To allow access from any IP address, run the container as follows:</p><pre><code class="language-text-x-trilium-auto">docker run -d -p 0.0.0.0:8080:8080 -v ~/trilium-data:/home/node/trilium-data triliumnext/notes:[VERSION]</code></pre>
<p>To allow access from any IP address, run the container as follows:</p><pre><code class="language-text-x-trilium-auto">docker run -d -p 0.0.0.0:8080:8080 -v ~/trilium-data:/home/node/trilium-data triliumnext/trilium:[VERSION]</code></pre>
<p>Stop the container with <code>docker stop &lt;CONTAINER ID&gt;</code>,
where the container ID is obtained from <code>docker ps</code>.</p>
<h3>Custom Data Directory</h3>
<p>For a custom data directory, use:</p><pre><code class="language-text-x-trilium-auto">-v ~/YourOwnDirectory:/home/node/trilium-data triliumnext/notes:[VERSION]</code></pre>
<p>For a custom data directory, use:</p><pre><code class="language-text-x-trilium-auto">-v ~/YourOwnDirectory:/home/node/trilium-data triliumnext/trilium:[VERSION]</code></pre>
<p>If you want to run your instance in a non-default way, please use the
volume switch as follows: <code>-v ~/YourOwnDirectory:/home/node/trilium-data triliumnext/notes:&lt;VERSION&gt;</code>.
volume switch as follows: <code>-v ~/YourOwnDirectory:/home/node/trilium-data triliumnext/trilium:&lt;VERSION&gt;</code>.
It is important to be aware of how Docker works for volumes, with the first
path being your own and the second the one to virtually bind to. <a href="https://docs.docker.com/storage/volumes/">https://docs.docker.com/storage/volumes/</a> The
path before the colon is the host directory, and the path after the colon
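Review bot: the rename at `triliumnext/trilium:-latest` (both `docker run --net=mynet` lines) carries over a pre-existing typo: a tag cannot start with a hyphen, so `-latest` is not a valid tag and these commands fail at pull time. Since the lines are being edited anyway, change them to `triliumnext/trilium:[VERSION]`, which matches the other examples in this file and the warning earlier on the page against relying on `latest`.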
@@ -89,10 +89,10 @@ docker inspect [container_name]</code></pre>
<p><em><strong>If you're unsure, stick to the “rootful” Docker image referenced above.</strong></em>
</p>
<p>Below are some commands to pull the rootless images:</p><pre><code class="language-text-x-trilium-auto"># For Debian-based image
docker pull triliumnext/notes:rootless
docker pull triliumnext/trilium:rootless
# For Alpine-based image
docker pull triliumnext/notes:rootless-alpine</code></pre>
docker pull triliumnext/trilium:rootless-alpine</code></pre>
<h3>Why Rootless?</h3>
<p>Running containers as non-root is a security best practice that reduces
the potential impact of container breakouts. If an attacker manages to
@@ -117,13 +117,13 @@ TRILIUM_UID=$(id -u) TRILIUM_GID=$(id -g) docker-compose -f docker-compose.rootl
TRILIUM_DATA_DIR=/path/to/your/data TRILIUM_UID=$(id -u) TRILIUM_GID=$(id -g) docker-compose -f docker-compose.rootless.yml up -d
</code></pre>
<h4><strong>Using Docker CLI</strong></h4><pre><code class="language-text-x-trilium-auto"># Build the image
docker build -t triliumnext/notes:rootless -f apps/server/Dockerfile.rootless .
docker build -t triliumnext/trilium:rootless -f apps/server/Dockerfile.rootless .
# Run with default UID/GID (1000:1000)
docker run -d --name trilium -p 8080:8080 -v ~/trilium-data:/home/trilium/trilium-data triliumnext/notes:rootless
docker run -d --name trilium -p 8080:8080 -v ~/trilium-data:/home/trilium/trilium-data triliumnext/trilium:rootless
# Run with custom UID/GID
docker run -d --name trilium -p 8080:8080 --user $(id -u):$(id -g) -v ~/trilium-data:/home/trilium/trilium-data triliumnext/notes:rootless
docker run -d --name trilium -p 8080:8080 --user $(id -u):$(id -g) -v ~/trilium-data:/home/trilium/trilium-data triliumnext/trilium:rootless
</code></pre>
<h3>Environment Variables</h3>
<ul>
@@ -176,11 +176,11 @@ TRILIUM_UID=1001 TRILIUM_GID=1001 docker-compose -f docker-compose.rootless.yml
<h3>Building Custom Rootless Images</h3>
<p>If you would prefer, you can also customize the UID/GID at build time:</p><pre><code class="language-text-x-trilium-auto"># For Debian-based image with custom UID/GID
docker build --build-arg USER=myuser --build-arg UID=1001 --build-arg GID=1001 \
-t triliumnext/notes:rootless-custom -f apps/server/Dockerfile.rootless .
-t triliumnext/trilium:rootless-custom -f apps/server/Dockerfile.rootless .
# For Alpine-based image with custom UID/GID
docker build --build-arg USER=myuser --build-arg UID=1001 --build-arg GID=1001 \
-t triliumnext/notes:alpine-rootless-custom -f apps/server/Dockerfile.alpine.rootless .
-t triliumnext/trilium:alpine-rootless-custom -f apps/server/Dockerfile.alpine.rootless .
</code></pre>
<p>Available build arguments:</p>
<ul>

View File

@@ -27,36 +27,43 @@ class="admonition warning">
</aside>
<h3>TOTP</h3>
<ol>
<li>Go to "Menu" -&gt; "Options" -&gt; "MFA"</li>
<li>Click the “Enable Multi-Factor Authentication” checkbox if not checked</li>
<li>Choose “Time-Based One-Time Password (TOTP)” under MFA Method</li>
<li>Click the "Generate TOTP Secret" button</li>
<li>Copy the generated secret to your authentication app/extension</li>
<li>Click the "Generate Recovery Codes" button</li>
<li>Save the recovery codes. Recovery codes can be used once in place of the
TOTP if you loose access to your authenticator. After a rerecovery code
is used, it will show the unix timestamp when it was used in the MFA options
tab.</li>
<li>Re-login will be required after TOTP setup is finished (After you refreshing
the page).</li>
<li data-list-item-id="ee190226d19e91a9330c263fa05fc61e7">Go to "Menu" -&gt; "Options" -&gt; "MFA"</li>
<li data-list-item-id="ec7573505a7c9607c44a6a525a063fd3d">Click the “Enable Multi-Factor Authentication” checkbox if not checked</li>
<li
data-list-item-id="e49b476d39ceb086ac8ffab93be7ddb46">Choose “Time-Based One-Time Password (TOTP)” under MFA Method</li>
<li
data-list-item-id="e8104db62f8a7b835cba5c79377ea441d">Click the "Generate TOTP Secret" button</li>
<li data-list-item-id="e4928e65314a99efe44ee2806c989ac45">Copy the generated secret to your authentication app/extension</li>
<li
data-list-item-id="ea96afadbac44638a6ec6e13733e23b53">Click the "Generate Recovery Codes" button</li>
<li data-list-item-id="e67fffe2e3d945b23f93668c3ead03da7">Save the recovery codes. Recovery codes can be used once in place of the
TOTP if you loose access to your authenticator. After a rerecovery code
is used, it will show the unix timestamp when it was used in the MFA options
tab.</li>
<li data-list-item-id="ee94c4493042bb4d50ef6e07a30c65b95">Re-login will be required after TOTP setup is finished (After you refreshing
the page).</li>
</ol>
<h3>OpenID</h3>
<p>In order to setup OpenID, you will need to setup a authentication provider.
This requires a bit of extra setup. Follow <a href="https://developers.google.com/identity/openid-connect/openid-connect">these instructions</a> to
setup an OpenID service through google.</p>
setup an OpenID service through google. The Redirect URL of Trilium is <code>https://&lt;your-trilium-domain&gt;/callback</code>.</p>
<ol>
<li>Set the <code>oauthBaseUrl</code>, <code>oauthClientId</code> and <code>oauthClientSecret</code> in
<li data-list-item-id="e12ea6450b407f0bbcb4109ef082bdfe3">Set the <code>oauthBaseUrl</code>, <code>oauthClientId</code> and <code>oauthClientSecret</code> in
the <code>config.ini</code> file (check&nbsp;<a class="reference-link" href="#root/_help_Gzjqa934BdH4">Configuration (config.ini or environment variables)</a>&nbsp;for
more information).
<ol>
<li>You can also setup through environment variables (<code>TRILIUM_OAUTH_BASE_URL</code>, <code>TRILIUM_OAUTH_CLIENT_ID</code> and <code>TRILIUM_OAUTH_CLIENT_SECRET</code>).</li>
</ol>
<li data-list-item-id="ed369d1f114cb20a128dc286729d8370d">You can also setup through environment variables (<code>TRILIUM_OAUTH_BASE_URL</code>, <code>TRILIUM_OAUTH_CLIENT_ID</code> and <code>TRILIUM_OAUTH_CLIENT_SECRET</code>).</li>
<li
data-list-item-id="e1b13f1b5f3be3cf1d2cb4f26da326b60"><code>oauthBaseUrl</code> should be the link of your Trilium instance server,
for example, <code>https://&lt;your-trilium-domain&gt;</code>.</li>
</ol>
</li>
<li>Restart the server</li>
<li>Go to "Menu" -&gt; "Options" -&gt; "MFA"</li>
<li>Click the “Enable Multi-Factor Authentication” checkbox if not checked</li>
<li>Choose “OAuth/OpenID” under MFA Method</li>
<li>Refresh the page and login through OpenID provider</li>
<li data-list-item-id="e7e03745ea93c9ce8d79cfb4bd2815db2">Restart the server</li>
<li data-list-item-id="edbb2231e1ec4b4d1296245db1ab87f8d">Go to "Menu" -&gt; "Options" -&gt; "MFA"</li>
<li data-list-item-id="e1300f72967b25817d5944b27afa26182">Click the “Enable Multi-Factor Authentication” checkbox if not checked</li>
<li
data-list-item-id="ea1290a6b9568d1f4bf44c803d366248d">Choose “OAuth/OpenID” under MFA Method</li>
<li data-list-item-id="e1801298cdda474547d810959fc3e79ef">Refresh the page and login through OpenID provider</li>
</ol>
<aside class="admonition note">
<p>The default OAuth issuer is Google. To use other services such as Authentik
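Review bot: the TOTP list items are being rewritten here (the added `data-list-item-id` attributes make every line show as changed), so fix the typos in the same pass instead of carrying them over: "if you loose access" should be "if you lose access", "After a rerecovery code" should be "After a recovery code", and "After you refreshing the page" should be "after refreshing the page". On the new OpenID sentence, the Redirect URL `https://<your-trilium-domain>/callback` is `oauthBaseUrl` followed by `/callback`, so say explicitly that `oauthBaseUrl` must be the origin browsers actually use (the public scheme and host in front of any reverse proxy), because the provider rejects the login with a redirect_uri mismatch when the two differ. The `data-list-item-id` values themselves are editor-generated noise; if the export tool cannot strip them, every future edit to these lists will produce a diff this large.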
@@ -65,4 +72,25 @@ class="admonition warning">
these values can be set using environment variables: <code>TRILIUM_OAUTH_ISSUER_BASE_URL</code>, <code>TRILIUM_OAUTH_ISSUER_NAME</code>,
and <code>TRILIUM_OAUTH_ISSUER_ICON</code>. <code>oauthIssuerName</code> and <code>oauthIssuerIcon</code> are
required for displaying correct issuer information at the Login page.</p>
</aside>
</aside>
<h4>Authentik</h4>
<p>If you dont already have a running Authentik instance, please follow
<a
href="https://docs.goauthentik.io/docs/install-config/install/docker-compose">these instructions</a>to set one up.</p>
<ol>
<li data-list-item-id="eedb3ea2a0107b0bc34a61a088fba1b2d">In the Authentik admin dashboard, create a new OAuth2 application by following
<a
href="https://docs.goauthentik.io/docs/add-secure-apps/providers/oauth2/create-oauth2-provider">these steps</a>. Make sure to set the Redirect URL to: <code>https://&lt;your-trilium-domain&gt;/callback</code>.</li>
<li
data-list-item-id="eb98f26412740c574a384128637681e7d">In your config.ini file, set the relevant OAuth variables:
<ol>
<li data-list-item-id="e12ec552e0c5ce7f6a12af520dc6d8aa2"><code>oauthIssuerBaseUrl</code> → Use the <code>OpenID Configuration Issuer</code> URL
from your application's overview page.</li>
<li data-list-item-id="e3f6d6bbf6cf4cdee38be3a7d53bd57b9"><code>oauthIssuerName</code> and <code>oauthIssuerIcon</code> → Set these
to customize the name and icon displayed on the login page. If omitted,
Googles name and icon will be shown by default.</li>
</ol>
</li>
<li data-list-item-id="eeae084919db88733646612f3c4f55a6e">Apply the changes by restarting your server.</li>
<li data-list-item-id="ec71ab917862af5f96f2a5567d82ac0da">Proceed with the remaining steps starting from Step 3 in the OpenID section.</li>
</ol>
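Review bot: step 2 of the Authentik list ("set the relevant OAuth variables") names only `oauthIssuerBaseUrl`, `oauthIssuerName` and `oauthIssuerIcon`, and step 4 then sends the reader to "Step 3 in the OpenID section", which skips the step that sets `oauthBaseUrl`, `oauthClientId` and `oauthClientSecret`. A reader following this section verbatim never configures the client ID and secret that the Authentik provider issued, so either add those three keys to step 2 or point step 4 at Step 1. Smaller fixes in the same lines: `</a>to set one up` is missing a space after the link, "If you dont" should be "If you don't", and "Googles name and icon" should be "Google's name and icon".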

View File

@@ -60,15 +60,16 @@ sudo systemctl enable --now -q trilium
```
* You can now open a browser to http://\[your-server-hostname\]:8080 and you should see the Trilium initialization page.
## Simple Autoupdate for Server
Run as the same User Trilium runs
if you run as root please remove 'sudo' from the commands
if you run as root please remove 'sudo' from the commands
requires "jq" ```apt install jq```
requires "jq" `apt install jq`
It will stop the service above, overwrite everything (i expect no config.ini), and start service
It also creates a version file in the Trilium directory so it updates only with a newer Version
It will stop the service above, overwrite everything (i expect no config.ini), and start service It also creates a version file in the Trilium directory so it updates only with a newer Version
```
#!/bin/bash
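Review bot: the merged line "and start service It also creates a version file" drops the sentence boundary that the two original lines had; write it as "...and start the service. It also creates a version file..." so it renders as two sentences. The change from ```` ```apt install jq``` ```` to `` `apt install jq` `` is correct, since triple backticks do not render as inline code in Markdown.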
@@ -177,4 +178,4 @@ If you get an error like this, you need to either upgrade your glibc (typically
## TLS
Don't forget to [configure TLS](../TLS%20Configuration.md), which is required for secure usage!
Don't forget to [configure TLS](../TLS%20Configuration.md), which is required for secure usage!

View File

@@ -236,4 +236,4 @@ Available build arguments:
* `USER`: Username for the non-root user (default: trilium)
* `UID`: User ID for the non-root user (default: 1000)
* `GID`: Group ID for the non-root user (default: 1000)
* `GID`: Group ID for the non-root user (default: 1000)

View File

@@ -34,10 +34,11 @@ MFA can only be set up on a server instance.
### OpenID
In order to setup OpenID, you will need to setup a authentication provider. This requires a bit of extra setup. Follow [these instructions](https://developers.google.com/identity/openid-connect/openid-connect) to setup an OpenID service through google.
In order to setup OpenID, you will need to setup a authentication provider. This requires a bit of extra setup. Follow [these instructions](https://developers.google.com/identity/openid-connect/openid-connect) to setup an OpenID service through google. The Redirect URL of Trilium is `https://<your-trilium-domain>/callback`.
1. Set the `oauthBaseUrl`, `oauthClientId` and `oauthClientSecret` in the `config.ini` file (check <a class="reference-link" href="../../Advanced%20Usage/Configuration%20(config.ini%20or%20e.md">Configuration (config.ini or environment variables)</a> for more information).
1. You can also setup through environment variables (`TRILIUM_OAUTH_BASE_URL`, `TRILIUM_OAUTH_CLIENT_ID` and `TRILIUM_OAUTH_CLIENT_SECRET`).
2. `oauthBaseUrl` should be the link of your Trilium instance server, for example, `https://<your-trilium-domain>`.
2. Restart the server
3. Go to "Menu" -> "Options" -> "MFA"
4. Click the “Enable Multi-Factor Authentication” checkbox if not checked
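Review bot: the new nested item "`oauthBaseUrl` should be the link of your Trilium instance server" and the new sentence "The Redirect URL of Trilium is `https://<your-trilium-domain>/callback`" should be tied together: the redirect URL registered at the provider is `oauthBaseUrl` plus `/callback`, so `oauthBaseUrl` has to be the external HTTPS origin browsers reach (not an internal `http://` address behind a reverse proxy), or the provider refuses the callback with a redirect_uri mismatch. Since this is the step where `oauthClientSecret` lands on disk, a one-line reminder to keep `config.ini` readable only by the Trilium user, or to pass `TRILIUM_OAUTH_CLIENT_SECRET` from a restricted unit or env file rather than the shell, would fit here.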
@@ -45,4 +46,15 @@ In order to setup OpenID, you will need to setup a authentication provider. This
6. Refresh the page and login through OpenID provider
> [!NOTE]
> The default OAuth issuer is Google. To use other services such as Authentik or Auth0, you can configure the settings via `oauthIssuerBaseUrl`, `oauthIssuerName`, and `oauthIssuerIcon` in the `config.ini` file. Alternatively, these values can be set using environment variables: `TRILIUM_OAUTH_ISSUER_BASE_URL`, `TRILIUM_OAUTH_ISSUER_NAME`, and `TRILIUM_OAUTH_ISSUER_ICON`. `oauthIssuerName` and `oauthIssuerIcon` are required for displaying correct issuer information at the Login page.
> The default OAuth issuer is Google. To use other services such as Authentik or Auth0, you can configure the settings via `oauthIssuerBaseUrl`, `oauthIssuerName`, and `oauthIssuerIcon` in the `config.ini` file. Alternatively, these values can be set using environment variables: `TRILIUM_OAUTH_ISSUER_BASE_URL`, `TRILIUM_OAUTH_ISSUER_NAME`, and `TRILIUM_OAUTH_ISSUER_ICON`. `oauthIssuerName` and `oauthIssuerIcon` are required for displaying correct issuer information at the Login page.
#### Authentik
If you dont already have a running Authentik instance, please follow [these instructions](https://docs.goauthentik.io/docs/install-config/install/docker-compose) to set one up.
1. In the Authentik admin dashboard, create a new OAuth2 application by following [these steps](https://docs.goauthentik.io/docs/add-secure-apps/providers/oauth2/create-oauth2-provider). Make sure to set the Redirect URL to: `https://<your-trilium-domain>/callback`.
2. In your config.ini file, set the relevant OAuth variables:
1. `oauthIssuerBaseUrl` → Use the `OpenID Configuration Issuer` URL from your application's overview page.
2. `oauthIssuerName` and `oauthIssuerIcon` → Set these to customize the name and icon displayed on the login page. If omitted, Googles name and icon will be shown by default.
3. Apply the changes by restarting your server.
4. Proceed with the remaining steps starting from Step 3 in the OpenID section.