Authelia OIDC configuration for Harbor

[sy6sy2]

It was a pain for me to have Authelia and Harbor working together correctly. This is why I want to share my working configuration and also have feedback from other users in the same situation.
If you don't want the full story, go back at the end of this post to see my working configuration.

I am not an OIDC expert so correct me if I'm wrong somewhere.

Since the beginning I had this warning message in harbor:

harbor-core  | 2025-09-17T11:40:09Z [WARNING] [/pkg/oidc/helper.go:390]: OIDC. Failed to recover Username from claim. Claim 'preferred_username' is invalid or not a string
harbor-core  | 2025-09-17T11:40:09Z [WARNING] [/pkg/oidc/helper.go:417]: Unable to get groups from claims, claims: map[amr:[pwd kba] at_hash:REWRCmclGkhRi20p-dfgUg aud:[harbor] auth_time:1.758109205e+09 azp:harbor exp:1.758116409e+09 iat:1.758109209e+09 iss:https://authelia.XXXXXXXXX.org jti:7a959327-0c9d-4e67-9dc3-0b08e1a5f668 sub:3e2cb9a9-2c49-45ac-8e43-9ca55222a303], groups claims key: groups

With debug log level I was able to obtain the JWT send by Authelia and I was able to decode it, and, in fact, preferred_username and groups fields are not present in the token.
It seems to be the default behavior of Authelia, and, after some internet research, it seems that the classic way to do for a client is to use the /userinfo endpoint to obtain these fields. But Harbor seems to expect them in the Id token.

So we need to explicitly ask Authelia to add these fields in the ID token, and it seems to work.

You will find bellow my current configuration for Harbor v2.13.1 and Authelia v4.39.7.

Authelia partial config:

identity_providers:
  oidc:
    claims_policies:
      legacy:
        id_token:
          - preferred_username
          - name
          - email
          - groups
    clients:
      - client_id: 'harbor'
        client_name: 'Harbor'
        client_secret: 'SECRET'
        public: false
        authorization_policy: 'harbor_policy'
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://registry.XXXXX.org/c/oidc/callback'
        response_types:
          - 'code'
        grant_types:
          - 'refresh_token'
          - 'authorization_code'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
          - 'email'
          - 'offline_access'
        userinfo_signed_response_alg: 'none'
        access_token_signed_response_alg: 'none'
        pre_configured_consent_duration: '4 week'
        token_endpoint_auth_method: 'client_secret_basic'
        id_token_signed_response_alg: 'RS256'
        claims_policy: legacy

Harbor OIDC config: