mirror of https://github.com/FreshRSS/FreshRSS.git
Add OpenID Connect (#5351)
* Add OIDC * Update documentation. * Update apache conf adding IfModule * Use IfDefine for OIDC in apache conf * Fix non-oidc support * Fix typing * Use IfDefine to enable OIDC * Add OIDC support to all dockerfiles * Re add apache Require option * Fixes and documentation * A few more fixes * A bit more doc * Change type of environment variable * Update readme * Correct apache config for OIDC support. * Fix README formatting * Update oidc control path * Fix oidc endpoint being cached * A bit more review * Simplify ExpiresActive * Add session refresh and improve caching * Allow more different setups * A bit more documentation * A bit more readme --------- Co-authored-by: Aaron Schif <aschif@netdevgroup.com> Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr> Co-authored-by: maTh <math-home@web.de>
This commit is contained in:
parent
15d143989b
commit
58b254f9cb
|
@ -8,6 +8,7 @@ RUN apt-get update && \
|
|||
apt-get install --no-install-recommends -y \
|
||||
ca-certificates cron \
|
||||
apache2 libapache2-mod-php \
|
||||
libapache2-mod-auth-openidc \
|
||||
php-curl php-gmp php-intl php-mbstring php-xml php-zip \
|
||||
php-sqlite3 php-mysql php-pgsql && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
@ -55,6 +56,7 @@ ENV CRON_MIN ''
|
|||
ENV DATA_PATH ''
|
||||
ENV FRESHRSS_ENV ''
|
||||
ENV LISTEN ''
|
||||
ENV OIDC_ENABLED ''
|
||||
|
||||
ENTRYPOINT ["./Docker/entrypoint.sh"]
|
||||
|
||||
|
@ -62,4 +64,4 @@ EXPOSE 80
|
|||
# hadolint ignore=DL3025
|
||||
CMD ([ -z "$CRON_MIN" ] || cron) && \
|
||||
. /etc/apache2/envvars && \
|
||||
exec apache2 -D FOREGROUND
|
||||
exec apache2 -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
|
||||
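Review bot: The new CMD line `exec apache2 -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')` treats every non-integer value as "disabled": `[ "true" -ne 0 ]` makes sh print a bad-number error and exit non-zero, so `OIDC_ENABLED=true` or `yes` silently starts Apache without the `<IfDefine OIDC_ENABLED>` blocks, i.e. without the module's `Require valid-user` on `/i`. Prefer a string test that only accepts an explicit off value, e.g. replace the `$(...)` with `$(case "$OIDC_ENABLED" in ''|0|false|no) ;; *) echo '-D OIDC_ENABLED' ;; esac)`, or at least `[ "$OIDC_ENABLED" != 0 ]` plus a comment that the variable must be `0` or `1`. A misconfiguration that drops authentication should fail loudly rather than start the container; the same CMD expression recurs in the four other Dockerfile hunks of this commit and should be fixed together. Whether FreshRSS's own http_auth mode then rejects requests that carry no REMOTE_USER is outside this hunk.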
|
|
|
@ -53,10 +53,11 @@ ENV CRON_MIN ''
|
|||
ENV DATA_PATH ''
|
||||
ENV FRESHRSS_ENV ''
|
||||
ENV LISTEN ''
|
||||
ENV OIDC_ENABLED ''
|
||||
|
||||
ENTRYPOINT ["./Docker/entrypoint.sh"]
|
||||
|
||||
EXPOSE 80
|
||||
# hadolint ignore=DL3025
|
||||
CMD ([ -z "$CRON_MIN" ] || crond -d 6) && \
|
||||
exec httpd -D FOREGROUND
|
||||
exec httpd -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
|
||||
|
|
|
@ -6,6 +6,7 @@ RUN echo 'http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/reposit
|
|||
apk add --no-cache \
|
||||
tzdata \
|
||||
apache2 php82-apache2 \
|
||||
apache-mod-auth-openidc \
|
||||
php82 php82-curl php82-gmp php82-intl php82-mbstring php82-xml php82-zip \
|
||||
php82-ctype php82-dom php82-fileinfo php82-iconv php82-json php82-opcache php82-openssl php82-phar php82-session php82-simplexml php82-xmlreader php82-xmlwriter php82-xml php82-tokenizer php82-zlib \
|
||||
php82-pdo_sqlite php82-pdo_mysql php82-pdo_pgsql
|
||||
|
@ -55,10 +56,11 @@ ENV CRON_MIN ''
|
|||
ENV DATA_PATH ''
|
||||
ENV FRESHRSS_ENV ''
|
||||
ENV LISTEN ''
|
||||
ENV OIDC_ENABLED ''
|
||||
|
||||
ENTRYPOINT ["./Docker/entrypoint.sh"]
|
||||
|
||||
EXPOSE 80
|
||||
# hadolint ignore=DL3025
|
||||
CMD ([ -z "$CRON_MIN" ] || crond -d 6) && \
|
||||
exec httpd -D FOREGROUND
|
||||
exec httpd -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
|
||||
|
|
|
@ -55,10 +55,11 @@ ENV CRON_MIN ''
|
|||
ENV DATA_PATH ''
|
||||
ENV FRESHRSS_ENV ''
|
||||
ENV LISTEN ''
|
||||
ENV OIDC_ENABLED ''
|
||||
|
||||
ENTRYPOINT ["./Docker/entrypoint.sh"]
|
||||
|
||||
EXPOSE 80
|
||||
# hadolint ignore=DL3025
|
||||
CMD ([ -z "$CRON_MIN" ] || crond -d 6) && \
|
||||
exec httpd -D FOREGROUND
|
||||
exec httpd -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
|
||||
|
|
|
@ -14,6 +14,7 @@ RUN apt-get update && \
|
|||
apt-get install --no-install-recommends -y \
|
||||
ca-certificates cron \
|
||||
apache2 libapache2-mod-php \
|
||||
libapache2-mod-auth-openidc \
|
||||
php-curl php-gmp php-intl php-mbstring php-xml php-zip \
|
||||
php-sqlite3 php-mysql php-pgsql && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
@ -67,6 +68,7 @@ ENV CRON_MIN ''
|
|||
ENV DATA_PATH ''
|
||||
ENV FRESHRSS_ENV ''
|
||||
ENV LISTEN ''
|
||||
ENV OIDC_ENABLED ''
|
||||
|
||||
ENTRYPOINT ["./Docker/entrypoint.sh"]
|
||||
|
||||
|
@ -74,4 +76,4 @@ EXPOSE 80
|
|||
# hadolint ignore=DL3025
|
||||
CMD ([ -z "$CRON_MIN" ] || cron) && \
|
||||
. /etc/apache2/envvars && \
|
||||
exec apache2 -D FOREGROUND
|
||||
exec apache2 -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
|
||||
|
|
|
@ -10,6 +10,24 @@ AllowEncodedSlashes On
|
|||
ServerTokens OS
|
||||
TraceEnable Off
|
||||
|
||||
<IfDefine OIDC_ENABLED>
|
||||
<IfModule !auth_openidc_module>
|
||||
Error "The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED."
|
||||
</IfModule>
|
||||
|
||||
OIDCProviderMetadataURL ${OIDC_PROVIDER_METADATA_URL}
|
||||
OIDCClientID ${OIDC_CLIENT_ID}
|
||||
OIDCClientSecret ${OIDC_CLIENT_SECRET}
|
||||
|
||||
OIDCRedirectURI /i/oidc/
|
||||
OIDCCryptoPassphrase ${OIDC_CLIENT_CRYPTO_KEY}
|
||||
|
||||
OIDCRemoteUserClaim preferred_username
|
||||
OIDCScope "openid"
|
||||
|
||||
OIDCRefreshAccessTokenBeforeExpiry 30
|
||||
</IfDefine>
|
||||
|
||||
<Directory />
|
||||
AllowOverride None
|
||||
Options FollowSymLinks
|
||||
|
@ -28,6 +46,12 @@ TraceEnable Off
|
|||
</Directory>
|
||||
|
||||
<Directory /var/www/FreshRSS/p/i>
|
||||
ExpiresActive Off
|
||||
|
||||
<IfDefine OIDC_ENABLED>
|
||||
AuthType openid-connect
|
||||
Require valid-user
|
||||
</IfDefine>
|
||||
IncludeOptional /var/www/FreshRSS/p/i/.htaccess
|
||||
</Directory>
|
||||
|
||||
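Review bot: `OIDCCryptoPassphrase ${OIDC_CLIENT_CRYPTO_KEY}` (like the `OIDCProviderMetadataURL`, `OIDCClientID` and `OIDCClientSecret` lines above it) depends on Apache's environment-variable expansion, and when the variable is not set Apache only logs a warning and leaves the text unexpanded, so a container started with `OIDC_ENABLED=1` but without `OIDC_CLIENT_CRYPTO_KEY` would run with the literal, publicly known passphrase `${OIDC_CLIENT_CRYPTO_KEY}` protecting mod_auth_openidc's session and state cookies. The `<IfModule !auth_openidc_module>` / `Error` guard only covers a missing module and `<IfDefine>` cannot test environment variables, so the presence check belongs in the CMD or `Docker/entrypoint.sh` before `-D OIDC_ENABLED` is passed, refusing to start when any of the four variables is empty. A comment above the block would help operators, e.g. `# All four OIDC_* variables are mandatory when OIDC_ENABLED is set; OIDC_CLIENT_CRYPTO_KEY must be a long random secret`. Separately, per the OIDC Core specification `preferred_username` belongs to the `profile` scope, so with `OIDCScope "openid"` alone a provider may omit the claim named in `OIDCRemoteUserClaim preferred_username`; if this has been verified with the intended providers, a comment saying so (or adding `profile` to the scope) would avoid a hard-to-diagnose login failure.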
|
|
|
@ -330,6 +330,9 @@ services:
|
|||
FRESHRSS_ENV: development
|
||||
# Optional advanced parameter controlling the internal Apache listening port
|
||||
LISTEN: 0.0.0.0:80
|
||||
# Optional parameter, set to 1 to enable OpenID Connect (only available in our Debian image)
|
||||
# Requires more environment variables. See https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html
|
||||
OIDC_ENABLED: 0
|
||||
# Optional auto-install parameters (the Web interface install is recommended instead):
|
||||
# ⚠️ Parameters below are only used at the very first run (so far).
|
||||
# So if changes are made (or in .env file), first delete the service and volumes.
|
||||
|
|
|
@ -17,7 +17,9 @@ FreshRSS est capable de recevoir des notifications push instantanées depuis les
|
|||
|
||||
FreshRSS supporte nativement le moissonnage du Web (Web Scraping) basique, basé sur [XPath](https://www.w3.org/TR/xpath-10/), pour les sites Web sans flux RSS / Atom.
|
||||
|
||||
Enfin, il permet l’ajout d’[extensions](#extensions) pour encore plus de personnalisation.
|
||||
Plusieurs [méthodes de connexion](https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html) sont supportées : formulaire Web (avec un mode anonyme), Authentification HTTP (compatible avec proxy), OpenID Connect.
|
||||
|
||||
Enfin, FreshRSS permet l’ajout d’[extensions](#extensions) pour encore plus de personnalisation.
|
||||
|
||||
* Site officiel : <https://freshrss.org>
|
||||
* Démo : <http://demo.freshrss.org/>
|
||||
|
|
|
@ -17,7 +17,9 @@ FreshRSS is able to receive instant push notifications from compatible sources,
|
|||
|
||||
FreshRSS natively supports basic Web scraping, based on [XPath](https://www.w3.org/TR/xpath-10/), for Web sites not providing any RSS / Atom feed.
|
||||
|
||||
Finally, it supports [extensions](#extensions) for further tuning.
|
||||
Different [login methods](https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html) are supported: Web form (including an anonymous option), HTTP Authentication (compatible with proxy delegation), OpenID Connect.
|
||||
|
||||
Finally, FreshRSS supports [extensions](#extensions) for further tuning.
|
||||
|
||||
* Official website: <https://freshrss.org>
|
||||
* Demo: <https://demo.freshrss.org/>
|
||||
|
|
|
@ -1,3 +1,16 @@
|
|||
<?php
|
||||
function get_logout_url(): string {
|
||||
if (($_SERVER['AUTH_TYPE'] ?? '') === 'openid-connect') {
|
||||
$url_string = urlencode(Minz_Request::guessBaseUrl());
|
||||
return './oidc/?logout=' . $url_string . '/';
|
||||
# The trailing slash is necessary so that we don’t redirect to http://.
|
||||
# https://bz.apache.org/bugzilla/show_bug.cgi?id=61355#c13
|
||||
} else {
|
||||
return _url('auth', 'logout') ?: '';
|
||||
}
|
||||
}
|
||||
?>
|
||||
|
||||
<nav class="nav nav-list aside" id="aside_feed">
|
||||
<a class="toggle_aside" href="#close"><?= _i('close') ?></a>
|
||||
|
||||
|
@ -9,7 +22,7 @@
|
|||
<a href="<?= _url('user', 'profile') ?>"><?= _t('gen.menu.user_profile') ?></a>
|
||||
</li>
|
||||
<li class="item">
|
||||
<a class="signout" href="<?= _url('auth', 'logout') ?>">
|
||||
<a class="signout" href="<?= get_logout_url() ?>">
|
||||
<?php
|
||||
echo _t('gen.auth.logout'); ?> <?= _i('logout') ?></a>
|
||||
</li>
|
||||
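Review bot: `function get_logout_url()` is declared unconditionally inside a view template, so if this fragment is rendered twice in one request, or another template defines the same name, PHP aborts with a fatal "Cannot redeclare" error; guard it with `if (!function_exists('get_logout_url')) {` … `}` or move it to a shared helper. The explanatory comment about the trailing slash is placed after `return './oidc/?logout=' . $url_string . '/';`, where it reads as belonging to nothing; moving it above the return makes the intent visible. The branch is selected by `$_SERVER['AUTH_TYPE']`, which is set by the Apache module rather than by FreshRSS's configured auth method — presumably intended so the same template serves both setups, but a one-line comment saying so would save the next reader a lookup. `Minz_Request::guessBaseUrl()` presumably derives the post-logout target from request headers; if so, it is worth confirming that mod_auth_openidc validates the `logout=` value against its allowed redirect targets rather than following it blindly.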
|
|
|
@ -20,6 +20,7 @@ Learn how to install, update, and backup FreshRSS, as well as how to use the com
|
|||
* [Updating on Debian 9/Ubuntu 16.04](07_LinuxUpdate.md)
|
||||
* [Setting Up Automatic Feed Updating](08_FeedUpdates.md)
|
||||
* [Access Control](09_AccessControl.md)
|
||||
* [OpenID Connect](16_OpenID-Connect.md)
|
||||
* [Apache/Nginx configuration files](10_ServerConfig.md)
|
||||
* [Database configuration](DatabaseConfig.md)
|
||||
* [Using the command line interface (CLI)](https://github.com/FreshRSS/FreshRSS/tree/edge/cli)
|
||||
|
|
|
@ -37,6 +37,10 @@ WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option,
|
|||
Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin.
|
||||
It is never advisable to not use any form of authentication, but **never** chose this option on a server that is able to be accessed outside of your home network.
|
||||
|
||||
## OpenID Connect
|
||||
|
||||
* See [dedicated section](16_OpenID-Connect.md).
|
||||
|
||||
## Hints
|
||||
|
||||
You can switch your authentication method at any time by editing the `./data/config.php` file, on the line that begins `'auth_type'`.
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
# OpenID Connect (OIDC)
|
||||
|
||||
See: [What is OpenID Connect?](https://openid.net/connect/).
|
||||
|
||||
This is one of the [access control methods](09_AccessControl.md) supported by FreshRSS.
|
||||
|
||||
OIDC support is provided by [mod_auth_openidc](https://github.com/OpenIDC/mod_auth_openidc).
|
||||
Additional documentation can be found in that project.
|
||||
|
||||
## Using Docker
|
||||
|
||||
OIDC support in Docker is activated by the presence of a non-empty non-zero `OIDC_ENABLED` environment variable.
|
||||
|
||||
> ℹ️ Only available in our Debian image.
|
||||
|
||||
## The config is done with these environment variables
|
||||
|
||||
* `OIDC_ENABLED`: Activates OIDC support.
|
||||
* `OIDC_PROVIDER_METADATA_URL`: The config URL. Usually looks like: `<issuer>/.well-known/openid-configuration`
|
||||
* `OIDC_CLIENT_ID`: The OIDC client id from your issuer.
|
||||
* `OIDC_CLIENT_SECRET`: The OIDC client secret issuer.
|
||||
* `OIDC_CLIENT_CRYPTO_KEY`: An opaque key used for internal encryption.
|
||||
|
||||
You may add additional custom configuration in a new `./FreshRSS/p/i/.htaccess` file.
|
||||
|
||||
## Using own Apache installation
|
||||
|
||||
See our reference [Apache configuration](https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/FreshRSS.Apache.conf) for more information.
|
||||
|
||||
## Setup
|
||||
|
||||
After being properly configured, OIDC support can be activated in FreshRSS.
|
||||
|
||||
During a new FreshRSS install, the **HTTP Authentication Method** must be picked.
|
||||
|
||||
After install, the method can be changed in *Administration > Authentication*.
|