authorGravatar Aaron Schif <aaronschif@gmail.com> 2023-06-12 03:22:46 -0500
committerGravatar GitHub <noreply@github.com> 2023-06-12 10:22:46 +0200
commit58b254f9cb923d5d0dfe53df4bca8a0f00bbcf0b (patch)
treeccd368d81044a38d1b2713e67f3faff6ada865b9
parent15d143989b8ed1f73f1c574b03e03d4f4c820b11 (diff)
Add OpenID Connect (#5351)
* Add OIDC * Update documentation. * Update apache conf adding IfModule * Use IfDefine for OIDC in apache conf * Fix non-oidc support * Fix typing * Use IfDefine to enable OIDC * Add OIDC support to all dockerfiles * Re add apache Require option * Fixes and documentation * A few more fixes * A bit more doc * Change type of environment variable * Update readme * Correct apache config for OIDC support. * Fix README formatting * Update oidc control path * Fix oidc endpoint being cached * A bit more review * Simplify ExpiresActive * Add session refresh and improve caching * Allow more different setups * A bit more documentation * A bit more readme --------- Co-authored-by: Aaron Schif <aschif@netdevgroup.com> Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr> Co-authored-by: maTh <math-home@web.de>
-rw-r--r--Docker/Dockerfile4
-rw-r--r--Docker/Dockerfile-Alpine3
-rw-r--r--Docker/Dockerfile-Newest4
-rw-r--r--Docker/Dockerfile-Oldest3
-rw-r--r--Docker/Dockerfile-QEMU-ARM4
-rw-r--r--Docker/FreshRSS.Apache.conf24
-rw-r--r--Docker/README.md3
-rw-r--r--README.fr.md4
-rw-r--r--README.md4
-rw-r--r--app/layout/aside_configure.phtml15
-rw-r--r--docs/en/admins/01_Index.md1
-rw-r--r--docs/en/admins/09_AccessControl.md4
-rw-r--r--docs/en/admins/16_OpenID-Connect.md36
13 files changed, 101 insertions, 8 deletions
diff --git a/Docker/Dockerfile b/Docker/Dockerfile
index 211df9aaa..b205b9d9c 100644
--- a/Docker/Dockerfile
+++ b/Docker/Dockerfile
@@ -8,6 +8,7 @@ RUN apt-get update && \
apt-get install --no-install-recommends -y \
ca-certificates cron \
apache2 libapache2-mod-php \
+ libapache2-mod-auth-openidc \
php-curl php-gmp php-intl php-mbstring php-xml php-zip \
php-sqlite3 php-mysql php-pgsql && \
rm -rf /var/lib/apt/lists/*
@@ -55,6 +56,7 @@ ENV CRON_MIN ''
ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
+ENV OIDC_ENABLED ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
@@ -62,4 +64,4 @@ EXPOSE 80
# hadolint ignore=DL3025
CMD ([ -z "$CRON_MIN" ] || cron) && \
. /etc/apache2/envvars && \
- exec apache2 -D FOREGROUND
+ exec apache2 -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
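Review bot: When OIDC_ENABLED is non-zero, nothing on the new last line checks that the variables the Apache config consumes (`OIDC_PROVIDER_METADATA_URL`, `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET`, `OIDC_CLIENT_CRYPTO_KEY`) are actually set; as far as I recall Apache leaves an undefined `${VAR}` reference as literal text and only logs a warning, so a missing `OIDC_CLIENT_CRYPTO_KEY` would leave the module running with the placeholder string as its passphrase, identical in every such deployment. Add a guard step before the exec, e.g. `([ -z "$OIDC_ENABLED" ] || [ "$OIDC_ENABLED" -eq 0 ] || : "${OIDC_PROVIDER_METADATA_URL:?}" "${OIDC_CLIENT_ID:?}" "${OIDC_CLIENT_SECRET:?}" "${OIDC_CLIENT_CRYPTO_KEY:?}") && \`, or perform the same check in Docker/entrypoint.sh, which is already the ENTRYPOINT. Separately, `[ "$OIDC_ENABLED" -ne 0 ]` is not a valid test for non-integer values such as `true` or `yes`: `[` prints an error to stderr and returns non-zero, so OIDC is silently left off; either document that only integers are accepted or reject such values explicitly. The same CMD line appears in the Dockerfile-Alpine, Dockerfile-Newest, Dockerfile-Oldest and Dockerfile-QEMU-ARM hunks.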
diff --git a/Docker/Dockerfile-Alpine b/Docker/Dockerfile-Alpine
index 6aa1d7359..59142384c 100644
--- a/Docker/Dockerfile-Alpine
+++ b/Docker/Dockerfile-Alpine
@@ -53,10 +53,11 @@ ENV CRON_MIN ''
ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
+ENV OIDC_ENABLED ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
EXPOSE 80
# hadolint ignore=DL3025
CMD ([ -z "$CRON_MIN" ] || crond -d 6) && \
- exec httpd -D FOREGROUND
+ exec httpd -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
diff --git a/Docker/Dockerfile-Newest b/Docker/Dockerfile-Newest
index bee845771..8c2d6eb71 100644
--- a/Docker/Dockerfile-Newest
+++ b/Docker/Dockerfile-Newest
@@ -6,6 +6,7 @@ RUN echo 'http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/reposit
apk add --no-cache \
tzdata \
apache2 php82-apache2 \
+ apache-mod-auth-openidc \
php82 php82-curl php82-gmp php82-intl php82-mbstring php82-xml php82-zip \
php82-ctype php82-dom php82-fileinfo php82-iconv php82-json php82-opcache php82-openssl php82-phar php82-session php82-simplexml php82-xmlreader php82-xmlwriter php82-xml php82-tokenizer php82-zlib \
php82-pdo_sqlite php82-pdo_mysql php82-pdo_pgsql
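Review bot: `apache-mod-auth-openidc` is installed here from the `edge/testing` repository enabled on the hunk's first context line, while the Docker/README.md and docs hunks in this commit state that OIDC is only available in the Debian image; either the Alpine "Newest" image is meant to support it, in which case the documentation should say so, or the package should not be added. If Alpine's httpd additionally needs an explicit `LoadModule` line for the module (I cannot confirm that from here), the `<IfModule !auth_openidc_module>` Error in FreshRSS.Apache.conf would refuse to start with OIDC_ENABLED set, which is the safe outcome but worth a comment. Pulling an authentication module from a testing repository also means its version is not pinned; consider whether that is acceptable for a security-critical component.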
@@ -55,10 +56,11 @@ ENV CRON_MIN ''
ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
+ENV OIDC_ENABLED ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
EXPOSE 80
# hadolint ignore=DL3025
CMD ([ -z "$CRON_MIN" ] || crond -d 6) && \
- exec httpd -D FOREGROUND
+ exec httpd -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
diff --git a/Docker/Dockerfile-Oldest b/Docker/Dockerfile-Oldest
index 11dd34a65..88d02b512 100644
--- a/Docker/Dockerfile-Oldest
+++ b/Docker/Dockerfile-Oldest
@@ -55,10 +55,11 @@ ENV CRON_MIN ''
ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
+ENV OIDC_ENABLED ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
EXPOSE 80
# hadolint ignore=DL3025
CMD ([ -z "$CRON_MIN" ] || crond -d 6) && \
- exec httpd -D FOREGROUND
+ exec httpd -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
diff --git a/Docker/Dockerfile-QEMU-ARM b/Docker/Dockerfile-QEMU-ARM
index b878399ac..7654a187d 100644
--- a/Docker/Dockerfile-QEMU-ARM
+++ b/Docker/Dockerfile-QEMU-ARM
@@ -14,6 +14,7 @@ RUN apt-get update && \
apt-get install --no-install-recommends -y \
ca-certificates cron \
apache2 libapache2-mod-php \
+ libapache2-mod-auth-openidc \
php-curl php-gmp php-intl php-mbstring php-xml php-zip \
php-sqlite3 php-mysql php-pgsql && \
rm -rf /var/lib/apt/lists/*
@@ -67,6 +68,7 @@ ENV CRON_MIN ''
ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
+ENV OIDC_ENABLED ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
@@ -74,4 +76,4 @@ EXPOSE 80
# hadolint ignore=DL3025
CMD ([ -z "$CRON_MIN" ] || cron) && \
. /etc/apache2/envvars && \
- exec apache2 -D FOREGROUND
+ exec apache2 -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
diff --git a/Docker/FreshRSS.Apache.conf b/Docker/FreshRSS.Apache.conf
index b943f9fa7..e5576ac8f 100644
--- a/Docker/FreshRSS.Apache.conf
+++ b/Docker/FreshRSS.Apache.conf
@@ -10,6 +10,24 @@ AllowEncodedSlashes On
ServerTokens OS
TraceEnable Off
+<IfDefine OIDC_ENABLED>
+ <IfModule !auth_openidc_module>
+ Error "The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED."
+ </IfModule>
+
+ OIDCProviderMetadataURL ${OIDC_PROVIDER_METADATA_URL}
+ OIDCClientID ${OIDC_CLIENT_ID}
+ OIDCClientSecret ${OIDC_CLIENT_SECRET}
+
+ OIDCRedirectURI /i/oidc/
+ OIDCCryptoPassphrase ${OIDC_CLIENT_CRYPTO_KEY}
+
+ OIDCRemoteUserClaim preferred_username
+ OIDCScope "openid"
+
+ OIDCRefreshAccessTokenBeforeExpiry 30
+</IfDefine>
+
<Directory />
AllowOverride None
Options FollowSymLinks
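Review bot: `OIDCRemoteUserClaim preferred_username` maps that claim directly onto the FreshRSS account name, but the OpenID Connect Core specification says relying parties must not rely on `preferred_username` being unique or stable, and some providers let users change it, so a duplicate or renamed value could resolve to another user's account; add a comment above that line such as `# preferred_username must be unique and immutable at your provider; otherwise use a stable claim such as sub (see the OIDCRemoteUserClaim documentation)` and mirror the requirement in 16_OpenID-Connect.md. Related: `OIDCScope "openid"` only guarantees the `sub` claim, while `preferred_username` belongs to the `profile` scope, so providers that honour scopes strictly may return no username and the module will have no REMOTE_USER to hand to FreshRSS; `OIDCScope "openid profile"` would be the safer default. The enclosing configuration continues past the hunk.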
@@ -28,6 +46,12 @@ TraceEnable Off
</Directory>
<Directory /var/www/FreshRSS/p/i>
+ ExpiresActive Off
+
+ <IfDefine OIDC_ENABLED>
+ AuthType openid-connect
+ Require valid-user
+ </IfDefine>
IncludeOptional /var/www/FreshRSS/p/i/.htaccess
</Directory>
diff --git a/Docker/README.md b/Docker/README.md
index 0e8b16c55..1fbc9634c 100644
--- a/Docker/README.md
+++ b/Docker/README.md
@@ -330,6 +330,9 @@ services:
FRESHRSS_ENV: development
# Optional advanced parameter controlling the internal Apache listening port
LISTEN: 0.0.0.0:80
+ # Optional parameter, set to 1 to enable OpenID Connect (only available in our Debian image)
+ # Requires more environment variables. See https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html
+ OIDC_ENABLED: 0
# Optional auto-install parameters (the Web interface install is recommended instead):
# ⚠️ Parameters below are only used at the very first run (so far).
# So if changes are made (or in .env file), first delete the service and volumes.
diff --git a/README.fr.md b/README.fr.md
index 68a6a1d31..3f5967ff1 100644
--- a/README.fr.md
+++ b/README.fr.md
@@ -17,7 +17,9 @@ FreshRSS est capable de recevoir des notifications push instantanées depuis les
FreshRSS supporte nativement le moissonnage du Web (Web Scraping) basique, basé sur [XPath](https://www.w3.org/TR/xpath-10/), pour les sites Web sans flux RSS / Atom.
-Enfin, il permet l’ajout d’[extensions](#extensions) pour encore plus de personnalisation.
+Plusieurs [méthodes de connexion](https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html) sont supportées : formulaire Web (avec un mode anonyme), Authentification HTTP (compatible avec proxy), OpenID Connect.
+
+Enfin, FreshRSS permet l’ajout d’[extensions](#extensions) pour encore plus de personnalisation.
* Site officiel : <https://freshrss.org>
* Démo : <http://demo.freshrss.org/>
diff --git a/README.md b/README.md
index 05faa4dc3..da2da8123 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,9 @@ FreshRSS is able to receive instant push notifications from compatible sources,
FreshRSS natively supports basic Web scraping, based on [XPath](https://www.w3.org/TR/xpath-10/), for Web sites not providing any RSS / Atom feed.
-Finally, it supports [extensions](#extensions) for further tuning.
+Different [login methods](https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html) are supported: Web form (including an anonymous option), HTTP Authentication (compatible with proxy delegation), OpenID Connect.
+
+Finally, FreshRSS supports [extensions](#extensions) for further tuning.
* Official website: <https://freshrss.org>
* Demo: <https://demo.freshrss.org/>
diff --git a/app/layout/aside_configure.phtml b/app/layout/aside_configure.phtml
index e179ef121..87fd27c59 100644
--- a/app/layout/aside_configure.phtml
+++ b/app/layout/aside_configure.phtml
@@ -1,3 +1,16 @@
+<?php
+function get_logout_url(): string {
+ if (($_SERVER['AUTH_TYPE'] ?? '') === 'openid-connect') {
+ $url_string = urlencode(Minz_Request::guessBaseUrl());
+ return './oidc/?logout=' . $url_string . '/';
+ # The trailing slash is necessary so that we don’t redirect to http://.
+ # https://bz.apache.org/bugzilla/show_bug.cgi?id=61355#c13
+ } else {
+ return _url('auth', 'logout') ?: '';
+ }
+}
+?>
+
<nav class="nav nav-list aside" id="aside_feed">
<a class="toggle_aside" href="#close"><?= _i('close') ?></a>
@@ -9,7 +22,7 @@
<a href="<?= _url('user', 'profile') ?>"><?= _t('gen.menu.user_profile') ?></a>
</li>
<li class="item">
- <a class="signout" href="<?= _url('auth', 'logout') ?>">
+ <a class="signout" href="<?= get_logout_url() ?>">
<?php
echo _t('gen.auth.logout'); ?> <?= _i('logout') ?></a>
</li>
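Review bot: `get_logout_url()` is declared as a plain named function inside a view template; if aside_configure.phtml is rendered twice in one request or included from another template, PHP fails with a redeclaration error, so either wrap the definition in `if (!function_exists('get_logout_url')) { ... }` or move it into a controller or helper class. The explanatory comment about the trailing slash sits after the `return`, where it reads as dead code; move it above the return statement it explains. Since the `logout=` value is handed to mod_auth_openidc as a post-logout redirect target, make sure `Minz_Request::guessBaseUrl()` yields the configured base URL rather than one derived from the request's Host header (its implementation is not visible here).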
diff --git a/docs/en/admins/01_Index.md b/docs/en/admins/01_Index.md
index 8bf07c021..a7aa01140 100644
--- a/docs/en/admins/01_Index.md
+++ b/docs/en/admins/01_Index.md
@@ -20,6 +20,7 @@ Learn how to install, update, and backup FreshRSS, as well as how to use the com
* [Updating on Debian 9/Ubuntu 16.04](07_LinuxUpdate.md)
* [Setting Up Automatic Feed Updating](08_FeedUpdates.md)
* [Access Control](09_AccessControl.md)
+* [OpenID Connect](16_OpenID-Connect.md)
* [Apache/Nginx configuration files](10_ServerConfig.md)
* [Database configuration](DatabaseConfig.md)
* [Using the command line interface (CLI)](https://github.com/FreshRSS/FreshRSS/tree/edge/cli)
diff --git a/docs/en/admins/09_AccessControl.md b/docs/en/admins/09_AccessControl.md
index 4bd4dc8b5..870d3a6ad 100644
--- a/docs/en/admins/09_AccessControl.md
+++ b/docs/en/admins/09_AccessControl.md
@@ -37,6 +37,10 @@ WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option,
Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin.
It is never advisable to not use any form of authentication, but **never** chose this option on a server that is able to be accessed outside of your home network.
+## OpenID Connect
+
+* See [dedicated section](16_OpenID-Connect.md).
+
## Hints
You can switch your authentication method at any time by editing the `./data/config.php` file, on the line that begins `'auth_type'`.
diff --git a/docs/en/admins/16_OpenID-Connect.md b/docs/en/admins/16_OpenID-Connect.md
new file mode 100644
index 000000000..16adb4532
--- /dev/null
+++ b/docs/en/admins/16_OpenID-Connect.md
@@ -0,0 +1,36 @@
+# OpenID Connect (OIDC)
+
+See: [What is OpenID Connect?](https://openid.net/connect/).
+
+This is one of the [access control methods](09_AccessControl.md) supported by FreshRSS.
+
+OIDC support is provided by [mod_auth_openidc](https://github.com/OpenIDC/mod_auth_openidc).
+Additional documentation can be found in that project.
+
+## Using Docker
+
+OIDC support in Docker is activated by the presence of a non-empty non-zero `OIDC_ENABLED` environment variable.
+
+> ℹ️ Only available in our Debian image.
+
+## The config is done with these environment variables
+
+* `OIDC_ENABLED`: Activates OIDC support.
+* `OIDC_PROVIDER_METADATA_URL`: The config URL. Usually looks like: `<issuer>/.well-known/openid-configuration`
+* `OIDC_CLIENT_ID`: The OIDC client id from your issuer.
+* `OIDC_CLIENT_SECRET`: The OIDC client secret issuer.
+* `OIDC_CLIENT_CRYPTO_KEY`: An opaque key used for internal encryption.
+
+You may add additional custom configuration in a new `./FreshRSS/p/i/.htaccess` file.
+
+## Using own Apache installation
+
+See our reference [Apache configuration](https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/FreshRSS.Apache.conf) for more information.
+
+## Setup
+
+After being properly configured, OIDC support can be activated in FreshRSS.
+
+During a new FreshRSS install, the **HTTP Authentication Method** must be picked.
+
+After install, the method can be changed in *Administration > Authentication*.