authorGravatar Aaron Schif <aaronschif@gmail.com> 2023-06-12 03:22:46 -0500
committerGravatar GitHub <noreply@github.com> 2023-06-12 10:22:46 +0200
commit58b254f9cb923d5d0dfe53df4bca8a0f00bbcf0b (patch)
treeccd368d81044a38d1b2713e67f3faff6ada865b9 /Docker/FreshRSS.Apache.conf
parent15d143989b8ed1f73f1c574b03e03d4f4c820b11 (diff)
Add OpenID Connect (#5351)
* Add OIDC * Update documentation. * Update apache conf adding IfModule * Use IfDefine for OIDC in apache conf * Fix non-oidc support * Fix typing * Use IfDefine to enable OIDC * Add OIDC support to all dockerfiles * Re add apache Require option * Fixes and documentation * A few more fixes * A bit more doc * Change type of environment variable * Update readme * Correct apache config for OIDC support. * Fix README formatting * Update oidc control path * Fix oidc endpoint being cached * A bit more review * Simplify ExpiresActive * Add session refresh and improve caching * Allow more different setups * A bit more documentation * A bit more readme --------- Co-authored-by: Aaron Schif <aschif@netdevgroup.com> Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr> Co-authored-by: maTh <math-home@web.de>
Diffstat (limited to 'Docker/FreshRSS.Apache.conf')
-rw-r--r--Docker/FreshRSS.Apache.conf24
1 files changed, 24 insertions, 0 deletions
diff --git a/Docker/FreshRSS.Apache.conf b/Docker/FreshRSS.Apache.conf
index b943f9fa7..e5576ac8f 100644
--- a/Docker/FreshRSS.Apache.conf
+++ b/Docker/FreshRSS.Apache.conf
@@ -10,6 +10,24 @@ AllowEncodedSlashes On
ServerTokens OS
TraceEnable Off
+<IfDefine OIDC_ENABLED>
+ <IfModule !auth_openidc_module>
+ Error "The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED."
+ </IfModule>
+
+ OIDCProviderMetadataURL ${OIDC_PROVIDER_METADATA_URL}
+ OIDCClientID ${OIDC_CLIENT_ID}
+ OIDCClientSecret ${OIDC_CLIENT_SECRET}
+
+ OIDCRedirectURI /i/oidc/
+ OIDCCryptoPassphrase ${OIDC_CLIENT_CRYPTO_KEY}
+
+ OIDCRemoteUserClaim preferred_username
+ OIDCScope "openid"
+
+ OIDCRefreshAccessTokenBeforeExpiry 30
+</IfDefine>
+
<Directory />
AllowOverride None
Options FollowSymLinks
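Review bot: `OIDCRemoteUserClaim preferred_username` sets REMOTE_USER from a claim that OpenID Connect Core does not guarantee to be unique or stable, so whether two provider accounts can ever resolve to the same local user depends entirely on the provider's username policy. I would add a comment above it, such as `# preferred_username is only safe with a provider that keeps it unique and never reassigns it`, or make the claim configurable. Separately, Apache leaves `${OIDC_CLIENT_SECRET}` and `${OIDC_CLIENT_CRYPTO_KEY}` as literal text when the variable is unset and only logs a warning, which would give `OIDCCryptoPassphrase` a predictable value. Whatever defines OIDC_ENABLED is not in this hunk, but it should refuse to start when either variable is empty.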
@@ -28,6 +46,12 @@ TraceEnable Off
</Directory>
<Directory /var/www/FreshRSS/p/i>
+ ExpiresActive Off
+
+ <IfDefine OIDC_ENABLED>
+ AuthType openid-connect
+ Require valid-user
+ </IfDefine>
IncludeOptional /var/www/FreshRSS/p/i/.htaccess
</Directory>
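Review bot: `Require valid-user` in the `/var/www/FreshRSS/p/i` block admits every identity the provider will authenticate for this client, so with a shared or public provider, access control rests on the provider's client assignment and on what the application does with REMOTE_USER, neither of which is visible here. Deployments that need a narrower set can use mod_auth_openidc's claim-based form, e.g. `Require claim groups:freshrss` (constructed example), and the block deserves a comment saying so. The `IncludeOptional` of `.htaccess` sits in the same block after the auth directives, so it is worth confirming that file carries no `AuthType`/`Require` lines that would alter them. `ExpiresActive Off` is added outside the `IfDefine` and therefore applies to non-OIDC setups too; judging by the commit message it is there to stop the OIDC endpoint being cached, and a one-line comment such as `# do not set Expires headers on the authenticated UI and OIDC redirect endpoint` would record that.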