authorGravatar Aaron Schif <aaronschif@gmail.com> 2023-06-12 03:22:46 -0500
committerGravatar GitHub <noreply@github.com> 2023-06-12 10:22:46 +0200
commit58b254f9cb923d5d0dfe53df4bca8a0f00bbcf0b (patch)
treeccd368d81044a38d1b2713e67f3faff6ada865b9 /Docker
parent15d143989b8ed1f73f1c574b03e03d4f4c820b11 (diff)
Add OpenID Connect (#5351)
* Add OIDC * Update documentation. * Update apache conf adding IfModule * Use IfDefine for OIDC in apache conf * Fix non-oidc support * Fix typing * Use IfDefine to enable OIDC * Add OIDC support to all dockerfiles * Re add apache Require option * Fixes and documentation * A few more fixes * A bit more doc * Change type of environment variable * Update readme * Correct apache config for OIDC support. * Fix README formatting * Update oidc control path * Fix oidc endpoint being cached * A bit more review * Simplify ExpiresActive * Add session refresh and improve caching * Allow more different setups * A bit more documentation * A bit more readme --------- Co-authored-by: Aaron Schif <aschif@netdevgroup.com> Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr> Co-authored-by: maTh <math-home@web.de>
Diffstat (limited to 'Docker')
-rw-r--r--Docker/Dockerfile4
-rw-r--r--Docker/Dockerfile-Alpine3
-rw-r--r--Docker/Dockerfile-Newest4
-rw-r--r--Docker/Dockerfile-Oldest3
-rw-r--r--Docker/Dockerfile-QEMU-ARM4
-rw-r--r--Docker/FreshRSS.Apache.conf24
-rw-r--r--Docker/README.md3
7 files changed, 40 insertions, 5 deletions
diff --git a/Docker/Dockerfile b/Docker/Dockerfile
index 211df9aaa..b205b9d9c 100644
--- a/Docker/Dockerfile
+++ b/Docker/Dockerfile
@@ -8,6 +8,7 @@ RUN apt-get update && \
apt-get install --no-install-recommends -y \
ca-certificates cron \
apache2 libapache2-mod-php \
+ libapache2-mod-auth-openidc \
php-curl php-gmp php-intl php-mbstring php-xml php-zip \
php-sqlite3 php-mysql php-pgsql && \
rm -rf /var/lib/apt/lists/*
@@ -55,6 +56,7 @@ ENV CRON_MIN ''
ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
+ENV OIDC_ENABLED ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
@@ -62,4 +64,4 @@ EXPOSE 80
# hadolint ignore=DL3025
CMD ([ -z "$CRON_MIN" ] || cron) && \
. /etc/apache2/envvars && \
- exec apache2 -D FOREGROUND
+ exec apache2 -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
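Review bot: The numeric test `[ "$OIDC_ENABLED" -ne 0 ]` in the new CMD line fails for any non-integer value such as `true` or `yes` (the shell prints an "Illegal number" error and the test returns non-zero), so the `-D OIDC_ENABLED` define is silently dropped and `/i/` is served without the OpenID Connect requirement the operator meant to enable. Since a mis-typed value turns authentication off rather than on, a string comparison is the safer shape, `exec apache2 -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" != 0 ] && echo '-D OIDC_ENABLED')`, which enables OIDC for any value other than empty or `0` and lets the config's `Error` directive stop startup if the module is missing. If the integer-only contract is kept on purpose, a comment next to `ENV OIDC_ENABLED ''` should say `# must be an integer: 0 or unset disables OIDC, any other integer enables it; other values are rejected by the shell test in CMD`. The same CMD construct appears in Dockerfile-Alpine, Dockerfile-Newest, Dockerfile-Oldest and Dockerfile-QEMU-ARM and needs the same treatment.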
diff --git a/Docker/Dockerfile-Alpine b/Docker/Dockerfile-Alpine
index 6aa1d7359..59142384c 100644
--- a/Docker/Dockerfile-Alpine
+++ b/Docker/Dockerfile-Alpine
@@ -53,10 +53,11 @@ ENV CRON_MIN ''
ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
+ENV OIDC_ENABLED ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
EXPOSE 80
# hadolint ignore=DL3025
CMD ([ -z "$CRON_MIN" ] || crond -d 6) && \
- exec httpd -D FOREGROUND
+ exec httpd -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
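Review bot: This image gains the `OIDC_ENABLED` switch and the `-D OIDC_ENABLED` define but, unlike Dockerfile-Newest, no auth_openidc package is installed, and the README hunk in this commit says OIDC is only available in the Debian image. If this image uses the shared FreshRSS.Apache.conf, setting `OIDC_ENABLED=1` here should trip the `<IfModule !auth_openidc_module>` Error and keep httpd from starting, which is the right fail-closed outcome but will surprise operators who expect the variable to work everywhere. A comment beside the new ENV would make the contract explicit: `# accepted for parity with the other images; no auth_openidc module ships here, so enabling it stops httpd at startup`. Dockerfile-Oldest has the same gap.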
diff --git a/Docker/Dockerfile-Newest b/Docker/Dockerfile-Newest
index bee845771..8c2d6eb71 100644
--- a/Docker/Dockerfile-Newest
+++ b/Docker/Dockerfile-Newest
@@ -6,6 +6,7 @@ RUN echo 'http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/reposit
apk add --no-cache \
tzdata \
apache2 php82-apache2 \
+ apache-mod-auth-openidc \
php82 php82-curl php82-gmp php82-intl php82-mbstring php82-xml php82-zip \
php82-ctype php82-dom php82-fileinfo php82-iconv php82-json php82-opcache php82-openssl php82-phar php82-session php82-simplexml php82-xmlreader php82-xmlwriter php82-xml php82-tokenizer php82-zlib \
php82-pdo_sqlite php82-pdo_mysql php82-pdo_pgsql
@@ -55,10 +56,11 @@ ENV CRON_MIN ''
ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
+ENV OIDC_ENABLED ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
EXPOSE 80
# hadolint ignore=DL3025
CMD ([ -z "$CRON_MIN" ] || crond -d 6) && \
- exec httpd -D FOREGROUND
+ exec httpd -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
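Review bot: In the first hunk, `apache-mod-auth-openidc` is pulled from the `edge/testing` repository added on the context line above it, so the module that now gates access to `/i/` comes from Alpine's unsupported testing tier and may be removed, renamed or rebuilt without notice. That is probably acceptable for an image named "Newest", but it deserves a comment on the package line, e.g. `# auth_openidc is only packaged in edge/testing; verify it still loads before relying on OIDC_ENABLED`, so a future build failure or a silently missing module is understood rather than debugged from scratch. The `<IfModule !auth_openidc_module>` Error in FreshRSS.Apache.conf covers the missing-module case at runtime, as far as I can tell, so the risk is availability rather than a silent bypass.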
diff --git a/Docker/Dockerfile-Oldest b/Docker/Dockerfile-Oldest
index 11dd34a65..88d02b512 100644
--- a/Docker/Dockerfile-Oldest
+++ b/Docker/Dockerfile-Oldest
@@ -55,10 +55,11 @@ ENV CRON_MIN ''
ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
+ENV OIDC_ENABLED ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
EXPOSE 80
# hadolint ignore=DL3025
CMD ([ -z "$CRON_MIN" ] || crond -d 6) && \
- exec httpd -D FOREGROUND
+ exec httpd -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
diff --git a/Docker/Dockerfile-QEMU-ARM b/Docker/Dockerfile-QEMU-ARM
index b878399ac..7654a187d 100644
--- a/Docker/Dockerfile-QEMU-ARM
+++ b/Docker/Dockerfile-QEMU-ARM
@@ -14,6 +14,7 @@ RUN apt-get update && \
apt-get install --no-install-recommends -y \
ca-certificates cron \
apache2 libapache2-mod-php \
+ libapache2-mod-auth-openidc \
php-curl php-gmp php-intl php-mbstring php-xml php-zip \
php-sqlite3 php-mysql php-pgsql && \
rm -rf /var/lib/apt/lists/*
@@ -67,6 +68,7 @@ ENV CRON_MIN ''
ENV DATA_PATH ''
ENV FRESHRSS_ENV ''
ENV LISTEN ''
+ENV OIDC_ENABLED ''
ENTRYPOINT ["./Docker/entrypoint.sh"]
@@ -74,4 +76,4 @@ EXPOSE 80
# hadolint ignore=DL3025
CMD ([ -z "$CRON_MIN" ] || cron) && \
. /etc/apache2/envvars && \
- exec apache2 -D FOREGROUND
+ exec apache2 -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
diff --git a/Docker/FreshRSS.Apache.conf b/Docker/FreshRSS.Apache.conf
index b943f9fa7..e5576ac8f 100644
--- a/Docker/FreshRSS.Apache.conf
+++ b/Docker/FreshRSS.Apache.conf
@@ -10,6 +10,24 @@ AllowEncodedSlashes On
ServerTokens OS
TraceEnable Off
+<IfDefine OIDC_ENABLED>
+ <IfModule !auth_openidc_module>
+ Error "The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED."
+ </IfModule>
+
+ OIDCProviderMetadataURL ${OIDC_PROVIDER_METADATA_URL}
+ OIDCClientID ${OIDC_CLIENT_ID}
+ OIDCClientSecret ${OIDC_CLIENT_SECRET}
+
+ OIDCRedirectURI /i/oidc/
+ OIDCCryptoPassphrase ${OIDC_CLIENT_CRYPTO_KEY}
+
+ OIDCRemoteUserClaim preferred_username
+ OIDCScope "openid"
+
+ OIDCRefreshAccessTokenBeforeExpiry 30
+</IfDefine>
+
<Directory />
AllowOverride None
Options FollowSymLinks
@@ -28,6 +46,12 @@ TraceEnable Off
</Directory>
<Directory /var/www/FreshRSS/p/i>
+ ExpiresActive Off
+
+ <IfDefine OIDC_ENABLED>
+ AuthType openid-connect
+ Require valid-user
+ </IfDefine>
IncludeOptional /var/www/FreshRSS/p/i/.htaccess
</Directory>
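Review bot: `OIDCCryptoPassphrase ${OIDC_CLIENT_CRYPTO_KEY}` in the first hunk (and the client secret and metadata URL above it) has no guard for an unset variable; as far as I recall, httpd only logs a warning for an undefined `${VAR}` and keeps the literal text, so a container started with `OIDC_ENABLED=1` but without that variable would protect its session state with the fixed, publicly known string `${OIDC_CLIENT_CRYPTO_KEY}`. The `<IfModule !auth_openidc_module>` Error directive is the right fail-closed pattern, and the entrypoint (not in this diff) could apply the same idea by refusing to start when OIDC is enabled and any of the four variables is empty; at minimum a comment above the block should state `# OIDC_PROVIDER_METADATA_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET and OIDC_CLIENT_CRYPTO_KEY are mandatory when OIDC_ENABLED is set`. Separately, `OIDCRemoteUserClaim preferred_username` maps FreshRSS accounts by a claim that OIDC Core says must not be treated as unique or stable, so a provider that lets users choose or change their preferred_username could land one user in another's account; a comment noting that `sub` is the stable identifier and that this setting assumes the provider enforces unique usernames would help operators pick the right claim for their IdP.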
diff --git a/Docker/README.md b/Docker/README.md
index 0e8b16c55..1fbc9634c 100644
--- a/Docker/README.md
+++ b/Docker/README.md
@@ -330,6 +330,9 @@ services:
FRESHRSS_ENV: development
# Optional advanced parameter controlling the internal Apache listening port
LISTEN: 0.0.0.0:80
+ # Optional parameter, set to 1 to enable OpenID Connect (only available in our Debian image)
+ # Requires more environment variables. See https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html
+ OIDC_ENABLED: 0
# Optional auto-install parameters (the Web interface install is recommended instead):
# ⚠️ Parameters below are only used at the very first run (so far).
# So if changes are made (or in .env file), first delete the service and volumes.