| author | 2023-10-25 15:30:14 -0500 | |
|---|---|---|
| committer | 2023-10-25 22:30:14 +0200 | |
| commit | a9a7643e715ff5e0afabaafa43433102e2a66780 (patch) | |
| tree | ab2c2124842cbc115258f9376b67ec60f3b354ff /docs | |
| parent | 1db1035ec2bf782d69577a90ae9c3fc8c2501fb2 (diff) | |
Create "Authentik" specific OIDC configuration. (#5746)
* Create 16_OpenID-Connect-Authentik.md
* Local images + text improvements
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Diffstat (limited to 'docs')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | docs/en/admins/16_OpenID-Connect-Authentik.md | 70 |
| -rw-r--r-- | docs/en/admins/16_OpenID-Connect.md | 6 |
| -rw-r--r-- | docs/en/img/admins/authentik-01.png | bin, 0 -> 14856 bytes |
| -rw-r--r-- | docs/en/img/admins/authentik-02.png | bin, 0 -> 17216 bytes |
| -rw-r--r-- | docs/en/img/admins/authentik-03.png | bin, 0 -> 12914 bytes |
| -rw-r--r-- | docs/en/img/admins/authentik-04.png | bin, 0 -> 10965 bytes |

6 files changed, 76 insertions, 0 deletions
diff --git a/docs/en/admins/16_OpenID-Connect-Authentik.md b/docs/en/admins/16_OpenID-Connect-Authentik.md new file mode 100644 index 000000000..eacd64d40 --- /dev/null +++ b/docs/en/admins/16_OpenID-Connect-Authentik.md 
@@ -0,0 +1,70 @@ +# Setting up Authentik for FreshRSS + +**[authentik](https://goauthentik.io/)** is an open-source Identity Provider compatible with OpenID Connect (OIDC) (see [FreshRSS’ OpenID Connect documentation](16_OpenID-Connect.md)). + +## 1. Create OAuth2/OpenID Provider + +In authentik Web interface: + + + +Click Next. + +Give it a name, and select your desired auth flows (default flows for this example). + + + +Copy the ID / secret for later. + +Set the redirect URIs for FreshRSS: If FreshRSS’ root is `https://freshrss.example.net/`, the proper redirect URI would be `https://freshrss.example.net/i/oidc` + +You will need to choose a signing key. +If you don’t have one, generate one under *System > Certificates*. + + + +After you have created the provider, you will need to create an application for it. + + + +Finally, go to *Providers*, and click on the OIDC provider you created for FreshRSS. + +You will want to copy the `OpenID Configuration URL` value listed. +You will need this in the next step. + +## Step 2. Configure FreshRSS’ environment variables + +Note: this is using a Kubernetes ConfigMap. +However, these are just environment variables mapped into the container. + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: freshrss-config + namespace: freshrss +data: + PGID: "100" + PUID: "65534" + CRON_MIN: "*/15" + OIDC_ENABLED: "1" + # Put your "OpenID Configuration URL" here, from the previous step: + OIDC_PROVIDER_METADATA_URL: https://authentik.example.net/application/o/freshrss/.well-known/openid-configuration + OIDC_REMOTE_USER_CLAIM: preferred_username + # Put your ID here, from the previous step: + OIDC_CLIENT_ID: t48O5c6z2Ia1XXXXXXX + # Put your secret here, from the previous step: + OIDC_CLIENT_SECRET: tDUhtfgxY5mCIZ1M1ItauXXXXX + # TODO: I have no idea what goes here, but a random string seems to work just fine: + OIDC_CLIENT_CRYPTO_KEY: WnoO3kRzXynag2XXXXXXXXXX + OIDC_SCOPES: "openid profile" + # These headers work for Traefik. 
+ # May need to be adjusted depending on your proxy configuration: + OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto +``` + +## Step 3. Enable OIDC + +During FreshRSS initial setup, or inside of the authentication settings for FreshRSS, set the authentication method to HTTP. + +See [FreshRSS’ OpenID Connect documentation](16_OpenID-Connect.md) for more information. diff --git a/docs/en/admins/16_OpenID-Connect.md b/docs/en/admins/16_OpenID-Connect.md index e034e4ac9..ac1bbf03d 100644 --- a/docs/en/admins/16_OpenID-Connect.md +++ b/docs/en/admins/16_OpenID-Connect.md @@ -39,3 +39,9 @@ After being properly configured, OIDC support can be activated in FreshRSS. During a new FreshRSS install, the **HTTP Authentication Method** must be picked. After install, the method can be changed in *Administration > Authentication*. Note that this option will be greyed out if Apache is unable to read the `REMOTE_USER` variable. + +## Identity Provider + +See specific instructions for: + +* [authentik](16_OpenID-Connect-Authentik.md) diff --git a/docs/en/img/admins/authentik-01.png b/docs/en/img/admins/authentik-01.png Binary files differnew file mode 100644 index 000000000..b15ac1a5c --- /dev/null +++ b/docs/en/img/admins/authentik-01.png diff --git a/docs/en/img/admins/authentik-02.png b/docs/en/img/admins/authentik-02.png Binary files differnew file mode 100644 index 000000000..cfa3f5270 --- /dev/null +++ b/docs/en/img/admins/authentik-02.png diff --git a/docs/en/img/admins/authentik-03.png b/docs/en/img/admins/authentik-03.png Binary files differnew file mode 100644 index 000000000..4db2e4e7e --- /dev/null +++ b/docs/en/img/admins/authentik-03.png diff --git a/docs/en/img/admins/authentik-04.png b/docs/en/img/admins/authentik-04.png Binary files differnew file mode 100644 index 000000000..cfd3dc236 --- /dev/null +++ b/docs/en/img/admins/authentik-04.png |
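Review bot: in the Step 2 ConfigMap of 16_OpenID-Connect-Authentik.md, `OIDC_CLIENT_SECRET` and `OIDC_CLIENT_CRYPTO_KEY` are stored in a Kubernetes ConfigMap, which is a plain, non-confidential object readable by anyone with `get configmaps` in the namespace; the example should put those two keys in a `Secret` (referenced via `envFrom`/`secretKeyRef`) or at least carry a note saying so, since readers will copy this manifest verbatim. The comment `# TODO: I have no idea what goes here, but a random string seems to work just fine:` above `OIDC_CLIENT_CRYPTO_KEY` should not ship in user-facing documentation: the variable is a key by name, so state that it must be a long value from a CSPRNG (for example `openssl rand -base64 32`) and defer to the linked 16_OpenID-Connect.md for its meaning instead of a TODO. Two smaller points: the sample values `t48O5c6z2Ia1XXXXXXX`, `tDUhtfgxY5mCIZ1M1ItauXXXXX` and `WnoO3kRzXynag2XXXXXXXXXX` look like partially redacted real credentials rather than placeholders, and obvious placeholders such as `<client-id>` avoid both the ambiguity and the risk of leaking prefixes; and the headings are inconsistent (`## 1. Create OAuth2/OpenID Provider` versus `## Step 2.` and `## Step 3.`), so either drop "Step" or add it to the first.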
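Review bot: in the 16_OpenID-Connect.md hunk, the new heading `## Identity Provider` introduces a bullet list of per-provider guides ("See specific instructions for:"), so the plural `## Identity Providers` (or "Identity Provider specific instructions") reads better and will not need renaming when a second provider is added to the list.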
