From a9a7643e715ff5e0afabaafa43433102e2a66780 Mon Sep 17 00:00:00 2001 From: XtremeOwnage <5262735+XtremeOwnageDotCom@users.noreply.github.com> Date: Wed, 25 Oct 2023 15:30:14 -0500 Subject: Create "Authentik" specific OIDC configuration. (#5746) * Create 16_OpenID-Connect-Authentik.md * Local images + text improvements --------- Co-authored-by: Alexandre Alapetite --- docs/en/admins/16_OpenID-Connect-Authentik.md | 70 ++++++++++++++++++++++++++ docs/en/admins/16_OpenID-Connect.md | 6 +++ docs/en/img/admins/authentik-01.png | Bin 0 -> 14856 bytes docs/en/img/admins/authentik-02.png | Bin 0 -> 17216 bytes docs/en/img/admins/authentik-03.png | Bin 0 -> 12914 bytes docs/en/img/admins/authentik-04.png | Bin 0 -> 10965 bytes 6 files changed, 76 insertions(+) create mode 100644 docs/en/admins/16_OpenID-Connect-Authentik.md create mode 100644 docs/en/img/admins/authentik-01.png create mode 100644 docs/en/img/admins/authentik-02.png create mode 100644 docs/en/img/admins/authentik-03.png create mode 100644 docs/en/img/admins/authentik-04.png (limited to 'docs') diff --git a/docs/en/admins/16_OpenID-Connect-Authentik.md b/docs/en/admins/16_OpenID-Connect-Authentik.md new file mode 100644 index 000000000..eacd64d40 --- /dev/null +++ b/docs/en/admins/16_OpenID-Connect-Authentik.md 
@@ -0,0 +1,70 @@ +# Setting up Authentik for FreshRSS + +**[authentik](https://goauthentik.io/)** is an open-source Identity Provider compatible with OpenID Connect (OIDC) (see [FreshRSS’ OpenID Connect documentation](16_OpenID-Connect.md)). + +## 1. Create OAuth2/OpenID Provider + +In authentik Web interface: + +![authentik-new-provider-type](../img/admins/authentik-01.png) + +Click Next. + +Give it a name, and select your desired auth flows (default flows for this example). + +![authentik-new-provider-create](../img/admins/authentik-02.png) + +Copy the ID / secret for later. + +Set the redirect URIs for FreshRSS: If FreshRSS’ root is `https://freshrss.example.net/`, the proper redirect URI would be `https://freshrss.example.net/i/oidc` + +You will need to choose a signing key. +If you don’t have one, generate one under *System > Certificates*. + +![authentik-new-provider-secrets](../img/admins/authentik-03.png) + +After you have created the provider, you will need to create an application for it. + +![authentik-create-application](../img/admins/authentik-04.png) + +Finally, go to *Providers*, and click on the OIDC provider you created for FreshRSS. + +You will want to copy the `OpenID Configuration URL` value listed. +You will need this in the next step. + +## Step 2. Configure FreshRSS’ environment variables + +Note: this is using a Kubernetes ConfigMap. +However, these are just environment variables mapped into the container. 
+ +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: freshrss-config + namespace: freshrss +data: + PGID: "100" + PUID: "65534" + CRON_MIN: "*/15" + OIDC_ENABLED: "1" + # Put your "OpenID Configuration URL" here, from the previous step: + OIDC_PROVIDER_METADATA_URL: https://authentik.example.net/application/o/freshrss/.well-known/openid-configuration + OIDC_REMOTE_USER_CLAIM: preferred_username + # Put your ID here, from the previous step: + OIDC_CLIENT_ID: t48O5c6z2Ia1XXXXXXX + # Put your secret here, from the previous step: + OIDC_CLIENT_SECRET: tDUhtfgxY5mCIZ1M1ItauXXXXX + # TODO: I have no idea what goes here, but a random string seems to work just fine: + OIDC_CLIENT_CRYPTO_KEY: WnoO3kRzXynag2XXXXXXXXXX + OIDC_SCOPES: "openid profile" + # These headers work for Traefik. + # May need to be adjusted depending on your proxy configuration: + OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto +``` + +## Step 3. Enable OIDC + +During FreshRSS initial setup, or inside of the authentication settings for FreshRSS, set the authentication method to HTTP. + +See [FreshRSS’ OpenID Connect documentation](16_OpenID-Connect.md) for more information. diff --git a/docs/en/admins/16_OpenID-Connect.md b/docs/en/admins/16_OpenID-Connect.md index e034e4ac9..ac1bbf03d 100644 --- a/docs/en/admins/16_OpenID-Connect.md +++ b/docs/en/admins/16_OpenID-Connect.md @@ -39,3 +39,9 @@ After being properly configured, OIDC support can be activated in FreshRSS. During a new FreshRSS install, the **HTTP Authentication Method** must be picked. After install, the method can be changed in *Administration > Authentication*. Note that this option will be greyed out if Apache is unable to read the `REMOTE_USER` variable. + +## Identity Provider + +See specific instructions for: + +* [authentik](16_OpenID-Connect-Authentik.md) 
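Review bot: in the Step 2 example of `16_OpenID-Connect-Authentik.md` the `OIDC_CLIENT_SECRET` and `OIDC_CLIENT_CRYPTO_KEY` values sit in the `data:` block of a plaintext `kind: ConfigMap`, so the OIDC client secret and the cookie-encryption key become readable to anyone who can read ConfigMaps in the `freshrss` namespace and to anyone with access to the repo the manifest is committed to; keep only non-sensitive settings (`PUID`, `PGID`, `CRON_MIN`, `OIDC_ENABLED`, `OIDC_PROVIDER_METADATA_URL`, `OIDC_SCOPES`, `OIDC_X_FORWARDED_HEADERS`) in the ConfigMap and move the two secrets into a Kubernetes `Secret` referenced from the pod spec. The line `# TODO: I have no idea what goes here, but a random string seems to work just fine:` above `OIDC_CLIENT_CRYPTO_KEY` should not ship in admin documentation; replace it with a statement that the value must be a long, randomly generated secret unique to the installation (e.g. generated with `openssl rand -base64 32`), never the example value, and that it must be kept private like the client secret. Two smaller points: the heading numbering is inconsistent (`## 1. Create OAuth2/OpenID Provider` versus `## Step 2.` and `## Step 3.`), and since accounts are matched by `OIDC_REMOTE_USER_CLAIM: preferred_username`, a sentence noting that renaming or reusing a username in authentik changes which FreshRSS account a login maps to would help admins avoid surprises.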
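Review bot: the new `## Identity Provider` heading in `16_OpenID-Connect.md` introduces a list intended to grow (the commit adds only `[authentik](16_OpenID-Connect-Authentik.md)`), so the plural `## Identity Providers` reads better as further entries are added, and a one-line lead-in such as "Provider-specific setup guides:" would make it clearer that the generic instructions above still apply to every provider.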
diff --git a/docs/en/img/admins/authentik-01.png b/docs/en/img/admins/authentik-01.png new file mode 100644 index 000000000..b15ac1a5c Binary files /dev/null and b/docs/en/img/admins/authentik-01.png differ diff --git a/docs/en/img/admins/authentik-02.png b/docs/en/img/admins/authentik-02.png new file mode 100644 index 000000000..cfa3f5270 Binary files /dev/null and b/docs/en/img/admins/authentik-02.png differ diff --git a/docs/en/img/admins/authentik-03.png b/docs/en/img/admins/authentik-03.png new file mode 100644 index 000000000..4db2e4e7e Binary files /dev/null and b/docs/en/img/admins/authentik-03.png differ diff --git a/docs/en/img/admins/authentik-04.png b/docs/en/img/admins/authentik-04.png new file mode 100644 index 000000000..cfd3dc236 Binary files /dev/null and b/docs/en/img/admins/authentik-04.png differ -- cgit v1.2.3