Struggling with OIDC (Authelia & Traefik) #5684

arcoast · 2023-10-03T21:24:30Z

arcoast
Oct 3, 2023

Hi,

Wondering if anyone can help me?

I'm installing FreshRSS with docker and a mariadb database, can get it working beautifully with web based auth (which I used to test FreshRSS itself) behind traefik, but I'm very keen on adding OIDC which I already have implemented with Authelia and successfully working with other applications (gitea, immich, nextcloud, podfetch, synapse)

FreshRSS is being served on https://freshrss.domain.com
Authelia is being served on https://login.domain.com

My docker-compose.yml

networks:
    freshrss:
        external: false
        name: freshrss
        
services:
    freshrss:
        image: freshrss/freshrss:edge
        container_name: freshrss
        networks:
            - freshrss
            - traefik
        ports:
            - 8003:80
        environment:
            - TZ=${TZ}
            - PUID=${PUID}
            - PGID=${PGID}
            - CRON_MIN=${CRON_MIN}
            - OIDC_ENABLED=${OIDC_ENABLED}
            - OIDC_PROVIDER_METADATA_URL=${OIDC_PROVIDER_METADATA_URL}
            - OIDC_CLIENT_ID=${OIDC_CLIENT_ID}
            - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
            # - OIDC_CLIENT_CRYPTO_KEY=${OIDC_CLIENT_CRYPTO_KEY}
            - OIDC_REMOTE_USER_CLAIM=${OIDC_REMOTE_USER_CLAIM}
            - OIDC_SCOPES=${OIDC_SCOPES}
            - OIDC_X_FORWARDED_HEADERS=${OIDC_X_FORWARDED_HEADERS}
        volumes:
            - ${CONFIG}/freshrss/.htaccess:/var/www/FreshRSS/p/i/.htaccess
            - ${CONFIG}/freshrss/.htpasswd:/var/www/FreshRSS/data/.htpasswd
            - ${CONFIG}/freshrss/freshrss/data:/var/www/FreshRSS/data
            - ${CONFIG}/freshrss/freshrss/extensions:/var/www/FreshRSS/extensions
        restart: unless-stopped
        labels:
            - "traefik.enable=true"
            - "traefik.docker.network=traefik"
            - "traefik.http.services.freshrss.loadbalancer.server.port=80"
            - "traefik.http.routers.freshrss.entrypoints=https"
            - "traefik.http.routers.freshrss.rule=Host(`freshrss.${TRAEFIK_DOMAIN}`)"
            - "traefik.http.routers.freshrss.middlewares=authelia@file, securityHeaders@file"

    freshrss-mariadb:
        image: lscr.io/linuxserver/mariadb
        container_name: freshrss-mariadb
        networks:
            - freshrss
#        ports:
#            - 3306:3306
        environment:
            - TZ=${TZ}
            - PUID=${PUID}
            - PGID=${PGID}
            - MYSQL_ROOT_PASSWORD=${FRESHRSS_MARIADB_ROOT_PASS}
            - MYSQL_USER=${FRESHRSS_MARIADB_USER}
            - MYSQL_PASSWORD=${FRESHRSS_MARIADB_PASS}
            - MYSQL_DATABASE=${FRESHRSS_MARIADB_DB_NAME}
        volumes:
            - ${CONFIG}/freshrss/freshrss-mariadb:/config
        restart: unless-stopped

My .env

FRESHRSS_MARIADB_ROOT_PASS=rootpassword
FRESHRSS_MARIADB_USER=freshrss
FRESHRSS_MARIADB_PASS=password
FRESHRSS_MARIADB_DB_NAME=freshrss
CRON_MIN=13,43
OIDC_ENABLED=1
OIDC_PROVIDER_METADATA_URL=https://login.DOMAIN.COM/.well-known/openid-configuration
OIDC_CLIENT_ID=freshrss
OIDC_CLIENT_SECRET=autheliaclientsecret
OIDC_CLIENT_CRYPTO_KEY=
OIDC_REMOTE_USER_CLAIM=preferred_username
OIDC_SCOPES=openid groups email profile
OIDC_X_FORWARDED_HEADERS="X-Forwarded-Host X-Forwarded-Proto"

Reading the docs I need to setup FreshRSS with http based auth first so I've volume mounted both:

.htaccess
.htpasswd

and can successfully use http auth to login, the contents of each file are:

.htaccess

AuthUserFile /var/www/FreshRSS/data/.htpasswd
AuthName "FreshRSS"
AuthType Basic
Require valid-user

.htpasswd (username admin password password)

admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

However once I've completed the initial setup, logged in as admin with http-auth I cannot see any option in the webui to change the auth to OIDC.

I'm clearly doing something wrong but I don't know what and would really appreciate a second pair of eyes and any suggestions anyone could be kind enough to give.

For reference, here's how I currently have the Authelia OIDC client config:

      - id: freshrss
        description: FreshRSS
        secret: $pbkdf2-sha512xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        public: false
        authorization_policy: one_factor
        redirect_uris:
          - https://freshrss.DOMAIN.COM/i/oidc/
        scopes:
          - openid
          - groups
          - email
          - profile
        userinfo_signed_response_alg: none

Answered by otaconix

Oct 4, 2023

Could you try removing the mount for .htaccess? It's probably overriding the configuration that makes OIDC work: https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/FreshRSS.Apache.conf#L76-L84

PS: do you have a suggestion on how we could improve the documentation to prevent others from running into the same issue (assuming this is indeed the issue)?

View full answer

Alkarex · 2023-10-04T06:48:37Z

Alkarex
Oct 4, 2023
Maintainer

Maybe @belidzs or @otaconix could have some tips

0 replies

otaconix · 2023-10-04T07:18:26Z

otaconix
Oct 4, 2023

Could you try removing the mount for .htaccess? It's probably overriding the configuration that makes OIDC work: https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/FreshRSS.Apache.conf#L76-L84

PS: do you have a suggestion on how we could improve the documentation to prevent others from running into the same issue (assuming this is indeed the issue)?

0 replies

arcoast · 2023-10-04T09:13:37Z

arcoast
Oct 4, 2023
Author

@otaconix Just tried that and it's working, thanks.

As regards suggestions, I agree the method to get OIDC working is a bit opaque. Ideally there shouldn't be a need to use the http auth method at all, I'm fairly new to OIDC and need to investigate scopes and how to implement them as currently whilst I can login with Authelia to FreshRSS I'm not an admin, and as far as I can tell there's no way to login as my admin user that I created with http aut (which is to be expected)

Let me have a think about it and see if I can get scopes working and I'll write something up for the docs.

7 replies

arcoast Oct 4, 2023
Author

OK setting ADMIN_EMAIL works for me, that makes more sense now. The Email address isn't populated in the webui, but I think that's just cosmetic.

I get what they docs are saying now, in a fresh install, last step, create the user (that you've just logged in as using OIDC) and set it to http-auth.

I was setting up my initial user with http-auth and then activating all the OIDC stuff.

otaconix Oct 4, 2023

EDIT: I just now see that you came to the same conclusion. I'll keep this reply anyway, maybe it'll be useful to someone.

My apologies, I was a little wrong in my earlier reply. The way you'd set up a new instance is by having all the OIDC environment variables set, then opening the web interface, which will immediately try to log you in. Once you're logged in, you go through the setup wizard, and where it asks you for the default user and authentication method (currently the title of the wizard step is "step 4"), you enter some name for the default user (pick whatever random value, it won't be used as long as you have OIDC enabled), and select the HTTP authentication method. If all is setup correctly, it should show you your current username (it should look like HTTP (for advanced users with HTTPS) (REMOTE_USER='username_here').

Then you complete the installation, and you're all set: you're logged in, and you're the instance administrator.

ShaddyDC Dec 31, 2024

This answer helped me a lot! It is worth noting that I only got the initial user to be admin if I actually put in the corresponding oidc user as the default user, eg [email protected], instead of something random. I think that information is worth adding to the docs.

Ie, 1. have fresh instance, 2. run with oidc env vars, 3. run through setup wizard, 4. put in the correct default user (with random password), 5. select HTTP authenticaion method, 6. profit
It took me some time to get it working. My original attempts always ended up without access to any admin account at all. ADMIN_EMAIL did not help.

Alkarex Jan 1, 2025
Maintainer

@ShaddyDC Updates to our documentation welcome :-)

ShaddyDC Jan 4, 2025

@Alkarex I made a PR: #7174

arcoast · 2023-10-04T12:26:19Z

arcoast
Oct 4, 2023
Author

One last question, what is the purpose of the OIDC_CLIENT_CRYPTO_KEY? I haven't set a variable for it, and everything is working. But wondering what it actually encrypts? My client secret is for the communication with Authelia as far as I understand it.

2 replies

mark-monteiro Oct 30, 2023

This is what the documentation in mod_auth_openidc says:

configure a random password in OIDCCryptoPassphrase for session/state encryption purposes

Seems like it's just supposed to be a random password that is used internally

Alkarex Oct 30, 2023
Maintainer

Updates to our documentation welcome :-)

Uh oh!

Struggling with OIDC (Authelia & Traefik) #5684

Uh oh!

arcoast Oct 3, 2023

Replies: 4 comments · 9 replies

Uh oh!

Alkarex Oct 4, 2023 Maintainer

Uh oh!

Uh oh!

otaconix Oct 4, 2023

Uh oh!

arcoast Oct 4, 2023 Author

Uh oh!

arcoast Oct 4, 2023 Author

Uh oh!

Uh oh!

otaconix Oct 4, 2023

Uh oh!

ShaddyDC Dec 31, 2024

Uh oh!

Alkarex Jan 1, 2025 Maintainer

Uh oh!

ShaddyDC Jan 4, 2025

Uh oh!

arcoast Oct 4, 2023 Author

Uh oh!

mark-monteiro Oct 30, 2023

Uh oh!

Alkarex Oct 30, 2023 Maintainer

arcoast
Oct 3, 2023

Replies: 4 comments 9 replies

Alkarex
Oct 4, 2023
Maintainer

otaconix
Oct 4, 2023

arcoast
Oct 4, 2023
Author

arcoast Oct 4, 2023
Author

Alkarex Jan 1, 2025
Maintainer

arcoast
Oct 4, 2023
Author

Alkarex Oct 30, 2023
Maintainer