
Add OpenID Connect (#5351)

* Add OIDC

* Update documentation.

* Update apache conf adding IfModule

* Use IfDefine for OIDC in apache conf

* Fix non-oidc support

* Fix typing

* Use IfDefine to enable OIDC

* Add OIDC support to all dockerfiles

* Re add apache Require option

* Fixes and documentation

* A few more fixes

* A bit more doc

* Change type of environment variable

* Update readme

* Correct apache config for OIDC support.

* Fix README formatting

* Update oidc control path

* Fix oidc endpoint being cached

* A bit more review

* Simplify ExpiresActive

* Add session refresh and improve caching

* Allow more different setups

* A bit more documentation

* A bit more readme

---------

Co-authored-by: Aaron Schif <aschif@netdevgroup.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Co-authored-by: maTh <math-home@web.de>
Aaron Schif 2 anni fa
parent
commit
58b254f9cb

+ 3 - 1
Docker/Dockerfile

@@ -8,6 +8,7 @@ RUN apt-get update && \
 	apt-get install --no-install-recommends -y \
 	ca-certificates cron \
 	apache2 libapache2-mod-php \
+	libapache2-mod-auth-openidc \
 	php-curl php-gmp php-intl php-mbstring php-xml php-zip \
 	php-sqlite3 php-mysql php-pgsql && \
 	rm -rf /var/lib/apt/lists/*
@@ -55,6 +56,7 @@ ENV CRON_MIN ''
 ENV DATA_PATH ''
 ENV FRESHRSS_ENV ''
 ENV LISTEN ''
+ENV OIDC_ENABLED ''
 
 ENTRYPOINT ["./Docker/entrypoint.sh"]
 
@@ -62,4 +64,4 @@ EXPOSE 80
 # hadolint ignore=DL3025
 CMD ([ -z "$CRON_MIN" ] || cron) && \
 	. /etc/apache2/envvars && \
-	exec apache2 -D FOREGROUND
+	exec apache2 -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
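Review bot: The enable test `[ "$OIDC_ENABLED" -ne 0 ]` only accepts integers: a value such as `true` or `yes` makes `[` fail with an error on stderr, the `&&` chain stops before the `echo`, and Apache silently starts without the `OIDC_ENABLED` define, so the whole OIDC block in Docker/FreshRSS.Apache.conf is skipped even though the operator asked for it, while Docker/README.md and docs/en/admins/16_OpenID-Connect.md describe the trigger as "non-empty non-zero". Either document that the value must be an integer or switch to a pattern match that treats anything other than empty or `0` as enabled, e.g. `exec apache2 -D FOREGROUND $(case "$OIDC_ENABLED" in ''|0) ;; *) echo '-D OIDC_ENABLED';; esac)`. The same CMD is added in Docker/Dockerfile-Alpine, Docker/Dockerfile-Newest, Docker/Dockerfile-Oldest and Docker/Dockerfile-QEMU-ARM and would need the same change.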

+ 2 - 1
Docker/Dockerfile-Alpine

@@ -53,10 +53,11 @@ ENV CRON_MIN ''
 ENV DATA_PATH ''
 ENV FRESHRSS_ENV ''
 ENV LISTEN ''
+ENV OIDC_ENABLED ''
 
 ENTRYPOINT ["./Docker/entrypoint.sh"]
 
 EXPOSE 80
 # hadolint ignore=DL3025
 CMD ([ -z "$CRON_MIN" ] || crond -d 6) && \
-	exec httpd -D FOREGROUND
+	exec httpd -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')
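Review bot: This image gains the `OIDC_ENABLED` variable and the `-D OIDC_ENABLED` define, but no hunk in this file installs an auth_openidc package the way Docker/Dockerfile and Docker/Dockerfile-Newest do, so setting the variable here presumably ends in the `Error` directive of Docker/FreshRSS.Apache.conf and a container that refuses to start; Docker/Dockerfile-Oldest is in the same situation. That is a reasonable fail-closed outcome, but a comment next to the ENV line, e.g. `# OIDC_ENABLED is honoured only by images that ship mod_auth_openidc; here it makes httpd fail at startup`, would save operators a confusing debugging session.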

+ 3 - 1
Docker/Dockerfile-Newest

@@ -6,6 +6,7 @@ RUN echo 'http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/reposit
 	apk add --no-cache \
 	tzdata \
 	apache2 php82-apache2 \
+	apache-mod-auth-openidc \
 	php82 php82-curl php82-gmp php82-intl php82-mbstring php82-xml php82-zip \
 	php82-ctype php82-dom php82-fileinfo php82-iconv php82-json php82-opcache php82-openssl php82-phar php82-session php82-simplexml php82-xmlreader php82-xmlwriter php82-xml php82-tokenizer php82-zlib \
 	php82-pdo_sqlite php82-pdo_mysql php82-pdo_pgsql
@@ -55,10 +56,11 @@ ENV CRON_MIN ''
 ENV DATA_PATH ''
 ENV FRESHRSS_ENV ''
 ENV LISTEN ''
+ENV OIDC_ENABLED ''
 
 ENTRYPOINT ["./Docker/entrypoint.sh"]
 
 EXPOSE 80
 # hadolint ignore=DL3025
 CMD ([ -z "$CRON_MIN" ] || crond -d 6) && \
-	exec httpd -D FOREGROUND
+	exec httpd -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')

+ 2 - 1
Docker/Dockerfile-Oldest

@@ -55,10 +55,11 @@ ENV CRON_MIN ''
 ENV DATA_PATH ''
 ENV FRESHRSS_ENV ''
 ENV LISTEN ''
+ENV OIDC_ENABLED ''
 
 ENTRYPOINT ["./Docker/entrypoint.sh"]
 
 EXPOSE 80
 # hadolint ignore=DL3025
 CMD ([ -z "$CRON_MIN" ] || crond -d 6) && \
-	exec httpd -D FOREGROUND
+	exec httpd -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')

+ 3 - 1
Docker/Dockerfile-QEMU-ARM

@@ -14,6 +14,7 @@ RUN apt-get update && \
 	apt-get install --no-install-recommends -y \
 	ca-certificates cron \
 	apache2 libapache2-mod-php \
+	libapache2-mod-auth-openidc \
 	php-curl php-gmp php-intl php-mbstring php-xml php-zip \
 	php-sqlite3 php-mysql php-pgsql && \
 	rm -rf /var/lib/apt/lists/*
@@ -67,6 +68,7 @@ ENV CRON_MIN ''
 ENV DATA_PATH ''
 ENV FRESHRSS_ENV ''
 ENV LISTEN ''
+ENV OIDC_ENABLED ''
 
 ENTRYPOINT ["./Docker/entrypoint.sh"]
 
@@ -74,4 +76,4 @@ EXPOSE 80
 # hadolint ignore=DL3025
 CMD ([ -z "$CRON_MIN" ] || cron) && \
 	. /etc/apache2/envvars && \
-	exec apache2 -D FOREGROUND
+	exec apache2 -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')

+ 24 - 0
Docker/FreshRSS.Apache.conf

@@ -10,6 +10,24 @@ AllowEncodedSlashes On
 ServerTokens OS
 TraceEnable Off
 
+<IfDefine OIDC_ENABLED>
+	<IfModule !auth_openidc_module>
+		Error "The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED."
+	</IfModule>
+
+	OIDCProviderMetadataURL ${OIDC_PROVIDER_METADATA_URL}
+	OIDCClientID ${OIDC_CLIENT_ID}
+	OIDCClientSecret ${OIDC_CLIENT_SECRET}
+
+	OIDCRedirectURI /i/oidc/
+	OIDCCryptoPassphrase ${OIDC_CLIENT_CRYPTO_KEY}
+
+	OIDCRemoteUserClaim preferred_username
+	OIDCScope "openid"
+
+	OIDCRefreshAccessTokenBeforeExpiry 30
+</IfDefine>
+
 <Directory />
 	AllowOverride None
 	Options FollowSymLinks
@@ -28,6 +46,12 @@ TraceEnable Off
 </Directory>
 
 <Directory /var/www/FreshRSS/p/i>
+	ExpiresActive Off
+
+	<IfDefine OIDC_ENABLED>
+		AuthType openid-connect
+		Require valid-user
+	</IfDefine>
 	IncludeOptional /var/www/FreshRSS/p/i/.htaccess
 </Directory>
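Review bot: `OIDCCryptoPassphrase ${OIDC_CLIENT_CRYPTO_KEY}` (and the `OIDCClientID`/`OIDCClientSecret`/`OIDCProviderMetadataURL` lines in the same block) has no guard for the variable being unset; as far as I recall httpd leaves an unresolved `${VAR}` reference as literal text and only logs a warning, so a container started with `OIDC_ENABLED=1` but without `OIDC_CLIENT_CRYPTO_KEY` would run with the predictable passphrase `${OIDC_CLIENT_CRYPTO_KEY}` protecting its session and state cookies. I know of no core directive that fails startup on an unset environment variable, so the check belongs in the CMD or entrypoint before `exec`, e.g. `: "${OIDC_CLIENT_CRYPTO_KEY:?required when OIDC_ENABLED is set}"`, or at minimum a comment above the block stating that all four variables are mandatory. Separately, `OIDCRemoteUserClaim preferred_username` ties the FreshRSS account to a claim the OIDC spec does not guarantee to be unique or stable; a comment such as `# preferred_username is not guaranteed unique by the OIDC spec; use a claim your provider guarantees (e.g. sub) if accounts must not be reassignable` would let operators make that choice consciously.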
 

+ 3 - 0
Docker/README.md

@@ -330,6 +330,9 @@ services:
       FRESHRSS_ENV: development
       # Optional advanced parameter controlling the internal Apache listening port
       LISTEN: 0.0.0.0:80
+      # Optional parameter, set to 1 to enable OpenID Connect (only available in our Debian image)
+      # Requires more environment variables. See https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html
+      OIDC_ENABLED: 0
       # Optional auto-install parameters (the Web interface install is recommended instead):
       # ⚠️ Parameters below are only used at the very first run (so far).
       # So if changes are made (or in .env file), first delete the service and volumes.

+ 3 - 1
README.fr.md

@@ -17,7 +17,9 @@ FreshRSS est capable de recevoir des notifications push instantanées depuis les
 
 FreshRSS supporte nativement le moissonnage du Web (Web Scraping) basique, basé sur [XPath](https://www.w3.org/TR/xpath-10/), pour les sites Web sans flux RSS / Atom.
 
-Enfin, il permet l’ajout d’[extensions](#extensions) pour encore plus de personnalisation.
+Plusieurs [méthodes de connexion](https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html) sont supportées : formulaire Web (avec un mode anonyme), Authentification HTTP (compatible avec proxy), OpenID Connect.
+
+Enfin, FreshRSS permet l’ajout d’[extensions](#extensions) pour encore plus de personnalisation.
 
 * Site officiel : <https://freshrss.org>
 * Démo : <http://demo.freshrss.org/>

+ 3 - 1
README.md

@@ -17,7 +17,9 @@ FreshRSS is able to receive instant push notifications from compatible sources,
 
 FreshRSS natively supports basic Web scraping, based on [XPath](https://www.w3.org/TR/xpath-10/), for Web sites not providing any RSS / Atom feed.
 
-Finally, it supports [extensions](#extensions) for further tuning.
+Different [login methods](https://freshrss.github.io/FreshRSS/en/admins/09_AccessControl.html) are supported: Web form (including an anonymous option), HTTP Authentication (compatible with proxy delegation), OpenID Connect.
+
+Finally, FreshRSS supports [extensions](#extensions) for further tuning.
 
 * Official website: <https://freshrss.org>
 * Demo: <https://demo.freshrss.org/>

+ 14 - 1
app/layout/aside_configure.phtml

@@ -1,3 +1,16 @@
+<?php
+function get_logout_url(): string {
+	if (($_SERVER['AUTH_TYPE'] ?? '') === 'openid-connect') {
+		$url_string = urlencode(Minz_Request::guessBaseUrl());
+		return './oidc/?logout=' . $url_string . '/';
+		# The trailing slash is necessary so that we don’t redirect to http://.
+		# https://bz.apache.org/bugzilla/show_bug.cgi?id=61355#c13
+	} else {
+		return _url('auth', 'logout') ?: '';
+	}
+}
+?>
+
 <nav class="nav nav-list aside" id="aside_feed">
 	<a class="toggle_aside" href="#close"><?= _i('close') ?></a>
 
@@ -9,7 +22,7 @@
 					<a href="<?= _url('user', 'profile') ?>"><?= _t('gen.menu.user_profile') ?></a>
 				</li>
 				<li class="item">
-					<a class="signout" href="<?= _url('auth', 'logout') ?>">
+					<a class="signout" href="<?= get_logout_url() ?>">
 						<?php
 						echo _t('gen.auth.logout'); ?> <?= _i('logout') ?></a>
 				</li>
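Review bot: `get_logout_url()` is declared unconditionally inside a template (the `<?php` block at the top of the first hunk), so a second include of aside_configure.phtml in the same request, or any other template declaring the same global name, is a fatal "Cannot redeclare" error; guard it with `if (!function_exists('get_logout_url')) {` … `}` or move it next to the other view helpers such as `_url`. The two `#` comments explaining the trailing slash sit after the `return` statement, where they read as dead code; place them above `return './oidc/?logout=' . $url_string . '/';`. The branch condition `($_SERVER['AUTH_TYPE'] ?? '') === 'openid-connect'` is presumably relying on the `AuthType openid-connect` directive being exported by Apache rather than on the FreshRSS `auth_type` setting; a one-line comment saying so would explain why the template does not consult the configuration.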

+ 1 - 0
docs/en/admins/01_Index.md

@@ -20,6 +20,7 @@ Learn how to install, update, and backup FreshRSS, as well as how to use the com
 * [Updating on Debian 9/Ubuntu 16.04](07_LinuxUpdate.md)
 * [Setting Up Automatic Feed Updating](08_FeedUpdates.md)
 * [Access Control](09_AccessControl.md)
+* [OpenID Connect](16_OpenID-Connect.md)
 * [Apache/Nginx configuration files](10_ServerConfig.md)
 * [Database configuration](DatabaseConfig.md)
 * [Using the command line interface (CLI)](https://github.com/FreshRSS/FreshRSS/tree/edge/cli)

+ 4 - 0
docs/en/admins/09_AccessControl.md

@@ -37,6 +37,10 @@ WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option,
 Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin.
 It is never advisable to not use any form of authentication, but **never** chose this option on a server that is able to be accessed outside of your home network.
 
+## OpenID Connect
+
+* See [dedicated section](16_OpenID-Connect.md).
+
 ## Hints
 
 You can switch your authentication method at any time by editing the `./data/config.php` file, on the line that begins `'auth_type'`.

+ 36 - 0
docs/en/admins/16_OpenID-Connect.md

@@ -0,0 +1,36 @@
+# OpenID Connect (OIDC)
+
+See: [What is OpenID Connect?](https://openid.net/connect/).
+
+This is one of the [access control methods](09_AccessControl.md) supported by FreshRSS.
+
+OIDC support is provided by [mod_auth_openidc](https://github.com/OpenIDC/mod_auth_openidc).
+Additional documentation can be found in that project.
+
+## Using Docker
+
+OIDC support in Docker is activated by the presence of a non-empty non-zero `OIDC_ENABLED` environment variable.
+
+> ℹ️ Only available in our Debian image.
+
+## The config is done with these environment variables
+
+* `OIDC_ENABLED`: Activates OIDC support.
+* `OIDC_PROVIDER_METADATA_URL`: The config URL. Usually looks like: `<issuer>/.well-known/openid-configuration`
+* `OIDC_CLIENT_ID`: The OIDC client id from your issuer.
+* `OIDC_CLIENT_SECRET`: The OIDC client secret issuer.
+* `OIDC_CLIENT_CRYPTO_KEY`: An opaque key used for internal encryption.
+
+You may add additional custom configuration in a new `./FreshRSS/p/i/.htaccess` file.
+
+## Using own Apache installation
+
+See our reference [Apache configuration](https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/FreshRSS.Apache.conf) for more information.
+
+## Setup
+
+After being properly configured, OIDC support can be activated in FreshRSS.
+
+During a new FreshRSS install, the **HTTP Authentication Method** must be picked.
+
+After install, the method can be changed in *Administration > Authentication*.