I submitted a pull request for these changes to the official docs, but in case there is an issue, this guide should hopefully help out the next person trying to install this. https://github.com/FreshRSS/FreshRSS/pull/5969

The main documentation page is here: https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html

At the bottom of this page, they have a step by step guide here: https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect-Authentik.html

The guide could benefit from a few clarifications:

  1. You must set two callback URLs in Authentik:
     https://freshrss.example.net/i/oidc
     https://freshrss.example.net:443/i/oidc

     Yes, the port number is needed. You may be able to use ONLY the URL with the port number, but you CAN'T use the URL without the port, even if you are using the standard HTTPS port (443).

  2. OIDC_CLIENT_CRYPTO_KEY is really just a random string; you can generate it from a random password generator. Not sure if there is a max length or special character restriction.

  3. OIDC_SCOPES should include email as well, as Authentik includes that by default with the OAuth provider:

     OIDC_SCOPES: openid email profile

  4. Not sure how to set up OIDC in an existing installation, because you get stuck in a loop. The last step after everything works is to log in to FreshRSS and, under FreshRSS -> Settings -> Authentication, change the user to HTTP. But this setting is only available if you have OIDC enabled. And if you enable OIDC and try to log in, you have to log in with a user that already has HTTP enabled. I got it to work because I was setting up a fresh install, so it brought me to the page to create the user; I made one with the same name as my OAuth admin user and then I was able to immediately set it to HTTP in the settings before logging out. Not sure how to get around this on an existing install.

  5. For OIDC_REMOTE_USER_CLAIM: preferred_username, I'm not sure where the preferred_username actually comes from, but setting it to preferred_username actually works in my Authentik install.

  • Lem453@lemmy.ca (OP) · 6 months ago

    My complete docker compose file. Uses Traefik as a reverse proxy and Authentik for OAuth:

    # ENV File must define:
    # OIDC_PROVIDER_METADATA_URL -> taken from authentik oAuth Provider Settings page
    # OIDC_CLIENT_ID -> taken from authentik oAuth Provider Settings page
    # OIDC_CLIENT_SECRET -> taken from authentik oAuth Provider Settings page
    # OIDC_CLIENT_CRYPTO_KEY -> randomly generated password
    
    version: "2.4"
    
    volumes:
      freshrss-data:
        name: freshrss-data
        driver_opts:
          type: nfs
          o: addr=192.168.37.25,nolock,soft,rw
          device: :/zfspool1/dockerData/freshrss/data
      freshrss-extensions:
        name: freshrss-extensions
        driver_opts:
          type: nfs
          o: addr=192.168.37.25,nolock,soft,rw
          device: :/zfspool1/dockerData/freshrss/extensions
    
    networks:
      traefik_proxy:
        name: traefik_proxy
        external: true
    
    
    services:
      freshrss:
        image: freshrss/freshrss:1.22.1
        container_name: freshrss
        hostname: freshrss
        networks:
          traefik_proxy:
            ipv4_address: 172.18.0.61
        restart: unless-stopped
        logging:
          options:
            max-size: 10m
        volumes:
          - freshrss-data:/var/www/FreshRSS/data
          - freshrss-extensions:/var/www/FreshRSS/extensions
        env_file:
          - ../stack.env
        environment:
          TZ: America/Chicago
          CRON_MIN: '1,31'
          TRUSTED_PROXY: 172.18.0.30 #internal docker traefik IP address
          OIDC_ENABLED: 1
          OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto
          OIDC_SCOPES: openid email profile
          OIDC_REMOTE_USER_CLAIM: preferred_username
        deploy:
          resources:
            limits:
              cpus: '2'
              memory: 2G
            reservations:
              cpus: '2'
              memory: 500M
        labels:
          - "traefik.enable=true"
          - "traefik.docker.network=traefik_proxy"
          - "traefik.http.routers.fressrss.rule=Host(`rss.domain.com`)"
          - "traefik.http.routers.fressrss.entrypoints=websecure"
          - "traefik.http.routers.fressrss.tls.certresolver=myresolver"
          - "traefik.http.routers.fressrss.service=fressrss"
          - "traefik.http.services.fressrss.loadbalancer.server.port=80"
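An offline preflight script that encodes the points made in the post above (both callback URL forms registered in Authentik, OIDC_SCOPES carrying openid/email/profile, OIDC_CLIENT_CRYPTO_KEY as a random string) and checks the OIDC-related keys of a compose environment block like the one in this comment (OIDC_ENABLED, OIDC_X_FORWARDED_HEADERS, TRUSTED_PROXY inside the proxy network). This is an added example, not code from the post, FreshRSS, Authentik or Traefik. The registered redirect URI list, the environment dict, the proxy network and the metadata URL are constructed sample values and placeholders, and the checks are assumptions derived from the thread, not FreshRSS's own validation logic.

```python
"""Offline preflight checks for a FreshRSS + Authentik OIDC setup (added example)."""
import ipaddress
import secrets
import string
from urllib.parse import urlsplit

CALLBACK_PATH = "/i/oidc"
REQUIRED_SCOPES = ("openid", "email", "profile")
REQUIRED_ENV = (
    "OIDC_ENABLED", "OIDC_PROVIDER_METADATA_URL", "OIDC_CLIENT_ID",
    "OIDC_CLIENT_SECRET", "OIDC_CLIENT_CRYPTO_KEY", "OIDC_REMOTE_USER_CLAIM",
    "OIDC_SCOPES", "OIDC_X_FORWARDED_HEADERS", "TRUSTED_PROXY",
)
FORWARDED_HEADERS = ("X-Forwarded-Host", "X-Forwarded-Port", "X-Forwarded-Proto")


def expected_callback_urls(base_url):
    """Callback URL without and with an explicit port (only the port form for non-default ports)."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported base URL: {base_url!r}")
    default = 443 if parts.scheme == "https" else 80
    port = parts.port or default
    with_port = f"{parts.scheme}://{parts.hostname}:{port}{CALLBACK_PATH}"
    if port != default:
        return [with_port]
    return [f"{parts.scheme}://{parts.hostname}{CALLBACK_PATH}", with_port]


def missing_callbacks(base_url, registered):
    """Expected callback URLs absent from the provider's redirect URI list."""
    registered = {u.strip() for u in registered}
    return [u for u in expected_callback_urls(base_url) if u not in registered]


def missing_scopes(scopes):
    """Scopes from REQUIRED_SCOPES absent from a space-separated OIDC_SCOPES value."""
    present = set(str(scopes).split())
    return [s for s in REQUIRED_SCOPES if s not in present]


def generate_crypto_key(length=48):
    """Random alphanumeric OIDC_CLIENT_CRYPTO_KEY from a CSPRNG.

    Letters and digits only, because the post is unsure whether special
    characters are accepted (assumption: a long alphanumeric string is fine).
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_environment(env, proxy_network):
    """Return a list of problems found in a compose 'environment' mapping."""
    problems = []
    for key in REQUIRED_ENV:
        if not str(env.get(key, "")).strip():
            problems.append(f"{key} is missing or empty")
    if str(env.get("OIDC_ENABLED", "")) != "1":
        problems.append("OIDC_ENABLED must be 1")
    for scope in missing_scopes(env.get("OIDC_SCOPES", "")):
        problems.append(f"OIDC_SCOPES lacks {scope}")
    headers = set(str(env.get("OIDC_X_FORWARDED_HEADERS", "")).split())
    for h in FORWARDED_HEADERS:
        if h not in headers:
            problems.append(f"OIDC_X_FORWARDED_HEADERS lacks {h}")
    # TRUSTED_PROXY should be the reverse proxy's address on the shared docker
    # network; forwarded headers from any other source are not trusted.
    try:
        proxy_ip = ipaddress.ip_address(str(env.get("TRUSTED_PROXY", "")).split()[0])
        if proxy_ip not in ipaddress.ip_network(proxy_network):
            problems.append(f"TRUSTED_PROXY {proxy_ip} is outside {proxy_network}")
    except (ValueError, IndexError):
        problems.append("TRUSTED_PROXY is not a valid IP address")
    return problems


# Constructed sample data mirroring the thread, not output of a real instance.
SAMPLE_REGISTERED_URIS = ["https://freshrss.example.net/i/oidc"]  # port form forgotten
SAMPLE_ENV = {
    "TZ": "America/Chicago",
    "TRUSTED_PROXY": "172.18.0.30",
    "OIDC_ENABLED": 1,
    "OIDC_X_FORWARDED_HEADERS": "X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto",
    "OIDC_SCOPES": "openid profile",  # email left out on purpose
    "OIDC_REMOTE_USER_CLAIM": "preferred_username",
    # Values normally supplied by the env file; placeholders here.
    "OIDC_PROVIDER_METADATA_URL": "https://authentik.example.net/<metadata-url-placeholder>",
    "OIDC_CLIENT_ID": "<client-id-placeholder>",
    "OIDC_CLIENT_SECRET": "<client-secret-placeholder>",
    "OIDC_CLIENT_CRYPTO_KEY": generate_crypto_key(),
}

if __name__ == "__main__":
    for url in missing_callbacks("https://freshrss.example.net", SAMPLE_REGISTERED_URIS):
        print("register this redirect URI in Authentik:", url)
    for problem in check_environment(SAMPLE_ENV, "172.18.0.0/16"):
        print("compose problem:", problem)
```

Run it as-is and it reports the missing `:443` redirect URI and the missing `email` scope from the constructed sample; swap in your own base URL, Authentik redirect URI list and the environment mapping from your compose file to check a real setup before enabling OIDC (the login-loop issue described above is exactly why catching these before the first OIDC login is worthwhile).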