author    pando85 <pando855@gmail.com>  2024-08-25 19:57:30 +0200
committer GitHub <noreply@github.com>  2024-08-25 19:57:30 +0200
commit    82593f59684aa143bc02053aaa891496a8739861 (patch)
tree      f2605680938b83917742a9c069418ea4b079fb64
parent    19e1cb470e9cc531ab68681ecf1b33c3146e5934 (diff)
download  freshrss-82593f59684aa143bc02053aaa891496a8739861.tar.gz
          freshrss-82593f59684aa143bc02053aaa891496a8739861.zip
Fix OIDC session params definition (#6730)
* Fix OIDC session params definition
  - standardize environment variable names
  - group all in the same configuration file
  - use mod_auth_openidc default values
  - fix `OIDCSessionMaxDuration` because it was not set with the previous code
  - add documentation
* Add double quoting to prevent globbing and word splitting
* Revert line deleted by mistake
-rw-r--r--  Docker/FreshRSS.Apache.conf        | 6
-rwxr-xr-x  Docker/entrypoint.sh               | 7
-rw-r--r--  docs/en/admins/16_OpenID-Connect.md | 4
3 files changed, 14 insertions, 3 deletions
diff --git a/Docker/FreshRSS.Apache.conf b/Docker/FreshRSS.Apache.conf
index 253f53614..86ea27915 100644
--- a/Docker/FreshRSS.Apache.conf
+++ b/Docker/FreshRSS.Apache.conf
@@ -31,6 +31,10 @@ CustomLog "|/var/www/FreshRSS/cli/sensitive-log.sh" combined_proxy
OIDCClientID ${OIDC_CLIENT_ID}
OIDCClientSecret ${OIDC_CLIENT_SECRET}
+ OIDCSessionInactivityTimeout ${OIDC_SESSION_INACTIVITY_TIMEOUT}
+ OIDCSessionMaxDuration ${OIDC_SESSION_MAX_DURATION}
+ OIDCSessionType ${OIDC_SESSION_TYPE}
+
OIDCRedirectURI /i/oidc/
OIDCCryptoPassphrase ${OIDC_CLIENT_CRYPTO_KEY}
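Review bot: the three new `OIDCSession*` directives are unconditional `${VAR}` expansions, so this file now fails to load cleanly unless `OIDC_SESSION_INACTIVITY_TIMEOUT`, `OIDC_SESSION_MAX_DURATION` and `OIDC_SESSION_TYPE` are exported every time Apache is started; an unset variable is left as the literal `${...}` text with only a warning, and for `OIDCSessionType` that is not a valid value. The defaults live only in `Docker/entrypoint.sh`, so either state in a comment here that the entrypoint is the sole supported way to start Apache with OIDC, or keep the directives under a separate `<IfDefine>` so a bare `apachectl` start still works. Separately, since `OIDCSessionType` is now operator-controlled, it is worth a comment that a `client-cookie` session makes session integrity depend entirely on `OIDCCryptoPassphrase` (`OIDC_CLIENT_CRYPTO_KEY`) two lines below.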
@@ -53,7 +57,7 @@ CustomLog "|/var/www/FreshRSS/cli/sensitive-log.sh" combined_proxy
OIDCXForwardedHeaders ${OIDC_X_FORWARDED_HEADERS}
</IfDefine>
- # Can be overridden e.g. in /var/www/FreshRSS/p/i/.htaccess
+ # Can be overridden e.g. in /var/www/FreshRSS/p/i/.htaccess
OIDCRefreshAccessTokenBeforeExpiry 30
</IfDefine>
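Review bot: the comment line at the top of this hunk renders identically before and after, so this is a whitespace-only change (indentation or trailing space). It is unrelated to the session parameters; confirm it is the "revert line deleted by mistake" from the commit message rather than an editor reformat, and if so say so in the message so the diff stays explainable.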
diff --git a/Docker/entrypoint.sh b/Docker/entrypoint.sh
index 8784247cd..bf250840a 100755
--- a/Docker/entrypoint.sh
+++ b/Docker/entrypoint.sh
@@ -22,6 +22,11 @@ if [ -n "$TRUSTED_PROXY" ]; then
fi
if [ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ]; then
+ # Default values
+ export OIDC_SESSION_INACTIVITY_TIMEOUT="${OIDC_SESSION_INACTIVITY_TIMEOUT:-300}"
+ export OIDC_SESSION_MAX_DURATION="${OIDC_SESSION_MAX_DURATION:-27200}"
+ export OIDC_SESSION_TYPE="${OIDC_SESSION_TYPE:-server-cache}"
+
# Debian
(which a2enmod >/dev/null && a2enmod -q auth_openidc) ||
# Alpine
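Review bot: the default `OIDC_SESSION_MAX_DURATION="${OIDC_SESSION_MAX_DURATION:-27200}"` does not match the 8 hours (3600 * 8 = 28800 seconds) that the documentation added in this same commit states, and that the commit message says is the mod_auth_openidc default; 27200 looks like a typo for 28800 and should be corrected so the shipped default and the documented default agree. Also note that these defaults replace the previous 86400 s inactivity and 2592000 s maximum with 300 s and ~8 h: existing Docker deployments that relied on the old defaults will start being logged out after five idle minutes, which is the safer setting but is a user-visible behaviour change and deserves a changelog entry.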
@@ -31,8 +36,6 @@ if [ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ]; then
OIDC_SCOPES=$(echo "$OIDC_SCOPES" | tr ':' ' ')
export OIDC_SCOPES
fi
- find /etc/apache2/*/ -type f -name '*openidc.conf' -exec sed -r -i "/^#?OIDCSessionInactivityTimeout/s/^.*/OIDCSessionInactivityTimeout ${OIDCSessionInactivityTimeout:-86400}/" {} \;
- find /etc/apache2/*/ -type f -name '*openidc.conf' -exec sed -r -i "/^#?OIDCSessionMaxDuration/s/^.*/OIDCSessionMaxDuration ${OIDCSessionMaxDuration:-2592000}/" {} \;
fi
if [ -n "$CRON_MIN" ]; then
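Review bot: the removed `find ... sed` lines read `OIDCSessionInactivityTimeout` and `OIDCSessionMaxDuration` from the environment, and the new code reads `OIDC_SESSION_INACTIVITY_TIMEOUT` and `OIDC_SESSION_MAX_DURATION` only, so deployments that already set the old names will silently fall back to the new defaults. A one-release compatibility fallback costs little, e.g. `export OIDC_SESSION_INACTIVITY_TIMEOUT="${OIDC_SESSION_INACTIVITY_TIMEOUT:-${OIDCSessionInactivityTimeout:-300}}"`, with a warning when the old name is used. Also worth checking: the old `sed` also rewrote any uncommented `OIDCSession*` directive in the distro's `*openidc.conf`; with it gone, a value shipped there could still be in effect alongside the one set in `FreshRSS.Apache.conf`, so verify which one wins on both the Debian and Alpine images.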
diff --git a/docs/en/admins/16_OpenID-Connect.md b/docs/en/admins/16_OpenID-Connect.md
index ee5be0c9c..e1f267f62 100644
--- a/docs/en/admins/16_OpenID-Connect.md
+++ b/docs/en/admins/16_OpenID-Connect.md
@@ -25,6 +25,9 @@ OIDC support in Docker is activated by the presence of a non-empty non-zero `OID
* `OIDC_REMOTE_USER_CLAIM`: The claim to use as the username within FreshRSS. Defaults to `preferred_username`. Depending on what you choose here, and your identity provider, you’ll need to adjust the scopes you request so that this claim will be accessible. Refer to your identity provider’s documentation.
* `OIDC_SCOPES`: The OIDC scopes to request separated by an empty space. Defaults to `openid`. As mentioned previously, make sure the scopes you pick contain whatever `OIDC_REMOTE_USER_CLAIM` you chose. For example, Authelia would require setting this value to `openid profile` to make `preferred_username` accessible.
* `OIDC_X_FORWARDED_HEADERS`: Optional, but required when running FreshRSS behind a reverse proxy so that the OIDC module can determine what hostname, port and protocol were used to access FreshRSS, in order to generate a return URL for the OIDC authorization flow. Must be one or more of `Forwarded`, `X-Forwarded-Host`, `X-Forwarded-Port` or `X-Forwarded-Proto` (separate multiple values with a space). See [mod_auth_openidc’s documentation for details](https://github.com/OpenIDC/mod_auth_openidc/blob/72c9f479c2d228477ff0a9518964f61879c83fb6/auth_openidc.conf#L1041-L1048).
+* `OIDC_SESSION_INACTIVITY_TIMEOUT`: Optional. Interval in seconds after which the session will be invalidated when no interaction has occurred. When not defined, the default is 300 seconds.
+* `OIDC_SESSION_MAX_DURATION`: Optional. Maximum duration of the application session. When not defined the default is 8 hours (3600 * 8 seconds). When set to 0, the session duration will be set equal to the expiry time of the ID token.
+* `OIDC_SESSION_TYPE`: Optional. OpenID Connect session storage type. See [mod_auth_openidc’s documentation for details](https://github.com/OpenIDC/mod_auth_openidc/blob/72c9f479c2d228477ff0a9518964f61879c83fb6/auth_openidc.conf#L587-L596).
You may add additional custom configuration in a new `./FreshRSS/p/i/.htaccess` file.
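Review bot: the `OIDC_SESSION_MAX_DURATION` entry says the default is 8 hours (3600 * 8 seconds, i.e. 28800), but `Docker/entrypoint.sh` in this same commit sets `27200`; fix one side so the documentation matches what the image actually applies. For consistency with the two entries above it, `OIDC_SESSION_TYPE` should also state its default (`server-cache`, as set in the entrypoint) and name the alternative value, since switching session storage changes where the session state lives and what it is protected by.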
@@ -45,3 +48,4 @@ After install, the method can be changed in *Administration > Authentication*. N
See specific instructions for:
* Authentik : [here](16_OpenID-Connect-Authentik.md) or [here](https://goauthentik.io/integrations/services/freshrss/)
+
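Review bot: the only change in this hunk is an added trailing blank line at end of file. If the file previously lacked a final newline this is fine; otherwise drop it to keep the diff limited to the session-parameter change.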