Configure FreshRSS With OIDC Auth
Summary
FreshRSS has relatively good documentation, but I did find a couple of things confusing when adding OIDC authentication via Keycloak. The steps below should guide others in setting up their own instance.
Deployment
Versions
- FreshRSS: 1.23.1
- Image: the Apache variant; the Alpine variant does not work with OIDC auth at this time
- Keycloak: 21.1.2
Setup Keycloak OIDC
In the realm you intend on using, create a new OIDC client.
General Settings
Key | Value | Example |
---|---|---|
Client Type | OpenID Connect | N/A |
Client ID | Can be anything | https://<my domain>/i/oidc/ |
Name | Can be anything | FreshRSS |
Capability config
Only one setting needs to be changed: enable “Client authentication”.
Login settings
Key | Value | Example |
---|---|---|
Root URL | Leave empty | |
Home URL | Home URL of FreshRSS instance | https://freshrss.init6.sh |
Valid redirect URIs | https://<my domain>:<my port>/i/oidc/ | https://freshrss.init6.sh:443/i/oidc/ |
Valid post logout redirect URIs | Leave empty | |
Web origins | Leave empty | |
The redirect URI MUST contain the port used by your FreshRSS instance. If the port is omitted, you will receive an invalid redirect warning.
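The port requirement above follows from two things: FreshRSS rebuilds its callback URL from the X-Forwarded-Proto/Host/Port headers the reverse proxy sends (the OIDC_X_FORWARDED_HEADERS setting in the deployment further down), and Keycloak compares that URL literally against the client's Valid redirect URIs. The following is an added example, not code from FreshRSS, mod_auth_openidc or Keycloak; it assumes the callback URL is written with an explicit port (as the `:443` in this post shows) and models Keycloak's matching as an exact string comparison with an optional trailing `*` wildcard, a simplification of the real rules. Host names, ports and headers are constructed sample values.

```python
"""Why the Keycloak redirect URI must carry the port (added example).

Assumptions, labelled: the callback URL is rebuilt from X-Forwarded-* headers
with the port written out; Keycloak matching is literal with only a trailing
'*' wildcard (the real rules also resolve relative entries against Root URL).
"""
from urllib.parse import urlsplit

FORWARDED_HEADERS = ("X-Forwarded-Proto", "X-Forwarded-Host", "X-Forwarded-Port")


def build_redirect_uri(headers: dict, path: str = "/i/oidc/") -> str:
    """Reconstruct the externally visible callback URL from proxy headers.

    A missing header means the proxy is not passing the values named in
    OIDC_X_FORWARDED_HEADERS, so fail loudly rather than guess a default.
    """
    missing = [h for h in FORWARDED_HEADERS if h not in headers]
    if missing:
        raise ValueError("proxy did not forward: " + ", ".join(missing))
    proto = headers["X-Forwarded-Proto"].strip().lower()
    host = headers["X-Forwarded-Host"].split(",")[0].strip()  # first hop only
    port = headers["X-Forwarded-Port"].strip()
    if not port.isdigit():
        raise ValueError(f"bad X-Forwarded-Port: {port!r}")
    # The port is always written out, even when it is the scheme default.
    return f"{proto}://{host}:{port}{path}"


def keycloak_redirect_matches(registered: list[str], redirect_uri: str) -> bool:
    """Literal comparison: scheme, host, port and path must all match, so
    'https://h/i/oidc/' does NOT match 'https://h:443/i/oidc/'."""
    for pattern in registered:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def diagnose_mismatch(registered: list[str], redirect_uri: str) -> list[str]:
    """Name the URL components that differ from the closest registered entry,
    so the invalid-redirect error points at a concrete fix."""
    want = urlsplit(redirect_uri)
    best = None
    for pattern in registered:
        got = urlsplit(pattern.rstrip("*"))
        diffs = [name for name, a, b in (
            ("scheme", got.scheme, want.scheme),
            ("host", got.hostname, want.hostname),
            ("port", got.port, want.port),
            ("path", got.path, want.path),
        ) if a != b]
        if best is None or len(diffs) < len(best):
            best = diffs
    return best or []


# Constructed headers, as a TLS-terminating proxy in front of FreshRSS would send them.
SAMPLE_HEADERS = {
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "freshrss.init6.sh",
    "X-Forwarded-Port": "443",
}

if __name__ == "__main__":
    uri = build_redirect_uri(SAMPLE_HEADERS)
    for registered in (["https://freshrss.init6.sh/i/oidc/"],
                       ["https://freshrss.init6.sh:443/i/oidc/"]):
        if keycloak_redirect_matches(registered, uri):
            print(registered[0], "-> accepted")
        else:
            print(registered[0], "-> rejected, differs in", diagnose_mismatch(registered, uri))
```

Running the block shows the first registration (no port) rejected with `port` as the only differing component, and the second accepted; that is the mismatch behind the warning this section describes.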
Obtain client credentials
After submitting the client above, a client secret will be generated; FreshRSS needs it. You can collect it by selecting the newly created client –> Credentials –> Client Secret.
Deploy FreshRSS
Set FreshRSS ENV vars
Below is a stripped-down FreshRSS deployment config; the environment variables in it are what is needed to get things rolling. Note that this is obviously not a secure way to handle secrets in Kubernetes, but that is not the point of this post. Handle your secrets appropriately.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: freshrss
  name: freshrss
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: freshrss
  template:
    metadata:
      labels:
        app.kubernetes.io/name: freshrss
    spec:
      containers:
        - name: freshrss
          image: docker.io/freshrss/freshrss:1.20.1
          imagePullPolicy: Always
          env:
            - name: OIDC_ENABLED
              value: "1"
            - name: OIDC_PROVIDER_METADATA_URL
              value: "https://<hostname>/realms/<realm name>/.well-known/openid-configuration"
            - name: OIDC_CLIENT_ID
              value: "https://<freshrss host>/i/oidc/"
            - name: OIDC_CLIENT_SECRET
              value: "<client secret found in previous step>"
            - name: OIDC_CLIENT_CRYPTO_KEY
              value: "<any random encryption string>"
            - name: OIDC_SCOPES
              value: "openid email profile"
            - name: OIDC_X_FORWARDED_HEADERS
              value: "X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host"
```
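The "handle your secrets appropriately" part: the two values a pod spec should never carry as literals are OIDC_CLIENT_SECRET and OIDC_CLIENT_CRYPTO_KEY. The following is an added example, not code from the post, FreshRSS or Kubernetes. It takes an env list like the one in the Deployment above and returns the same list with those two variables rewritten to `valueFrom.secretKeyRef`, plus the Secret manifest holding them; it also generates the crypto key from a CSPRNG instead of a hand-typed string. Output is JSON, which `kubectl apply -f` accepts like YAML, to avoid a PyYAML dependency. The secret name `freshrss-oidc` is an assumption; the angle-bracket placeholders are the post's.

```python
"""Move the OIDC secrets out of the Deployment into a Kubernetes Secret.

Added example. Assumptions, labelled: Secret name 'freshrss-oidc'; a value of
the form '<...>' for the crypto key is treated as "not yet chosen".
"""
import json
import secrets

# Variables that must never appear as literal values in a pod spec.
SENSITIVE = {"OIDC_CLIENT_SECRET", "OIDC_CLIENT_CRYPTO_KEY"}


def generate_crypto_key(nbytes: int = 32) -> str:
    """CSPRNG value for OIDC_CLIENT_CRYPTO_KEY (43 url-safe chars for 32 bytes)."""
    return secrets.token_urlsafe(nbytes)


def plaintext_leaks(env: list[dict]) -> list[str]:
    """Sensitive variables still carried as a literal 'value' in the env list."""
    return sorted(e["name"] for e in env if e["name"] in SENSITIVE and "value" in e)


def split_secrets(env: list[dict], secret_name: str = "freshrss-oidc"):
    """Return (env_with_secret_refs, secret_manifest).

    An unset or placeholder crypto key is replaced with a freshly generated
    one; every other value is copied as given.
    """
    env_out, string_data = [], {}
    for item in env:
        name = item["name"]
        if name not in SENSITIVE:
            env_out.append(dict(item))
            continue
        value = item.get("value", "")
        if name == "OIDC_CLIENT_CRYPTO_KEY" and (not value or value.startswith("<")):
            value = generate_crypto_key()
        string_data[name] = value
        env_out.append({
            "name": name,
            "valueFrom": {"secretKeyRef": {"name": secret_name, "key": name}},
        })
    secret = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": secret_name},
        "type": "Opaque",
        "stringData": string_data,  # the API server base64-encodes this into .data
    }
    return env_out, secret


# Constructed from the Deployment above; angle-bracket placeholders are the post's.
SAMPLE_ENV = [
    {"name": "OIDC_ENABLED", "value": "1"},
    {"name": "OIDC_PROVIDER_METADATA_URL",
     "value": "https://<hostname>/realms/<realm name>/.well-known/openid-configuration"},
    {"name": "OIDC_CLIENT_ID", "value": "https://<freshrss host>/i/oidc/"},
    {"name": "OIDC_CLIENT_SECRET", "value": "<client secret found in previous step>"},
    {"name": "OIDC_CLIENT_CRYPTO_KEY", "value": "<any random encryption string>"},
    {"name": "OIDC_SCOPES", "value": "openid email profile"},
    {"name": "OIDC_X_FORWARDED_HEADERS",
     "value": "X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host"},
]

if __name__ == "__main__":
    env, secret = split_secrets(SAMPLE_ENV)
    print("leaks before:", plaintext_leaks(SAMPLE_ENV), "after:", plaintext_leaks(env))
    print(json.dumps(secret, indent=2))
    print(json.dumps({"env": env}, indent=2))
```

Apply the printed Secret first, then paste the rewritten `env` list into the container spec; `plaintext_leaks` doubles as a quick pre-commit check over any manifest you have already written.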
Setup FreshRSS
After FreshRSS has been deployed you will need to run through the installation process. After setting up the database you will be taken to the final step. You will know all settings are correct when two conditions are met:
- The greyed-out user is your Keycloak username; if it is not, the OIDC process failed.
- The authentication method now lets you select HTTP; if you cannot select HTTP auth, OIDC has failed.
Fill out the username, select HTTP auth, and skip the password. Like below:
At this point you are done and OIDC authentication should be working. However, if you would like to use an external application like Fluent Reader
Setup external application
To access the Fever API, it needs to be enabled from the Authentication section in Administration. See below:
Now move up to your user's Profile section and input an API password:
You are now all good to go; the Fever API can be accessed at https://<freshrss host>/api/fever.php
Sources
- https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html
- https://goauthentik.io/integrations/services/freshrss/