OIDC authentication plugin

I’ve been playing with Authelia, this is the result - tt-rss/ttrss-auth-oidc: Authenticates against an OIDC provider (like Authelia) - ttrss-auth-oidc - Tiny Tiny RSS

This is not exactly battle-tested but it seems to work for me.

UPD: one eagle-eyed forum poster noticed an oauth credential in the repo, in case someone else does - don’t worry it’s not active.

Thanks for the plugin, works for me so far, I’ve only had a small problem with the redirect so far.
For example, I call up https://rss.example.com/tt-rss, log in with Authelia, but after successful login I am redirected to rss.example.com/tt-rss without https and thus run into a timeout.
If I activate the https only mode in the browser, then the whole login and redirection process works.

The browser in my case is LibreWolf.

plugin should ask authelia to redirect based on SELF_URL_PATH, start with checking that.

I’m using it successfully with Keycloak (instead of Authelia)

thanks for the plugin.

Working perfectly with Authentik as well.

The plugin itself seems to work nicely, but I cannot login with admin anymore.
Do I miss something?

This is in my .env:

TTRSS_PLUGINS="auth_internal, auth_oidc, note, nginx_xaccel"
ADMIN_USER_PASS=<my_pass> 

you should be able to login with any account either using OIDC or locally, plugin doesn’t stop any other auth methods from working. not sure what to tell you.

Indeed, unrelated to this plugin.
Even with just

TTRSS_PLUGINS="auth_internal"

I cannot login, but without TTRSS_PLUGINS in .env, it works

I definitely miss something :smile:

May I kindly ask how you have set up ttrss to work with authentik? I currently try to accomplish the same but I seem to not get it working as expected.
Basically I added a new OIDC provider and attached an application to it in authentik, enabled the plugin in ttrss and configured the .env, but no additional login button appears.

Any help appreciated.

sorry for double posting.
after digging around for a while I managed to get the additional login button to work but as soon as I press “login with authentik” I receive an error 500, so it seems my authentik is configured wrongly.
Log of TTRSS stated: Uncaught Jumbojett\OpenIDConnectClientException: The provider authorization_endpoint could not be fetched. Make sure your provider has a well known configuration available

Any Ideas?

EDIT: Got it working. Used the wrong URL.

Following up on @xinput’s post and to save others some time.

With Authentik you use the OpenID Configuration Issuer url from the Provider dashboard, not the OpenID Configuration URL. So, assuming that your application name is TT-RSS and your Authentik domain is authentik.tld, your two urls would be:

TTRSS_AUTH_OIDC_URL=https://authentik.tld/application/o/tt-rss/
TTRSS_AUTH_OIDC_POST_LOGOUT_URL=https://authentik.tld/application/o/tt-rss/end-session/
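
An added example, not part of any post above and not the plugin's own code: a small preflight check for the two misconfigurations reported in this thread (the OpenID Configuration URL pasted where the issuer URL belongs, and a non-https SELF_URL_PATH). The function names, the sample discovery document and the `TTRSS_SELF_URL_PATH` key spelling are assumptions; the discovery path is the one defined by OpenID Connect Discovery 1.0.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def discovery_url(issuer_url):
    """Where a client looks for provider metadata (OIDC Discovery 1.0, section 4)."""
    return issuer_url.rstrip("/") + WELL_KNOWN

def check_oidc_env(env, discovery_doc=None):
    """Return a list of problems with the OIDC-related .env values (empty = OK)."""
    problems = []
    issuer_url = env.get("TTRSS_AUTH_OIDC_URL", "")
    if urlsplit(issuer_url).scheme != "https":
        problems.append("TTRSS_AUTH_OIDC_URL must be an https URL")
    if issuer_url.rstrip("/").endswith(WELL_KNOWN):
        problems.append("TTRSS_AUTH_OIDC_URL is the configuration URL; use the issuer URL")
    # Assumption: the thread writes SELF_URL_PATH; accept it with or without TTRSS_.
    self_url = env.get("TTRSS_SELF_URL_PATH") or env.get("SELF_URL_PATH", "")
    if urlsplit(self_url).scheme != "https":
        problems.append("SELF_URL_PATH is not https")
    if discovery_doc is not None:
        # The client needs this endpoint to start the login redirect.
        if "authorization_endpoint" not in discovery_doc:
            problems.append("discovery document has no authorization_endpoint")
        # The issuer the provider advertises should be the URL that was configured.
        if discovery_doc.get("issuer", "").rstrip("/") != issuer_url.rstrip("/"):
            problems.append("issuer in discovery document does not match TTRSS_AUTH_OIDC_URL")
    return problems

# Constructed sample values, modelled on the URLs quoted in the thread.
SAMPLE_DOC = {
    "issuer": "https://authentik.tld/application/o/tt-rss/",
    "authorization_endpoint": "https://authentik.tld/application/o/authorize/",
}
GOOD_ENV = {
    "TTRSS_AUTH_OIDC_URL": "https://authentik.tld/application/o/tt-rss/",
    "TTRSS_SELF_URL_PATH": "https://rss.example.com/tt-rss",
}
BAD_ENV = {
    "TTRSS_AUTH_OIDC_URL": discovery_url(GOOD_ENV["TTRSS_AUTH_OIDC_URL"]),
    "TTRSS_SELF_URL_PATH": "http://rss.example.com/tt-rss",
}

if __name__ == "__main__":
    print("client will fetch:", discovery_url(GOOD_ENV["TTRSS_AUTH_OIDC_URL"]))
    for name, env in (("good", GOOD_ENV), ("bad", BAD_ENV)):
        print(name, check_oidc_env(env, SAMPLE_DOC) or "OK")
```

To check a live provider, fetch `discovery_url(...)` yourself and pass the parsed JSON as `discovery_doc`.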