[BUG] OIDC: Variable name must not contain ':' #5744

Closed
XtremeOwnageDotCom opened this issue Oct 25, 2023 · 6 comments · Fixed by #5753

XtremeOwnageDotCom (Contributor) commented Oct 25, 2023

Variable being passed:

```yaml
OIDC_SCOPES: "user:email"
```

Why is this a bug?

Because scopes are allowed to contain colons.

See https://goauthentik.io/docs/providers/oauth2/


Logs:

```
stream logs failed container "freshrss" in pod "freshrss-0" is waiting to start: ContainerCreating for freshrss/freshrss-0 (freshrss)
stream logs failed container "freshrss" in pod "freshrss-0" is waiting to start: ContainerCreating for freshrss/freshrss-0 (freshrss)
stream logs failed container "freshrss" in pod "freshrss-0" is waiting to start: ContainerCreating for freshrss/freshrss-0 (freshrss)
Enabling module auth_openidc.
apache2: Syntax error on line 225 of /etc/apache2/apache2.conf: Syntax error on line 44 of /etc/apache2/sites-enabled/FreshRSS.Apache.conf: Variable name must not contain ':'
Stream closed EOF for freshrss/freshrss-0 (freshrss)
```

XtremeOwnageDotCom (Contributor, Author) commented Oct 25, 2023

(For anyone else trying to get OIDC working w/ authentik using email: you can add the user.email or email scope, which works fine.)

Just making a ticket to remove the limitation preventing colons.

Alkarex added this to the 1.22.1 milestone Oct 25, 2023

Frenzie (Member) commented Oct 25, 2023

In the referenced Apache config it says they're separated by spaces. Apache will add colons.

Alkarex self-assigned this Oct 26, 2023
Alkarex added a commit to Alkarex/FreshRSS that referenced this issue Oct 26, 2023

Alkarex (Member) commented Oct 26, 2023

Untested patch #5753
Tests welcome!

Alkarex added a commit that referenced this issue Oct 27, 2023

Alkarex (Member) commented Oct 27, 2023

Please try again with the newest freshrss/freshrss:edge

XtremeOwnageDotCom (Contributor, Author) commented Oct 27, 2023

> Please try again with the newest freshrss/freshrss:edge

```
stream logs failed container "freshrss" in pod "freshrss-0" is waiting to start: ContainerCreating for freshrss/freshrss-0 (freshrss)
stream logs failed container "freshrss" in pod "freshrss-0" is waiting to start: ContainerCreating for freshrss/freshrss-0 (freshrss)
stream logs failed container "freshrss" in pod "freshrss-0" is waiting to start: ContainerCreating for freshrss/freshrss-0 (freshrss)
stream logs failed container "freshrss" in pod "freshrss-0" is waiting to start: ContainerCreating for freshrss/freshrss-0 (freshrss)
Enabling module auth_openidc.
[Fri Oct 27 14:04:06.854016 2023] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.57 (Debian) configured -- resuming normal operations
[Fri Oct 27 14:04:06.854605 2023] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND -D OIDC_ENABLED'
10.100.5.5 - - [27/Oct/2023:14:04:10 +0000] "GET /i/?state=2&order=DESC HTTP/1.1" 302 533 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
10.100.5.5 - eric [27/Oct/2023:14:04:11 +0000] "GET /i/oidc/?code=f7380fd9a7ac48d791bc3c86bb6d191f&state=6QFxCQUDzEuw1yF0TEYo-XTYtZ0 HTTP/1.1" 302 252 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
10.100.5.5 - eric [27/Oct/2023:14:04:14 +0000] "GET /i/?state=2&order=DESC HTTP/1.1" 200 16423 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
10.100.5.5 - - [27/Oct/2023:14:04:14 +0000] "GET /themes/base-theme/frss.css?1698413314 HTTP/1.1" 200 8543 "https://freshrss.kube.xtremeownage.com/i/?state=2&order=DESC" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
10.100.5.5 - - [27/Oct/2023:14:04:14 +0000] "GET /scripts/main.js?1698413314 HTTP/1.1" 200 13315 "https://freshrss.kube.xtremeownage.com/i/?state=2&order=DESC" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
10.100.5.5 - - [27/Oct/2023:14:04:14 +0000] "GET /themes/Mapco/mapco.css?1698413314 HTTP/1.1" 200 5254 "https://freshrss.kube.xtremeownage.com/i/?state=2&order=DESC" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
```

Using

```yaml
OIDC_SCOPES: "openid profile user:email"
```

Appears everything works as expected.

Alkarex (Member) commented Oct 28, 2023

I have made some final minor changes before release of 1.22.1 #5764
Test feedback welcome
