OIDC / oAuth expiry variable to prevent logging in every day

[laxmanpradhan]

Problem:

• FreshRss doesn't seem to hang onto the authentication token for very long and requires repeat login with oAuth every day
• Most apps would allow you to specify this or at least set it longer be default
• Setting the expiry time in Authentik to 30d does not affect this
• Setting the expiration time in the FreshRss admin settings to the max value also doesn't change this
• Having to login with my SSO password every since day is not very good UX, no other app requires this

Background:

• I've been using the oAuth with Authentik for quite some time now (I helped clarify the docs on how to do this setup Authentik oAuth setup documentation updates #5969 ). I have several other services that use oAuth. Each of these will remain logged in for days with no issue. (immich, linkwarden, seafile all use oAuth via my Authentik setup and have no problem staying logged in for days, maybe forever)
• Authentik has a setting to change the expiry in the provider screen, and I have set it to "days=30" which has not made any difference
• On the Authentik side, there is really nothing different than any other oAuth provider I have setup. Once logged in it works perfectly, it just requires re-login all the time.
• This happens on my computer when accessing it via browser and also on mobile when accessing through browser

Technical:

• I have freshrss/freshrss:1.23.1 running in docker
• I have persistent volumes for /data and /extensions

Solution:

• I don't think this issue is on the Authentik side, I think FreshRss is not saving the authentication token or has a setting somewhere to delete it after a certain amount of time
• some sort of expiry option in FreshRss or at least setting the default expiry to 30d would be reasonable

[Alkarex]

Hello,
We support OIDC via this Apache module: https://github.com/OpenIDC/mod_auth_openidc/
Help welcome to find out how to do it.
For reference: https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html

[laxmanpradhan]

Thanks! I'm experimenting with the solution listed here:

https://stackoverflow.com/questions/31975594/how-to-set-session-expiry-time-for-mod-auth-openidc

and the full list of sessions options here:
https://github.com/OpenIDC/mod_auth_openidc/blob/master/auth_openidc.conf#L529

I'm experimenting with adding these to FreshRSS.Apache.conf:

OIDCSessionInactivityTimeout 0
OIDCSessionMaxDuration  0
OIDCSessionType client-cookie:persistent

I've done this by mounting /var/www/FreshRSS/Docker/FreshRSS.Apache.conf as a file mount from the host to the docker container so I can modify it. Otherwise, this file is ephemeral and not part of the normal persistent /data folder mount for freshrss. Assuming this works, the solution would be:

1. Choose sane defaults and anyone who want to customize it can mount this file from the docker host like I did
2. create environmental variables that can be passed into this file from docker compose to set these values

I'll report back on the above settings to see how they work over the next few days.

[laxmanpradhan]

ok, I've tried all kinds of different combinations. Setting the numbers to 0, setting then high to 999999. I've set the session type to server-side and client-cookie. I don't think any change to this file has made any difference.

I don't thing my changes are actually doing anything. The file seems to be mounted into the correct location (FreshRSS.Apache.conf):

Is there some way to tell if apache is getting the values to using them? There are no logs in /var/logs/apache (3 empty files). I change the file and restart the docker container. Is there something else that needs to be changed?

I suspect I'm missing a step to get these values to actually be used.

I've added these values:

OIDCSessionInactivityTimeout 999999
OIDCSessionType client-cookie:persistent:store_id_token
OIDCSessionMaxDuration 999999
OIDCRefreshAccessTokenBeforeExpiry 999999

This is the file itself:

ServerName freshrss.localhost
Listen 80
DocumentRoot /var/www/FreshRSS/p/
AllowEncodedSlashes On
ServerTokens OS
TraceEnable Off
ErrorLog /dev/stderr

# For logging the original user-agent IP instead of proxy IPs:
<IfModule mod_remoteip.c>
	# Can be disabled by setting the TRUSTED_PROXY environment variable to 0:
	RemoteIPHeader X-Forwarded-For
	# Can be overridden by the TRUSTED_PROXY environment variable:
	RemoteIPInternalProxy 10.0.0.1/8 172.16.0.1/12 192.168.0.1/16
</IfModule>

LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy
CustomLog "|/var/www/FreshRSS/cli/sensitive-log.sh" combined_proxy

<IfDefine OIDC_ENABLED>
	<IfModule !auth_openidc_module>
		Error "The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED."
	</IfModule>

	# Workaround to be able to check whether an environment variable is set
	# See: https://serverfault.com/questions/1022233/using-ifdefine-with-environment-variables/1022234#1022234
	Define VStart "${"
	Define VEnd "}"

	# Interval in seconds after which the session will be invalidated when no interaction has occurred.
	# When not defined, the default is 300 seconds.
	OIDCSessionInactivityTimeout 999999

	# OpenID Connect session storage type.
	# "server-cache" server-side caching storage.
	# "client-cookie" uses browser-side sessions stored in a cookie; see also OIDCSessionCookieChunkSize next
	# A suffix ":persistent" can be added if you want to use a persistent cookie that survives browser restarts
	# instead of a session cookie that is tied to the lifetime of the browser session.
	# The "expires" value of the persistent cookie is controlled by the OIDCSessionInactivityTimeout setting.
	# A suffix ":store_id_token" can be added to "client-cookie" if you want the id_token to be stored
	# in the session to be used as id_token_hint in a logout request to the OP later.
	# When not defined the default "server-cache" is used.
	OIDCSessionType client-cookie:persistent:store_id_token

	# Maximum duration of the application session
	# When not defined the default is 8 hours (3600 * 8 seconds).
	# When set to 0, the session duration will be set equal to the expiry time of the ID token.
	# NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration
	OIDCSessionMaxDuration 999999

	OIDCProviderMetadataURL ${OIDC_PROVIDER_METADATA_URL}
	OIDCClientID ${OIDC_CLIENT_ID}
	OIDCClientSecret ${OIDC_CLIENT_SECRET}

	OIDCRedirectURI /i/oidc/
	OIDCCryptoPassphrase ${OIDC_CLIENT_CRYPTO_KEY}

	Define "Test_${OIDC_REMOTE_USER_CLAIM}"
	<IfDefine Test_${VStart}OIDC_REMOTE_USER_CLAIM${VEnd}>
		OIDCRemoteUserClaim preferred_username
	</IfDefine>
	<IfDefine !Test_${VStart}OIDC_REMOTE_USER_CLAIM${VEnd}>
		OIDCRemoteUserClaim "${OIDC_REMOTE_USER_CLAIM}"
	</IfDefine>
	Define "Test_${OIDC_SCOPES}"
	<IfDefine Test_${VStart}OIDC_SCOPES${VEnd}>
		OIDCScope openid
	</IfDefine>
	<IfDefine !Test_${VStart}OIDC_SCOPES${VEnd}>
		OIDCScope "${OIDC_SCOPES}"
	</IfDefine>
	Define "Test_${OIDC_X_FORWARDED_HEADERS}"
	<IfDefine !Test_${VStart}OIDC_X_FORWARDED_HEADERS${VEnd}>
		OIDCXForwardedHeaders ${OIDC_X_FORWARDED_HEADERS}
	</IfDefine>

	OIDCRefreshAccessTokenBeforeExpiry 999999
</IfDefine>

<Directory />
	AllowOverride None
	Options FollowSymLinks
	Require all denied
</Directory>

<Directory /var/www/FreshRSS/p>
	AllowOverride None
	Include /var/www/FreshRSS/p/.htaccess
	Options FollowSymLinks
	Require all granted
</Directory>

<Directory /var/www/FreshRSS/p/api>
	Include /var/www/FreshRSS/p/api/.htaccess
</Directory>

<Directory /var/www/FreshRSS/p/i>
	ExpiresActive Off

	<IfDefine OIDC_ENABLED>
		AuthType openid-connect
		Require valid-user
	</IfDefine>
	IncludeOptional /var/www/FreshRSS/p/i/.htaccess
</Directory>

<Directory /var/www/FreshRSS/p/themes>
	Include /var/www/FreshRSS/p/themes/.htaccess
</Directory>

[laxmanpradhan]

perhaps this error is related to the apache2 settings not being updated? Trying to run apache2 commands from the docker console doesn't work:

[Alkarex]

To run Apache manually, you need to source the environment variables like . /etc/apache2/envvars

[laxmanpradhan]

ok so after some pretty extensive testing and trying various combinations, I've discovered that none of the OIDC apache settings I've changed have made any difference.

I currently have a custom apache config file mapped into the docker container as follows:

volumes:
- /dockerData/freshrss/FreshRSS.Apache.conf:/var/www/FreshRSS/Docker/FreshRSS.Apache.conf
- /dockerData/freshrss/FreshRSS.Apache.conf:/etc/apache2/sites-available/FreshRSS.Apache.conf

the apache2.conf file says it will import anything in sites-enabled:

The above conf file is sim linked in sites-enabled:

Even if I set the timeouts to something super small like this:

OIDCSessionInactivityTimeout 60
OIDCSessionMaxDuration  60
OIDCRefreshAccessTokenBeforeExpiry 60
OIDCSessionType client-cookie

you would expect the cookies to expire in just 60s but they do not. The default behavior is completely unchanged.

As far as I can tell, none of the changes I'm making to the apache config are actually doing anything. I've tried running apache2ctl restart and also restarting the docker container and it doesn't make any difference.

Anyone know what I'm doing wrong and why apache wont use the variables?

[Alkarex]

I do not know. Just to be sure, try to exec in the container to double check the files manually.
You could also try to put a wrong variable, which is supposed to lead to a 500 error if the file is correctly read.

[GregoryDosh]

@laxmanpradhan Thanks for the initial discovery and pointers in the right direction. The missing piece might just be volume mounting over the top of the sites-enabled path too. I got this working for my self-hosted environment like so

Pull when I think are important bits below

apache.conf

Inside of the existing freshrss/freshrss:latest Docker image I pulled the existing apache.conf from cat /var/www/FreshRSS/Docker/FreshRSS.Apache.conf and then below the existing OIDCClientSecret ${OIDC_CLIENT_SECRET} line I added the following snippet

         OIDCClientSecret ${OIDC_CLIENT_SECRET}
 
+        OIDCRefreshAccessTokenBeforeExpiry 2592000
+        OIDCSessionInactivityTimeout 2592000
+        OIDCSessionMaxDuration 2592000
+        OIDCSessionType client-cookie:persistent:store_id_token
 
         OIDCRedirectURI /i/oidc/

docker-compose.yml

Add volume mount of the modified apache.conf file to the 3 locations. Not all are possibly needed but this got mine working? I tried a shortlived token and it seemed to sign out quickly. Put it at 30days timeout and then tried closing/reopening browser etc. and it seemed to be persisting again. We'll see again in a day.

...
  freshrss:
    image: freshrss/freshrss:latest
    volumes:
      - /freshrss/apache.conf:/var/www/FreshRSS/Docker/FreshRSS.Apache.conf:ro
      - /freshrss/apache.conf:/etc/apache2/sites-enabled/FreshRSS.Apache.conf:ro
      - /freshrss/apache.conf:/etc/apache2/sites-available/FreshRSS.Apache.conf:ro
...

Edit: This seemed to do the trick. Now I'm greeted with a banner notification There are new articles available, click to refresh the page. when I swap back to this tab. No need to login again so soon.