[Bug] OIDC login auth always logs in admin user

[jasonajack]

Describe the bug

I have configured Authelia IdP for FreshRSS and configured it exactly as defined in the guide (link goes to Authelia's FreshRSS guide). I've also compared it to the FreshRSS OIDC authentication guide. I have one admin user and one test user defined (belonging to IdP groups admin and users respectively).

Whenever I go to my FreshRSS server it successfully redirects me to Authelia. When I enter my credentials for the "test" user however, it instead logs me in as my Admin user. As an experiment I've tried adding other users and logging in with those but it always authenticates as the Admin user regardless.

To Reproduce

1. Go to freshrss.
2. Enter my user credentials
3. Always logs in as my Admin user no matter what credentials are sent by Authelia back to FreshRSS

Expected behavior

FreshRSS either creates a new user and logs me in or it rejects me because the user is not known to FreshRSS. Preferably the former, but even the latter is better than always logging in as Admin no matter what credentials are used.

FreshRSS version

1.25.0

System information

• Database version: SQLite
• PHP version: Unknown
• Installation type: Docker (docker.io/freshrss/freshrss:1.25.0)
  -Web server type: Unknown
• Device: PC
• OS: Win11
• Browser: Firefox

Additional context

No response

[Alkarex]

Hello,
To debug this type of issue, I suggest creating a file ./FreshRSS/p/i/phpinfo.php containing:

<?php
phpinfo();

then access it from your Web browser https://freshrss.example.net/i/phpinfo.php and check what user information has been received.

[jasonajack]

@Alkarex Thanks for the recommendation! I found that it is indeed using my Test user rather than my Admin:

(I censored my email with mydomain.com):

$_SERVER['OIDC_CLAIM_email: test@mydomain.com
$_SERVER['OIDC_CLAIM_email_verified: 1
$_SERVER['OIDC_CLAIM_groups: users

However, when I go to the normal homepage with the same credentials (in the same browser window) it still shows my Admin profile (username mog):

[Alkarex]

On that page, check in particular $_SERVER['REMOTE_USER'] or similar (REDIRECT_REMOTE_USER, HTTP_REMOTE_USER, HTTP_X_WEBAUTH_USER).

And check in your FreshRSS Docker logs for any warning related to OIDC

[jasonajack]

In the phpinfo page:

$_SERVER['REMOTE_USER']: test

However, I'm seeing this in the logs:

[auth_openidc:warn] [pid 43:tid 43] [client 172.70.174.248:0] oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header X-Forwarded-Host but not found in request, referer: https://auth.mydomain.com/

EDIT: I figured out the OIDCXForwardedHeaders issue and fixed my proxy config in nginx. However, I'm still getting the same user mismatch issue. For reference my forwarded headers env var is set to:

OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto

[Alkarex]

$_SERVER['REMOTE_USER']: test

Please post a screenshot of your Authentication configuration page

In my case (for normal Web form login), but yours should be HTTP:

[jasonajack]

@Alkarex That did the trick! I had it on None because I figured with OIDC there was no need for a web form login, and I did not consider the "HTTP" login either as I figured that was a popup login dialog. But switching to HTTP worked and now I see the test user login. Thank you!

Before (did not work):

After (works):

[mpalatsi]

@Alkarex Thanks for pointing me here. So what I'm seeing is that this probably works fine under normal circumstances, however if you're the admin and you want to test whether or not OIDC is working as intended, it will not dispose of the current session when switching between Authentik users.

Test Scenario:

1. Stop docker container
2. Start docker container
3. Login to Authentik (user: Test)
4. Open FreshRSS
5. Logs in successfully as user Test
6. Close tab
7. Login to different Authentik user (user: Test2)
8. Open FreshRSS
9. Notice that you're still logged into user: Test
10. Stop docker container
11. Start docker container
12. Login to Authentik with user Test2
13. Open FreshRSS
14. Notice that you're logged in as user Test2

[Alkarex]

@mpalatsi I do not think restarting the container makes any difference, but that does not hurt. Using another Web browser (session) would likely make a difference though.
To debug what is the responsibility of FreshRSS from the responsibility of what is in front, please try the phpinfo test I posted higher up

[Alkarex]

@jasonajack Super. Please consider improving our documentation if you can, accordingly
https://github.com/FreshRSS/FreshRSS/tree/edge/docs/en/admins/

[jasonajack]

@jasonajack Super. Please consider improving our documentation if you can, accordingly https://github.com/FreshRSS/FreshRSS/tree/edge/docs/en/admins/

I went to do so and as it turns out it is actually quite clearly listed in step 5:
https://github.com/FreshRSS/FreshRSS/blob/edge/docs/en/admins/16_OpenID-Connect.md#initial-setup-process

Select HTTP Authentication Method as the authentication method

smh I should have seen that but must have missed it while I was configuring everything else. I appreciate your help.