Add generic OpenID Connect provider (OAuth2)

This adds the oauth2 provider `oidc`. It needs an additional argument, the OIDC discovery endpoint to figure out where the auth and token URLs are. Configuration is similar to setting up the Google Authentication with these changes: * `OAUTH2_PROVIDER = oidc` * `OAUTH2_OIDC_DISCOVERY_ENDPOINT = https://auth.exampe.org/discovery`
2025-08-11 17:51:01 +00:00 · 2020-03-08 03:45:19 +01:00 · 2020-03-08 03:45:19 +01:00 · 3e1e0b604f
commit 3e1e0b604f
parent 54602b55bb
88 changed files with 15856 additions and 155 deletions
--- a/config/options.go
+++ b/config/options.go
@ -10,123 +10,126 @@ import (
 )

 const (
-	defaultHTTPS                     = false
-	defaultLogDateTime               = false
-	defaultHSTS                      = true
-	defaultHTTPService               = true
-	defaultSchedulerService          = true
-	defaultDebug                     = false
-	defaultBaseURL                   = "http://localhost"
-	defaultRootURL                   = "http://localhost"
-	defaultBasePath                  = ""
-	defaultWorkerPoolSize            = 5
-	defaultPollingFrequency          = 60
-	defaultBatchSize                 = 10
-	defaultRunMigrations             = false
-	defaultDatabaseURL               = "user=postgres password=postgres dbname=miniflux2 sslmode=disable"
-	defaultDatabaseMaxConns          = 20
-	defaultDatabaseMinConns          = 1
-	defaultListenAddr                = "127.0.0.1:8080"
-	defaultCertFile                  = ""
-	defaultKeyFile                   = ""
-	defaultCertDomain                = ""
-	defaultCertCache                 = "/tmp/cert_cache"
-	defaultCleanupFrequencyHours     = 24
-	defaultCleanupArchiveReadDays    = 60
-	defaultCleanupRemoveSessionsDays = 30
-	defaultProxyImages               = "http-only"
-	defaultCreateAdmin               = false
-	defaultOAuth2UserCreation        = false
-	defaultOAuth2ClientID            = ""
-	defaultOAuth2ClientSecret        = ""
-	defaultOAuth2RedirectURL         = ""
-	defaultOAuth2Provider            = ""
-	defaultPocketConsumerKey         = ""
-	defaultHTTPClientTimeout         = 20
-	defaultHTTPClientMaxBodySize     = 15
-	defaultAuthProxyHeader           = ""
-	defaultAuthProxyUserCreation     = false
+	defaultHTTPS                       = false
+	defaultLogDateTime                 = false
+	defaultHSTS                        = true
+	defaultHTTPService                 = true
+	defaultSchedulerService            = true
+	defaultDebug                       = false
+	defaultBaseURL                     = "http://localhost"
+	defaultRootURL                     = "http://localhost"
+	defaultBasePath                    = ""
+	defaultWorkerPoolSize              = 5
+	defaultPollingFrequency            = 60
+	defaultBatchSize                   = 10
+	defaultRunMigrations               = false
+	defaultDatabaseURL                 = "user=postgres password=postgres dbname=miniflux2 sslmode=disable"
+	defaultDatabaseMaxConns            = 20
+	defaultDatabaseMinConns            = 1
+	defaultListenAddr                  = "127.0.0.1:8080"
+	defaultCertFile                    = ""
+	defaultKeyFile                     = ""
+	defaultCertDomain                  = ""
+	defaultCertCache                   = "/tmp/cert_cache"
+	defaultCleanupFrequencyHours       = 24
+	defaultCleanupArchiveReadDays      = 60
+	defaultCleanupRemoveSessionsDays   = 30
+	defaultProxyImages                 = "http-only"
+	defaultCreateAdmin                 = false
+	defaultOAuth2UserCreation          = false
+	defaultOAuth2ClientID              = ""
+	defaultOAuth2ClientSecret          = ""
+	defaultOAuth2RedirectURL           = ""
+	defaultOAuth2OidcDiscoveryEndpoint = ""
+	defaultOAuth2Provider              = ""
+	defaultPocketConsumerKey           = ""
+	defaultHTTPClientTimeout           = 20
+	defaultHTTPClientMaxBodySize       = 15
+	defaultAuthProxyHeader             = ""
+	defaultAuthProxyUserCreation       = false
 )

 // Options contains configuration options.
 type Options struct {
-	HTTPS                     bool
-	logDateTime               bool
-	hsts                      bool
-	httpService               bool
-	schedulerService          bool
-	debug                     bool
-	baseURL                   string
-	rootURL                   string
-	basePath                  string
-	databaseURL               string
-	databaseMaxConns          int
-	databaseMinConns          int
-	runMigrations             bool
-	listenAddr                string
-	certFile                  string
-	certDomain                string
-	certCache                 string
-	certKeyFile               string
-	cleanupFrequencyHours     int
-	cleanupArchiveReadDays    int
-	cleanupRemoveSessionsDays int
-	pollingFrequency          int
-	batchSize                 int
-	workerPoolSize            int
-	createAdmin               bool
-	proxyImages               string
-	oauth2UserCreationAllowed bool
-	oauth2ClientID            string
-	oauth2ClientSecret        string
-	oauth2RedirectURL         string
-	oauth2Provider            string
-	pocketConsumerKey         string
-	httpClientTimeout         int
-	httpClientMaxBodySize     int64
-	authProxyHeader           string
-	authProxyUserCreation     bool
+	HTTPS                       bool
+	logDateTime                 bool
+	hsts                        bool
+	httpService                 bool
+	schedulerService            bool
+	debug                       bool
+	baseURL                     string
+	rootURL                     string
+	basePath                    string
+	databaseURL                 string
+	databaseMaxConns            int
+	databaseMinConns            int
+	runMigrations               bool
+	listenAddr                  string
+	certFile                    string
+	certDomain                  string
+	certCache                   string
+	certKeyFile                 string
+	cleanupFrequencyHours       int
+	cleanupArchiveReadDays      int
+	cleanupRemoveSessionsDays   int
+	pollingFrequency            int
+	batchSize                   int
+	workerPoolSize              int
+	createAdmin                 bool
+	proxyImages                 string
+	oauth2UserCreationAllowed   bool
+	oauth2ClientID              string
+	oauth2ClientSecret          string
+	oauth2RedirectURL           string
+	oauth2OidcDiscoveryEndpoint string
+	oauth2Provider              string
+	pocketConsumerKey           string
+	httpClientTimeout           int
+	httpClientMaxBodySize       int64
+	authProxyHeader             string
+	authProxyUserCreation       bool
 }

 // NewOptions returns Options with default values.
 func NewOptions() *Options {
 	return &Options{
-		HTTPS:                     defaultHTTPS,
-		logDateTime:               defaultLogDateTime,
-		hsts:                      defaultHSTS,
-		httpService:               defaultHTTPService,
-		schedulerService:          defaultSchedulerService,
-		debug:                     defaultDebug,
-		baseURL:                   defaultBaseURL,
-		rootURL:                   defaultRootURL,
-		basePath:                  defaultBasePath,
-		databaseURL:               defaultDatabaseURL,
-		databaseMaxConns:          defaultDatabaseMaxConns,
-		databaseMinConns:          defaultDatabaseMinConns,
-		runMigrations:             defaultRunMigrations,
-		listenAddr:                defaultListenAddr,
-		certFile:                  defaultCertFile,
-		certDomain:                defaultCertDomain,
-		certCache:                 defaultCertCache,
-		certKeyFile:               defaultKeyFile,
-		cleanupFrequencyHours:     defaultCleanupFrequencyHours,
-		cleanupArchiveReadDays:    defaultCleanupArchiveReadDays,
-		cleanupRemoveSessionsDays: defaultCleanupRemoveSessionsDays,
-		pollingFrequency:          defaultPollingFrequency,
-		batchSize:                 defaultBatchSize,
-		workerPoolSize:            defaultWorkerPoolSize,
-		createAdmin:               defaultCreateAdmin,
-		proxyImages:               defaultProxyImages,
-		oauth2UserCreationAllowed: defaultOAuth2UserCreation,
-		oauth2ClientID:            defaultOAuth2ClientID,
-		oauth2ClientSecret:        defaultOAuth2ClientSecret,
-		oauth2RedirectURL:         defaultOAuth2RedirectURL,
-		oauth2Provider:            defaultOAuth2Provider,
-		pocketConsumerKey:         defaultPocketConsumerKey,
-		httpClientTimeout:         defaultHTTPClientTimeout,
-		httpClientMaxBodySize:     defaultHTTPClientMaxBodySize * 1024 * 1024,
-		authProxyHeader:           defaultAuthProxyHeader,
-		authProxyUserCreation:     defaultAuthProxyUserCreation,
+		HTTPS:                       defaultHTTPS,
+		logDateTime:                 defaultLogDateTime,
+		hsts:                        defaultHSTS,
+		httpService:                 defaultHTTPService,
+		schedulerService:            defaultSchedulerService,
+		debug:                       defaultDebug,
+		baseURL:                     defaultBaseURL,
+		rootURL:                     defaultRootURL,
+		basePath:                    defaultBasePath,
+		databaseURL:                 defaultDatabaseURL,
+		databaseMaxConns:            defaultDatabaseMaxConns,
+		databaseMinConns:            defaultDatabaseMinConns,
+		runMigrations:               defaultRunMigrations,
+		listenAddr:                  defaultListenAddr,
+		certFile:                    defaultCertFile,
+		certDomain:                  defaultCertDomain,
+		certCache:                   defaultCertCache,
+		certKeyFile:                 defaultKeyFile,
+		cleanupFrequencyHours:       defaultCleanupFrequencyHours,
+		cleanupArchiveReadDays:      defaultCleanupArchiveReadDays,
+		cleanupRemoveSessionsDays:   defaultCleanupRemoveSessionsDays,
+		pollingFrequency:            defaultPollingFrequency,
+		batchSize:                   defaultBatchSize,
+		workerPoolSize:              defaultWorkerPoolSize,
+		createAdmin:                 defaultCreateAdmin,
+		proxyImages:                 defaultProxyImages,
+		oauth2UserCreationAllowed:   defaultOAuth2UserCreation,
+		oauth2ClientID:              defaultOAuth2ClientID,
+		oauth2ClientSecret:          defaultOAuth2ClientSecret,
+		oauth2RedirectURL:           defaultOAuth2RedirectURL,
+		oauth2OidcDiscoveryEndpoint: defaultOAuth2OidcDiscoveryEndpoint,
+		oauth2Provider:              defaultOAuth2Provider,
+		pocketConsumerKey:           defaultPocketConsumerKey,
+		httpClientTimeout:           defaultHTTPClientTimeout,
+		httpClientMaxBodySize:       defaultHTTPClientMaxBodySize * 1024 * 1024,
+		authProxyHeader:             defaultAuthProxyHeader,
+		authProxyUserCreation:       defaultAuthProxyUserCreation,
 	}
 }

@ -250,6 +253,11 @@ func (o *Options) OAuth2RedirectURL() string {
 	return o.oauth2RedirectURL
 }

+// OAuth2OidcDiscoveryEndpoint returns the OAuth2 OIDC discovery endpoint.
+func (o *Options) OAuth2OidcDiscoveryEndpoint() string {
+	return o.oauth2OidcDiscoveryEndpoint
+}
+
 // OAuth2Provider returns the name of the OAuth2 provider configured.
 func (o *Options) OAuth2Provider() string {
 	return o.oauth2Provider
@ -348,6 +356,7 @@ func (o *Options) String() string {
 	builder.WriteString(fmt.Sprintf("OAUTH2_CLIENT_ID: %v\n", o.oauth2ClientID))
 	builder.WriteString(fmt.Sprintf("OAUTH2_CLIENT_SECRET: %v\n", o.oauth2ClientSecret))
 	builder.WriteString(fmt.Sprintf("OAUTH2_REDIRECT_URL: %v\n", o.oauth2RedirectURL))
+	builder.WriteString(fmt.Sprintf("OAUTH2_OIDC_DISCOVERY_ENDPOINT: %v\n", o.oauth2OidcDiscoveryEndpoint))
 	builder.WriteString(fmt.Sprintf("OAUTH2_PROVIDER: %v\n", o.oauth2Provider))
 	builder.WriteString(fmt.Sprintf("HTTP_CLIENT_TIMEOUT: %v\n", o.httpClientTimeout))
 	builder.WriteString(fmt.Sprintf("HTTP_CLIENT_MAX_BODY_SIZE: %v\n", o.httpClientMaxBodySize))