OIDC parameters for Authentik

[AlphaJack]

I had to modify the OIDC discovery endpoint URL given by my IDP, because Miniflux automatically appends .well-known/openid-configuration, similar to goharbor/harbor#12535.

Maybe it is worth mentioning in the documentation that the ".well-known" part is automatically appended.

These parameters work for Authentik:

OAUTH2_PROVIDER=oidc
OAUTH2_CLIENT_ID=XXXXXX
OAUTH2_CLIENT_SECRET=YYYYYY
OAUTH2_REDIRECT_URL=https://miniflux.example.org/oauth2/oidc/callback
# discovery endpoint is        https://authentik.example.org/application/o/miniflux/.well-known/openid-configuration
OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.example.org/application/o/miniflux/
# if not set, miniflux returns "Access forbidden" if the user doesn't exist
OAUTH2_USER_CREATION=1

[fguillot]

I have updated the documentation: https://miniflux.app/docs/howto.html#oauth2

[miklosbagi]

Cool, thanks, this saved me the hour 🙏🏻

Do we have a recommended way to make miniflux container trust https://authentik.example.org (using your example)?
It's quite easy to run into something like this without it:

level=ERROR msg="Failed to initialize OIDC provider" error="oidc: failed to initialize provider \"https://authentik.example.org/application/o/miniflux/\": Get \"https://authentik.example.org/application/o/miniflux/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
level=ERROR msg="Unable to initialize OAuth2 provider" provider=oidc error="oauth2 provider not found"
Failed to initialize OIDC provide

And although it's possible to inject certs, it's quite some clutter.
For example the init solution I'm using now:

services:
  miniflux-certs-init:
    image: alpine:latest
    entrypoint: /bin/sh
    command: >
      -c "
      apk add --no-cache ca-certificates &&
      rm -rf /shared-certs/* &&
      mkdir -p /usr/local/share/ca-certificates &&
      cp /certs/*_ca.crt /usr/local/share/ca-certificates/ &&
      update-ca-certificates &&
      cp -prf /etc/ssl/* /shared-certs/ &&
      touch /shared-certs/generated-by-cainit-$(date +%Y%m%d-%H%M%S) &&
      echo 'Certificates updated. Exiting.'"
    volumes:
      - ../_common/certs:/certs:ro
      - ./config/ssl:/shared-certs

  miniflux:
    image: miniflux/miniflux:distroless
    environment:
    ...
    OAUTH2_PROVIDER=oidc
    OAUTH2_CLIENT_ID=XXXXXX
    OAUTH2_CLIENT_SECRET=YYYYYY
    OAUTH2_REDIRECT_URL=https://miniflux.example.org/oauth2/oidc/callback
    OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.example.org/application/o/miniflux/
    OAUTH2_USER_CREATION=1
    volumes:
      - ./config/ssl:/etc/ssl:ro
    depends_on:
      db:
        condition: service_healthy
      miniflux-certs-init:
        condition: service_completed_successfully

db:
...

I've seen some better solutions lately like LEGO_CA_CERTIFICATES for traefik, NODE_EXTRA_CA_CERTS for immich.
Do we have anything like this for miniflux, or is this considered more like an edge case?