---
title: Integrate with FreshRSS
sidebar_label: FreshRSS
support_level: community
---

## What is FreshRSS

> FreshRSS is a self-hosted RSS feed aggregator.
>
> -- https://github.com/FreshRSS/FreshRSS

## Preparation

The following placeholders are used in this guide:

- `freshrss.company` is the FQDN of the FreshRSS installation.
- `authentik.company` is the FQDN of the authentik installation.

:::note
This documentation only lists the settings that have been changed from their default values. Please verify your changes carefully to avoid any issues accessing your application.
:::

## authentik configuration

To support the integration of FreshRSS with authentik, you need to create an application/provider pair in authentik.

### Create an application and provider in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
        - Add two `Strict` redirect URIs and set them to `https://freshrss.company/i/oidc/` and `https://freshrss.company:443/i/oidc/`. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly.
        - Select any available signing key.
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.

## FreshRSS configuration

:::info
This integration is compatible only with Docker or Kubernetes installations of FreshRSS that use the [FreshRSS Docker image](https://hub.docker.com/r/freshrss/freshrss/) on x86_64 systems. Note that the Alpine version of the image is not supported. For more details, see [this issue on the FreshRSS GitHub repository](https://github.com/FreshRSS/FreshRSS/issues/5722).
:::

:::warning
Before restarting your Docker container, ensure that at least one Admin user in your FreshRSS instance has a username that matches an authentik user.
:::

To enable OIDC login with FreshRSS, update your `.env` file to include the following variables:

```yaml showLineNumbers
OIDC_ENABLED=1
OIDC_PROVIDER_METADATA_URL=https://authentik.company/application/o//.well-known/openid-configuration
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_X_FORWARDED_HEADERS=X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host
OIDC_SCOPES=openid email profile
```

Once your container or pod is restarted, attempt to log in as a user that exists in both FreshRSS and authentik. Go to **Settings** -> **Authentication** and set the authentication method to **HTTP**.

## Configuration verification

To verify that authentik is correctly set up with FreshRSS, log out of FreshRSS and try logging back in using authentik. You should see a new button on the login page for OIDC authentication.

## Resources

- [FreshRSS documentation for OpenID Connect](https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html)
- [FreshRSS documentation for OIDC with authentik](https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect-Authentik.html)
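
A pre-restart check for the `.env` variables listed in the FreshRSS configuration section, as an added example that is not part of the authentik or FreshRSS documentation: it flags empty credentials, a discovery URL with no application slug, a non-HTTPS URL, and a missing `openid` scope. The function names and the sample slug and credentials are assumptions made for illustration.

```python
# Added example, not authentik or FreshRSS code: lint the OIDC variables in a
# FreshRSS .env file before the container is restarted.
from urllib.parse import urlsplit

REQUIRED = ("OIDC_ENABLED", "OIDC_PROVIDER_METADATA_URL", "OIDC_CLIENT_ID",
            "OIDC_CLIENT_SECRET", "OIDC_X_FORWARDED_HEADERS", "OIDC_SCOPES")
PREFIX, WELL_KNOWN = "/application/o/", "/.well-known/openid-configuration"

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def lint_oidc_env(text):
    """Return a list of problems; an empty list means every check passed."""
    env = parse_env(text)
    problems = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k)]
    if env.get("OIDC_ENABLED") and env["OIDC_ENABLED"] != "1":
        problems.append("OIDC_ENABLED is not 1")
    url = urlsplit(env.get("OIDC_PROVIDER_METADATA_URL", ""))
    if url.geturl():
        if url.scheme != "https":
            problems.append("metadata URL is not https")
        if not (url.path.startswith(PREFIX) and url.path.endswith(WELL_KNOWN)):
            problems.append("metadata URL is not an authentik discovery URL")
        elif not url.path[len(PREFIX):-len(WELL_KNOWN)].strip("/"):
            problems.append("metadata URL has no application slug")
    scopes = env.get("OIDC_SCOPES", "").split()
    if scopes and "openid" not in scopes:
        problems.append("OIDC_SCOPES lacks the openid scope")
    return problems

# Constructed sample: placeholder slug and credentials, not real values.
SAMPLE = """OIDC_ENABLED=1
OIDC_PROVIDER_METADATA_URL=https://authentik.company/application/o/freshrss/.well-known/openid-configuration
OIDC_CLIENT_ID=constructed-client-id
OIDC_CLIENT_SECRET=constructed-client-secret
OIDC_X_FORWARDED_HEADERS=X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host
OIDC_SCOPES=openid email profile
"""

if __name__ == "__main__":
    print(lint_oidc_env(SAMPLE) or "OIDC settings look complete")
```

Run it against the real file with `lint_oidc_env(open(".env").read())`; an empty list means the six variables are filled in and well-formed, not that authentik accepts the credentials.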