# Oauth2 qBittorrent mod This is a docker mod compatible with the qBittorrent container at https://github.com/linuxserver/docker-qbittorrent, which integrates Oauth2 (with OpenID Connect) into the WebUI authentication. ## Versioning Because all this does is add another program to the qBittorrent container, the versioning is primarily based on oauth2-proxy versioning. The docker tagging format follows the following format: `git.myriation.xyz/myriation/oauth2-qbittorrent-mod:v-r[-ARCHITECTURE]`. For example, the tag `git.myriation.xyz/myriation/oauth2-qbittorrent-mod:v7.5.1-r0-arm64` would reference the first revision of the mod that uses version 7.5.1 of oauth2-proxy, and supports only arm architectures. ## Configuration This mod can be configured through a few environment variables as listed below. These should be provided alongside the variables provided to the qBittorrent container. All of the listed variables are required, or else this will not function correctly. | Variable name | Description | | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | | OAUTH2_CLIENT_ID | The client ID of the oauth2 application to authenticate against | | OAUTH2_ISSUER_URL | The issuer URL of the OIDC provider, used to fetch setup information through the discovery endpoint (`/.well-known/openid-configuration`) | | OAUTH2_PUBLIC_URL | The root URL that qBittorrent is intended to be accessible from, used for redirect URL configuration (the redirect URL is `"$OAUTH2_PUBLIC_URL/oauth2/callback"`) | | OAUTH2_PROXY_PORT | The port the oauth2-proxy process will listen on (this should be the port you intend to be publically accessible) | ## Important things to know when using this mod (please read before use) Firstly, because this effectively overrides the authentication, using this will disable any attempts to login with normal authentication by replacing the login with a randomly generated password, to force any authentication attempts to pass through the proxy first. Due to how this configures qBittorrent, any request seen as "localhost" by qBittorrent will be allowed through, which notably includes requests by the oauth2-proxy process. In addition, due to the nature of proxying requests, this requires that the port set via `$WEBUI_PORT` be set to a port that you DO NOT want qBittorrent to be accessible from. The port you want it to be accessible from should instead be set via `$OAUTH2_PROXY_PORT`, so that requests through this port will be correctly proxied and authenticated before being redirected to qBittorrent. For example, if you want qBittorrent WebUI to be accessible at :80, `$OAUTH2_PROXY_PORT` should be set to `80`, and `$WEBUI_PORT` should be set to something other than `80`, such as `81`. Lastly, because this is mainly designed for my personal use, I modified the signin page template from oauth2-proxy to include generated [Dark Reader](https://github.com/darkreader/darkreader) css, as the light mode was blinding me and dark mode is cool. If someone besides me wants to use this, I will gladly change that to be configurable (and probably will in the future anyways, template folder should likely be configurable through a runtime env var), but as of right now, it is hardcoded to use the dark-modeified sign-in page.