oauth2-qbittorrent-mod/README.md
2024-01-15 23:59:14 -07:00

Oauth2 qBittorrent mod

This is a docker mod compatible with the qBittorrent container at https://github.com/linuxserver/docker-qbittorrent, which integrates Oauth2 (with OpenID Connect) into the WebUI authentication.

Versioning

Because all this does is add another program to the qBittorrent container, the versioning is primarily based on oauth2-proxy versioning. Docker tags use the format git.myriation.xyz/myriation/oauth2-qbittorrent-mod:v<PROXY_VERSION>-r<MOD_REVISION>[-ARCHITECTURE]. For example, the tag git.myriation.xyz/myriation/oauth2-qbittorrent-mod:v7.5.1-r0-arm64 references the first revision of the mod that uses version 7.5.1 of oauth2-proxy, and supports only arm architectures.

Configuration

This mod can be configured through a few environment variables as listed below. These should be provided alongside the variables provided to the qBittorrent container. All of the listed variables are required, or else this will not function correctly.

| Variable name | Description |
| --- | --- |
| OAUTH2_CLIENT_ID | The client ID of the oauth2 application to authenticate against |
| OAUTH2_ISSUER_URL | The issuer URL of the OIDC provider, used to fetch setup information through the discovery endpoint (/.well-known/openid-configuration) |
| OAUTH2_PUBLIC_URL | The root URL that qBittorrent is intended to be accessible from, used for redirect URL configuration (the redirect URL is "$OAUTH2_PUBLIC_URL/oauth2/callback") |
| OAUTH2_PROXY_PORT | The port the oauth2-proxy process will listen on (this should be the port you intend to be publicly accessible) |

Important things to know when using this mod (please read before use)

Firstly, because this mod effectively overrides the authentication, using it disables normal login: the login is replaced with a randomly generated password, so that every authentication attempt is forced to pass through the proxy first. Due to how this configures qBittorrent, any request seen as "localhost" by qBittorrent will be allowed through, which notably includes requests by the oauth2-proxy process.

In addition, due to the nature of proxying requests, this requires that the port set via $WEBUI_PORT be set to a port that you DO NOT want qBittorrent to be accessible from. The port you want it to be accessible from should instead be set via $OAUTH2_PROXY_PORT, so that requests through this port will be correctly proxied and authenticated before being redirected to qBittorrent. For example, if you want qBittorrent WebUI to be accessible at :80, $OAUTH2_PROXY_PORT should be set to 80, and $WEBUI_PORT should be set to something other than 80, such as 81.

Lastly, because this is mainly designed for my personal use, I modified the sign-in page template from oauth2-proxy to include generated Dark Reader CSS, as the light mode was blinding me and dark mode is cool. If someone besides me wants to use this, I will gladly change that to be configurable (and probably will in the future anyways, template folder should likely be configurable through a runtime env var), but as of right now, it is hardcoded to use the dark-modeified sign-in page.
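
A preflight check for the variables listed under Configuration and the port rule described above, as an added example that is not part of this mod. The function names are hypothetical, and the script assumes $WEBUI_PORT is set explicitly; the trailing-slash check follows from the redirect URL being built as "$OAUTH2_PUBLIC_URL/oauth2/callback".

```shell
#!/bin/sh
# Added example, not part of the mod: validate the environment before starting
# the container. Variable names come from the README; function names are hypothetical.

# Print the redirect URL to register with the OIDC provider.
oauth2_redirect_url() {
    printf '%s/oauth2/callback\n' "$OAUTH2_PUBLIC_URL"
}

# Return 0 when the configuration is consistent, 1 otherwise (problems go to stderr).
check_oauth2_mod_env() {
    rc=0
    # Assumption: WEBUI_PORT is required here so the port comparison is explicit.
    for name in OAUTH2_CLIENT_ID OAUTH2_ISSUER_URL OAUTH2_PUBLIC_URL \
                OAUTH2_PROXY_PORT WEBUI_PORT; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing variable: $name" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    for port in "$OAUTH2_PROXY_PORT" "$WEBUI_PORT"; do
        case "$port" in
            *[!0-9]*) echo "not a port number: $port" >&2; rc=1 ;;
        esac
    done

    # The public port belongs to oauth2-proxy; qBittorrent must listen elsewhere.
    if [ "$OAUTH2_PROXY_PORT" = "$WEBUI_PORT" ]; then
        echo "OAUTH2_PROXY_PORT and WEBUI_PORT must be different ports" >&2
        rc=1
    fi

    # A trailing slash would yield ".../" + "/oauth2/callback", which will not
    # match a redirect URL registered without the doubled slash.
    case "$OAUTH2_PUBLIC_URL" in
        */) echo "OAUTH2_PUBLIC_URL must not end with a slash" >&2; rc=1 ;;
    esac
    case "$OAUTH2_PUBLIC_URL" in
        http://*|https://*) ;;
        *) echo "OAUTH2_PUBLIC_URL must be an http(s) URL" >&2; rc=1 ;;
    esac
    return "$rc"
}
```

Source the file in a shell that has the container's environment loaded, run check_oauth2_mod_env, and register the output of oauth2_redirect_url with the OIDC provider.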