From 4ab2007c9946c3bcaa891d3fcf62cc29efc27887 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa Date: Mon, 24 Nov 2025 08:56:27 -0800 Subject: [PATCH] calibre: Use OpenID Connect instead of pubtkt based SSO Tests: - Functional tests work. - Admin user is able to access the application - User belonging to special group is able to access the application - Regular user is not able to access the application - Anonymous user is not able to access the application Signed-off-by: Sunil Mohan Adapa Reviewed-by: James Valleroy --- .../apache2/conf-available/calibre-freedombox.conf | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/plinth/modules/calibre/data/usr/share/freedombox/etc/apache2/conf-available/calibre-freedombox.conf b/plinth/modules/calibre/data/usr/share/freedombox/etc/apache2/conf-available/calibre-freedombox.conf index e423f2134..8187c95ed 100644 --- a/plinth/modules/calibre/data/usr/share/freedombox/etc/apache2/conf-available/calibre-freedombox.conf +++ b/plinth/modules/calibre/data/usr/share/freedombox/etc/apache2/conf-available/calibre-freedombox.conf @@ -3,8 +3,13 @@ ## ProxyPass http://localhost:8844/calibre - Include includes/freedombox-single-sign-on.conf - - TKTAuthToken "admin" "calibre" - + Use AuthOpenIDConnect + Use RequireGroup calibre + + # Calibre has a bug where an empty value for a HTTP header is treated as + # invalid. OIDC_CLAIM_email can be empty and this causes Calibre to error + # out. So, try to pass all the OpenID Connect user information and claims as + # headers that can't have an empty value. + OIDCPassIDTokenAs "serialized" + OIDCPassUserInfoAs "json"
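Review bot: the comment above `OIDCPassIDTokenAs "serialized"` and `OIDCPassUserInfoAs "json"` explains the Calibre empty-header bug but not the side effect of the workaround. The serialized ID token and the userinfo JSON are now forwarded as request headers to the backend at http://localhost:8844/calibre, and nothing in this file indicates that Calibre uses them. Please say in the comment that these values are chosen only to avoid empty per-claim headers such as OIDC_CLAIM_email, and consider whether the claims can be kept out of the proxied request altogether instead of being passed in another form. Separately, the removed `TKTAuthToken "admin" "calibre"` named both groups while `Use RequireGroup calibre` names only one. The commit message says admin access was tested, so a one-line comment noting that the RequireGroup macro also admits admin would spare readers of this file from having to look up the macro definition.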