From 2141ae71a423bcf584fbc0aaad617b632be5ecb9 Mon Sep 17 00:00:00 2001 From: Ivan Li Date: Tue, 27 Aug 2024 10:22:05 +0800 Subject: [PATCH] =?UTF-8?q?=20=E2=9C=A8=20feat:=20Supports=20Authelia=20lo?= =?UTF-8?q?gin=20(#3589)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat(next-auth): support Authelia. * doc(authelia): Added configuration documentation for Authelia authentication. * fix: typo and update doc. * feat(next-auth): mapping profile for Authelia provider. * doc: Add Authelia-related content to Auth environment variables documentation. --- .../advanced/auth/next-auth/authelia.mdx | 75 +++++++++++++++++++ .../auth/next-auth/authelia.zh-CN.mdx | 73 ++++++++++++++++++ .../environment-variables/auth.mdx | 23 ++++++ .../environment-variables/auth.zh-CN.mdx | 23 ++++++ src/config/auth.ts | 10 +++ src/libs/next-auth/sso-providers/authelia.ts | 40 ++++++++++ src/libs/next-auth/sso-providers/index.ts | 3 +- 7 files changed, 246 insertions(+), 1 deletion(-) create mode 100644 docs/self-hosting/advanced/auth/next-auth/authelia.mdx create mode 100644 docs/self-hosting/advanced/auth/next-auth/authelia.zh-CN.mdx create mode 100644 src/libs/next-auth/sso-providers/authelia.ts diff --git a/docs/self-hosting/advanced/auth/next-auth/authelia.mdx b/docs/self-hosting/advanced/auth/next-auth/authelia.mdx new file mode 100644 index 000000000000..84a14297895c --- /dev/null +++ b/docs/self-hosting/advanced/auth/next-auth/authelia.mdx @@ -0,0 +1,75 @@ +--- +title: Configuring Authelia Authentication Service for LobeChat +description: >- + Learn how to configure Authelia authentication service in LobeChat, including + creating a provider, configuring environment variables, and deploying + LobeChat. Detailed steps and necessary environment variable settings. +tags: + - Authelia Configuration + - Single Sign-On (SSO) + - LobeChat Authentication + - Environment Variables + - Deployment Instructions +--- + +## Configuring Authelia Authentication Service + +## Authelia Configuration Flow + + +### Create an Authelia Identity Provider + +We assume you are already familiar with using Authelia. Let's say your LobeChat instance is deployed at https://lobe.example.com/. +Note that currently only localhost supports HTTP access; other domains need to enable TLS, otherwise Authelia will actively interrupt authentication by default. + +Now, let's open and edit the configuration file of your Authelia instance: + +Add a new lobe-chat item under identity_providers -> oidc: + +```yaml +identity_providers: + oidc: + ... + ## The other portions of the mandatory OpenID Connect 1.0 configuration go here. + ## See: https://www.authelia.com/c/oidc + - id: lobe-chat + description: LobeChat + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. + public: false + authorization_policy: two_factor + redirect_uris: + - https://chat.example.com/api/auth/callback/authelia + scopes: + - openid + - profile + - email + userinfo_signing_algorithm: none +``` + +Make sure to replace secret and redirect_urls with your own values. +Note! The secret configured in Authelia is ciphertext, i.e., a salted hash value. Its corresponding plaintext needs to be filled in LobeChat later. + +Save the configuration file and restart the Authelia service. Now we have completed the Authelia configuration. + +### Configure Environment Variables + +When deploying LobeChat, you need to configure the following environment variables: + +| Environment Variable | Type | Description | +| --- | --- | --- | +| `NEXT_AUTH_SECRET` | Required | The secret used to encrypt Auth.js session tokens. You can generate a secret using the following command: `openssl rand -base64 32` | +| `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the SSO provider for LoboChat. Use `authentik` for Authentik. | +| `AUTHELIA_CLIENT_ID` | Required | The id just configured in Authelia, example value is lobe-chat | +| `AUTHELIA_CLIENT_SECRET` | The plaintext corresponding to the secret just configured in Authelia, example value is insecure_secret | +| `AUTHELIA_ISSUER` | Required | Your Authelia URL, for example https://sso.example.com | +| `NEXTAUTH_URL` | Optional | This URL is used to specify the callback address for Auth.js when performing OAuth verification. It only needs to be set when the default generated redirect address is incorrect. https://chat.example.com/api/auth | + + + Go to [📘 Environment Variables](/docs/self-hosting/environment-variable#Authelia) for details about the variables. + + + + + After a successful deployment, users will be able to use LobeChat by authenticating with the users + configured in Authelia. + diff --git a/docs/self-hosting/advanced/auth/next-auth/authelia.zh-CN.mdx b/docs/self-hosting/advanced/auth/next-auth/authelia.zh-CN.mdx new file mode 100644 index 000000000000..356abbc5f2ed --- /dev/null +++ b/docs/self-hosting/advanced/auth/next-auth/authelia.zh-CN.mdx @@ -0,0 +1,73 @@ +--- +title: 在 LobeChat 中配置 Authelia 身份验证服务 +description: 学习如何在 LobeChat 中配置 Authelia 身份验证服务,包括创建提供程序、配置环境变量和部署 LobeChat。详细步骤和必要环境变量设置。 +tags: + - Authelia + - 身份验证 + - 单点登录 + - 环境变量 + - LobeChat +--- + +# 配置 Authelia 身份验证服务 + +## Authelia 配置流程 + + +### 创建 Authelia 提供应用 + +我们现在默认您已经了解了如何使用 Authelia。假设您的 LobeChat 实例部署在 `https://lobe.example.com/` 中。 +注意,目前只有 `localhost` 支持 HTTP 访问,其他域名需要启用 TLS,否则 Authelia 默认将主动中断身份认证。 + +现在,我们打开 Authelia 实例的配置文件进行编辑: + +在 `identity_providers`-> `oidc` 下新增一个 `lobe-chat` 的项目: + +```yaml +... +identity_providers: + oidc: + ... + ## The other portions of the mandatory OpenID Connect 1.0 configuration go here. + ## See: https://www.authelia.com/c/oidc + - id: lobe-chat + description: LobeChat + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. + public: false + authorization_policy: two_factor + redirect_uris: + - https://chat.example.com/api/auth/callback/authelia + scopes: + - openid + - profile + - email + userinfo_signing_algorithm: none +``` + +请您确保 `secret` 和 `redirect_urls` 替换成您自己的值。 +注意!Authelia 中配置 `secret` 是密文,即加盐哈希值。其对应的明文稍后需要填写在 lobeChat 中。 + +保存配置文件,然后重启 Authelia 服务。现在我们完成了 Authelia 的配置工作。 + +### 配置环境变量 + +在部署 LobeChat 时,你需要配置以下环境变量: + +| 环境变量 | 类型 | 描述 | +| --- | --- | --- | +| `NEXT_AUTH_SECRET` | 必选 | 用于加密 Auth.js 会话令牌的密钥。您可以使用以下命令生成秘钥: `openssl rand -base64 32` | +| `NEXT_AUTH_SSO_PROVIDERS` | 必选 | 选择 LoboChat 的单点登录提供商。使用 Authelia 请填写 `authelia`。 | +| `AUTHELIA_CLIENT_ID` | 必选 | 刚刚在 Authelia 配置的 `id`,示例值是 `lobe-chat` | +| `AUTHELIA_CLIENT_SECRET` | 必选 | 刚刚在 Authelia 配置的 `secret` 对应的明文,示例值是 `insecure_secret` | +| `AUTHELIA_ISSUER` | 必选 |您的 Authelia 的网址,例如 `https://sso.example.com` | +| `NEXTAUTH_URL` | 可选 | 该 URL 用于指定 Auth.js 在执行 OAuth 验证时的回调地址,当默认生成的重定向地址发生不正确时才需要设置。`https://chat.example.com/api/auth` | + + + 前往 [📘 环境变量](/docs/self-hosting/environment-variable#Authelia) 可查阅相关变量详情。 + + + + + + 部署成功后,用户将可以使用 Authelia 中配置的用户通过身份认证并使用 LobeChat。 + diff --git a/docs/self-hosting/environment-variables/auth.mdx b/docs/self-hosting/environment-variables/auth.mdx index 8043edffa132..5a8b8d1705fb 100644 --- a/docs/self-hosting/environment-variables/auth.mdx +++ b/docs/self-hosting/environment-variables/auth.mdx @@ -109,6 +109,29 @@ LobeChat provides a complete authentication service capability when deployed. Th - Default: `-` - Example: `https://your-authentik-domain.com/application/o/slug/` +### Authelia + +#### `AUTHELIA_CLIENT_ID` + +- Type: Required +- Description: Client ID of the Authelia provider application. You can access it [here][auth0-client-page] and navigate to the application settings to view. +- Default: `-` +- Example: `lobe-chat` + +#### `AUTHELIA_CLIENT_SECRET` + +- Type: Required +- Description: The plaintext of the Client Secret for the Authelia provider +- Default: `-` +- Example: `insecure_secret` + +#### `AUTHELIA_ISSUER` + +- Type: Required +- Description: Issuer of the Authelia provider application. +- Default: `-` +- Example: `https://sso.example.com` + ### Github #### `GITHUB_CLIENT_ID` diff --git a/docs/self-hosting/environment-variables/auth.zh-CN.mdx b/docs/self-hosting/environment-variables/auth.zh-CN.mdx index e460d22a0ac0..69fe17ec7146 100644 --- a/docs/self-hosting/environment-variables/auth.zh-CN.mdx +++ b/docs/self-hosting/environment-variables/auth.zh-CN.mdx @@ -107,6 +107,29 @@ LobeChat 在部署时提供了完善的身份验证服务能力,以下是相 - 默认值: `-` - 示例: `https://your-authentik-domain.com/application/o/slug/` +### Authelia + +#### `AUTHELIA_CLIENT_ID` + +- 类型:必选 +- 描述: Authelia 提供程序的 Client ID +- 默认值: `-` +- 示例: `lobe-chat` + +#### `AUTHELIA_CLIENT_SECRET` + +- 类型:必选 +- 描述: Authelia 提供程序的 Client Secret 的明文 +- 默认值: `-` +- 示例: `insecure_secret` + +#### `AUTHELIA_ISSUER` + +- 类型:必选 +- 描述: Authentik 提供程序的 OpenID Connect 颁发者 +- 默认值: `-` +- 示例: `https://sso.example.com` + ### Github #### `GITHUB_CLIENT_ID` diff --git a/src/config/auth.ts b/src/config/auth.ts index eada77f00cb8..aa490a411e4e 100644 --- a/src/config/auth.ts +++ b/src/config/auth.ts @@ -81,6 +81,11 @@ export const getAuthConfig = () => { AUTHENTIK_CLIENT_SECRET: z.string().optional(), AUTHENTIK_ISSUER: z.string().optional(), + // AUTHELIA + AUTHELIA_CLIENT_ID: z.string().optional(), + AUTHELIA_CLIENT_SECRET: z.string().optional(), + AUTHELIA_ISSUER: z.string().optional(), + // ZITADEL ZITADEL_CLIENT_ID: z.string().optional(), ZITADEL_CLIENT_SECRET: z.string().optional(), @@ -118,6 +123,11 @@ export const getAuthConfig = () => { AUTHENTIK_CLIENT_SECRET: process.env.AUTHENTIK_CLIENT_SECRET, AUTHENTIK_ISSUER: process.env.AUTHENTIK_ISSUER, + // AUTHELIA + AUTHELIA_CLIENT_ID: process.env.AUTHELIA_CLIENT_ID, + AUTHELIA_CLIENT_SECRET: process.env.AUTHELIA_CLIENT_SECRET, + AUTHELIA_ISSUER: process.env.AUTHELIA_ISSUER, + // ZITADEL ZITADEL_CLIENT_ID: process.env.ZITADEL_CLIENT_ID, ZITADEL_CLIENT_SECRET: process.env.ZITADEL_CLIENT_SECRET, diff --git a/src/libs/next-auth/sso-providers/authelia.ts b/src/libs/next-auth/sso-providers/authelia.ts new file mode 100644 index 000000000000..748f8d42f5fe --- /dev/null +++ b/src/libs/next-auth/sso-providers/authelia.ts @@ -0,0 +1,40 @@ +import type { OIDCConfig } from '@auth/core/providers'; + +import { authEnv } from '@/config/auth'; + +import { CommonProviderConfig } from './sso.config'; + +export type AutheliaProfile = { + // The users display name + email: string; + // The users email + groups: string[]; + // The username the user used to login with + name: string; + preferred_username: string; // The users groups + sub: string; // The users id +}; + +const provider = { + id: 'authelia', + provider: { + ...CommonProviderConfig, + authorization: { params: { scope: 'openid email profile' } }, + checks: ['state', 'pkce'], + clientId: authEnv.AUTHELIA_CLIENT_ID, + clientSecret: authEnv.AUTHELIA_CLIENT_SECRET, + id: 'authelia', + issuer: authEnv.AUTHELIA_ISSUER, + name: 'Authelia', + profile(profile) { + return { + email: profile.email, + name: profile.name, + providerAccountId: profile.sub, + }; + }, + type: 'oidc', + } satisfies OIDCConfig, +}; + +export default provider; diff --git a/src/libs/next-auth/sso-providers/index.ts b/src/libs/next-auth/sso-providers/index.ts index 384908786df8..b3d05b177342 100644 --- a/src/libs/next-auth/sso-providers/index.ts +++ b/src/libs/next-auth/sso-providers/index.ts @@ -1,7 +1,8 @@ import Auth0 from './auth0'; +import Authelia from './authelia'; import Authentik from './authentik'; import AzureAD from './azure-ad'; import Github from './github'; import Zitadel from './zitadel'; -export const ssoProviders = [Auth0, Authentik, AzureAD, Github, Zitadel]; +export const ssoProviders = [Auth0, Authentik, AzureAD, Github, Zitadel, Authelia];