✨ feat: Supports Authelia login (lobehub#3589)
* feat(next-auth): support Authelia.

* doc(authelia): Added configuration documentation for Authelia authentication.

* fix: typo and update doc.

* feat(next-auth): mapping profile for Authelia provider.

* doc: Add Authelia-related content to Auth environment variables documentation.
IvanLi-CN authored Aug 27, 2024
1 parent b400fc0 commit 2141ae7
Showing 7 changed files with 246 additions and 1 deletion.
75 changes: 75 additions & 0 deletions docs/self-hosting/advanced/auth/next-auth/authelia.mdx
@@ -0,0 +1,75 @@
---
title: Configuring Authelia Authentication Service for LobeChat
description: >-
Learn how to configure Authelia authentication service in LobeChat, including
creating a provider, configuring environment variables, and deploying
LobeChat. Detailed steps and necessary environment variable settings.
tags:
- Authelia Configuration
- Single Sign-On (SSO)
- LobeChat Authentication
- Environment Variables
- Deployment Instructions
---

## Configuring Authelia Authentication Service

## Authelia Configuration Flow

<Steps>
### Create an Authelia Identity Provider

We assume you are already familiar with using Authelia. Let's say your LobeChat instance is deployed at https://lobe.example.com/.
Note that currently only localhost supports HTTP access; other domains need to enable TLS, otherwise Authelia will actively interrupt authentication by default.

Now, let's open and edit the configuration file of your Authelia instance:

Add a new lobe-chat item under identity_providers -> oidc:

```yaml
identity_providers:
oidc:
...
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
- id: lobe-chat
description: LobeChat
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
- https://chat.example.com/api/auth/callback/authelia
scopes:
- openid
- profile
- email
userinfo_signing_algorithm: none
```
Make sure to replace secret and redirect_urls with your own values.
Note! The secret configured in Authelia is ciphertext, i.e., a salted hash value. Its corresponding plaintext needs to be filled in LobeChat later.
Save the configuration file and restart the Authelia service. Now we have completed the Authelia configuration.
### Configure Environment Variables
When deploying LobeChat, you need to configure the following environment variables:
| Environment Variable | Type | Description |
| --- | --- | --- |
| `NEXT_AUTH_SECRET` | Required | The secret used to encrypt Auth.js session tokens. You can generate a secret using the following command: `openssl rand -base64 32` |
| `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the SSO provider for LoboChat. Use `authentik` for Authentik. |
| `AUTHELIA_CLIENT_ID` | Required | The id just configured in Authelia, example value is lobe-chat |
| `AUTHELIA_CLIENT_SECRET` | The plaintext corresponding to the secret just configured in Authelia, example value is insecure_secret |
| `AUTHELIA_ISSUER` | Required | Your Authelia URL, for example https://sso.example.com |
| `NEXTAUTH_URL` | Optional | This URL is used to specify the callback address for Auth.js when performing OAuth verification. It only needs to be set when the default generated redirect address is incorrect. https://chat.example.com/api/auth |

<Callout type={'tip'}>
Go to [📘 Environment Variables](/docs/self-hosting/environment-variable#Authelia) for details about the variables.
</Callout>
</Steps>

<Callout type={'info'}>
After a successful deployment, users will be able to use LobeChat by authenticating with the users
configured in Authelia.
</Callout>
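Review bot: the `NEXT_AUTH_SSO_PROVIDERS` row of the environment-variable table says "Use `authentik` for Authentik", which is carried over from the Authentik page and would make a reader enable the wrong provider; it should read "Use `authelia` for Authelia" (the zh-CN page already has this right), and "LoboChat" in the same row is a typo. The `AUTHELIA_CLIENT_SECRET` row is missing its Type cell (`Required`), so the three-column table is malformed. The hostnames are inconsistent: the intro deploys LobeChat at `https://lobe.example.com/` while `redirect_uris` and the `NEXTAUTH_URL` example use `https://chat.example.com`; pick one, since the redirect URI has to match the real callback exactly or Authelia rejects the request. "replace secret and redirect_urls" names a key that does not exist; the YAML key is `redirect_uris`. Because the snippet pastes the publicly known digest of `insecure_secret` from Authelia's own docs, say explicitly that readers must generate their own pair (`authelia crypto hash generate pbkdf2 --random` prints both the plaintext that goes in `AUTHELIA_CLIENT_SECRET` and the digest that goes in `secret`) rather than reuse that value. Lastly, two consecutive `##` headings with no body between them is odd; the zh-CN page uses `#` for the title, so the first one here probably should too.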
73 changes: 73 additions & 0 deletions docs/self-hosting/advanced/auth/next-auth/authelia.zh-CN.mdx
@@ -0,0 +1,73 @@
---
title: 在 LobeChat 中配置 Authelia 身份验证服务
description: 学习如何在 LobeChat 中配置 Authelia 身份验证服务,包括创建提供程序、配置环境变量和部署 LobeChat。详细步骤和必要环境变量设置。
tags:
- Authelia
- 身份验证
- 单点登录
- 环境变量
- LobeChat
---

# 配置 Authelia 身份验证服务

## Authelia 配置流程

<Steps>
### 创建 Authelia 提供应用

我们现在默认您已经了解了如何使用 Authelia。假设您的 LobeChat 实例部署在 `https://lobe.example.com/` 中。
注意,目前只有 `localhost` 支持 HTTP 访问,其他域名需要启用 TLS,否则 Authelia 默认将主动中断身份认证。

现在,我们打开 Authelia 实例的配置文件进行编辑:

`identity_providers`-> `oidc` 下新增一个 `lobe-chat` 的项目:

```yaml
...
identity_providers:
oidc:
...
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
- id: lobe-chat
description: LobeChat
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: two_factor
redirect_uris:
- https://chat.example.com/api/auth/callback/authelia
scopes:
- openid
- profile
- email
userinfo_signing_algorithm: none
```
请您确保 `secret` 和 `redirect_urls` 替换成您自己的值。
注意!Authelia 中配置 `secret` 是密文,即加盐哈希值。其对应的明文稍后需要填写在 lobeChat 中。

保存配置文件,然后重启 Authelia 服务。现在我们完成了 Authelia 的配置工作。

### 配置环境变量

在部署 LobeChat 时,你需要配置以下环境变量:

| 环境变量 | 类型 | 描述 |
| --- | --- | --- |
| `NEXT_AUTH_SECRET` | 必选 | 用于加密 Auth.js 会话令牌的密钥。您可以使用以下命令生成秘钥: `openssl rand -base64 32` |
| `NEXT_AUTH_SSO_PROVIDERS` | 必选 | 选择 LoboChat 的单点登录提供商。使用 Authelia 请填写 `authelia`。 |
| `AUTHELIA_CLIENT_ID` | 必选 | 刚刚在 Authelia 配置的 `id`,示例值是 `lobe-chat` |
| `AUTHELIA_CLIENT_SECRET` | 必选 | 刚刚在 Authelia 配置的 `secret` 对应的明文,示例值是 `insecure_secret` |
| `AUTHELIA_ISSUER` | 必选 |您的 Authelia 的网址,例如 `https://sso.example.com` |
| `NEXTAUTH_URL` | 可选 | 该 URL 用于指定 Auth.js 在执行 OAuth 验证时的回调地址,当默认生成的重定向地址发生不正确时才需要设置。`https://chat.example.com/api/auth` |

<Callout type={'tip'}>
前往 [📘 环境变量](/docs/self-hosting/environment-variable#Authelia) 可查阅相关变量详情。

</Callout>
</Steps>

<Callout type={'info'}>
部署成功后,用户将可以使用 Authelia 中配置的用户通过身份认证并使用 LobeChat。
</Callout>
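Review bot: same consistency problems as the English page apply here: the intro uses `https://lobe.example.com/` while `redirect_uris` and the `NEXTAUTH_URL` example use `https://chat.example.com`; "`redirect_urls`" in the sentence after the YAML block should be `redirect_uris`; "LoboChat" in the `NEXT_AUTH_SSO_PROVIDERS` row is a typo; and "lobeChat" in the note about the secret should be "LobeChat". The blank line inside the tip `<Callout>` before `</Callout>` also differs from the English file and from the info callout below it.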
23 changes: 23 additions & 0 deletions docs/self-hosting/environment-variables/auth.mdx
Expand Up @@ -109,6 +109,29 @@ LobeChat provides a complete authentication service capability when deployed. Th
- Default: `-`
- Example: `https://your-authentik-domain.com/application/o/slug/`

### Authelia

#### `AUTHELIA_CLIENT_ID`

- Type: Required
- Description: Client ID of the Authelia provider application. You can access it [here][auth0-client-page] and navigate to the application settings to view.
- Default: `-`
- Example: `lobe-chat`

#### `AUTHELIA_CLIENT_SECRET`

- Type: Required
- Description: The plaintext of the Client Secret for the Authelia provider
- Default: `-`
- Example: `insecure_secret`

#### `AUTHELIA_ISSUER`

- Type: Required
- Description: Issuer of the Authelia provider application.
- Default: `-`
- Example: `https://sso.example.com`

### Github

#### `GITHUB_CLIENT_ID`
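Review bot: the `AUTHELIA_CLIENT_ID` description ("You can access it [here][auth0-client-page] and navigate to the application settings to view") is copied from the Auth0 entry and points readers at the Auth0 dashboard link reference; Authelia has no such console. The client ID is simply the `id` the operator writes under `identity_providers.oidc` in Authelia's configuration file, and the description should say so. For `AUTHELIA_ISSUER`, "Issuer of the Authelia provider application" could be made more precise: it is the root URL of the Authelia instance, the one that serves `/.well-known/openid-configuration`, which is what an `oidc`-type Auth.js provider uses for discovery, so a path suffix or trailing whitespace will break login.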
23 changes: 23 additions & 0 deletions docs/self-hosting/environment-variables/auth.zh-CN.mdx
Expand Up @@ -107,6 +107,29 @@ LobeChat 在部署时提供了完善的身份验证服务能力,以下是相
- 默认值: `-`
- 示例: `https://your-authentik-domain.com/application/o/slug/`

### Authelia

#### `AUTHELIA_CLIENT_ID`

- 类型:必选
- 描述: Authelia 提供程序的 Client ID
- 默认值: `-`
- 示例: `lobe-chat`

#### `AUTHELIA_CLIENT_SECRET`

- 类型:必选
- 描述: Authelia 提供程序的 Client Secret 的明文
- 默认值: `-`
- 示例: `insecure_secret`

#### `AUTHELIA_ISSUER`

- 类型:必选
- 描述: Authentik 提供程序的 OpenID Connect 颁发者
- 默认值: `-`
- 示例: `https://sso.example.com`

### Github

#### `GITHUB_CLIENT_ID`
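Review bot: the `AUTHELIA_ISSUER` description reads "Authentik 提供程序的 OpenID Connect 颁发者" (the OpenID Connect issuer of the Authentik provider); it should name Authelia. It also diverges from the English file, which says "Issuer of the Authelia provider application"; align both to "the root URL of the Authelia instance".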
10 changes: 10 additions & 0 deletions src/config/auth.ts
Expand Up @@ -81,6 +81,11 @@ export const getAuthConfig = () => {
AUTHENTIK_CLIENT_SECRET: z.string().optional(),
AUTHENTIK_ISSUER: z.string().optional(),

// AUTHELIA
AUTHELIA_CLIENT_ID: z.string().optional(),
AUTHELIA_CLIENT_SECRET: z.string().optional(),
AUTHELIA_ISSUER: z.string().optional(),

// ZITADEL
ZITADEL_CLIENT_ID: z.string().optional(),
ZITADEL_CLIENT_SECRET: z.string().optional(),
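Review bot: all three `AUTHELIA_*` entries are `z.string().optional()` while the documentation added in this same commit marks them Required. That matches the neighbouring providers, but it means nothing fails at startup when `NEXT_AUTH_SSO_PROVIDERS` includes `authelia` and one of them is unset; `clientId: undefined` only surfaces later as an opaque OAuth error. A `superRefine` that requires the three values when the provider is selected, or an early check in the provider module, would give operators a clear message.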
Expand Down Expand Up @@ -118,6 +123,11 @@ export const getAuthConfig = () => {
AUTHENTIK_CLIENT_SECRET: process.env.AUTHENTIK_CLIENT_SECRET,
AUTHENTIK_ISSUER: process.env.AUTHENTIK_ISSUER,

// AUTHELIA
AUTHELIA_CLIENT_ID: process.env.AUTHELIA_CLIENT_ID,
AUTHELIA_CLIENT_SECRET: process.env.AUTHELIA_CLIENT_SECRET,
AUTHELIA_ISSUER: process.env.AUTHELIA_ISSUER,

// ZITADEL
ZITADEL_CLIENT_ID: process.env.ZITADEL_CLIENT_ID,
ZITADEL_CLIENT_SECRET: process.env.ZITADEL_CLIENT_SECRET,
40 changes: 40 additions & 0 deletions src/libs/next-auth/sso-providers/authelia.ts
@@ -0,0 +1,40 @@
import type { OIDCConfig } from '@auth/core/providers';

import { authEnv } from '@/config/auth';

import { CommonProviderConfig } from './sso.config';

export type AutheliaProfile = {
// The users display name
email: string;
// The users email
groups: string[];
// The username the user used to login with
name: string;
preferred_username: string; // The users groups
sub: string; // The users id
};

const provider = {
id: 'authelia',
provider: {
...CommonProviderConfig,
authorization: { params: { scope: 'openid email profile' } },
checks: ['state', 'pkce'],
clientId: authEnv.AUTHELIA_CLIENT_ID,
clientSecret: authEnv.AUTHELIA_CLIENT_SECRET,
id: 'authelia',
issuer: authEnv.AUTHELIA_ISSUER,
name: 'Authelia',
profile(profile) {
return {
email: profile.email,
name: profile.name,
providerAccountId: profile.sub,
};
},
type: 'oidc',
} satisfies OIDCConfig<AutheliaProfile>,
};

export default provider;
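Review bot: the comments on `AutheliaProfile` are attached to the wrong fields: "The users display name" sits above `email`, "The users email" above `groups`, "The username the user used to login with" above `name`, and "The users groups" trails `preferred_username`. Reorder them so `sub` is the user id, `name` the display name, `preferred_username` the login name, `email` the email and `groups` the groups. `groups` is also declared as a required `string[]` even though the authorization request only asks for `openid email profile`; Authelia only returns groups when the `groups` scope is granted, so either drop the field or make it optional. Since `checks: ['state', 'pkce']` means this client always sends a PKCE challenge, the docs' Authelia client entry could additionally require it server-side with Authelia's per-client `pkce_challenge_method: S256` so that a request without a challenge is rejected rather than silently accepted.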
3 changes: 2 additions & 1 deletion src/libs/next-auth/sso-providers/index.ts
@@ -1,7 +1,8 @@
import Auth0 from './auth0';
import Authelia from './authelia';
import Authentik from './authentik';
import AzureAD from './azure-ad';
import Github from './github';
import Zitadel from './zitadel';

export const ssoProviders = [Auth0, Authentik, AzureAD, Github, Zitadel];
export const ssoProviders = [Auth0, Authentik, AzureAD, Github, Zitadel, Authelia];
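Review bot: style point only: `Authelia` is appended after `Zitadel` in `ssoProviders` while the import block and the rest of the array are alphabetical; insert it after `Auth0` so the two lists stay in the same order.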
