zhouhongbo
/
JZ_QGNB
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '74bce9432d'
${ noResults }
JZ_QGNB/DigitalHumanWeb/docs/self-hosting/advanced/auth/next-auth/authentik.mdx

74 lines
3.1 KiB
Markdown
Raw Blame History

---
title: Configuring Authentik Authentication Service for LobeChat
description: >-
Learn how to configure Authentik for Single Sign-On (SSO) for LobeChat,
including creating an application provider, setting environment variables, and
deployment instructions.
tags:
- Authentik Configuration
- Single Sign-On (SSO)
- LobeChat Authentication
- Environment Variables
- Deployment Instructions
---
## Configuring Authentik Authentication Service
## Authentik Configuration Flow
<Steps>
### Create an Authentik Application Provider
In your Authentik instance, use the administrator account to go to **Admin Interface** -> **Applications** -> **Providers** and create a new provider.
Select **OAuth2/OpenID Provider** as the provider type. Fill in the provider name, select the authentication flow and authorization flow.
In the `Redirect URL/Origin (regex)` field, fill in:
```bash
https://your-domain/api/auth/callback/authentik
```
<Callout type={'info'}>
- You can fill in or modify the `Redirect URL/Origin (regex)` later, but make sure the filled in
URL matches the deployed URL. - Replace `your-domain` with your own domain name
</Callout>
<Image
alt="Create Authentik Provider"
inStep
src="https://github.com/lobehub/lobe-chat/assets/67304509/4244634e-5f68-48d5-aac0-e5f4b06d1c4b"
/>
Click **Done**
After the creation is successful, click **Applications** on the left -> **Create**, fill in the name and Slug, select the provider created in the previous step, and click **Create**.
After the application provider is created, click the corresponding provider to enter the details page, click **Edit**, and save the `Client ID` and `Client Secret`.
Copy the URL of `OpenID Configuration Issuer` and save it.
### Configure Environment Variables
When deploying LobeChat, you need to configure the following environment variables:
| Environment Variable | Type | Description |
| --- | --- | --- |
| `NEXT_AUTH_SECRET` | Required | The secret used to encrypt Auth.js session tokens. You can generate a secret using the following command: `openssl rand -base64 32` |
| `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the SSO provider for LoboChat. Use `authentik` for Authentik. |
| `AUTH_AUTHENTIK_ID` | Required | The Client ID from the Authentik application provider details page |
| `AUTH_AUTHENTIK_SECRET` | Required | The Client Secret from the Authentik application provider details page |
| `AUTH_AUTHENTIK_ISSUER` | Required | The OpenID Configuration Issuer from the Authentik application provider details page |
| `NEXTAUTH_URL` | Required | This URL is used to specify the callback address for Auth.js when performing OAuth authentication. It only needs to be set when the default generated redirect address is incorrect. `https://example.com/api/auth` |
<Callout type={'tip'}>
Go to [📘 Environment Variables](/docs/self-hosting/environment-variable#Authentik) for details about the variables.
</Callout>
</Steps>
<Callout type={'info'}>
After a successful deployment, users will be able to use LobeChat by authenticating with the users
configured in Authentik.
</Callout>
Reference in New Issue View Git Blame Copy Permalink