-
-
Notifications
You must be signed in to change notification settings - Fork 10.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
✨ feat: add support for ZITADEL SSO provider (#1904)
* ✨ feat: add ZITADEL SSO provider * 📝 docs: add documentation for ZITADEL SSO provider
- Loading branch information
1 parent
a3f6577
commit 44152f7
Showing
9 changed files
with
204 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
# Configure ZITADEL Authentication Service | ||
|
||
<Steps> | ||
### Create ZITADEL Application | ||
|
||
Log in to the console of your ZITADEL instance using an account with at least a [`Project Owner` role](https://zitadel.com/docs/guides/manage/console/managers#roles), navigate to (or [create](https://zitadel.com/docs/guides/manage/console/projects#create-a-project)) the project you'd like to host your application in, and click the **New** button to create an application. | ||
|
||
<Image alt="Create ZITADEL Application S1" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/b05473ad-04a6-4ebc-9810-116c778d4448" /> | ||
|
||
Fill in the name, choose **Web** as the application type, and click **Continue**. | ||
|
||
<Image alt="Create ZITADEL Application S2" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/5a0e6c58-9e6f-4ffb-8af2-32e48cfb45b0" /> | ||
|
||
Choose **Code** as the authentication method. | ||
|
||
<Image alt="Create ZITADEL Application S3" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/14ecaa12-74a1-4e2f-b171-9d9ac09d3d63" /> | ||
|
||
In the **Redirect URIs** field, fill in: | ||
|
||
``` | ||
http(s)://your-domain/api/auth/callback/zitadel | ||
``` | ||
|
||
<Image alt="Create ZITADEL Application S4" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/4ff3c3a0-9ca0-45ff-8f3a-219f4445098b" /> | ||
|
||
<Callout type={'important'}> | ||
- You can fill in or modify redirect URIs after creating the application, but make sure the filled URL is consistent with the deployed URL. | ||
- Replace `http(s)://your-domain` with the actual URL that LobeChat is deployed to. | ||
</Callout> | ||
|
||
Confirm the configuration and click **Create**. | ||
|
||
<Image alt="Create ZITADEL Application S5" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/bee24764-aa42-47d9-ad43-bcb8e7b35bc3" /> | ||
|
||
Save the **ClientId** and **ClientSecret** for later use. | ||
|
||
<Image alt="Create ZITADEL Application S6" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/407b4eed-7f21-4aa6-b68f-9bae2faf09d0" /> | ||
|
||
In the application settings page, navigate to the **URLs** tab, and save the **issuer** URL. | ||
|
||
<Image alt="Create ZITADEL Application S7" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/d12a2661-7b98-484f-8f3d-07e84d42ae08" /> | ||
|
||
### Configure Environment Variables | ||
|
||
When deploying LobeChat, you need to configure the following environment variables: | ||
|
||
| Environment Variable | Type | Description | | ||
| ----------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| `ENABLE_OAUTH_SSO` | Required | Enable single sign-on (SSO) for LobeChat. Set to `1` to enable single sign-on. | | ||
| `NEXTAUTH_SECRET` | Required | Key used to encrypt Auth.js session tokens. You can generate a key using the following command: `openssl rand -base64 32` | | ||
| `SSO_PROVIDERS` | Optional | Select the single sign-on provider for LoboChat. Use `zitadel` for ZITADEL. | | ||
| `ZITADEL_CLIENT_ID` | Required | Client ID (`ClientId` as shown in ZITADEL) of the ZITADEL application | | ||
| `ZITADEL_CLIENT_SECRET` | Required | Client Secret (`ClientSecret` as shown in ZITADEL) of the ZITADEL application | | ||
| `ZITADEL_ISSUER` | Required | Issuer URL of the ZITADEL application | | ||
| `ACCESS_CODE` | Required | Add a password to access this service. You can set a sufficiently long random password to "disable" access code authorization. | | ||
| `NEXTAUTH_URL` | Optional | The URL is used to specify the callback address for the execution of OAuth authentication in Auth.js. It needs to be set only when the default address is incorrect. `https://example.com/api/auth` | | ||
|
||
<Callout type={'tip'}> | ||
You can refer to the related variable details at [📘Environment Variables](/en/self-hosting/environment-variables/auth#zitadel). | ||
</Callout> | ||
</Steps> | ||
|
||
<Callout> | ||
After successful deployment, users will be able to authenticate and use LobeChat using existing users configured in ZITADEL. | ||
</Callout> |
65 changes: 65 additions & 0 deletions
65
docs/self-hosting/advanced/sso-providers/zitadel.zh-CN.mdx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
# 配置 ZITADEL 身份验证服务 | ||
|
||
<Steps> | ||
### 创建 ZITADEL 应用 | ||
|
||
使用具有 [`Project Owner` 角色](https://zitadel.com/docs/guides/manage/console/managers#roles)的账户登录到 ZITADEL 实例控制台,进入(或[创建](https://zitadel.com/docs/guides/manage/console/projects#create-a-project))该应用所属的项目,点击「创建」按钮创建应用。 | ||
|
||
<Image alt="创建 ZITADEL 应用 1" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/3564110d-bef9-47f3-b775-e5f28b4275b2" /> | ||
|
||
填写应用名称,应用类型选择「Web」,点击「继续」。 | ||
|
||
<Image alt="创建 ZITADEL 应用 2" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/12451b47-8dcd-40a9-b18d-2806b07efecc" /> | ||
|
||
选择「Code」作为身份验证方式。 | ||
|
||
<Image alt="创建 ZITADEL 应用 3" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/9d5cb651-ad10-47c7-8c8b-2256163c5521" /> | ||
|
||
在「重定向 URLs」字段中填写: | ||
|
||
``` | ||
http(s)://your-domain/api/auth/callback/zitadel | ||
``` | ||
|
||
<Image alt="创建 ZITADEL 应用 4" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/1699bf46-0c8d-4238-9eb5-34282bfe529a" /> | ||
|
||
<Callout type={'important'}> | ||
- 可以创建应用后再填写或修改重定向 URL,但请确保填写的 URL 与部署的 URL 一致。 | ||
- 请将 `http(s)://your-domain` 替换为 LobeChat 部署的实际 URL。 | ||
</Callout> | ||
|
||
确认配置并点击「创建」。 | ||
|
||
<Image alt="创建 ZITADEL 应用 5" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/375b3d73-6796-465c-9063-f2762093f763" /> | ||
|
||
记录下「ClientId」和「ClientSecret」备用。 | ||
|
||
<Image alt="创建 ZITADEL 应用 6" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/40bb6b4c-18e0-4ae5-abae-ae0cf202cf08" /> | ||
|
||
在应用设置页面中,切换到「URLs」选项卡,记录下「issuer」URL。 | ||
|
||
<Image alt="创建 ZITADEL 应用 7" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/79c55d44-8dcb-429c-a072-d3eb014bbceb" /> | ||
|
||
### 配置环境变量 | ||
|
||
部署 LobeChat 时,您需要配置以下环境变量: | ||
|
||
| 环境变量 | 类型 | 描述 | | ||
| ----------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| `ENABLE_OAUTH_SSO` | 必选 | 为 LobeChat 启用单点登录(SSO)。设置为 `1` 以启用单点登录。 | | ||
| `NEXTAUTH_SECRET` | 必选 | 用于加密 Auth.js 会话令牌的密钥。您可以使用以下命令生成密钥:`openssl rand -base64 32` | | ||
| `SSO_PROVIDERS` | 可选 | 为 LobeChat 选择单点登录提供程序。对于 ZITADEL,请填写 `zitadel`。 | | ||
| `ZITADEL_CLIENT_ID` | 必选 | ZITADEL 应用的 Client ID(`ClientId`)。 | | ||
| `ZITADEL_CLIENT_SECRET` | 必选 | ZITADEL 应用的 Client Secret(`ClientSecret`)。 | | ||
| `ZITADEL_ISSUER` | 必选 | ZITADEL 应用的 OpenID Connect 颁发者(issuer)URL。 | | ||
| `ACCESS_CODE` | 必选 | 添加访问此服务的代码。您可以设置一个足够长的随机密码以「禁用」访问码授权。 | | ||
| `NEXTAUTH_URL` | 可选 | 该 URL 用于指定 Auth.js 中执行 OAuth 认证的回调地址。仅当默认地址不正确时才需要设置。`https://example.com/api/auth` | | ||
|
||
<Callout type={'tip'}> | ||
您可以在 [📘 环境变量](/zh/self-hosting/environment-variables/auth#zitadel) 中查看相关变量的详细信息。 | ||
</Callout> | ||
</Steps> | ||
|
||
<Callout> | ||
部署成功后,用户将能够通过 ZITADEL 中配置的用户进行身份验证并使用 LobeChat。 | ||
</Callout> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
import Zitadel from 'next-auth/providers/zitadel'; | ||
|
||
import { getServerConfig } from '@/config/server'; | ||
|
||
const { ZITADEL_CLIENT_ID, ZITADEL_CLIENT_SECRET, ZITADEL_ISSUER } = getServerConfig(); | ||
|
||
const provider = { | ||
id: 'zitadel', | ||
provider: Zitadel({ | ||
// Available scopes in ZITADEL: https://zitadel.com/docs/apis/openidoauth/scopes | ||
authorization: { params: { scope: 'openid email profile' } }, | ||
clientId: ZITADEL_CLIENT_ID, | ||
clientSecret: ZITADEL_CLIENT_SECRET, | ||
issuer: ZITADEL_ISSUER, | ||
}), | ||
}; | ||
|
||
export default provider; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters