Skip to content

Commit

Permalink
✨ feat: add support for ZITADEL SSO provider (#1904)
Browse files Browse the repository at this point in the history
* ✨ feat: add ZITADEL SSO provider

* 📝 docs: add documentation for ZITADEL SSO provider
  • Loading branch information
yanghanlin authored Apr 8, 2024
1 parent a3f6577 commit 44152f7
Show file tree
Hide file tree
Showing 9 changed files with 204 additions and 2 deletions.
4 changes: 3 additions & 1 deletion docs/self-hosting/advanced/authentication.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,8 @@ Currently supported identity verification services include:
- [Auth0](/en/self-hosting/advanced/sso-providers/auth0)
- [Microsoft Entra ID](/en/self-hosting/advanced/sso-providers/microsoft-entra-id)
- [Authentik](/en/self-hosting/advanced/sso-providers/authentik)
- [Github](/en/self-hosting/advanced/sso-providers/github
- [Github](/en/self-hosting/advanced/sso-providers/github)
- [ZITADEL](/en/self-hosting/advanced/sso-providers/zitadel)

Click on the links to view the corresponding platform's configuration documentation.

Expand All @@ -23,6 +24,7 @@ The order corresponds to the display order of the SSO providers.
| Microsoft Entra ID | `azure-ad` |
| Authentik | `authentik` |
| Github | `github` |
| ZITADEL | `zitadel` |

## Other SSO Providers

Expand Down
2 changes: 2 additions & 0 deletions docs/self-hosting/advanced/authentication.zh-CN.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ LobeChat 支持配置外部身份验证服务,供企业 / 组织内部使用
- [Microsoft Entra ID](/zh/self-hosting/advanced/sso-providers/microsoft-entra-id)
- [Authentik](/zh/self-hosting/advanced/sso-providers/authentik)
- [Github](/zh/self-hosting/advanced/sso-providers/github)
- [ZITADEL](/zh/self-hosting/advanced/sso-providers/zitadel)

点击链接可以查看对应平台的配置文档。

Expand All @@ -23,6 +24,7 @@ LobeChat 支持配置外部身份验证服务,供企业 / 组织内部使用
| Microsoft Entra ID | `azure-ad` |
| Authentik | `authentik` |
| Github | `github` |
| ZITADEL | `zitadel` |

## 其他 SSO 提供商

Expand Down
65 changes: 65 additions & 0 deletions docs/self-hosting/advanced/sso-providers/zitadel.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
# Configure ZITADEL Authentication Service

<Steps>
### Create ZITADEL Application

Log in to the console of your ZITADEL instance using an account with at least a [`Project Owner` role](https://zitadel.com/docs/guides/manage/console/managers#roles), navigate to (or [create](https://zitadel.com/docs/guides/manage/console/projects#create-a-project)) the project you'd like to host your application in, and click the **New** button to create an application.

<Image alt="Create ZITADEL Application S1" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/b05473ad-04a6-4ebc-9810-116c778d4448" />

Fill in the name, choose **Web** as the application type, and click **Continue**.

<Image alt="Create ZITADEL Application S2" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/5a0e6c58-9e6f-4ffb-8af2-32e48cfb45b0" />

Choose **Code** as the authentication method.

<Image alt="Create ZITADEL Application S3" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/14ecaa12-74a1-4e2f-b171-9d9ac09d3d63" />

In the **Redirect URIs** field, fill in:

```
http(s)://your-domain/api/auth/callback/zitadel
```

<Image alt="Create ZITADEL Application S4" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/4ff3c3a0-9ca0-45ff-8f3a-219f4445098b" />

<Callout type={'important'}>
- You can fill in or modify redirect URIs after creating the application, but make sure the filled URL is consistent with the deployed URL.
- Replace `http(s)://your-domain` with the actual URL that LobeChat is deployed to.
</Callout>

Confirm the configuration and click **Create**.

<Image alt="Create ZITADEL Application S5" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/bee24764-aa42-47d9-ad43-bcb8e7b35bc3" />

Save the **ClientId** and **ClientSecret** for later use.

<Image alt="Create ZITADEL Application S6" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/407b4eed-7f21-4aa6-b68f-9bae2faf09d0" />

In the application settings page, navigate to the **URLs** tab, and save the **issuer** URL.

<Image alt="Create ZITADEL Application S7" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/d12a2661-7b98-484f-8f3d-07e84d42ae08" />

### Configure Environment Variables

When deploying LobeChat, you need to configure the following environment variables:

| Environment Variable | Type | Description |
| ----------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ENABLE_OAUTH_SSO` | Required | Enable single sign-on (SSO) for LobeChat. Set to `1` to enable single sign-on. |
| `NEXTAUTH_SECRET` | Required | Key used to encrypt Auth.js session tokens. You can generate a key using the following command: `openssl rand -base64 32` |
| `SSO_PROVIDERS` | Optional | Select the single sign-on provider for LoboChat. Use `zitadel` for ZITADEL. |
| `ZITADEL_CLIENT_ID` | Required | Client ID (`ClientId` as shown in ZITADEL) of the ZITADEL application |
| `ZITADEL_CLIENT_SECRET` | Required | Client Secret (`ClientSecret` as shown in ZITADEL) of the ZITADEL application |
| `ZITADEL_ISSUER` | Required | Issuer URL of the ZITADEL application |
| `ACCESS_CODE` | Required | Add a password to access this service. You can set a sufficiently long random password to "disable" access code authorization. |
| `NEXTAUTH_URL` | Optional | The URL is used to specify the callback address for the execution of OAuth authentication in Auth.js. It needs to be set only when the default address is incorrect. `https://example.com/api/auth` |

<Callout type={'tip'}>
You can refer to the related variable details at [📘Environment Variables](/en/self-hosting/environment-variables/auth#zitadel).
</Callout>
</Steps>

<Callout>
After successful deployment, users will be able to authenticate and use LobeChat using existing users configured in ZITADEL.
</Callout>
65 changes: 65 additions & 0 deletions docs/self-hosting/advanced/sso-providers/zitadel.zh-CN.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
# 配置 ZITADEL 身份验证服务

<Steps>
### 创建 ZITADEL 应用

使用具有 [`Project Owner` 角色](https://zitadel.com/docs/guides/manage/console/managers#roles)的账户登录到 ZITADEL 实例控制台,进入(或[创建](https://zitadel.com/docs/guides/manage/console/projects#create-a-project))该应用所属的项目,点击「创建」按钮创建应用。

<Image alt="创建 ZITADEL 应用 1" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/3564110d-bef9-47f3-b775-e5f28b4275b2" />

填写应用名称,应用类型选择「Web」,点击「继续」。

<Image alt="创建 ZITADEL 应用 2" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/12451b47-8dcd-40a9-b18d-2806b07efecc" />

选择「Code」作为身份验证方式。

<Image alt="创建 ZITADEL 应用 3" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/9d5cb651-ad10-47c7-8c8b-2256163c5521" />

在「重定向 URLs」字段中填写:

```
http(s)://your-domain/api/auth/callback/zitadel
```

<Image alt="创建 ZITADEL 应用 4" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/1699bf46-0c8d-4238-9eb5-34282bfe529a" />

<Callout type={'important'}>
- 可以创建应用后再填写或修改重定向 URL,但请确保填写的 URL 与部署的 URL 一致。
- 请将 `http(s)://your-domain` 替换为 LobeChat 部署的实际 URL。
</Callout>

确认配置并点击「创建」。

<Image alt="创建 ZITADEL 应用 5" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/375b3d73-6796-465c-9063-f2762093f763" />

记录下「ClientId」和「ClientSecret」备用。

<Image alt="创建 ZITADEL 应用 6" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/40bb6b4c-18e0-4ae5-abae-ae0cf202cf08" />

在应用设置页面中,切换到「URLs」选项卡,记录下「issuer」URL。

<Image alt="创建 ZITADEL 应用 7" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/79c55d44-8dcb-429c-a072-d3eb014bbceb" />

### 配置环境变量

部署 LobeChat 时,您需要配置以下环境变量:

| 环境变量 | 类型 | 描述 |
| ----------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ENABLE_OAUTH_SSO` | 必选 | 为 LobeChat 启用单点登录(SSO)。设置为 `1` 以启用单点登录。 |
| `NEXTAUTH_SECRET` | 必选 | 用于加密 Auth.js 会话令牌的密钥。您可以使用以下命令生成密钥:`openssl rand -base64 32` |
| `SSO_PROVIDERS` | 可选 | 为 LobeChat 选择单点登录提供程序。对于 ZITADEL,请填写 `zitadel`|
| `ZITADEL_CLIENT_ID` | 必选 | ZITADEL 应用的 Client ID(`ClientId`)。 |
| `ZITADEL_CLIENT_SECRET` | 必选 | ZITADEL 应用的 Client Secret(`ClientSecret`)。 |
| `ZITADEL_ISSUER` | 必选 | ZITADEL 应用的 OpenID Connect 颁发者(issuer)URL。 |
| `ACCESS_CODE` | 必选 | 添加访问此服务的代码。您可以设置一个足够长的随机密码以「禁用」访问码授权。 |
| `NEXTAUTH_URL` | 可选 | 该 URL 用于指定 Auth.js 中执行 OAuth 认证的回调地址。仅当默认地址不正确时才需要设置。`https://example.com/api/auth` |

<Callout type={'tip'}>
您可以在 [📘 环境变量](/zh/self-hosting/environment-variables/auth#zitadel) 中查看相关变量的详细信息。
</Callout>
</Steps>

<Callout>
部署成功后,用户将能够通过 ZITADEL 中配置的用户进行身份验证并使用 LobeChat。
</Callout>
23 changes: 23 additions & 0 deletions docs/self-hosting/environment-variables/auth.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,29 @@ LobeChat provides a complete authentication service capability when deployed. Th
- Default: `-`
- Example: `dd262976ac0931d947e104891586a053f3d3750b`

## ZITADEL

### `ZITADEL_CLIENT_ID`

- Type: Required
- Description: Client ID of the ZITADEL application. This can be found under your application in the ZITADEL console.
- Default: `-`
- Example: `123456789012345678@your-project`

### `ZITADEL_CLIENT_SECRET`

- Type: Required
- Description: Client Secret of the ZITADEL application.
- Default: `-`
- Example: `9QF1n5ATzU7Z3mHp2Iw4gKX8kY6oR7uW1DnKcV3LqX2jF6iG3fBmJ1kV7nS5zE6A`

### `ZITADEL_ISSUER`

- Type: Required
- Description: Issuer of the ZITADEL application. This is usually the URL of the ZITADEL instance, and can be found in `URLs` tab of your application in the console.
- Default: `-`
- Example: `https://your-instance-abc123.zitadel.cloud`

<Callout>
Currently, we only support providers above. If you need to use other identity verification service
providers, you can submit a [feature
Expand Down
23 changes: 23 additions & 0 deletions docs/self-hosting/environment-variables/auth.zh-CN.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,29 @@ LobeChat 在部署时提供了完善的身份验证服务能力,以下是相
- Default: `-`
- Example: `dd262976ac0931d947e104891586a053f3d3750b`

## ZITADEL

### `ZITADEL_CLIENT_ID`

- 类型:必选
- 描述:ZITADEL 应用的 Client ID。您可以在 ZITADEL 控制台应用设置中找到 Client ID。
- 默认值:`-`
- 示例:`123456789012345678@your-project`

### `ZITADEL_CLIENT_SECRET`

- 类型:必选
- 描述:ZITADEL 应用的 Client Secret。
- 默认值:`-`
- 示例:`9QF1n5ATzU7Z3mHp2Iw4gKX8kY6oR7uW1DnKcV3LqX2jF6iG3fBmJ1kV7nS5zE6A`

### `ZITADEL_ISSUER`

- 类型:必选
- 描述:ZITADEL 应用的 OpenID Connect 颁发者(issuer),通常为 ZITADEL 实例的 URL。您可以在 ZITADEL 控制台应用设置中的 `URLs` 选项卡中找到 issuer。
- 默认值:`-`
- 示例:`https://your-instance-abc123.zitadel.cloud`

<Callout>
如果您需要使用其他身份验证服务提供商,可以提交
[功能请求](https://github.com/lobehub/lobe-chat/issues/new/choose) 或 Pull Request。
Expand Down
3 changes: 2 additions & 1 deletion src/app/api/auth/sso-providers/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,6 @@ import Auth0 from './auth0';
import Authentik from './authentik';
import AzureAD from './azure-ad';
import Github from './github';
import Zitadel from './zitadel';

export const ssoProviders = [Auth0, Authentik, AzureAD, Github];
export const ssoProviders = [Auth0, Authentik, AzureAD, Github, Zitadel];
18 changes: 18 additions & 0 deletions src/app/api/auth/sso-providers/zitadel.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
import Zitadel from 'next-auth/providers/zitadel';

import { getServerConfig } from '@/config/server';

const { ZITADEL_CLIENT_ID, ZITADEL_CLIENT_SECRET, ZITADEL_ISSUER } = getServerConfig();

const provider = {
id: 'zitadel',
provider: Zitadel({
// Available scopes in ZITADEL: https://zitadel.com/docs/apis/openidoauth/scopes
authorization: { params: { scope: 'openid email profile' } },
clientId: ZITADEL_CLIENT_ID,
clientSecret: ZITADEL_CLIENT_SECRET,
issuer: ZITADEL_ISSUER,
}),
};

export default provider;
3 changes: 3 additions & 0 deletions src/config/server/app.ts
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,9 @@ export const getAppConfig = () => {
AUTHENTIK_CLIENT_ID: process.env.AUTHENTIK_CLIENT_ID || '',
AUTHENTIK_CLIENT_SECRET: process.env.AUTHENTIK_CLIENT_SECRET || '',
AUTHENTIK_ISSUER: process.env.AUTHENTIK_ISSUER || '',
ZITADEL_CLIENT_ID: process.env.ZITADEL_CLIENT_ID || '',
ZITADEL_CLIENT_SECRET: process.env.ZITADEL_CLIENT_SECRET || '',
ZITADEL_ISSUER: process.env.ZITADEL_ISSUER || '',
NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET || '',

ENABLE_LANGFUSE: process.env.ENABLE_LANGFUSE === '1',
Expand Down

0 comments on commit 44152f7

Please sign in to comment.