Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ feat: add support for ZITADEL SSO provider #1904

Merged
merged 2 commits into from
Apr 8, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion docs/self-hosting/advanced/authentication.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,8 @@ Currently supported identity verification services include:
- [Auth0](/en/self-hosting/advanced/sso-providers/auth0)
- [Microsoft Entra ID](/en/self-hosting/advanced/sso-providers/microsoft-entra-id)
- [Authentik](/en/self-hosting/advanced/sso-providers/authentik)
- [Github](/en/self-hosting/advanced/sso-providers/github
- [Github](/en/self-hosting/advanced/sso-providers/github)
- [ZITADEL](/en/self-hosting/advanced/sso-providers/zitadel)

Click on the links to view the corresponding platform's configuration documentation.

Expand All @@ -23,6 +24,7 @@ The order corresponds to the display order of the SSO providers.
| Microsoft Entra ID | `azure-ad` |
| Authentik | `authentik` |
| Github | `github` |
| ZITADEL | `zitadel` |

## Other SSO Providers

Expand Down
2 changes: 2 additions & 0 deletions docs/self-hosting/advanced/authentication.zh-CN.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ LobeChat 支持配置外部身份验证服务,供企业 / 组织内部使用
- [Microsoft Entra ID](/zh/self-hosting/advanced/sso-providers/microsoft-entra-id)
- [Authentik](/zh/self-hosting/advanced/sso-providers/authentik)
- [Github](/zh/self-hosting/advanced/sso-providers/github)
- [ZITADEL](/zh/self-hosting/advanced/sso-providers/zitadel)

点击链接可以查看对应平台的配置文档。

Expand All @@ -23,6 +24,7 @@ LobeChat 支持配置外部身份验证服务,供企业 / 组织内部使用
| Microsoft Entra ID | `azure-ad` |
| Authentik | `authentik` |
| Github | `github` |
| ZITADEL | `zitadel` |

## 其他 SSO 提供商

Expand Down
65 changes: 65 additions & 0 deletions docs/self-hosting/advanced/sso-providers/zitadel.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
# Configure ZITADEL Authentication Service

<Steps>
### Create ZITADEL Application

Log in to the console of your ZITADEL instance using an account with at least a [`Project Owner` role](https://zitadel.com/docs/guides/manage/console/managers#roles), navigate to (or [create](https://zitadel.com/docs/guides/manage/console/projects#create-a-project)) the project you'd like to host your application in, and click the **New** button to create an application.

<Image alt="Create ZITADEL Application S1" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/b05473ad-04a6-4ebc-9810-116c778d4448" />

Fill in the name, choose **Web** as the application type, and click **Continue**.

<Image alt="Create ZITADEL Application S2" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/5a0e6c58-9e6f-4ffb-8af2-32e48cfb45b0" />

Choose **Code** as the authentication method.

<Image alt="Create ZITADEL Application S3" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/14ecaa12-74a1-4e2f-b171-9d9ac09d3d63" />

In the **Redirect URIs** field, fill in:

```
http(s)://your-domain/api/auth/callback/zitadel
```

<Image alt="Create ZITADEL Application S4" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/4ff3c3a0-9ca0-45ff-8f3a-219f4445098b" />

<Callout type={'important'}>
- You can fill in or modify redirect URIs after creating the application, but make sure the filled URL is consistent with the deployed URL.
- Replace `http(s)://your-domain` with the actual URL that LobeChat is deployed to.
</Callout>

Confirm the configuration and click **Create**.

<Image alt="Create ZITADEL Application S5" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/bee24764-aa42-47d9-ad43-bcb8e7b35bc3" />

Save the **ClientId** and **ClientSecret** for later use.

<Image alt="Create ZITADEL Application S6" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/407b4eed-7f21-4aa6-b68f-9bae2faf09d0" />

In the application settings page, navigate to the **URLs** tab, and save the **issuer** URL.

<Image alt="Create ZITADEL Application S7" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/d12a2661-7b98-484f-8f3d-07e84d42ae08" />

### Configure Environment Variables

When deploying LobeChat, you need to configure the following environment variables:

| Environment Variable | Type | Description |
| ----------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ENABLE_OAUTH_SSO` | Required | Enable single sign-on (SSO) for LobeChat. Set to `1` to enable single sign-on. |
| `NEXTAUTH_SECRET` | Required | Key used to encrypt Auth.js session tokens. You can generate a key using the following command: `openssl rand -base64 32` |
| `SSO_PROVIDERS` | Optional | Select the single sign-on provider for LoboChat. Use `zitadel` for ZITADEL. |
| `ZITADEL_CLIENT_ID` | Required | Client ID (`ClientId` as shown in ZITADEL) of the ZITADEL application |
| `ZITADEL_CLIENT_SECRET` | Required | Client Secret (`ClientSecret` as shown in ZITADEL) of the ZITADEL application |
| `ZITADEL_ISSUER` | Required | Issuer URL of the ZITADEL application |
| `ACCESS_CODE` | Required | Add a password to access this service. You can set a sufficiently long random password to "disable" access code authorization. |
| `NEXTAUTH_URL` | Optional | The URL is used to specify the callback address for the execution of OAuth authentication in Auth.js. It needs to be set only when the default address is incorrect. `https://example.com/api/auth` |

<Callout type={'tip'}>
You can refer to the related variable details at [📘Environment Variables](/en/self-hosting/environment-variables/auth#zitadel).
</Callout>
</Steps>

<Callout>
After successful deployment, users will be able to authenticate and use LobeChat using existing users configured in ZITADEL.
</Callout>
65 changes: 65 additions & 0 deletions docs/self-hosting/advanced/sso-providers/zitadel.zh-CN.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
# 配置 ZITADEL 身份验证服务

<Steps>
### 创建 ZITADEL 应用

使用具有 [`Project Owner` 角色](https://zitadel.com/docs/guides/manage/console/managers#roles)的账户登录到 ZITADEL 实例控制台,进入(或[创建](https://zitadel.com/docs/guides/manage/console/projects#create-a-project))该应用所属的项目,点击「创建」按钮创建应用。

<Image alt="创建 ZITADEL 应用 1" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/3564110d-bef9-47f3-b775-e5f28b4275b2" />

填写应用名称,应用类型选择「Web」,点击「继续」。

<Image alt="创建 ZITADEL 应用 2" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/12451b47-8dcd-40a9-b18d-2806b07efecc" />

选择「Code」作为身份验证方式。

<Image alt="创建 ZITADEL 应用 3" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/9d5cb651-ad10-47c7-8c8b-2256163c5521" />

在「重定向 URLs」字段中填写:

```
http(s)://your-domain/api/auth/callback/zitadel
```

<Image alt="创建 ZITADEL 应用 4" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/1699bf46-0c8d-4238-9eb5-34282bfe529a" />

<Callout type={'important'}>
- 可以创建应用后再填写或修改重定向 URL,但请确保填写的 URL 与部署的 URL 一致。
- 请将 `http(s)://your-domain` 替换为 LobeChat 部署的实际 URL。
</Callout>

确认配置并点击「创建」。

<Image alt="创建 ZITADEL 应用 5" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/375b3d73-6796-465c-9063-f2762093f763" />

记录下「ClientId」和「ClientSecret」备用。

<Image alt="创建 ZITADEL 应用 6" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/40bb6b4c-18e0-4ae5-abae-ae0cf202cf08" />

在应用设置页面中,切换到「URLs」选项卡,记录下「issuer」URL。

<Image alt="创建 ZITADEL 应用 7" inStep src="https://github.com/lobehub/lobe-chat/assets/8692892/79c55d44-8dcb-429c-a072-d3eb014bbceb" />

### 配置环境变量

部署 LobeChat 时,您需要配置以下环境变量:

| 环境变量 | 类型 | 描述 |
| ----------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ENABLE_OAUTH_SSO` | 必选 | 为 LobeChat 启用单点登录(SSO)。设置为 `1` 以启用单点登录。 |
| `NEXTAUTH_SECRET` | 必选 | 用于加密 Auth.js 会话令牌的密钥。您可以使用以下命令生成密钥:`openssl rand -base64 32` |
| `SSO_PROVIDERS` | 可选 | 为 LobeChat 选择单点登录提供程序。对于 ZITADEL,请填写 `zitadel`。 |
| `ZITADEL_CLIENT_ID` | 必选 | ZITADEL 应用的 Client ID(`ClientId`)。 |
| `ZITADEL_CLIENT_SECRET` | 必选 | ZITADEL 应用的 Client Secret(`ClientSecret`)。 |
| `ZITADEL_ISSUER` | 必选 | ZITADEL 应用的 OpenID Connect 颁发者(issuer)URL。 |
| `ACCESS_CODE` | 必选 | 添加访问此服务的代码。您可以设置一个足够长的随机密码以「禁用」访问码授权。 |
| `NEXTAUTH_URL` | 可选 | 该 URL 用于指定 Auth.js 中执行 OAuth 认证的回调地址。仅当默认地址不正确时才需要设置。`https://example.com/api/auth` |

<Callout type={'tip'}>
您可以在 [📘 环境变量](/zh/self-hosting/environment-variables/auth#zitadel) 中查看相关变量的详细信息。
</Callout>
</Steps>

<Callout>
部署成功后,用户将能够通过 ZITADEL 中配置的用户进行身份验证并使用 LobeChat。
</Callout>
23 changes: 23 additions & 0 deletions docs/self-hosting/environment-variables/auth.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,29 @@ LobeChat provides a complete authentication service capability when deployed. Th
- Default: `-`
- Example: `dd262976ac0931d947e104891586a053f3d3750b`

## ZITADEL

### `ZITADEL_CLIENT_ID`

- Type: Required
- Description: Client ID of the ZITADEL application. This can be found under your application in the ZITADEL console.
- Default: `-`
- Example: `123456789012345678@your-project`

### `ZITADEL_CLIENT_SECRET`

- Type: Required
- Description: Client Secret of the ZITADEL application.
- Default: `-`
- Example: `9QF1n5ATzU7Z3mHp2Iw4gKX8kY6oR7uW1DnKcV3LqX2jF6iG3fBmJ1kV7nS5zE6A`

### `ZITADEL_ISSUER`

- Type: Required
- Description: Issuer of the ZITADEL application. This is usually the URL of the ZITADEL instance, and can be found in `URLs` tab of your application in the console.
- Default: `-`
- Example: `https://your-instance-abc123.zitadel.cloud`

<Callout>
Currently, we only support providers above. If you need to use other identity verification service
providers, you can submit a [feature
Expand Down
23 changes: 23 additions & 0 deletions docs/self-hosting/environment-variables/auth.zh-CN.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,29 @@ LobeChat 在部署时提供了完善的身份验证服务能力,以下是相
- Default: `-`
- Example: `dd262976ac0931d947e104891586a053f3d3750b`

## ZITADEL

### `ZITADEL_CLIENT_ID`

- 类型:必选
- 描述:ZITADEL 应用的 Client ID。您可以在 ZITADEL 控制台应用设置中找到 Client ID。
- 默认值:`-`
- 示例:`123456789012345678@your-project`

### `ZITADEL_CLIENT_SECRET`

- 类型:必选
- 描述:ZITADEL 应用的 Client Secret。
- 默认值:`-`
- 示例:`9QF1n5ATzU7Z3mHp2Iw4gKX8kY6oR7uW1DnKcV3LqX2jF6iG3fBmJ1kV7nS5zE6A`

### `ZITADEL_ISSUER`

- 类型:必选
- 描述:ZITADEL 应用的 OpenID Connect 颁发者(issuer),通常为 ZITADEL 实例的 URL。您可以在 ZITADEL 控制台应用设置中的 `URLs` 选项卡中找到 issuer。
- 默认值:`-`
- 示例:`https://your-instance-abc123.zitadel.cloud`

<Callout>
如果您需要使用其他身份验证服务提供商,可以提交
[功能请求](https://github.com/lobehub/lobe-chat/issues/new/choose) 或 Pull Request。
Expand Down
3 changes: 2 additions & 1 deletion src/app/api/auth/sso-providers/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,6 @@ import Auth0 from './auth0';
import Authentik from './authentik';
import AzureAD from './azure-ad';
import Github from './github';
import Zitadel from './zitadel';

export const ssoProviders = [Auth0, Authentik, AzureAD, Github];
export const ssoProviders = [Auth0, Authentik, AzureAD, Github, Zitadel];
18 changes: 18 additions & 0 deletions src/app/api/auth/sso-providers/zitadel.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
import Zitadel from 'next-auth/providers/zitadel';

import { getServerConfig } from '@/config/server';

const { ZITADEL_CLIENT_ID, ZITADEL_CLIENT_SECRET, ZITADEL_ISSUER } = getServerConfig();

const provider = {
id: 'zitadel',
provider: Zitadel({
// Available scopes in ZITADEL: https://zitadel.com/docs/apis/openidoauth/scopes
authorization: { params: { scope: 'openid email profile' } },
clientId: ZITADEL_CLIENT_ID,
clientSecret: ZITADEL_CLIENT_SECRET,
issuer: ZITADEL_ISSUER,
}),
};

export default provider;
3 changes: 3 additions & 0 deletions src/config/server/app.ts
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,9 @@ export const getAppConfig = () => {
AUTHENTIK_CLIENT_ID: process.env.AUTHENTIK_CLIENT_ID || '',
AUTHENTIK_CLIENT_SECRET: process.env.AUTHENTIK_CLIENT_SECRET || '',
AUTHENTIK_ISSUER: process.env.AUTHENTIK_ISSUER || '',
ZITADEL_CLIENT_ID: process.env.ZITADEL_CLIENT_ID || '',
ZITADEL_CLIENT_SECRET: process.env.ZITADEL_CLIENT_SECRET || '',
ZITADEL_ISSUER: process.env.ZITADEL_ISSUER || '',
NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET || '',

ENABLE_LANGFUSE: process.env.ENABLE_LANGFUSE === '1',
Expand Down
Loading