📝docs: add casdoor docker compose document (lobehub#4338)
* 📝docs: Casdoor

* 📝docs: Docker-compose

* 📝docs: Docker-compose

* 📝docs: English ver.

* 📝docs: Incorporate review suggestions

* 📝docs: Incorporate review suggestions
zhuozhiyongde authored Oct 13, 2024
1 parent 1873cc2 commit 62cbf1c
Showing 29 changed files with 710 additions and 656 deletions.
@@ -1,6 +1,6 @@
# Logto secret
LOGTO_CLIENT_ID=
LOGTO_CLIENT_SECRET=
AUTH_LOGTO_CLIENT_ID=
AUTH_LOGTO_CLIENT_SECRET=

# MinIO S3 configuration
MINIO_ROOT_USER=YOUR_MINIO_USER
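Review bot: the rename of `LOGTO_CLIENT_ID` and `LOGTO_CLIENT_SECRET` to `AUTH_LOGTO_CLIENT_ID` and `AUTH_LOGTO_CLIENT_SECRET` at the top of this env template is a breaking configuration change carried in a commit titled as docs only. Unless the application still reads the old names, an existing `.env` that sets them will start with the Logto client credentials unset, and nothing in the visible lines warns about that. Suggest a comment above the two variables naming the old keys they replace, plus a line in the upgrade notes.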
@@ -1,6 +1,6 @@
# Logto secret
LOGTO_CLIENT_ID=
LOGTO_CLIENT_SECRET=
# Logto 鉴权相关
AUTH_LOGTO_CLIENT_ID=
AUTH_LOGTO_CLIENT_SECRET=

# MinIO S3 配置
MINIO_ROOT_USER=YOUR_MINIO_USER
Expand Up @@ -81,7 +81,7 @@ services:
- 'KEY_VAULTS_SECRET=Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ='
- 'NEXT_AUTH_SECRET=NX2kaPE923dt6BL2U8e9oSre5RfoT7hg'
- 'NEXTAUTH_URL=http://localhost:${LOBE_PORT}/api/auth'
- 'LOGTO_ISSUER=http://localhost:${LOGTO_PORT}/oidc'
- 'AUTH_LOGTO_ISSUER=http://localhost:${LOGTO_PORT}/oidc'
- 'DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgresql:5432/${LOBE_DB_NAME}'
- 'S3_ENDPOINT=http://localhost:${MINIO_PORT}'
- 'S3_BUCKET=${MINIO_LOBE_BUCKET}'
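Review bot: the two context lines at the top of this hunk hard-code `KEY_VAULTS_SECRET` and `NEXT_AUTH_SECRET` as literal values in the compose file, so every deployment started from it shares the same secrets and both values are public in the repository. Since this block is being edited anyway, suggest reading them from the env file the way `${POSTGRES_PASSWORD}` is read a few lines below, with values generated per install; the Casdoor document added in this same commit already recommends `openssl rand -base64 32` for `NEXT_AUTH_SECRET`.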
1 change: 1 addition & 0 deletions docker-compose/local/setup.sh
Expand Up @@ -232,6 +232,7 @@ download_file "$SOURCE_URL/${FILES[3]}" "s3_data.tar.gz"

# Extract .tar.gz file without output
extract_file "s3_data.tar.gz" "."
rm s3_data.tar.gz

# Display final message
printf "\n%s\n\n" "$(show_message "tips_run_command")"
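Review bot: `rm s3_data.tar.gz` runs whether or not `extract_file` succeeded, unless the script aborts on error elsewhere. If extraction fails, the archive is deleted and the "tips_run_command" message is still printed over a missing or partial data directory. Suggest removing the archive only on success, for example `extract_file "s3_data.tar.gz" "." && rm -f -- s3_data.tar.gz`, and reporting the failure otherwise. The visible lines also show no integrity check between `download_file` and `extract_file`; a checksum comparison before unpacking is worth adding if the script does not already do one.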
Expand Up @@ -23,9 +23,9 @@ NEXTAUTH_URL=https://lobe.example.com/api/auth

# NextAuth providers configuration (example using Logto)
# For other providers, see: https://lobehub.com/docs/self-hosting/environment-variables/auth
LOGTO_CLIENT_ID=YOUR_LOGTO_CLIENT_ID
LOGTO_CLIENT_SECRET=YOUR_LOGTO_CLIENT_SECRET
LOGTO_ISSUER=https://lobe-auth-api.example.com/oidc
AUTH_LOGTO_CLIENT_ID=YOUR_LOGTO_CLIENT_ID
AUTH_LOGTO_CLIENT_SECRET=YOUR_LOGTO_CLIENT_SECRET
AUTH_LOGTO_ISSUER=https://lobe-auth-api.example.com/oidc

# Proxy settings (if needed, e.g., when using GitHub as an auth provider)
# HTTP_PROXY=http://localhost:7890
Expand Up @@ -22,9 +22,9 @@ NEXTAUTH_URL=https://lobe.example.com/api/auth

# NextAuth 鉴权服务提供商部分,以 Logto 为例
# 其他鉴权服务提供商所需的环境变量,请参考:https://lobehub.com/zh/docs/self-hosting/environment-variables/auth
LOGTO_CLIENT_ID=YOUR_LOGTO_CLIENT_ID
LOGTO_CLIENT_SECRET=YOUR_LOGTO_CLIENT_SECRET
LOGTO_ISSUER=https://lobe-auth-api.example.com/oidc
AUTH_LOGTO_CLIENT_ID=YOUR_LOGTO_CLIENT_ID
AUTH_LOGTO_CLIENT_SECRET=YOUR_LOGTO_CLIENT_SECRET
AUTH_LOGTO_ISSUER=https://lobe-auth-api.example.com/oidc

# 代理相关,如果你需要的话(比如你使用 GitHub 作为鉴权服务提供商)
# HTTP_PROXY=http://localhost:7890
6 changes: 5 additions & 1 deletion docs/self-hosting/advanced/auth.mdx
Expand Up @@ -63,9 +63,13 @@ The order corresponds to the display order of the SSO providers.
| SSO Provider | Value |
| ------------------ | ----------- |
| Auth0 | `auth0` |
| Microsoft Entra ID | `azure-ad` |
| Authenlia | `authenlia` |
| Authentik | `authentik` |
| Casdoor | `casdoor` |
| Cloudflare Zero Trust | `cloudflare-zero-trust` |
| Github | `github` |
| Logto | `logto` |
| Microsoft Entra ID | `azure-ad` |
| ZITADEL | `zitadel` |

## Other SSO Providers
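Review bot: the new `Authenlia` row with value `authenlia` looks like a misspelling of Authelia. These values are what users copy into `NEXT_AUTH_SSO_PROVIDERS`, so if the provider id in code is `authelia`, the documented value will not match any provider. Please confirm the id against the provider definition and correct both columns. Minor: the `Cloudflare Zero Trust` row is wider than the header separator, and `Github` should be `GitHub`.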
6 changes: 5 additions & 1 deletion docs/self-hosting/advanced/auth.zh-CN.mdx
Expand Up @@ -60,9 +60,13 @@ LobeChat 与 Clerk 做了深度集成,能够为用户提供一个更加安全
| SSO 提供商 ||
| ------------------ | ----------- |
| Auth0 | `auth0` |
| Microsoft Entra ID | `azure-ad` |
| Authenlia | `authenlia` |
| Authentik | `authentik` |
| Casdoor | `casdoor` |
| Cloudflare Zero Trust | `cloudflare-zero-trust` |
| Github | `github` |
| Logto | `logto` |
| Microsoft Entra ID | `azure-ad` |
| ZITADEL | `zitadel` |

## 其他 SSO 提供商
4 changes: 2 additions & 2 deletions docs/self-hosting/advanced/auth/next-auth/authentik.zh-CN.mdx
Expand Up @@ -27,8 +27,8 @@ https://your-domain/api/auth/callback/authentik
```

<Callout type={'info'}>
- 可以之后再填写或修改 `重定向 URL/Origin(正则)`,但是务必保证填写的 URL 与部署的 URL 一致。 -
your-domain 请替换为自己的域名
- 可以之后再填写或修改 `重定向 URL/Origin(正则)`,但是务必保证填写的 URL 与部署的 URL 一致。
- your-domain 请替换为自己的域名
</Callout>

<Image
120 changes: 120 additions & 0 deletions docs/self-hosting/advanced/auth/next-auth/casdoor.mdx
@@ -0,0 +1,120 @@
---
title: Configuring Casdoor Authentication Service in LobeChat
description: Learn how to configure the Casdoor authentication service in LobeChat, including deployment, creation, permission settings, and environment variables.
tags:
- Casdoor Authentication
- Environment Variable Configuration
- Single Sign-On
- LobeChat
---

# Configuring Casdoor Authentication Service

[Casdoor](https://github.com/casdoor/casdoor) is an open-source authentication service that is rich in features and easy to use.

<Callout type={'tip'}>
If you want to privately deploy Casdoor, we recommend using Docker Compose to deploy it together with the LobeChat database version, allowing LobeChat to share the same Postgres instance.
</Callout>

## Casdoor Configuration Process

If you are deploying using a local network IP, the following assumptions apply:

- Your LobeChat database version IP/port is `http://LOBECHAT_IP:3210`.
- You privately deploy Casdoor, and its domain is `http://CASDOOR_IP:8000`.

If you are deploying using a public network, the following assumptions apply:

- Your LobeChat database version domain is `https://lobe.example.com`.
- You privately deploy Casdoor, and its domain is `https://lobe-auth-api.example.com`.

<Steps>
### Create a Casdoor Application

Access your privately deployed Casdoor WebUI (default is `http://localhost:8000/`) to enter the console. The default account is `admin`, and the password is `123`.

Go to `Authentication` -> `Applications`, create a `LobeChat` application or directly modify the built-in `built-in` application. You can explore other fields, but you must configure at least the following fields:

- Name, Display Name: `LobeChat`
- Redirect URLs:
- Local Development Environment: `http://localhost:3210/api/auth/callback/casdoor`
- Local Network IP Deployment: `http://LOBECHAT_IP:3210/api/auth/callback/casdoor`
- Public Network Environment: `https://lobe.example.com/api/auth/callback/casdoor`

There are also some optional fields that can enhance user experience:

- Logo: `https://lobehub.com/icon-192x192.png`
- Form CSS, Form CSS (Mobile):

```html
<style>
.login-panel {
padding: 40px 70px 0 70px;
border-radius: 10px;
background-color: #ffffff;
box-shadow: rgba(17, 12, 46, 0.15) 0px 48px 100px 0px;
}
.panel-logo {
width: 64px;
}
.login-logo-box {
margin-top: 20px;
}
#parent-area
> main
> div
> div.login-content
> div.login-panel
> div.login-form
> div
> div
> button {
box-shadow: none !important;
border-radius: 10px !important;
transition-property: all;
transition-timing-function: cubic-bezier(0.4, 0, 0.2, 1);
transition-duration: 150ms;
border: 1px solid #eee !important;
}
@media (max-width: 640px) {
.login-panel {
padding: 40px 0 0 0;
box-shadow: none;
}
}
</style>
```

Then, copy the `Client ID` and `Client Secret` and save them.

### Configure Environment Variables

Set the obtained `Client ID` and `Client Secret` as `AUTH_CASDOOR_ID` and `AUTH_CASDOOR_SECRET` in the LobeChat environment variables.

Configure `AUTH_CASDOOR_ISSUER` in the LobeChat environment variables as follows:

- `http://localhost:8000/` if you are in a local development environment.
- `http://CASDOOR_IP:8000/` if you are privately deploying Casdoor in a local network.
- `https://lobe-auth-api.example.com/` if you are deploying Casdoor in a public network environment.

When deploying LobeChat, you need to configure the following environment variables:

| Environment Variable | Type | Description |
| --- | --- | --- |
| `NEXT_AUTH_SECRET` | Required | A key for encrypting Auth.js session tokens. You can generate a key using the command: `openssl rand -base64 32`. |
| `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the single sign-on provider for LobeChat. Fill in `casdoor` for using Casdoor. |
| `AUTH_CASDOOR_ID` | Required | The client ID from the Casdoor application details page. |
| `AUTH_CASDOOR_SECRET` | Required | The client secret from the Casdoor application details page. |
| `AUTH_CASDOOR_ISSUER` | Required | The OpenID Connect issuer for the Casdoor provider. |
| `NEXTAUTH_URL` | Required | This URL specifies the callback address for Auth.js during OAuth verification and needs to be set only if the default generated redirect address is incorrect. `https://lobe.example.com/api/auth` |

<Callout type={'tip'}>
Visit [📘 Environment Variables](/docs/self-hosting/environment-variables/auth#casdoor) for details on related variables.

</Callout>
</Steps>

<Callout type={'info'}>Once deployed successfully, users will be able to authenticate via Casdoor and use LobeChat.</Callout>
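Review bot: the "Create a Casdoor Application" step documents the default console login (`admin` / `123`) but never tells the reader to change it, while the same page covers public network deployment at `https://lobe-auth-api.example.com`. Suggest a warning Callout directly after that sentence requiring the admin password to be changed before Casdoor is reachable from anything other than localhost. Also, `NEXTAUTH_URL` is marked `Required` in the table while its description says it "needs to be set only if the default generated redirect address is incorrect"; one of the two should change.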
121 changes: 121 additions & 0 deletions docs/self-hosting/advanced/auth/next-auth/casdoor.zh-CN.mdx
@@ -0,0 +1,121 @@
---
title: 在 LobeChat 中配置 Casdoor 身份验证服务
description: 学习如何在 LobeChat 中配置 Casdoor 身份验证服务,包括部署、创建、设置权限和环境变量。
tags:
- Casdoor 身份验证
- 环境变量配置
- 单点登录
- LobeChat
---

# 配置 Casdoor 身份验证服务

[Casdoor](https://github.com/casdoor/casdoor) 是一个开源的身份验证服务,功能配置丰富且易于上手。

<Callout type={'tip'}>
若你想要私有部署 Casdoor,我们建议你将之与 LobeChat 数据库版本一同使用 Docker Compose 部署,此时
LobeChat 可以与之共用同一个 Postgres 实例。
</Callout>

## Casdoor 配置流程

若你使用局域网 IP 部署,下文假设:

- 你的 LobeChat 数据库版本 IP / 端口为 `http://LOBECHAT_IP:3210`
- 你私有部署 Casdoor,其域名为 `http://CASDOOR_IP:8000`

若你使用公网部署,下文假设:

- 你的 LobeChat 数据库版本域名为 `https://lobe.example.com`
- 你私有部署 Casdoor,其域名为 `https://lobe-auth-api.example.com`

<Steps>
### 创建 Casdoor 应用

访问你私有部署的 Casdoor WebUI(默认为 `http://localhost:8000/`) 进入控制台,默认账号为 `admin`,密码为 `123`

前往 `身份认证` -> `应用`,创建一个 `LobeChat` 应用或直接修改内置的 `built-in` 应用,其他字段可以自行探索,但你至少需要配置以下字段:

- 名称、显示名称:`LobeChat`
- 重定向 URLs:
- 本地开发环境:`http://localhost:3210/api/auth/callback/casdoor`
- 局域网 IP 部署:`http://LOBECHAT_IP:3210/api/auth/callback/casdoor`
- 公网环境:`https://lobe.example.com/api/auth/callback/casdoor`

还有一些不必需但是可以提高用户体验的字段:

- Logo:`https://lobehub.com/icon-192x192.png`
- 表单 CSS、表单 CSS(移动端):

```html
<style>
.login-panel {
padding: 40px 70px 0 70px;
border-radius: 10px;
background-color: #ffffff;
box-shadow: rgba(17, 12, 46, 0.15) 0px 48px 100px 0px;
}
.panel-logo {
width: 64px;
}
.login-logo-box {
margin-top: 20px;
}
#parent-area
> main
> div
> div.login-content
> div.login-panel
> div.login-form
> div
> div
> button {
box-shadow: none !important;
border-radius: 10px !important;
transition-property: all;
transition-timing-function: cubic-bezier(0.4, 0, 0.2, 1);
transition-duration: 150ms;
border: 1px solid #eee !important;
}
@media (max-width: 640px) {
.login-panel {
padding: 40px 0 0 0;
box-shadow: none;
}
}
</style>
```

随后,复制 `客户端 ID` 和 `客户端密钥`,并保存。

### 配置环境变量

将获取到的 `客户端 ID` 和 `客户端`,设为 LobeChat 环境变量中的 `AUTH_CASDOOR_ID` 和 `AUTH_CASDOOR_SECRET`。

配置 LobeChat 环境变量中 `AUTH_CASDOOR_ISSUER` 为:

- `http://localhost:8000/`,若你是本地开发环境
- `http://CASDOOR_IP:8000/`,若你是局域网私有部署的 Casdoor
- `https://lobe-auth-api.example.com/`,若你是公网环境部署的 Casdoor

在部署 LobeChat 时,你需要配置以下环境变量:

| 环境变量 | 类型 | 描述 |
| --- | --- | --- |
| `NEXT_AUTH_SECRET` | 必选 | 用于加密 Auth.js 会话令牌的密钥。您可以使用以下命令生成秘钥: `openssl rand -base64 32` |
| `NEXT_AUTH_SSO_PROVIDERS` | 必选 | 选择 LoboChat 的单点登录提供商。使用 Casdoor 请填写 `casdoor`。 |
| `AUTH_CASDOOR_ID` | 必选 | Casdoor 应用详情页的客户端 ID |
| `AUTH_CASDOOR_SECRET` | 必选 | Casdoor 应用详情页的客户端密钥 |
| `AUTH_CASDOOR_ISSUER` | 必选 | Casdoor 提供程序的 OpenID Connect 颁发者。 |
| `NEXTAUTH_URL` | 必选 | 该 URL 用于指定 Auth.js 在执行 OAuth 验证时的回调地址,当默认生成的重定向地址发生不正确时才需要设置。`https://lobe.example.com/api/auth` |

<Callout type={'tip'}>
前往 [📘 环境变量](/zh/docs/self-hosting/environment-variables/auth#casdoor) 可查阅相关变量详情。

</Callout>
</Steps>

<Callout type={'info'}>部署成功后,用户将可以通过 Casdoor 身份认证并使用 LobeChat。</Callout>
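Review bot: in "配置环境变量" the first sentence reads `客户端 ID` 和 `客户端`, dropping 密钥; the English file says `Client ID` and `Client Secret`, so the second term should be `客户端密钥`. The `NEXT_AUTH_SSO_PROVIDERS` row also spells the product "LoboChat" instead of LobeChat.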
Expand Up @@ -49,9 +49,9 @@ tags:
| --- | --- | --- |
| `NEXT_AUTH_SECRET` | 必选 | 用于加密 Auth.js 会话令牌的密钥。您可以使用以下命令生成秘钥: `openssl rand -base64 32` |
| `NEXT_AUTH_SSO_PROVIDERS` | 必选 | 选择 LoboChat 的单点登录提供商。使用 Cloudflare Zero Trust 请填写 `cloudflare-zero-trust`|
| `CLOUDFLARE_ZERO_TRUST_CLIENT_ID` | 必选 | 在 Cloudflare Zero Trust 生成的 `Client ID`,示例值是 `lobe-chat` |
| `CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET` | 必选 | 在 Cloudflare Zero Trust 生成的 `Client secret`,示例值是 `insecure_secret` |
| `CLOUDFLARE_ZERO_TRUST_ISSUER` | 必选 | 在 Cloudflare Zero Trust 生成的 `Issuer`,例如 `https://example.cloudflareaccess.com/cdn-cgi/access/sso/oidc/7db0f` |
| `AUTH_CLOUDFLARE_ZERO_TRUST_CLIENT_ID` | 必选 | 在 Cloudflare Zero Trust 生成的 `Client ID`,示例值是 `lobe-chat` |
| `AUTH_CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET` | 必选 | 在 Cloudflare Zero Trust 生成的 `Client secret`,示例值是 `insecure_secret` |
| `AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER` | 必选 | 在 Cloudflare Zero Trust 生成的 `Issuer`,例如 `https://example.cloudflareaccess.com/cdn-cgi/access/sso/oidc/7db0f` |
| `NEXTAUTH_URL` | 必选 | 该 URL 用于指定 Auth.js 在执行 OAuth 验证时的回调地址,当默认生成的重定向地址发生不正确时才需要设置。`https://chat.example.com/api/auth` |

<Callout type={'tip'}>