From 918c76be4af07dfcd0c2ce251a474899cb6df96b Mon Sep 17 00:00:00 2001
From: Kreeblah
Date: Sun, 13 Oct 2024 09:35:08 -0700
Subject: [PATCH] Add instructions for Keycloak
---
manual/deploy/oauth.md | 44 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/manual/deploy/oauth.md b/manual/deploy/oauth.md
index 39f58607d..d6f333838 100644
--- a/manual/deploy/oauth.md
+++ b/manual/deploy/oauth.md
@@ -200,3 +200,47 @@ OAUTH_ATTRIBUTE_MAP = { ``` Please see [this tutorial](https://forum.seafile.com/t/oauth-authentification-against-microsoft-office365-azure-cloud/7999) for the complete deployment process of OAuth against Azure Cloud.
+
+#### Sample settings for Keycloak
+
+In order to set up Keycloak for use with Seafile, we'll need to create a client for it in a realm. To do that, create a client with the following settings:
+
+- Client type: OpenID Connect
+
+- Client ID: Anything you like, as long as it's unique within the realm
+
+- Client authentication: On
+
+- Authentication flow: Standard flow
+
+- Root URL: https://your-seafile
+
+- Home URL: /accounts/login
+
+- Valid redirect URLs: /oauth/callback/
+
+- Web origins: https://your-seafile
+
+After creating the client, we'll need to copy the Client Secret from the Credentials tab on the client and save it somewhere. After we have this information, we can add the following to `seahub_settings.py`:
+
+```python
+ENABLE_OAUTH = True
+OAUTH_CREATE_UNKNOWN_USER = True
+OAUTH_ACTIVATE_USER_AFTER_CREATION = True
+OAUTH_CLIENT_ID = "your-client-id"
+OAUTH_CLIENT_SECRET = "your-client-secret"
+OAUTH_REDIRECT_URL = "https://your-seafile/oauth/callback/"
+
+OAUTH_PROVIDER_DOMAIN = 'your-seafile'
+OAUTH_AUTHORIZATION_URL = 'https://your-keycloak/realms/YOUR-KEYCLOAK-REALM/protocol/openid-connect/auth'
+OAUTH_TOKEN_URL = 'https://your-keycloak/realms/YOUR-KEYCLOAK-REALM/protocol/openid-connect/token'
+OAUTH_USER_INFO_URL = 'https://your-keycloak/realms/YOUR-KEYCLOAK-REALM/protocol/openid-connect/userinfo'
+OAUTH_SCOPE = ["openid", "profile", "email"]
+OAUTH_ATTRIBUTE_MAP = {
+ "sub": (True, "uid"),
+ "email": (False, "contact_email"),
+ "name": (False, "name")
+}
+```
+
+See [this forum post](https://forum.seafile.com/t/setting-up-keycloak-for-sso/22520) for additional information including screenshots.