* 🐛 fix(oauth): fix OAuth throws an error on Vercel deploy (#1277)
* 🐛 fix(oauth): OAuth throws an error (#1274)
* 🐛 fix(oauth): "ikm" argument must be of type string or an instance of SecretKeyObject
* 📝 docs: Update Auth0 callback URLs in deployment docs

  The documentation for both the English and Chinese versions of the Authentication setup has been updated to include instructions on configuring the Allowed Callback URLs for Auth0. This step is crucial for ensuring that the authentication process works correctly after deployment. The notes added emphasize the importance of keeping the callback URLs consistent with the deployed service's URLs.
* 📝 docs(oauth): Fix wiki documents
* 🐛 fix: only add auth layout when enabled

Co-authored-by: 小云丨Arale <30863298+CloudPassenger@users.noreply.github.com>
# Authentication Service
LobeChat supports configuring external identity verification services for internal use within enterprises/organizations, facilitating centralized management of user authorizations. Currently, Auth0 is supported. This article will guide you through the process of setting up the identity verification service.
#### TOC
- Creating an Auth0 Application
- Adding Users
- Configuring Environment Variables
- Advanced - Connecting to an Existing Single Sign-On Service
- Advanced - Configuring Social Login
## Creating an Auth0 Application
To begin, register and log in to Auth0. Then, navigate to the Applications section in the left sidebar to access the application management interface. Click on Create Application in the top right corner to initiate the application creation process.
Next, fill in the desired application name to be displayed to organization users. You can choose any application type, then click on Create.
Once the application is successfully created, click on the respective application to access its details page. Switch to the Settings tab to view the corresponding configuration information.
On the application configuration page, you also need to configure the Allowed Callback URLs to be `http(s)://<your-domain>/api/auth/callback/auth0`

> [!NOTE]
> You can fill in or modify the Allowed Callback URLs after deployment, but make sure the URLs are consistent with the deployed URLs!
## Adding Users
Navigate to the Users Management section in the left sidebar to access the user management interface. You can create new users for your organization to log in to LobeChat.
## Configuring Environment Variables
When deploying LobeChat, you need to configure the following environment variables:
| Environment Variable | Required | Description | Default Value | Example |
|---|---|---|---|---|
| `ENABLE_OAUTH_SSO` | Yes | Enable single sign-on (SSO) for LobeChat. Set this value to `1` to enable single sign-on. | - | `1` |
| `NEXTAUTH_SECRET` | Yes | The key used to encrypt the session token in Auth.js. You can generate a key with the following command: `openssl rand -base64 32` | - | `Tfhi2t2pelSMEA8eaV61KaqPNEndFFdMIxDaJnS1CUI=` |
| `AUTH0_CLIENT_ID` | Yes | Client ID of the Auth0 application | - | `evCnOJP1UX8FMnXR9Xkj5t0NyFn5p70P` |
| `AUTH0_CLIENT_SECRET` | Yes | Client Secret of the Auth0 application | - | `wnX7UbZg85ZUzF6ioxPLnJVEQa1Elbs7aqBUSF16xleBS5AdkVfASS49-fQIC8Rm` |
| `AUTH0_ISSUER` | Yes | Domain of the Auth0 application | - | `https://example.auth0.com` |
| `ACCESS_CODE` | Yes | Password required to access this service. Setting a long random value effectively "disables" access by code (the last example shows several codes separated by commas). | - | `awCT74` or `e3@09!` or `code1,code2,code3` |

> [!NOTE]
> After successful deployment, users will be able to authenticate and use LobeChat using the users configured in Auth0.
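The following script is an added example and is not part of LobeChat's code base. It checks a set of environment variables against the requirements in the table above before deployment, and derives the callback URL that Auth0 must allow from the deployment origin (the `auth0CallbackUrl`, `parseAccessCodes` and `validateAuthEnv` function names, the 32-byte secret threshold and the placeholder credentials are my own assumptions):

```javascript
// Added example, not LobeChat's own code: a pre-deploy sanity check for the
// Auth0-related variables listed in the table above. The sample values and
// the 32-byte secret threshold are assumptions made for this example.

// Callback URL that must appear in Auth0's "Allowed Callback URLs", derived
// from the deployment origin as the docs describe: <origin>/api/auth/callback/auth0
function auth0CallbackUrl(origin) {
  const url = new URL(origin); // throws on a malformed origin
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`unsupported scheme in deployment origin: ${url.protocol}`);
  }
  // url.origin drops any path, so a pasted deep link still yields the right value
  return `${url.origin}/api/auth/callback/auth0`;
}

// ACCESS_CODE may hold one code or a comma-separated list ("code1,code2,code3").
function parseAccessCodes(value) {
  return (value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

const MIN_SECRET_BYTES = 32; // what `openssl rand -base64 32` produces

// Returns a list of problems found in `env`; an empty list means the
// configuration satisfies the requirements in the table.
function validateAuthEnv(env) {
  const problems = [];
  if (env.ENABLE_OAUTH_SSO !== '1') {
    problems.push('ENABLE_OAUTH_SSO must be set to 1 to enable single sign-on');
  }
  for (const name of ['NEXTAUTH_SECRET', 'AUTH0_CLIENT_ID', 'AUTH0_CLIENT_SECRET', 'AUTH0_ISSUER', 'ACCESS_CODE']) {
    if (!env[name]) problems.push(`${name} is required but not set`);
  }
  if (env.NEXTAUTH_SECRET) {
    // Decode the base64 value and make sure it carries enough random bytes.
    const bytes = Buffer.from(env.NEXTAUTH_SECRET, 'base64');
    if (bytes.length < MIN_SECRET_BYTES) {
      problems.push(`NEXTAUTH_SECRET decodes to ${bytes.length} bytes; generate it with: openssl rand -base64 32`);
    }
  }
  if (env.AUTH0_ISSUER) {
    let issuer = null;
    try { issuer = new URL(env.AUTH0_ISSUER); } catch { /* reported below */ }
    if (!issuer || issuer.protocol !== 'https:') {
      problems.push('AUTH0_ISSUER must be an https URL such as https://example.auth0.com');
    } else if (issuer.pathname !== '/' || issuer.search || issuer.hash) {
      problems.push('AUTH0_ISSUER should be the bare tenant domain, with no path or query');
    }
  }
  if (env.ACCESS_CODE && parseAccessCodes(env.ACCESS_CODE).length === 0) {
    problems.push('ACCESS_CODE contains no usable code');
  }
  return problems;
}

// Constructed sample environment (placeholder credentials, not real ones).
const sampleEnv = {
  ENABLE_OAUTH_SSO: '1',
  NEXTAUTH_SECRET: Buffer.alloc(32, 0x42).toString('base64'),
  AUTH0_CLIENT_ID: 'client-id-placeholder',
  AUTH0_CLIENT_SECRET: 'client-secret-placeholder',
  AUTH0_ISSUER: 'https://example.auth0.com',
  ACCESS_CODE: 'code1,code2,code3',
};

console.log('callback URL:', auth0CallbackUrl('https://chat.example.com'));
console.log('problems:', validateAuthEnv(sampleEnv)); // [] for the sample above
```

Run it with `node` after exporting the real values (for example `validateAuthEnv(process.env)`); the issuer check rejects `http://` and any path component because Auth.js builds the discovery URL from the bare issuer, and the secret check catches the short or empty `NEXTAUTH_SECRET` that would otherwise only surface as a runtime error.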
## Advanced - Connecting to an Existing Single Sign-On Service
If your enterprise or organization already has an existing unified identity verification infrastructure, you can connect to an existing single sign-on service in Applications -> SSO Integrations.
Auth0 supports single sign-on services such as Azure Active Directory, Slack, Google Workspace, Office 365, and Zoom. For a detailed list of supported services, refer to this page.
## Advanced - Configuring Social Login
If your enterprise or organization needs to support external personnel login, you can configure social login services in Authentication -> Social.
> [!NOTE]
> Configuring social login services will allow anyone to authenticate by default, which may lead to abuse of LobeChat by external personnel. If you need to restrict login personnel, be sure to configure a blocking policy.
After enabling social login options, refer to this article to create an Action to set the deny/allow list.
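As an added example (not the article referred to above and not LobeChat's code), this is the shape such an Action takes: an Auth0 "Login / Post Login" Action that only lets users through whose verified email address is on an allow list and not on a deny list. The `ALLOWED_EMAIL_DOMAINS` and `DENIED_EMAILS` lists, the `loginDecision` helper and the sample addresses are constructed placeholders; `onExecutePostLogin`, `event.user` and `api.access.deny` are the real Auth0 Action API:

```javascript
// Added example, not LobeChat code: an Auth0 post-login Action that restricts
// who may log in once social connections are enabled. The two lists are
// constructed placeholders; a real Action would read them from its secrets.
const ALLOWED_EMAIL_DOMAINS = ['example.com'];
const DENIED_EMAILS = ['blocked.user@example.com'];

// Pure decision logic, kept separate from the Auth0 hook so it can be tested.
function loginDecision(user, allowedDomains = ALLOWED_EMAIL_DOMAINS, deniedEmails = DENIED_EMAILS) {
  const email = String((user && user.email) || '').trim().toLowerCase();
  if (!email.includes('@')) return { allow: false, reason: 'profile has no email address' };
  // Social providers may hand over unverified addresses; do not trust those.
  if (user.email_verified !== true) return { allow: false, reason: 'email address is not verified' };
  if (deniedEmails.some((d) => d.toLowerCase() === email)) {
    return { allow: false, reason: 'address is on the deny list' };
  }
  const domain = email.slice(email.lastIndexOf('@') + 1);
  if (!allowedDomains.some((d) => d.toLowerCase() === domain)) {
    return { allow: false, reason: `domain ${domain} is not on the allow list` };
  }
  return { allow: true, reason: 'ok' };
}

// Auth0 Action entry point: `event.user` carries the profile and
// `api.access.deny(reason)` rejects the login with a message shown to the user.
async function onExecutePostLogin(event, api) {
  const decision = loginDecision(event.user);
  if (!decision.allow) api.access.deny(decision.reason);
}

// In the Auth0 Action editor the hook is registered as exports.onExecutePostLogin.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Deploy the Action and attach it to the Login flow; because the check runs after every authentication, it covers social connections and the Auth0 database users alike, so an address must be on the allow list regardless of which connection issued it.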