From b382d99800e7a7cb177ecd163300c31dad13538c Mon Sep 17 00:00:00 2001 From: gm Date: Tue, 26 May 2026 16:21:27 +0900 Subject: [PATCH] =?UTF-8?q?docs:=20Wiki.js=20oauth2=20=EC=97=B0=EB=8F=99?= =?UTF-8?q?=20=EC=B6=94=EA=B0=80=20(Provider=20PK=3D9,=20property=5Fmappin?= =?UTF-8?q?gs)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/sso.md | 45 +++++++++++++++++++++++++++++++++++++-------- 1 file changed, 37 insertions(+), 8 deletions(-) diff --git a/docs/sso.md b/docs/sso.md index 0786afe..2a0540b 100644 --- a/docs/sso.md +++ b/docs/sso.md @@ -14,6 +14,7 @@ | 6 | `prometheus-proxy` | Proxy | Prometheus | | 7 | `filebrowser-proxy` | Proxy | FileBrowser | | 8 | `comfyui-proxy` | Proxy | ComfyUI | +| 9 | `wikijs-provider` | OAuth2/OIDC | Wiki.js | ## OIDC 연동 상세 @@ -66,6 +67,36 @@ Environment=OAUTH_CLIENT_SECRET= Environment=OAUTH_SCOPES=openid email profile ``` +### Wiki.js + +Wiki.js의 `passport-openidconnect` v0.1.2가 Authentik과 호환되지 않아 `oidc` 대신 `oauth2` 전략을 사용한다. + +| 항목 | 값 | +|---|---| +| Provider PK | `9` | +| Strategy | `oauth2` (passport-oauth2, Wiki.js 내장) | +| Strategy UUID | `a2d864cd-dfc4-4a75-a891-d768fd8d173a` | +| Callback URL | `https://wiki.du5t.xyz/login/a2d864cd-dfc4-4a75-a891-d768fd8d173a/callback` | +| Authorization Flow | `implicit-consent` | + +**필수 설정**: Provider PK=9에 아래 property_mappings 3개가 없으면 userinfo 엔드포인트에서 `Scope mismatch` 오류 발생. + +| Mapping UUID | Scope | +|---|---| +| `aa970463-7f63-4091-9a94-839178f7ba0a` | openid | +| `ce7b7b24-e441-4905-ae84-83819e2a4f07` | profile | +| `12009db0-10be-4dff-b181-4111c9113c2c` | email | + +```bash +AUTHENTIK_TOKEN="" +curl -s -X PATCH -H "Authorization: Bearer $AUTHENTIK_TOKEN" \ + -H "Content-Type: application/json" \ + "https://auth.du5t.xyz/api/v3/providers/oauth2/9/" \ + -d '{"property_mappings":["aa970463-7f63-4091-9a94-839178f7ba0a","ce7b7b24-e441-4905-ae84-83819e2a4f07","12009db0-10be-4dff-b181-4111c9113c2c"]}' +``` + +전략은 Wiki.js GraphQL API(`updateStrategies` mutation)로 등록한다. 자세한 내용은 [gm/wikijs](https://git.du5t.xyz/gm/wikijs) 참고. + ## Proxy Provider 연동 상세 NPM의 백엔드를 `10.89.0.20:9000` (Authentik Embedded Outpost)으로 설정한다. @@ -87,19 +118,17 @@ NPM (443) ─→ Authentik Outpost (10.89.0.20:9000) ## API 토큰 재발급 -Authentik API 토큰은 만료 시 재발급이 필요하다. +Authentik API 토큰은 Bearer 방식이며, `auth.du5t.xyz` 경유 시에만 유효하다 (내부 IP 직접 호출 불가). ```bash podman exec authentik-worker python -m manage shell -c " from authentik.core.models import Token, TokenIntents, User -user = User.objects.get(username='akadmin') -t = Token.objects.filter(identifier='cli-admin-token').first() -if t: t.delete() -token = Token.objects.create( - identifier='cli-admin-token', user=user, intent=TokenIntents.INTENT_API -) -print(token.key) +u = User.objects.get(username='gm') +Token.objects.filter(identifier='claude-api').delete() +t = Token.objects.create(identifier='claude-api', user=u, intent=TokenIntents.INTENT_API, expiring=False) +print(t.key) " +# 사용: curl -H "Authorization: Bearer " https://auth.du5t.xyz/api/v3/... ``` ## 신규 서비스 Authentik 연동 절차