diff --git a/docs/sso.md b/docs/sso.md new file mode 100644 index 0000000..0786afe --- /dev/null +++ b/docs/sso.md @@ -0,0 +1,128 @@ +# SSO 연동 현황 (Authentik) + +> Authentik: `https://auth.du5t.xyz` | 버전: 2025.12 +> Embedded Outpost PK: `999d7409-0ec6-4e81-ab37-cb4cd4b1557c` + +## Provider 목록 + +| PK | Provider명 | 타입 | 연결 Application | +|---|---|---|---| +| 2 | `grafana-oidc` | OAuth2/OIDC | Grafana | +| 3 | `gitea-oidc` | OAuth2/OIDC | Gitea | +| 4 | `nextcloud-oidc` | OAuth2/OIDC | Nextcloud | +| 5 | `open-webui-oidc` | OAuth2/OIDC | Open WebUI | +| 6 | `prometheus-proxy` | Proxy | Prometheus | +| 7 | `filebrowser-proxy` | Proxy | FileBrowser | +| 8 | `comfyui-proxy` | Proxy | ComfyUI | + +## OIDC 연동 상세 + +### Grafana (`grafana.ini`) + +```ini +[auth.generic_oauth] +enabled = true +name = authentik +client_id = gO2Rk6LOyDU9CZc7DdXqNlEwfK8lTZmGb2nnBJOk +scopes = openid profile email +auth_url = https://auth.du5t.xyz/application/o/authorize/ +token_url = https://auth.du5t.xyz/application/o/token/ +api_url = https://auth.du5t.xyz/application/o/userinfo/ +role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer' +signout_redirect_url = https://auth.du5t.xyz/application/o/grafana/end-session/ +use_pkce = true +``` + +### Gitea + +```bash +podman exec --user git gitea gitea admin auth add-oauth \ + --name "authentik" \ + --provider "openidConnect" \ + --key "" \ + --secret "" \ + --auto-discover-url "https://auth.du5t.xyz/application/o/gitea/.well-known/openid-configuration" +``` + +### Nextcloud + +```bash +podman exec --user www-data nextcloud-app php occ app:install user_oidc +podman exec --user www-data nextcloud-app php occ user_oidc:provider authentik \ + --clientid="" \ + --clientsecret="" \ + --discoveryuri="https://auth.du5t.xyz/application/o/nextcloud/.well-known/openid-configuration" \ + --unique-uid=1 +``` + +### Open WebUI (환경변수) + +```ini +Environment=ENABLE_OAUTH_SIGNUP=true +Environment=OAUTH_PROVIDER_NAME=authentik +Environment=OPENID_PROVIDER_URL=https://auth.du5t.xyz/application/o/open-webui/.well-known/openid-configuration +Environment=OAUTH_CLIENT_ID= +Environment=OAUTH_CLIENT_SECRET= +Environment=OAUTH_SCOPES=openid email profile +``` + +## Proxy Provider 연동 상세 + +NPM의 백엔드를 `10.89.0.20:9000` (Authentik Embedded Outpost)으로 설정한다. +Outpost가 `Host` 헤더를 보고 어느 Proxy Provider를 적용할지 결정한다. + +``` +NPM (443) ─→ Authentik Outpost (10.89.0.20:9000) + │ + ├─ Host: prometheus.du5t.xyz → 10.89.0.30:9090 + ├─ Host: file.du5t.xyz → 10.89.0.5:8080 + └─ Host: comfy.du5t.xyz → 10.89.0.1:8188 +``` + +인증되지 않은 요청: +``` +302 → https:///outpost.goauthentik.io/start?rd= + → https://auth.du5t.xyz/flows/default-authentication-flow/ +``` + +## API 토큰 재발급 + +Authentik API 토큰은 만료 시 재발급이 필요하다. + +```bash +podman exec authentik-worker python -m manage shell -c " +from authentik.core.models import Token, TokenIntents, User +user = User.objects.get(username='akadmin') +t = Token.objects.filter(identifier='cli-admin-token').first() +if t: t.delete() +token = Token.objects.create( + identifier='cli-admin-token', user=user, intent=TokenIntents.INTENT_API +) +print(token.key) +" +``` + +## 신규 서비스 Authentik 연동 절차 + +### OIDC 방식 + +1. Authentik API: `POST /api/v3/providers/oauth2/` — Provider 생성 +2. Authentik API: `POST /api/v3/core/applications/` — Application 생성 +3. 서비스 측 OIDC 설정 (Discovery URL 패턴: `https://auth.du5t.xyz/application/o//.well-known/openid-configuration`) + +### Proxy Provider 방식 + +1. Authentik API: `POST /api/v3/providers/proxy/` — Provider 생성 (`external_host`, `internal_host` 지정) +2. Authentik API: `POST /api/v3/core/applications/` — Application 생성 +3. Authentik API: `PATCH /api/v3/outposts/instances/999d7409-.../` — Outpost providers 배열에 추가 +4. NPM DB: `UPDATE proxy_host SET forward_host='10.89.0.20', forward_port=9000 WHERE domain_names='...'` +5. NPM nginx conf 파일 직접 수정 후 `podman exec npm-app nginx -s reload` + +## 미적용 서비스 (향후 계획) + +| 서비스 | 권장 방식 | 비고 | +|---|---|---| +| JupyterHub | OIDC (`oauthenticator.GenericOAuthenticator`) | `jupyterhub_config.py` 수정 필요 | +| SFTPGo | OIDC (Web Admin > Settings > OIDC) | 웹 UI에서 설정 가능 | +| Jellyfin | OIDC (SSO Plugin) | 플러그인 설치 필요 | +| Ollama API | Proxy Provider | 현재 무인증 노출 상태 |