# SSO 연동 현황 (Authentik) > Authentik: `https://auth.du5t.xyz` | 버전: 2025.12 > Embedded Outpost PK: `999d7409-0ec6-4e81-ab37-cb4cd4b1557c` ## Provider 목록 | PK | Provider명 | 타입 | 연결 Application | |---|---|---|---| | 2 | `grafana-oidc` | OAuth2/OIDC | Grafana | | 3 | `gitea-oidc` | OAuth2/OIDC | Gitea | | 4 | `nextcloud-oidc` | OAuth2/OIDC | Nextcloud | | 5 | `open-webui-oidc` | OAuth2/OIDC | Open WebUI | | 6 | `prometheus-proxy` | Proxy | Prometheus | | 7 | `filebrowser-proxy` | Proxy | FileBrowser | | 8 | `comfyui-proxy` | Proxy | ComfyUI | | 9 | `wikijs-provider` | OAuth2/OIDC | Wiki.js | ## OIDC 연동 상세 ### Grafana (`grafana.ini`) ```ini [auth.generic_oauth] enabled = true name = authentik client_id = gO2Rk6LOyDU9CZc7DdXqNlEwfK8lTZmGb2nnBJOk scopes = openid profile email auth_url = https://auth.du5t.xyz/application/o/authorize/ token_url = https://auth.du5t.xyz/application/o/token/ api_url = https://auth.du5t.xyz/application/o/userinfo/ role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer' signout_redirect_url = https://auth.du5t.xyz/application/o/grafana/end-session/ use_pkce = true ``` ### Gitea ```bash podman exec --user git gitea gitea admin auth add-oauth \ --name "authentik" \ --provider "openidConnect" \ --key "" \ --secret "" \ --auto-discover-url "https://auth.du5t.xyz/application/o/gitea/.well-known/openid-configuration" ``` ### Nextcloud ```bash podman exec --user www-data nextcloud-app php occ app:install user_oidc podman exec --user www-data nextcloud-app php occ user_oidc:provider authentik \ --clientid="" \ --clientsecret="" \ --discoveryuri="https://auth.du5t.xyz/application/o/nextcloud/.well-known/openid-configuration" \ --unique-uid=1 ``` ### Open WebUI (환경변수) ```ini Environment=ENABLE_OAUTH_SIGNUP=true Environment=OAUTH_PROVIDER_NAME=authentik Environment=OPENID_PROVIDER_URL=https://auth.du5t.xyz/application/o/open-webui/.well-known/openid-configuration Environment=OAUTH_CLIENT_ID= Environment=OAUTH_CLIENT_SECRET= Environment=OAUTH_SCOPES=openid email profile ``` ### Wiki.js Wiki.js의 `passport-openidconnect` v0.1.2가 Authentik과 호환되지 않아 `oidc` 대신 `oauth2` 전략을 사용한다. | 항목 | 값 | |---|---| | Provider PK | `9` | | Strategy | `oauth2` (passport-oauth2, Wiki.js 내장) | | Strategy UUID | `a2d864cd-dfc4-4a75-a891-d768fd8d173a` | | Callback URL | `https://wiki.du5t.xyz/login/a2d864cd-dfc4-4a75-a891-d768fd8d173a/callback` | | Authorization Flow | `implicit-consent` | **필수 설정**: Provider PK=9에 아래 property_mappings 3개가 없으면 userinfo 엔드포인트에서 `Scope mismatch` 오류 발생. | Mapping UUID | Scope | |---|---| | `aa970463-7f63-4091-9a94-839178f7ba0a` | openid | | `ce7b7b24-e441-4905-ae84-83819e2a4f07` | profile | | `12009db0-10be-4dff-b181-4111c9113c2c` | email | ```bash AUTHENTIK_TOKEN="" curl -s -X PATCH -H "Authorization: Bearer $AUTHENTIK_TOKEN" \ -H "Content-Type: application/json" \ "https://auth.du5t.xyz/api/v3/providers/oauth2/9/" \ -d '{"property_mappings":["aa970463-7f63-4091-9a94-839178f7ba0a","ce7b7b24-e441-4905-ae84-83819e2a4f07","12009db0-10be-4dff-b181-4111c9113c2c"]}' ``` 전략은 Wiki.js GraphQL API(`updateStrategies` mutation)로 등록한다. 자세한 내용은 [gm/wikijs](https://git.du5t.xyz/gm/wikijs) 참고. ## Proxy Provider 연동 상세 NPM의 백엔드를 `10.89.0.20:9000` (Authentik Embedded Outpost)으로 설정한다. Outpost가 `Host` 헤더를 보고 어느 Proxy Provider를 적용할지 결정한다. ``` NPM (443) ─→ Authentik Outpost (10.89.0.20:9000) │ ├─ Host: prometheus.du5t.xyz → 10.89.0.30:9090 ├─ Host: file.du5t.xyz → 10.89.0.5:8080 └─ Host: comfy.du5t.xyz → 10.89.0.1:8188 ``` 인증되지 않은 요청: ``` 302 → https:///outpost.goauthentik.io/start?rd= → https://auth.du5t.xyz/flows/default-authentication-flow/ ``` ## API 토큰 재발급 Authentik API 토큰은 Bearer 방식이며, `auth.du5t.xyz` 경유 시에만 유효하다 (내부 IP 직접 호출 불가). ```bash podman exec authentik-worker python -m manage shell -c " from authentik.core.models import Token, TokenIntents, User u = User.objects.get(username='gm') Token.objects.filter(identifier='claude-api').delete() t = Token.objects.create(identifier='claude-api', user=u, intent=TokenIntents.INTENT_API, expiring=False) print(t.key) " # 사용: curl -H "Authorization: Bearer " https://auth.du5t.xyz/api/v3/... ``` ## 신규 서비스 Authentik 연동 절차 ### OIDC 방식 1. Authentik API: `POST /api/v3/providers/oauth2/` — Provider 생성 2. Authentik API: `POST /api/v3/core/applications/` — Application 생성 3. 서비스 측 OIDC 설정 (Discovery URL 패턴: `https://auth.du5t.xyz/application/o//.well-known/openid-configuration`) ### Proxy Provider 방식 1. Authentik API: `POST /api/v3/providers/proxy/` — Provider 생성 (`external_host`, `internal_host` 지정) 2. Authentik API: `POST /api/v3/core/applications/` — Application 생성 3. Authentik API: `PATCH /api/v3/outposts/instances/999d7409-.../` — Outpost providers 배열에 추가 4. NPM DB: `UPDATE proxy_host SET forward_host='10.89.0.20', forward_port=9000 WHERE domain_names='...'` 5. NPM nginx conf 파일 직접 수정 후 `podman exec npm-app nginx -s reload` ## 미적용 서비스 (향후 계획) | 서비스 | 권장 방식 | 비고 | |---|---|---| | JupyterHub | OIDC (`oauthenticator.GenericOAuthenticator`) | `jupyterhub_config.py` 수정 필요 | | SFTPGo | OIDC (Web Admin > Settings > OIDC) | 웹 UI에서 설정 가능 | | Jellyfin | OIDC (SSO Plugin) | 플러그인 설치 필요 | | Ollama API | Proxy Provider | 현재 무인증 노출 상태 |