Files
server-infra/docs/sso.md

5.8 KiB

SSO 연동 현황 (Authentik)

Authentik: https://auth.du5t.xyz | 버전: 2025.12 Embedded Outpost PK: 999d7409-0ec6-4e81-ab37-cb4cd4b1557c

Provider 목록

PK Provider명 타입 연결 Application
2 grafana-oidc OAuth2/OIDC Grafana
3 gitea-oidc OAuth2/OIDC Gitea
4 nextcloud-oidc OAuth2/OIDC Nextcloud
5 open-webui-oidc OAuth2/OIDC Open WebUI
6 prometheus-proxy Proxy Prometheus
7 filebrowser-proxy Proxy FileBrowser
8 comfyui-proxy Proxy ComfyUI
9 wikijs-provider OAuth2/OIDC Wiki.js

OIDC 연동 상세

Grafana (grafana.ini)

[auth.generic_oauth]
enabled = true
name = authentik
client_id = gO2Rk6LOyDU9CZc7DdXqNlEwfK8lTZmGb2nnBJOk
scopes = openid profile email
auth_url = https://auth.du5t.xyz/application/o/authorize/
token_url = https://auth.du5t.xyz/application/o/token/
api_url = https://auth.du5t.xyz/application/o/userinfo/
role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer'
signout_redirect_url = https://auth.du5t.xyz/application/o/grafana/end-session/
use_pkce = true

Gitea

podman exec --user git gitea gitea admin auth add-oauth \
  --name "authentik" \
  --provider "openidConnect" \
  --key "<CLIENT_ID>" \
  --secret "<CLIENT_SECRET>" \
  --auto-discover-url "https://auth.du5t.xyz/application/o/gitea/.well-known/openid-configuration"

Nextcloud

podman exec --user www-data nextcloud-app php occ app:install user_oidc
podman exec --user www-data nextcloud-app php occ user_oidc:provider authentik \
  --clientid="<CLIENT_ID>" \
  --clientsecret="<CLIENT_SECRET>" \
  --discoveryuri="https://auth.du5t.xyz/application/o/nextcloud/.well-known/openid-configuration" \
  --unique-uid=1

Open WebUI (환경변수)

Environment=ENABLE_OAUTH_SIGNUP=true
Environment=OAUTH_PROVIDER_NAME=authentik
Environment=OPENID_PROVIDER_URL=https://auth.du5t.xyz/application/o/open-webui/.well-known/openid-configuration
Environment=OAUTH_CLIENT_ID=<CLIENT_ID>
Environment=OAUTH_CLIENT_SECRET=<CLIENT_SECRET>
Environment=OAUTH_SCOPES=openid email profile

Wiki.js

Wiki.js의 passport-openidconnect v0.1.2가 Authentik과 호환되지 않아 oidc 대신 oauth2 전략을 사용한다.

항목
Provider PK 9
Strategy oauth2 (passport-oauth2, Wiki.js 내장)
Strategy UUID a2d864cd-dfc4-4a75-a891-d768fd8d173a
Callback URL https://wiki.du5t.xyz/login/a2d864cd-dfc4-4a75-a891-d768fd8d173a/callback
Authorization Flow implicit-consent

필수 설정: Provider PK=9에 아래 property_mappings 3개가 없으면 userinfo 엔드포인트에서 Scope mismatch 오류 발생.

Mapping UUID Scope
aa970463-7f63-4091-9a94-839178f7ba0a openid
ce7b7b24-e441-4905-ae84-83819e2a4f07 profile
12009db0-10be-4dff-b181-4111c9113c2c email
AUTHENTIK_TOKEN="<token>"
curl -s -X PATCH -H "Authorization: Bearer $AUTHENTIK_TOKEN" \
  -H "Content-Type: application/json" \
  "https://auth.du5t.xyz/api/v3/providers/oauth2/9/" \
  -d '{"property_mappings":["aa970463-7f63-4091-9a94-839178f7ba0a","ce7b7b24-e441-4905-ae84-83819e2a4f07","12009db0-10be-4dff-b181-4111c9113c2c"]}'

전략은 Wiki.js GraphQL API(updateStrategies mutation)로 등록한다. 자세한 내용은 gm/wikijs 참고.

Proxy Provider 연동 상세

NPM의 백엔드를 10.89.0.20:9000 (Authentik Embedded Outpost)으로 설정한다. Outpost가 Host 헤더를 보고 어느 Proxy Provider를 적용할지 결정한다.

NPM (443) ─→ Authentik Outpost (10.89.0.20:9000)
                    │
                    ├─ Host: prometheus.du5t.xyz  → 10.89.0.30:9090
                    ├─ Host: file.du5t.xyz        → 10.89.0.5:8080
                    └─ Host: comfy.du5t.xyz       → 10.89.0.1:8188

인증되지 않은 요청:

302 → https://<domain>/outpost.goauthentik.io/start?rd=<original_url>
    → https://auth.du5t.xyz/flows/default-authentication-flow/

API 토큰 재발급

Authentik API 토큰은 Bearer 방식이며, auth.du5t.xyz 경유 시에만 유효하다 (내부 IP 직접 호출 불가).

podman exec authentik-worker python -m manage shell -c "
from authentik.core.models import Token, TokenIntents, User
u = User.objects.get(username='gm')
Token.objects.filter(identifier='claude-api').delete()
t = Token.objects.create(identifier='claude-api', user=u, intent=TokenIntents.INTENT_API, expiring=False)
print(t.key)
"
# 사용: curl -H "Authorization: Bearer <token>" https://auth.du5t.xyz/api/v3/...

신규 서비스 Authentik 연동 절차

OIDC 방식

  1. Authentik API: POST /api/v3/providers/oauth2/ — Provider 생성
  2. Authentik API: POST /api/v3/core/applications/ — Application 생성
  3. 서비스 측 OIDC 설정 (Discovery URL 패턴: https://auth.du5t.xyz/application/o/<slug>/.well-known/openid-configuration)

Proxy Provider 방식

  1. Authentik API: POST /api/v3/providers/proxy/ — Provider 생성 (external_host, internal_host 지정)
  2. Authentik API: POST /api/v3/core/applications/ — Application 생성
  3. Authentik API: PATCH /api/v3/outposts/instances/999d7409-.../ — Outpost providers 배열에 추가
  4. NPM DB: UPDATE proxy_host SET forward_host='10.89.0.20', forward_port=9000 WHERE domain_names='...'
  5. NPM nginx conf 파일 직접 수정 후 podman exec npm-app nginx -s reload

미적용 서비스 (향후 계획)

서비스 권장 방식 비고
JupyterHub OIDC (oauthenticator.GenericOAuthenticator) jupyterhub_config.py 수정 필요
SFTPGo OIDC (Web Admin > Settings > OIDC) 웹 UI에서 설정 가능
Jellyfin OIDC (SSO Plugin) 플러그인 설치 필요
Ollama API Proxy Provider 현재 무인증 노출 상태