5.8 KiB
5.8 KiB
SSO 연동 현황 (Authentik)
Authentik:
https://auth.du5t.xyz| 버전: 2025.12 Embedded Outpost PK:999d7409-0ec6-4e81-ab37-cb4cd4b1557c
Provider 목록
| PK | Provider명 | 타입 | 연결 Application |
|---|---|---|---|
| 2 | grafana-oidc |
OAuth2/OIDC | Grafana |
| 3 | gitea-oidc |
OAuth2/OIDC | Gitea |
| 4 | nextcloud-oidc |
OAuth2/OIDC | Nextcloud |
| 5 | open-webui-oidc |
OAuth2/OIDC | Open WebUI |
| 6 | prometheus-proxy |
Proxy | Prometheus |
| 7 | filebrowser-proxy |
Proxy | FileBrowser |
| 8 | comfyui-proxy |
Proxy | ComfyUI |
| 9 | wikijs-provider |
OAuth2/OIDC | Wiki.js |
OIDC 연동 상세
Grafana (grafana.ini)
[auth.generic_oauth]
enabled = true
name = authentik
client_id = gO2Rk6LOyDU9CZc7DdXqNlEwfK8lTZmGb2nnBJOk
scopes = openid profile email
auth_url = https://auth.du5t.xyz/application/o/authorize/
token_url = https://auth.du5t.xyz/application/o/token/
api_url = https://auth.du5t.xyz/application/o/userinfo/
role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer'
signout_redirect_url = https://auth.du5t.xyz/application/o/grafana/end-session/
use_pkce = true
Gitea
podman exec --user git gitea gitea admin auth add-oauth \
--name "authentik" \
--provider "openidConnect" \
--key "<CLIENT_ID>" \
--secret "<CLIENT_SECRET>" \
--auto-discover-url "https://auth.du5t.xyz/application/o/gitea/.well-known/openid-configuration"
Nextcloud
podman exec --user www-data nextcloud-app php occ app:install user_oidc
podman exec --user www-data nextcloud-app php occ user_oidc:provider authentik \
--clientid="<CLIENT_ID>" \
--clientsecret="<CLIENT_SECRET>" \
--discoveryuri="https://auth.du5t.xyz/application/o/nextcloud/.well-known/openid-configuration" \
--unique-uid=1
Open WebUI (환경변수)
Environment=ENABLE_OAUTH_SIGNUP=true
Environment=OAUTH_PROVIDER_NAME=authentik
Environment=OPENID_PROVIDER_URL=https://auth.du5t.xyz/application/o/open-webui/.well-known/openid-configuration
Environment=OAUTH_CLIENT_ID=<CLIENT_ID>
Environment=OAUTH_CLIENT_SECRET=<CLIENT_SECRET>
Environment=OAUTH_SCOPES=openid email profile
Wiki.js
Wiki.js의 passport-openidconnect v0.1.2가 Authentik과 호환되지 않아 oidc 대신 oauth2 전략을 사용한다.
| 항목 | 값 |
|---|---|
| Provider PK | 9 |
| Strategy | oauth2 (passport-oauth2, Wiki.js 내장) |
| Strategy UUID | a2d864cd-dfc4-4a75-a891-d768fd8d173a |
| Callback URL | https://wiki.du5t.xyz/login/a2d864cd-dfc4-4a75-a891-d768fd8d173a/callback |
| Authorization Flow | implicit-consent |
필수 설정: Provider PK=9에 아래 property_mappings 3개가 없으면 userinfo 엔드포인트에서 Scope mismatch 오류 발생.
| Mapping UUID | Scope |
|---|---|
aa970463-7f63-4091-9a94-839178f7ba0a |
openid |
ce7b7b24-e441-4905-ae84-83819e2a4f07 |
profile |
12009db0-10be-4dff-b181-4111c9113c2c |
AUTHENTIK_TOKEN="<token>"
curl -s -X PATCH -H "Authorization: Bearer $AUTHENTIK_TOKEN" \
-H "Content-Type: application/json" \
"https://auth.du5t.xyz/api/v3/providers/oauth2/9/" \
-d '{"property_mappings":["aa970463-7f63-4091-9a94-839178f7ba0a","ce7b7b24-e441-4905-ae84-83819e2a4f07","12009db0-10be-4dff-b181-4111c9113c2c"]}'
전략은 Wiki.js GraphQL API(updateStrategies mutation)로 등록한다. 자세한 내용은 gm/wikijs 참고.
Proxy Provider 연동 상세
NPM의 백엔드를 10.89.0.20:9000 (Authentik Embedded Outpost)으로 설정한다.
Outpost가 Host 헤더를 보고 어느 Proxy Provider를 적용할지 결정한다.
NPM (443) ─→ Authentik Outpost (10.89.0.20:9000)
│
├─ Host: prometheus.du5t.xyz → 10.89.0.30:9090
├─ Host: file.du5t.xyz → 10.89.0.5:8080
└─ Host: comfy.du5t.xyz → 10.89.0.1:8188
인증되지 않은 요청:
302 → https://<domain>/outpost.goauthentik.io/start?rd=<original_url>
→ https://auth.du5t.xyz/flows/default-authentication-flow/
API 토큰 재발급
Authentik API 토큰은 Bearer 방식이며, auth.du5t.xyz 경유 시에만 유효하다 (내부 IP 직접 호출 불가).
podman exec authentik-worker python -m manage shell -c "
from authentik.core.models import Token, TokenIntents, User
u = User.objects.get(username='gm')
Token.objects.filter(identifier='claude-api').delete()
t = Token.objects.create(identifier='claude-api', user=u, intent=TokenIntents.INTENT_API, expiring=False)
print(t.key)
"
# 사용: curl -H "Authorization: Bearer <token>" https://auth.du5t.xyz/api/v3/...
신규 서비스 Authentik 연동 절차
OIDC 방식
- Authentik API:
POST /api/v3/providers/oauth2/— Provider 생성 - Authentik API:
POST /api/v3/core/applications/— Application 생성 - 서비스 측 OIDC 설정 (Discovery URL 패턴:
https://auth.du5t.xyz/application/o/<slug>/.well-known/openid-configuration)
Proxy Provider 방식
- Authentik API:
POST /api/v3/providers/proxy/— Provider 생성 (external_host,internal_host지정) - Authentik API:
POST /api/v3/core/applications/— Application 생성 - Authentik API:
PATCH /api/v3/outposts/instances/999d7409-.../— Outpost providers 배열에 추가 - NPM DB:
UPDATE proxy_host SET forward_host='10.89.0.20', forward_port=9000 WHERE domain_names='...' - NPM nginx conf 파일 직접 수정 후
podman exec npm-app nginx -s reload
미적용 서비스 (향후 계획)
| 서비스 | 권장 방식 | 비고 |
|---|---|---|
| JupyterHub | OIDC (oauthenticator.GenericOAuthenticator) |
jupyterhub_config.py 수정 필요 |
| SFTPGo | OIDC (Web Admin > Settings > OIDC) | 웹 UI에서 설정 가능 |
| Jellyfin | OIDC (SSO Plugin) | 플러그인 설치 필요 |
| Ollama API | Proxy Provider | 현재 무인증 노출 상태 |