ContextQMD
Back to Lobehub

Configuring Authelia Authentication Service for LobeHub

docs/self-hosting/auth/next-auth/authelia.mdx

2.1.564.3 KB
Original Source

Configuring Authelia Authentication Service

Authelia Configuration Flow

<Steps> ### Create an Authelia Identity Provider

We assume you are already familiar with using Authelia. Let's say your LobeHub instance is deployed at https://lobe.example.com/. Note that currently only localhost supports HTTP access; other domains need to enable TLS, otherwise Authelia will actively interrupt authentication by default.

Now, let's open and edit the configuration file of your Authelia instance:

Add a new lobehub item under identity_providers -> oidc:

yaml
identity_providers:
  oidc:
    ...
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    - id: lobehub
      description: LobeHub
      secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
      public: false
      authorization_policy: two_factor
      redirect_uris:
        - https://chat.example.com/api/auth/callback/authelia
      scopes:
        - openid
        - profile
        - email
      userinfo_signing_algorithm: none

Make sure to replace secret and redirect_urls with your own values. Note! The secret configured in Authelia is ciphertext, i.e., a salted hash value. Its corresponding plaintext needs to be filled in LobeHub later.

Save the configuration file and restart the Authelia service. Now we have completed the Authelia configuration.

Configure Environment Variables

When deploying LobeHub, you need to configure the following environment variables:

Environment VariableTypeDescription
AUTH_SECRETRequiredThe secret used to encrypt Auth.js session tokens. You can generate a secret using the following command: openssl rand -base64 32
NEXT_AUTH_SSO_PROVIDERSRequiredSelect the SSO provider for LoboChat. Use authentik for Authentik.
AUTH_AUTHELIA_IDRequiredThe id just configured in Authelia, example value is lobehub
AUTH_AUTHELIA_SECRETRequiredThe plaintext corresponding to the secret just configured in Authelia, example value is insecure_secret
AUTH_AUTHELIA_ISSUERRequiredYour Authelia URL, for example https://sso.example.com
AUTH_URLRequiredThis URL is used to specify the callback address for Auth.js when performing OAuth verification. It only needs to be set when the default generated redirect address is incorrect. https://chat.example.com/api/auth

<Callout type={'tip'}> Go to 📘 Environment Variables for details about the variables. </Callout> </Steps>

<Callout type={'info'}> After a successful deployment, users will be able to use LobeHub by authenticating with the users configured in Authelia. </Callout>