ContextQMD
Back to Lobehub

Configuring Authentik Authentication Service for LobeHub

docs/self-hosting/auth/next-auth/authentik.mdx

2.1.563.8 KB
Original Source

Configuring Authentik Authentication Service

Authentik Configuration Flow

<Steps> ### Create an Authentik Application Provider

In your Authentik instance, use the administrator account to go to Admin Interface -> Applications -> Providers and create a new provider.

Select OAuth2/OpenID Provider as the provider type. Fill in the provider name, select the authentication flow and authorization flow.

In the Redirect URL/Origin (regex) field, fill in:

bash
https://your-domain/api/auth/callback/authentik

<Callout type={'info'}> - You can fill in or modify the Redirect URL/Origin (regex) later, but make sure the filled in URL matches the deployed URL. - Replace your-domain with your own domain name </Callout>

<Image alt="Create Authentik Provider" inStep src="/blog/assets67304509/4244634e-5f68-48d5-aac0-e5f4b06d1c4b.webp" />

Click Done

After the creation is successful, click Applications on the left -> Create, fill in the name and Slug, select the provider created in the previous step, and click Create.

After the application provider is created, click the corresponding provider to enter the details page, click Edit, and save the Client ID and Client Secret.

Copy the URL of OpenID Configuration Issuer and save it.

Configure Environment Variables

When deploying LobeHub, you need to configure the following environment variables:

Environment VariableTypeDescription
AUTH_SECRETRequiredThe secret used to encrypt Auth.js session tokens. You can generate a secret using the following command: openssl rand -base64 32
NEXT_AUTH_SSO_PROVIDERSRequiredSelect the SSO provider for LoboChat. Use authentik for Authentik.
AUTH_AUTHENTIK_IDRequiredThe Client ID from the Authentik application provider details page
AUTH_AUTHENTIK_SECRETRequiredThe Client Secret from the Authentik application provider details page
AUTH_AUTHENTIK_ISSUERRequiredThe OpenID Configuration Issuer from the Authentik application provider details page
AUTH_URLRequiredThis URL is used to specify the callback address for Auth.js when performing OAuth authentication. It only needs to be set when the default generated redirect address is incorrect. https://example.com/api/auth

<Callout type={'tip'}> Go to 📘 Environment Variables for details about the variables. </Callout> </Steps>

<Callout type={'info'}> After a successful deployment, users will be able to use LobeHub by authenticating with the users configured in Authentik. </Callout>