# Configuring Cloudflare Zero Trust Authentication Service for LobeHub

docs/self-hosting/auth/next-auth/cloudflare-zero-trust.mdx


## Cloudflare Zero Trust Configuration Flow

<Steps>

### Creating an Application in Cloudflare Zero Trust

We assume you are already familiar with using the Cloudflare Zero Trust platform and that your LobeHub instance is deployed at https://chat.example.com.

First, we need to visit https://one.dash.cloudflare.com/ and navigate to Access - Applications.

Now, on the current page, click Add an application and select SaaS.

In the Application text box, enter the application name, such as LobeHub SSO. Then click Select OIDC, followed by clicking Add application.

At this point, you have successfully created a SaaS application named LobeHub SSO in Cloudflare Zero Trust.

Next, we need to enter https://chat.example.com/api/auth/callback/cloudflare-zero-trust in the Redirect URLs field (note that chat.example.com should be replaced with your instance's address).

Finally, scroll down the page and record the following three values: Client secret, Client ID, and Issuer. You will need these for setting the environment variables when deploying LobeHub.

### Configure Environment Variables

When deploying LobeHub, you need to configure the following environment variables:

| Environment Variable | Type | Description |
| --- | --- | --- |
| `AUTH_SECRET` | Required | The secret used to encrypt Auth.js session tokens. You can generate a secret using the following command: `openssl rand -base64 32` |
| `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the SSO provider for LobeChat. Use `cloudflare-zero-trust` for Cloudflare Zero Trust. |
| `AUTH_CLOUDFLARE_ZERO_TRUST_ID` | Required | The Client ID from the Cloudflare Zero Trust application provider details page |
| `AUTH_CLOUDFLARE_ZERO_TRUST_SECRET` | Required | The Client Secret from the Cloudflare Zero Trust application provider details page |
| `AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER` | Required | The OpenID Configuration Issuer from the Cloudflare Zero Trust application provider details page |
| `AUTH_URL` | Required | This URL is used to specify the callback address for Auth.js when performing OAuth authentication. It only needs to be set when the default generated redirect address is incorrect. Example: `https://example.com/api/auth` |

<Callout type={'tip'}>
  Go to 📘 Environment Variables for details about the variables.
</Callout>

</Steps>

<Callout type={'info'}> After a successful deployment, users will be able to use LobeHub by authenticating with the users configured in Cloudflare Zero Trust. </Callout>
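A pre-deployment check for the environment variables listed above, as an added example that is not part of the LobeHub documentation or code base. `checkAuthEnv` and its rules are hypothetical; it assumes the issuer must be an `https` URL and that several providers would be comma-separated, and it derives the redirect URL that has to match the Redirect URLs field in Cloudflare.

```javascript
// Added example: checkAuthEnv is a hypothetical helper, not a LobeHub or Auth.js API.
const PROVIDER = 'cloudflare-zero-trust';
const REQUIRED = [
  'AUTH_SECRET', 'NEXT_AUTH_SSO_PROVIDERS', 'AUTH_CLOUDFLARE_ZERO_TRUST_ID',
  'AUTH_CLOUDFLARE_ZERO_TRUST_SECRET', 'AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER',
];

// Returns a URL object only for well-formed https URLs, otherwise null.
function httpsUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === 'https:' ? u : null;
  } catch {
    return null;
  }
}

function checkAuthEnv(env) {
  const problems = [];
  for (const name of REQUIRED) {
    if (!env[name] || !env[name].trim()) problems.push(`${name} is not set`);
  }
  // `openssl rand -base64 32` encodes 32 random bytes; flag anything that decodes shorter.
  if (env.AUTH_SECRET && Buffer.from(env.AUTH_SECRET, 'base64').length < 32) {
    problems.push('AUTH_SECRET decodes to fewer than 32 bytes');
  }
  // Assumption: multiple providers are written as a comma-separated list.
  const providers = (env.NEXT_AUTH_SSO_PROVIDERS || '').split(',').map((p) => p.trim());
  if (env.NEXT_AUTH_SSO_PROVIDERS && !providers.includes(PROVIDER)) {
    problems.push(`NEXT_AUTH_SSO_PROVIDERS does not include ${PROVIDER}`);
  }
  if (env.AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER && !httpsUrl(env.AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER)) {
    problems.push('AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER is not an https URL');
  }
  // When AUTH_URL is set, the URL registered in Cloudflare is AUTH_URL + /callback/<provider>.
  let redirectUrl = null;
  const base = env.AUTH_URL ? httpsUrl(env.AUTH_URL) : null;
  if (env.AUTH_URL && (!base || base.pathname.replace(/\/+$/, '') !== '/api/auth')) {
    problems.push('AUTH_URL must be an https URL ending in /api/auth');
  } else if (base) {
    redirectUrl = `${base.origin}/api/auth/callback/${PROVIDER}`;
  }
  return { ok: problems.length === 0, problems, redirectUrl };
}

// Constructed sample values (placeholders, not real credentials or a real team domain).
const sample = {
  AUTH_SECRET: Buffer.alloc(32, 1).toString('base64'),
  NEXT_AUTH_SSO_PROVIDERS: 'cloudflare-zero-trust',
  AUTH_CLOUDFLARE_ZERO_TRUST_ID: 'CLIENT_ID_PLACEHOLDER',
  AUTH_CLOUDFLARE_ZERO_TRUST_SECRET: 'CLIENT_SECRET_PLACEHOLDER',
  AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER: 'https://issuer.example.com/oidc/CLIENT_ID_PLACEHOLDER',
  AUTH_URL: 'https://chat.example.com/api/auth',
};
console.log(checkAuthEnv(sample));
```

In a real deployment, pass `process.env` instead of `sample` and compare `redirectUrl` with the value entered in the Redirect URLs field.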