-
Created by
虚拟的现实, last updated on May 20, 2025
3 minute read
简介
环境搭建参照docker-部署安装 keycloak和docker-本地部署 outline
之前是用了 Azure Active Directory,在手机的 EDGE 浏览器登录的时候,非要拉起微软自己的 APP,华为手机还不支持。所以我们现在要干掉 Azure Active Directory,改为自己的群晖 AD 用户。
配置步骤
KeyCloak中创建新的Realm
首先,我建议是单独创建一个realm,不要使用KeyCloak默认的master,好处是可以做到用户数据和应用的隔离,保证KeyCloak的安全性。
登录KeyCloak的后台,左上角有个下拉,默认是master,点击下拉菜单,然后点击『Create Realm』
realm name自己起一个,要用英文小写(因为大小写区分,用大写容易出错)。
比如写一个app吧。然后点击Create。
创建完以后,URL就会类似于https://<域名>/realms/<realm name>/protocol/openid-connect/auth
KeyCloak 中配置 User Federation,使用 Synology Directory Server
因为每个realm都是单独隔离的,新创建的realm不能复用master的用户数据,所以用户的数据源需要重新配置。参考 Keycloak 使用群晖 Synology Directory Server 作为AD/LDAP用户数据源
KeyCloak 中创建新的 Client
左侧菜单点击『Clients』,然后右侧点击『Create Client』
Client type 选择 OpenID Connect,Client ID 输入小写的outline(和前面 realm name 一样,因为要用于验证,所以小写,避免搞错),Name 可以输入大写的 Outline,点击 Next。
Client authentication 选上,Direct access grants 去掉,点击 Save
参考下面的图片填写三个框,填完后点击 Save 保存
点击 Credentials,然后点击 Client secret 右侧的拷贝小按钮,把秘钥拷贝出来备用
修改 Outline 的配置,添加 KeyCloak 作为 OIDC
如果你是按照《本地快速部署Outline》来安装 Outline 的,那么修改 docker.env 文件,找到 OIDC 这段,修改成下面的样子
# To configure generic OIDC auth, you'll need some kind of identity provider. # See documentation for whichever IdP you use to acquire the following info: # Redirect URI is https://<URL>/auth/oidc.callback OIDC_CLIENT_ID=outline OIDC_CLIENT_SECRET=<前面拷贝出来的Client secret> OIDC_AUTH_URI=https://<KeyCloak域名>/realms/<realm名字>/protocol/openid-connect/auth OIDC_TOKEN_URI=https://<KeyCloak域名>/realms/<realm名字>/protocol/openid-connect/token OIDC_USERINFO_URI=https://<KeyCloak域名>/realms/<realm名字>/protocol/openid-connect/userinfo # Specify which claims to derive user information from # Supports any valid JSON path with the JWT payload OIDC_USERNAME_CLAIM=email # Display name for OIDC authentication OIDC_DISPLAY_NAME=<用来给Outline显示登录的文案,比如『Bra SSO Server』> # Space separated auth scopes. OIDC_SCOPES=email openid profile
outline.yml
services:
outline_redis:
image: redis:7.0.10
restart: always
container_name: outline_redis
networks:
outline-net:
ipv4_address: ${SUBNET_PREFIX}.2
cap_drop:
- net_raw
outline_postgres:
image: postgres:15.2
restart: always
container_name: outline_postgres
security_opt:
- label:disable
environment:
- POSTGRES_PASSWORD=0da68
- POSTGRES_USER=outline
- POSTGRES_DB=outline
networks:
outline-net:
ipv4_address: ${SUBNET_PREFIX}.3
cap_drop:
- net_raw
volumes:
- /data/outline/db:/var/lib/postgresql/data
- /etc/localtime:/etc/localtime:ro
outline:
image: outlinewiki/outline:0.84.0
user: root
restart: always
container_name: outline
command: sh -c "yarn start --env=production-ssl-disabled"
environment:
- DATABASE_URL=postgres://outline:0da68@outline_postgres:5432/outline
- REDIS_URL=redis://outline_redis:6379
depends_on:
- outline_postgres
- outline_redis
volumes:
- /data/outline/file:/var/lib/outline/data
- /etc/localtime:/etc/localtime:ro
env_file:
- .env
ports:
- 10081:3000
networks:
outline-net:
ipv4_address: ${SUBNET_PREFIX}.4
cap_drop:
- net_raw
networks:
outline-net:
name: outline-net
driver: bridge
ipam:
driver: default
config:
- gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
subnet: ${SUBNET_PREFIX}.0/24
driver_opts:
com.docker.network.bridge.name: outline-net
.env
SUBNET_PREFIX=172.22.225
NODE_ENV=production
SECRET_KEY=93d039f2
UTILS_SECRET=9b8c3dc9
#DATABASE_URL=postgres://outline:${POSTGRES_PASSWORD}@outline-postgres/outline
DATABASE_CONNECTION_POOL_MIN=
DATABASE_CONNECTION_POOL_MAX=
#REDIS_URL=redis://outline-redis:6379
URL=https://outline.waringid.me
PORT=3000
# See [documentation](docs/SERVICES.md) on running a separate collaboration
# server, for normal operation this does not need to be set.
COLLABORATION_URL=
FILE_STORAGE=local
FILE_STORAGE_LOCAL_ROOT_DIR=/var/lib/outline/data
FILE_STORAGE_UPLOAD_MAX_SIZE=262144000
FILE_STORAGE_IMPORT_MAX_SIZE=
FILE_STORAGE_WORKSPACE_IMPORT_MAX_SIZE=
OIDC_CLIENT_ID=outline
OIDC_CLIENT_SECRET=6ErNI9g
OIDC_AUTH_URI=https://key.waringid.me/realms/app/protocol/openid-connect/auth
OIDC_TOKEN_URI=https://key.waringid.me/realms/app/protocol/openid-connect/token
OIDC_USERINFO_URI=https://key.waringid.me/realms/app/protocol/openid-connect/userinfo
#OIDC_LOGOUT_URI=https://key.waringid.me/realms/app/protocol/openid-connect/logout?redirect_uri=https://outline.waringid.me/
OIDC_LOGOUT_URI=https://key.waringid.me/realms/app/protocol/openid-connect/logout?client_id=outline
OIDC_USERNAME_CLAIM=preferred_username
OIDC_DISPLAY_NAME=Outline App OIDC
OIDC_SCOPES=openid profile email
CDN_URL=https://outline.waringid.me
PGSSLMODE=disable
FORCE_HTTPS=false
ENABLE_UPDATES=true
WEB_CONCURRENCY=1
DEBUG=http
LOG_LEVEL=info
SMTP_HOST=smtp.139.com
SMTP_PORT=465
SMTP_USERNAME=13600000000@139.com
SMTP_PASSWORD=epassword
SMTP_FROM_EMAIL=1360000000@139.com
SMTP_REPLY_EMAIL=
SMTP_TLS_CIPHERS=
SMTP_SECURE=true
AWS_S3_ACL=private
LANGUAGE_CODE=en-us
TIME_ZONE=Asia/Shanghai
DEFAULT_LANGUAGE=zh_CN
Add Comment