Created by 虚拟的现实, last updated on May 20, 2025 (3 minute read)
Introduction
For the environment setup, see "docker - install Keycloak" and "docker - deploy Outline locally".
Previously we used Azure Active Directory. When signing in from the Edge browser on a phone, it insists on launching Microsoft's own app, which Huawei phones do not support. So we are now going to drop Azure Active Directory and switch to our own Synology AD users.
Configuration steps
Create a new realm in Keycloak
First, I recommend creating a separate realm rather than using Keycloak's default master realm. The master realm exists to administer Keycloak itself; keeping application users and clients in their own realm isolates that data from the admin realm and from other applications, which limits the damage if an application client is ever misconfigured.
Log in to the Keycloak admin console. The drop-down in the top left defaults to master; open it and click "Create Realm".
Pick a realm name in lowercase English. Realm names are case-sensitive and appear in every endpoint URL, so a name with capital letters is easy to get wrong later.
For example, app. Then click Create.
Once created, the realm's authorization endpoint is https://<domain>/realms/<realm name>/protocol/openid-connect/auth. The token and userinfo endpoints live under the same prefix, and the full set is published at https://<domain>/realms/<realm name>/.well-known/openid-configuration, which is the quickest way to confirm the realm name and paths before copying them into Outline.
Configure User Federation in Keycloak with Synology Directory Server
Each realm is isolated, so a newly created realm cannot reuse the master realm's users; the user data source has to be configured again for this realm. See "Keycloak using Synology Directory Server as the AD/LDAP user data source".
Create a new Client in Keycloak
Click "Clients" in the left menu, then "Create Client" on the right.
Choose OpenID Connect as the Client type, enter outline (lowercase) as the Client ID (like the realm name, it is used in the verification, so keep it lowercase to avoid mismatches), and Outline (capitalised) as the Name. Click Next.
Turn Client authentication on and Direct access grants off, then click Save. Client authentication on makes this a confidential client with a client secret, which Outline needs for the authorization-code flow. Direct access grants (the password grant, where the application collects the user's password itself) are not used by Outline and should stay off.
Fill in the three login-settings fields as in the screenshot (not reproduced here), then click Save. The one that matters is Valid redirect URIs: it must contain Outline's callback, https://<Outline URL>/auth/oidc.callback, otherwise Keycloak rejects the login with an invalid redirect_uri error.
Click Credentials, then the copy button next to Client secret, and keep the secret for the next step.
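The realm and client steps above can also be done through Keycloak's admin REST API, which makes the setup reproducible. The following is an added example written for this page, not code from the original post or from the Keycloak or Outline projects. It assumes the realm (app) already exists, an admin user in the master realm, and the field names of Keycloak's ClientRepresentation; the Keycloak and Outline hostnames and the credentials are placeholders read from environment variables.

```python
"""Register the Outline OIDC client in a Keycloak realm via the admin REST API.

Added example for this page (not the original post's code). Assumptions:
  - Keycloak reachable at KEYCLOAK_URL, realm `app` already created
  - an admin user in the master realm (KC_ADMIN_USER / KC_ADMIN_PASSWORD)
  - field names follow Keycloak's ClientRepresentation
"""
import json
import os
import urllib.parse
import urllib.request


def outline_client_representation(outline_url: str, client_id: str = "outline") -> dict:
    """Confidential client that only allows the authorization-code flow.

    Mirrors the console settings from the post: Client authentication ON
    (publicClient=False), Direct access grants OFF, and the redirect URI set to
    Outline's fixed callback path /auth/oidc.callback.
    """
    base = outline_url.rstrip("/")
    return {
        "clientId": client_id,                  # lowercase, as used in the .env
        "name": "Outline",
        "protocol": "openid-connect",
        "enabled": True,
        "publicClient": False,                  # Client authentication ON -> client secret issued
        "standardFlowEnabled": True,            # authorization-code flow (what Outline uses)
        "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,     # Direct access grants OFF: no password grant
        "serviceAccountsEnabled": False,
        "rootUrl": base,
        "redirectUris": [base + "/auth/oidc.callback"],  # exact match, no wildcard
        "webOrigins": [base],
        "attributes": {"post.logout.redirect.uris": base + "/*"},
    }


def admin_token(keycloak_url: str, username: str, password: str) -> str:
    """Password grant against the master realm's built-in admin-cli client."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{keycloak_url.rstrip('/')}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def create_client(keycloak_url: str, realm: str, token: str, rep: dict) -> str:
    """POST the representation; Keycloak answers 201 with the new client's URL in Location."""
    req = urllib.request.Request(
        f"{keycloak_url.rstrip('/')}/admin/realms/{realm}/clients",
        data=json.dumps(rep).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Location"]


def fetch_client_secret(client_url: str, token: str) -> str:
    """Same value the console shows under Credentials -> Client secret."""
    req = urllib.request.Request(client_url + "/client-secret",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    kc = os.environ.get("KEYCLOAK_URL", "https://key.example.internal")  # placeholder host
    token = admin_token(kc, os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASSWORD"])
    rep = outline_client_representation(
        os.environ.get("OUTLINE_URL", "https://outline.example.internal"))  # placeholder host
    location = create_client(kc, os.environ.get("KC_REALM", "app"), token, rep)
    # Paste this into OIDC_CLIENT_SECRET in Outline's .env; never commit it.
    print("OIDC_CLIENT_SECRET=" + fetch_client_secret(location, token))
```

The redirect URI is registered as an exact value rather than a wildcard such as https://<Outline URL>/*, so a future change to Outline's callback path has to be made deliberately in both places instead of being silently accepted.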
Modify Outline's configuration to add Keycloak as the OIDC provider
If you installed Outline following "Quick local deployment of Outline", edit the docker.env file, find the OIDC section and change it to the following:
# To configure generic OIDC auth, you'll need some kind of identity provider.
# See documentation for whichever IdP you use to acquire the following info:
# Redirect URI is https://<URL>/auth/oidc.callback
OIDC_CLIENT_ID=outline
OIDC_CLIENT_SECRET=<the Client secret copied above>
OIDC_AUTH_URI=https://<Keycloak domain>/realms/<realm name>/protocol/openid-connect/auth
OIDC_TOKEN_URI=https://<Keycloak domain>/realms/<realm name>/protocol/openid-connect/token
OIDC_USERINFO_URI=https://<Keycloak domain>/realms/<realm name>/protocol/openid-connect/userinfo
# Specify which claims to derive user information from
# Supports any valid JSON path with the JWT payload
OIDC_USERNAME_CLAIM=email
# Display name for OIDC authentication
OIDC_DISPLAY_NAME=<the label Outline shows on its login button, e.g. "Bra SSO Server">
# Space separated auth scopes.
OIDC_SCOPES=email openid profile
outline.yml
services:
  outline_redis:
    image: redis:7.0.10
    restart: always
    container_name: outline_redis
    networks:
      outline-net:
        ipv4_address: ${SUBNET_PREFIX}.2
    cap_drop:
      - net_raw
  outline_postgres:
    image: postgres:15.2
    restart: always
    container_name: outline_postgres
    security_opt:
      - label:disable
    environment:
      # must match the password in DATABASE_URL below
      - POSTGRES_PASSWORD=0da68
      - POSTGRES_USER=outline
      - POSTGRES_DB=outline
    networks:
      outline-net:
        ipv4_address: ${SUBNET_PREFIX}.3
    cap_drop:
      - net_raw
    volumes:
      - /data/outline/db:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
  outline:
    image: outlinewiki/outline:0.84.0
    # root is used here so the container can write to the local file-storage volume
    user: root
    restart: always
    container_name: outline
    # TLS is terminated by the reverse proxy in front of this container
    command: sh -c "yarn start --env=production-ssl-disabled"
    environment:
      # service names on outline-net; these override the commented-out entries in .env
      - DATABASE_URL=postgres://outline:0da68@outline_postgres:5432/outline
      - REDIS_URL=redis://outline_redis:6379
    depends_on:
      - outline_postgres
      - outline_redis
    volumes:
      - /data/outline/file:/var/lib/outline/data
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    ports:
      - 10081:3000
    networks:
      outline-net:
        ipv4_address: ${SUBNET_PREFIX}.4
    cap_drop:
      - net_raw
networks:
  outline-net:
    name: outline-net
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: outline-net
.env
The secret values below are shortened placeholders. SECRET_KEY and UTILS_SECRET must each be 32 random bytes in hex (openssl rand -hex 32), OIDC_CLIENT_SECRET is the value copied from the client's Credentials tab, and the SMTP and database passwords are your own. Note that this file uses preferred_username as the username claim rather than the email claim shown in the template above; either works as long as the Keycloak user federation actually populates it.
SUBNET_PREFIX=172.22.225
NODE_ENV=production
SECRET_KEY=93d039f2
UTILS_SECRET=9b8c3dc9
#DATABASE_URL=postgres://outline:${POSTGRES_PASSWORD}@outline-postgres/outline
DATABASE_CONNECTION_POOL_MIN=
DATABASE_CONNECTION_POOL_MAX=
#REDIS_URL=redis://outline-redis:6379
URL=https://outline.waringid.me
PORT=3000
# See [documentation](docs/SERVICES.md) on running a separate collaboration
# server, for normal operation this does not need to be set.
COLLABORATION_URL=
FILE_STORAGE=local
FILE_STORAGE_LOCAL_ROOT_DIR=/var/lib/outline/data
FILE_STORAGE_UPLOAD_MAX_SIZE=262144000
FILE_STORAGE_IMPORT_MAX_SIZE=
FILE_STORAGE_WORKSPACE_IMPORT_MAX_SIZE=
OIDC_CLIENT_ID=outline
OIDC_CLIENT_SECRET=6ErNI9g
OIDC_AUTH_URI=https://key.waringid.me/realms/app/protocol/openid-connect/auth
OIDC_TOKEN_URI=https://key.waringid.me/realms/app/protocol/openid-connect/token
OIDC_USERINFO_URI=https://key.waringid.me/realms/app/protocol/openid-connect/userinfo
#OIDC_LOGOUT_URI=https://key.waringid.me/realms/app/protocol/openid-connect/logout?redirect_uri=https://outline.waringid.me/
OIDC_LOGOUT_URI=https://key.waringid.me/realms/app/protocol/openid-connect/logout?client_id=outline
OIDC_USERNAME_CLAIM=preferred_username
OIDC_DISPLAY_NAME=Outline App OIDC
OIDC_SCOPES=openid profile email
CDN_URL=https://outline.waringid.me
PGSSLMODE=disable
FORCE_HTTPS=false
ENABLE_UPDATES=true
WEB_CONCURRENCY=1
DEBUG=http
LOG_LEVEL=info
SMTP_HOST=smtp.139.com
SMTP_PORT=465
SMTP_USERNAME=13600000000@139.com
SMTP_PASSWORD=epassword
SMTP_FROM_EMAIL=1360000000@139.com
SMTP_REPLY_EMAIL=
SMTP_TLS_CIPHERS=
SMTP_SECURE=true
AWS_S3_ACL=private
LANGUAGE_CODE=en-us
TIME_ZONE=Asia/Shanghai
DEFAULT_LANGUAGE=zh_CN
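Most failed first logins with this setup come down to a typo in one of the three OIDC_*_URI values, a realm name in the wrong case, or a redirect URI that does not match what Keycloak has registered. The script below is an added example for this page, covering both the docker.env template and the .env above; it is not code from the original post or from Outline. It checks a .env offline: the three endpoints must share one Keycloak host and realm and end in the paths Keycloak uses, SECRET_KEY and UTILS_SECRET must be 32 hex bytes, and it prints the exact redirect URI to put in the client's Valid redirect URIs. SAMPLE_ENV is constructed for the example with placeholder hosts, the page's short secrets, and one deliberately mis-cased realm name so the checks have something to find.

```python
"""Offline consistency check of the OIDC settings in an Outline .env for Keycloak.

Added example for this page, not code from the original post or from Outline.
It parses a .env, derives the endpoint URLs Keycloak publishes for a realm,
flags mismatches (including a realm-name case mismatch), checks the secret
formats Outline expects, and prints the redirect URI to register in Keycloak.
SAMPLE_ENV is constructed for the example (hosts are placeholders).
"""
import re
import secrets

SAMPLE_ENV = """\
# constructed sample: short secrets and one mis-cased realm name on purpose
SECRET_KEY=93d039f2
UTILS_SECRET=9b8c3dc9
URL=https://outline.example.internal
OIDC_CLIENT_ID=outline
OIDC_CLIENT_SECRET=6ErNI9g
OIDC_AUTH_URI=https://key.example.internal/realms/app/protocol/openid-connect/auth
OIDC_TOKEN_URI=https://key.example.internal/realms/app/protocol/openid-connect/token
OIDC_USERINFO_URI=https://key.example.internal/realms/App/protocol/openid-connect/userinfo
OIDC_USERNAME_CLAIM=preferred_username
OIDC_SCOPES=openid profile email
"""

# Outline expects SECRET_KEY / UTILS_SECRET as 32 random bytes in hex (openssl rand -hex 32)
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
# https://<host>/realms/<realm>/protocol/openid-connect/<endpoint>
KC_ENDPOINT = re.compile(r"^(https?://[^/]+)/realms/([^/]+)/protocol/openid-connect/([a-z]+)$")
ENDPOINT_PATHS = {"OIDC_AUTH_URI": "auth", "OIDC_TOKEN_URI": "token", "OIDC_USERINFO_URI": "userinfo"}


def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser: skips blanks and comments, keeps '=' inside values."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def keycloak_endpoints(keycloak_url: str, realm: str) -> dict:
    """The three URIs Outline needs, derived from the realm name (case-sensitive)."""
    base = f"{keycloak_url.rstrip('/')}/realms/{realm}/protocol/openid-connect"
    return {key: f"{base}/{path}" for key, path in ENDPOINT_PATHS.items()}


def redirect_uri(env: dict) -> str:
    """Outline's fixed callback; this exact value goes into the client's Valid redirect URIs."""
    return env["URL"].rstrip("/") + "/auth/oidc.callback"


def new_secret() -> str:
    """A value fit for SECRET_KEY or UTILS_SECRET."""
    return secrets.token_hex(32)


def check_env(env: dict) -> list:
    """Return human-readable problems; an empty list means the OIDC block is consistent."""
    problems = []
    for key in ("SECRET_KEY", "UTILS_SECRET"):
        if not HEX64.match(env.get(key, "")):
            problems.append(f"{key}: expected 64 hex chars (openssl rand -hex 32)")
    if not env.get("OIDC_CLIENT_SECRET"):
        problems.append("OIDC_CLIENT_SECRET: empty; copy it from the client's Credentials tab")
    issuers = set()
    for key, path in ENDPOINT_PATHS.items():
        match = KC_ENDPOINT.match(env.get(key, ""))
        if not match:
            problems.append(f"{key}: not a Keycloak openid-connect endpoint URL")
            continue
        host, realm, endpoint = match.groups()
        issuers.add((host, realm))
        if endpoint != path:
            problems.append(f"{key}: should end in /{path}, ends in /{endpoint}")
    if len(issuers) > 1:
        problems.append("OIDC_*_URI: endpoints point at different realms (realm names are "
                        "case-sensitive): " + ", ".join(f"{h}/realms/{r}" for h, r in sorted(issuers)))
    if "openid" not in env.get("OIDC_SCOPES", "").split():
        problems.append("OIDC_SCOPES: must include 'openid' or no ID token is issued")
    if not env.get("URL", "").startswith("https://"):
        problems.append("URL: should be Outline's public https address; it forms the redirect URI")
    return problems


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    for problem in check_env(env):
        print("PROBLEM:", problem)
    print("Register in Keycloak as Valid redirect URI:", redirect_uri(env))
    print("Fresh SECRET_KEY=" + new_secret())
```

Run it against the sample and it reports the two short secrets and the realm mismatch between app and App; point parse_env at the real file instead (open(".env").read()) before the first docker compose up. The online counterpart is to fetch https://<Keycloak domain>/realms/<realm name>/.well-known/openid-configuration and compare its authorization_endpoint, token_endpoint and userinfo_endpoint with the same three keys.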