Introduction

For setting up the environment, see "docker - deploying and installing keycloak" and "docker - local deployment of outline".

We previously used Azure Active Directory, but when logging in from the Edge browser on a phone it insists on launching Microsoft's own app, which Huawei phones do not support. So we now want to drop Azure Active Directory and switch to our own Synology AD users.

Configuration steps

Create a new Realm in Keycloak

First, I recommend creating a separate realm instead of using Keycloak's default master. The benefit is that user data and applications stay isolated from the admin realm, which keeps Keycloak safer.

Log in to the Keycloak admin console. In the top-left corner there is a dropdown that defaults to master; open it and click "Create Realm".

Pick your own realm name, in lowercase English letters (realm names are case-sensitive, so uppercase letters make mistakes easy).

For example, app. Then click Create.

Once the realm is created, its URL will look like https://<domain>/realms/<realm name>/protocol/openid-connect/auth

Configure User Federation in Keycloak using Synology Directory Server

Because every realm is isolated, a newly created realm cannot reuse the user data of master, so the user data source has to be configured again. See "Keycloak: using Synology Directory Server as the AD/LDAP user data source".

Create a new Client in Keycloak

In the left menu click "Clients", then click "Create Client" on the right.

Choose OpenID Connect as the Client type and enter outline in lowercase as the Client ID (the same rule as for the realm name: it is used for verification, so keep it lowercase to avoid mix-ups). The Name can be Outline with a capital letter. Click Next.

Tick Client authentication, untick Direct access grants, then click Save.

Fill in the three fields as shown in the picture below, then click Save.

Click Credentials, then click the small copy button next to Client secret and keep the secret for later.

Modify Outline's configuration to add Keycloak as the OIDC provider

If you installed Outline following "Quick local deployment of Outline", edit the docker.env file, find the OIDC section, and change it to the following:

# To configure generic OIDC auth, you'll need some kind of identity provider.
# See documentation for whichever IdP you use to acquire the following info:
# Redirect URI is https://<URL>/auth/oidc.callback
OIDC_CLIENT_ID=outline
OIDC_CLIENT_SECRET=<the Client secret copied above>
OIDC_AUTH_URI=https://<Keycloak domain>/realms/<realm name>/protocol/openid-connect/auth
OIDC_TOKEN_URI=https://<Keycloak domain>/realms/<realm name>/protocol/openid-connect/token
OIDC_USERINFO_URI=https://<Keycloak domain>/realms/<realm name>/protocol/openid-connect/userinfo

# Specify which claims to derive user information from
# Supports any valid JSON path with the JWT payload
OIDC_USERNAME_CLAIM=email

# Display name for OIDC authentication
OIDC_DISPLAY_NAME=<the label Outline shows on the login button, e.g. "Bra SSO Server">

# Space separated auth scopes.
OIDC_SCOPES=email openid profile
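As an added check that is not part of the original post (nor Outline's or Keycloak's own code): the script below parses the OIDC keys of a constructed .env sample (example hosts, placeholder secret) and compares them against a constructed subset of the realm's discovery document, which Keycloak serves at /realms/<realm>/.well-known/openid-configuration. It catches a miscased realm name in one URL, a scope or username claim the realm does not offer, and a client secret left as a placeholder, and it derives the /auth/oidc.callback redirect URI that must be registered on the Keycloak client.

```python
# Constructed sample of the OIDC section of Outline's .env (example hosts, placeholder secret).
OUTLINE_ENV = """
URL=https://outline.example.test
OIDC_CLIENT_ID=outline
OIDC_CLIENT_SECRET=<client-secret-placeholder>
OIDC_AUTH_URI=https://key.example.test/realms/app/protocol/openid-connect/auth
OIDC_TOKEN_URI=https://key.example.test/realms/app/protocol/openid-connect/token
OIDC_USERINFO_URI=https://key.example.test/realms/App/protocol/openid-connect/userinfo
OIDC_USERNAME_CLAIM=preferred_username
OIDC_SCOPES=openid profile email
"""
# Constructed subset of the realm's discovery document, which Keycloak serves
# at https://<host>/realms/<realm>/.well-known/openid-configuration
KC = "https://key.example.test/realms/app"
DISCOVERY = {
    "authorization_endpoint": KC + "/protocol/openid-connect/auth",
    "token_endpoint": KC + "/protocol/openid-connect/token",
    "userinfo_endpoint": KC + "/protocol/openid-connect/userinfo",
    "scopes_supported": ["openid", "profile", "email", "roles"],
    "claims_supported": ["sub", "email", "preferred_username", "name"],
}
ENDPOINTS = {"OIDC_AUTH_URI": "authorization_endpoint",
             "OIDC_TOKEN_URI": "token_endpoint",
             "OIDC_USERINFO_URI": "userinfo_endpoint"}

def parse_env(text):
    """KEY=VALUE lines; blank lines and # comments are skipped, as in a docker .env."""
    env = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def redirect_uri(env):
    """Outline's callback; it must be listed in the Keycloak client's valid redirect URIs."""
    return env["URL"].rstrip("/") + "/auth/oidc.callback"

def check_oidc_config(env, disc):
    """Return findings; an empty list means .env agrees with the realm's discovery data."""
    out = []
    for key, field in ENDPOINTS.items():
        if env.get(key) != disc[field]:
            out.append(f"{key} != {field} (URLs are case-sensitive: check the realm name)")
    out += [f"scope {s!r} not offered by the realm"
            for s in env.get("OIDC_SCOPES", "").split() if s not in disc["scopes_supported"]]
    if env.get("OIDC_USERNAME_CLAIM") not in disc["claims_supported"]:  # plain claim names only
        out.append("OIDC_USERNAME_CLAIM is not a claim the realm advertises")
    if env.get("OIDC_CLIENT_SECRET", "<").startswith("<"):
        out.append("OIDC_CLIENT_SECRET still holds the placeholder")
    return out
```

Outline also accepts a JSON path in OIDC_USERNAME_CLAIM; the claim check above only covers plain claim names like email or preferred_username.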

outline.yml

services:
  outline_redis:
    image: redis:7.0.10
    restart: always
    container_name: outline_redis
    networks:
      outline-net:
        ipv4_address: ${SUBNET_PREFIX}.2
    cap_drop:
      - net_raw

  outline_postgres:
    image: postgres:15.2
    restart: always
    container_name: outline_postgres
    security_opt:
      - label:disable
    environment:
      - POSTGRES_PASSWORD=0da68
      - POSTGRES_USER=outline
      - POSTGRES_DB=outline
    networks:
      outline-net:
        ipv4_address: ${SUBNET_PREFIX}.3
    cap_drop:
      - net_raw
    volumes:
      - /data/outline/db:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro

  outline:
    image: outlinewiki/outline:0.84.0
    user: root
    restart: always
    container_name: outline
    command: sh -c "yarn start --env=production-ssl-disabled"
    environment:
      - DATABASE_URL=postgres://outline:0da68@outline_postgres:5432/outline
      - REDIS_URL=redis://outline_redis:6379
    depends_on:
      - outline_postgres
      - outline_redis
    volumes:
      - /data/outline/file:/var/lib/outline/data
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    ports:
      - 10081:3000
    networks:
      outline-net:
        ipv4_address: ${SUBNET_PREFIX}.4
    cap_drop:
      - net_raw
networks:
  outline-net:
    name: outline-net
    driver: bridge
    ipam:
      driver: default
      config:
        - gateway: ${SUBNET_PREFIX:?SUBNET_PREFIX required}.1
          subnet: ${SUBNET_PREFIX}.0/24
    driver_opts:
      com.docker.network.bridge.name: outline-net

.env

SUBNET_PREFIX=172.22.225

NODE_ENV=production

SECRET_KEY=93d039f2
UTILS_SECRET=9b8c3dc9
#DATABASE_URL=postgres://outline:${POSTGRES_PASSWORD}@outline-postgres/outline
DATABASE_CONNECTION_POOL_MIN=
DATABASE_CONNECTION_POOL_MAX=

#REDIS_URL=redis://outline-redis:6379
URL=https://outline.waringid.me
PORT=3000

# See [documentation](docs/SERVICES.md) on running a separate collaboration
# server, for normal operation this does not need to be set.
COLLABORATION_URL=

FILE_STORAGE=local
FILE_STORAGE_LOCAL_ROOT_DIR=/var/lib/outline/data
FILE_STORAGE_UPLOAD_MAX_SIZE=262144000
FILE_STORAGE_IMPORT_MAX_SIZE=
FILE_STORAGE_WORKSPACE_IMPORT_MAX_SIZE=


OIDC_CLIENT_ID=outline
OIDC_CLIENT_SECRET=6ErNI9g
OIDC_AUTH_URI=https://key.waringid.me/realms/app/protocol/openid-connect/auth
OIDC_TOKEN_URI=https://key.waringid.me/realms/app/protocol/openid-connect/token
OIDC_USERINFO_URI=https://key.waringid.me/realms/app/protocol/openid-connect/userinfo
#OIDC_LOGOUT_URI=https://key.waringid.me/realms/app/protocol/openid-connect/logout?redirect_uri=https://outline.waringid.me/
OIDC_LOGOUT_URI=https://key.waringid.me/realms/app/protocol/openid-connect/logout?client_id=outline
OIDC_USERNAME_CLAIM=preferred_username
OIDC_DISPLAY_NAME=Outline App OIDC
OIDC_SCOPES=openid profile email


CDN_URL=https://outline.waringid.me

PGSSLMODE=disable
FORCE_HTTPS=false
ENABLE_UPDATES=true
WEB_CONCURRENCY=1
DEBUG=http
LOG_LEVEL=info


SMTP_HOST=smtp.139.com
SMTP_PORT=465
SMTP_USERNAME=13600000000@139.com
SMTP_PASSWORD=epassword
SMTP_FROM_EMAIL=1360000000@139.com
SMTP_REPLY_EMAIL=
SMTP_TLS_CIPHERS=
SMTP_SECURE=true

AWS_S3_ACL=private

LANGUAGE_CODE=en-us
TIME_ZONE=Asia/Shanghai
DEFAULT_LANGUAGE=zh_CN

