@lobehub/chat
Version:
Lobe Chat - an open-source, high-performance chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application.
154 lines (115 loc) • 7.18 kB
text/mdx
---
title: Configuring Casdoor Authentication Service in LobeChat
description: >-
Learn how to configure the Casdoor authentication service in LobeChat, including deployment, creation, permission settings, and environment variables.
tags:
- Casdoor Authentication
- Environment Variable Configuration
- Single Sign-On
- LobeChat
---
# Configuring Casdoor Authentication Service
[Casdoor](https://github.com/casdoor/casdoor) is an open-source authentication service that is rich in features and easy to use.
<Callout type={'tip'}>
If you want to privately deploy Casdoor, we recommend using Docker Compose to deploy it together
with the LobeChat database version, allowing LobeChat to share the same Postgres instance.
</Callout>
## Casdoor Configuration Process
If you are deploying using a local network IP, the following assumptions apply:
- Your LobeChat database version IP/port is `http://LOBECHAT_IP:3210`.
- You privately deploy Casdoor, and its domain is `http://CASDOOR_IP:8000`.
If you are deploying using a public network, the following assumptions apply:
- Your LobeChat database version domain is `https://lobe.example.com`.
- You privately deploy Casdoor, and its domain is `https://lobe-auth-api.example.com`.
<Steps>
### Create a Casdoor Application
Access your privately deployed Casdoor WebUI (default is `http://localhost:8000/`) to enter the console. The default account is `admin`, and the password is `123`.
Go to `Authentication` -> `Applications`, create a `LobeChat` application or directly modify the built-in `built-in` application. You can explore other fields, but you must configure at least the following fields:
- Name, Display Name: `LobeChat`
- Redirect URLs:
- Local Development Environment: `http://localhost:3210/api/auth/callback/casdoor`
- Local Network IP Deployment: `http://LOBECHAT_IP:3210/api/auth/callback/casdoor`
- Public Network Environment: `https://lobe.example.com/api/auth/callback/casdoor`
There are also some optional fields that can enhance user experience:
- Logo: `https://lobehub.com/icon-192x192.png`
- Form CSS, Form CSS (Mobile):
```html
<style>
.login-panel {
padding: 40px 70px 0 70px;
border-radius: 10px;
background-color: #ffffff;
box-shadow: rgba(17, 12, 46, 0.15) 0px 48px 100px 0px;
}
.panel-logo {
width: 64px;
}
.login-logo-box {
margin-top: 20px;
}
#parent-area
> main
> div
> div.login-content
> div.login-panel
> div.login-form
> div
> div
> button {
box-shadow: none !important;
border-radius: 10px !important;
transition-property: all;
transition-timing-function: cubic-bezier(0.4, 0, 0.2, 1);
transition-duration: 150ms;
border: 1px solid #eee !important;
}
@media (max-width: 640px) {
.login-panel {
padding: 40px 0 0 0;
box-shadow: none;
}
}
</style>
```
Then, copy the `Client ID` and `Client Secret` and save them.
### Disable User Registration
Go to `Identity` -> `Applications`, select the `LobeChat` application, and set `Allow Register` to `false`.
<Callout type={'warning'}>
Disabling user registration is necessary to prevent users from registering through the Casdoor
login page.
</Callout>
### Configure Webhook (Optional)
> Available on Casdoor `>=1.843.0`.
Configure the Casdoor webhook so that LobeChat can receive notifications when user information is updated.
Go to `Admin` -> `Webhooks`, add a webhook, and fill in the following fields:
- URL: `https://lobe.example.com/api/webhooks/casdoor`
- Method: `POST`
- Content Type: `application/json`
- Headers: `casdoor-secret`: `Your Webhook Secret`
> The secret is generated by yourself, you can visit [https://generate-secret.vercel.app/10](https://generate-secret.vercel.app/10) to generate a 10 bit secret.
- Event: `update-user`
Save and Exit, then copy the Webhook secret and fill it in the environment variable \`CASDOOR\_WEBHOOK\_SECRET.
### Configure Environment Variables
Set the obtained `Client ID` and `Client Secret` as `AUTH_CASDOOR_ID` and `AUTH_CASDOOR_SECRET` in the LobeChat environment variables.
Configure `AUTH_CASDOOR_ISSUER` in the LobeChat environment variables as follows:
- `http://localhost:8000/` if you are in a local development environment.
- `http://CASDOOR_IP:8000/` if you are privately deploying Casdoor in a local network.
- `https://lobe-auth-api.example.com/` if you are deploying Casdoor in a public network environment.
When deploying LobeChat, you need to configure the following environment variables:
| Environment Variable | Type | Description |
| ------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `NEXT_AUTH_SECRET` | Required | A key for encrypting Auth.js session tokens. You can generate a key using the command: `openssl rand -base64 32`. |
| `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the single sign-on provider for LobeChat. Fill in `casdoor` for using Casdoor. |
| `AUTH_CASDOOR_ID` | Required | The client ID from the Casdoor application details page. |
| `AUTH_CASDOOR_SECRET` | Required | The client secret from the Casdoor application details page. |
| `AUTH_CASDOOR_ISSUER` | Required | The OpenID Connect issuer for the Casdoor provider. |
| `NEXTAUTH_URL` | Required | This URL specifies the callback address for Auth.js during OAuth verification and needs to be set only if the default generated redirect address is incorrect. `https://lobe.example.com/api/auth` |
| `CASDOOR_WEBHOOK_SECRET` | Optional | A key used to verify whether the request sent by Casdoor is legal. |
<Callout type={'tip'}>
Visit [📘 Environment Variables](/docs/self-hosting/environment-variables/auth#casdoor) for
details on related variables.
</Callout>
</Steps>
<Callout type={'info'}>
Once deployed successfully, users will be able to authenticate via Casdoor and use LobeChat.
</Callout>