lobehub / lobe-chat

🤯 Lobe Chat - an open-source, modern-design AI chat framework. Supports Multi AI Providers( OpenAI / Claude 3 / Gemini / Ollama / Azure / DeepSeek), Knowledge Base (file upload / knowledge management / RAG ), Multi-Modals (Vision/TTS) and plugin system. One-click FREE deployment of your private ChatGPT/ Claude application.
https://chat-preview.lobehub.com

[Bug] Authentication with Microsoft-entra-id and nginx/docker configuration does not work #4749

Open krauhen opened 4 days ago

krauhen commented 4 days ago

📦 Deployment environment

Docker

📌 Software version

Authentication, Microsoft Entra ID, nginx, Microsoft Azure

💻 System environment

Ubuntu

🌐 Browser

Firefox

🐛 Problem description

Hi

I hope I filled out the right fields; I can't read Chinese characters. I want to deploy a lobe-chat instance to use it company-wide with our company credentials via SSO.

Setup

Configuration

My nginx config with DOMAIN in the format of DOMAIN=my-domain.com

server {
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name DOMAIN;

    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://lobechat:3210;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

server {
    if ($host = DOMAIN) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    listen [::]:80;
    server_name DOMAIN;
}

My docker-compose.yml:

services:
  lobe-chat:
    image: lobehub/lobe-chat:v1.32.2
    container_name: lobe-chat
    hostname: lobechat
    ports:
      - "3210:3210"
    environment:
      - APP_URL=https://DOMAIN/
      - ACCESS_CODE=SAjlTtoQq...XXX
      - NEXT_AUTH_SECRET=sD8G2S...XXX
      - NEXT_AUTH_SSO_PROVIDERS=microsoft-entra-id
      - AUTH_MICROSOFT_ENTRA_ID_ID=e8022992...XXX
      - AUTH_MICROSOFT_ENTRA_ID_SECRET=J_R8Q~zYG4...XXX
      - AUTH_MICROSOFT_ENTRA_ID_TENANT_ID=55a2bc67...XXX
      - NEXTAUTH_URL=https://DOMAIN/api/auth
    restart: always
    networks:
      - cert_network

networks:
  cert_network:
    name: cert_network

Login

If I start the login process everything works fine (screenshots: lobechat_error_7, lobechat_error_4, lobechat_error_5, lobechat_error_6, lobechat_error_2),

but something is wrong with the session and I am not shown as logged in (screenshot: lobechat_error_1).

This is the dev console output (screenshot: lobechat_error_8).

The docker logs show no error (screenshot: lobechat_error_3).

Also I am confused to the max about how APP_URL, NEXT_AUTH_URL and/or PROXY_URL should be set the right way.

I beg for somebody to create an example for this generic use case.

Thanks in advance.

📷 Steps to reproduce

No response

🚦 Expected result

No response

📝 Additional information

No response
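The report above boils down to a handful of consistency checks between the environment variables, the nginx location block and the redirect URI registered in Entra ID. The following checker is an added example, not code from the issue or from the lobe-chat project; the environment values and the nginx snippet it contains are constructed placeholders shaped like the ones in the issue, the callback path `/api/auth/callback/microsoft-entra-id` is the one named later in this thread, and the 32-character minimum for `NEXT_AUTH_SECRET` is an assumed local policy rather than a project requirement.

```python
"""Consistency checker for a LobeChat deployment behind an nginx TLS proxy
with Microsoft Entra ID SSO. Added example; all sample values are constructed."""
import re
from urllib.parse import urlparse

# Constructed sample mirroring the shape of the issue's docker-compose environment.
SAMPLE_ENV = """
APP_URL=https://my-domain.example/
ACCESS_CODE=placeholder-access-code
NEXT_AUTH_SECRET=placeholder-32-byte-secret-value-xxxxxxxx
NEXT_AUTH_SSO_PROVIDERS=microsoft-entra-id
AUTH_MICROSOFT_ENTRA_ID_ID=00000000-0000-0000-0000-000000000000
AUTH_MICROSOFT_ENTRA_ID_SECRET=placeholder-client-secret
AUTH_MICROSOFT_ENTRA_ID_TENANT_ID=11111111-1111-1111-1111-111111111111
NEXTAUTH_URL=https://my-domain.example/api/auth
"""

# Constructed sample of the nginx `location /` block from the issue.
SAMPLE_NGINX_LOCATION = """
location / {
    proxy_pass http://lobechat:3210;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
"""

REQUIRED_ENTRA_VARS = (
    "AUTH_MICROSOFT_ENTRA_ID_ID",
    "AUTH_MICROSOFT_ENTRA_ID_SECRET",
    "AUTH_MICROSOFT_ENTRA_ID_TENANT_ID",
)
# Headers a TLS-terminating proxy must pass so Auth.js rebuilds its public https URL.
REQUIRED_PROXY_HEADERS = ("Host", "X-Forwarded-Proto")
MIN_SECRET_LEN = 32  # assumed local policy, not a lobe-chat requirement

def parse_env(text):
    """Parse KEY=VALUE lines (optionally prefixed with '- ' as in compose)."""
    env = {}
    for line in text.splitlines():
        line = line.strip().lstrip("- ")
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env

def origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"

def expected_redirect_uri(env):
    """Redirect URI that must be registered on the Entra ID app (path from this thread)."""
    return origin(env["NEXTAUTH_URL"]) + "/api/auth/callback/microsoft-entra-id"

def forwarded_headers(nginx_location):
    return set(re.findall(r"proxy_set_header\s+(\S+)\s", nginx_location))

def check_deployment(env_text, nginx_location):
    """Return a list of findings; an empty list means every check passed."""
    env = parse_env(env_text)
    findings = []
    app, auth = env.get("APP_URL", ""), env.get("NEXTAUTH_URL", "")
    if not app or not auth:
        findings.append("APP_URL and NEXTAUTH_URL must both be set")
    else:
        if origin(app) != origin(auth):
            findings.append(f"APP_URL origin {origin(app)} differs from NEXTAUTH_URL origin {origin(auth)}")
        if urlparse(auth).scheme != "https":
            findings.append("NEXTAUTH_URL must be https when TLS terminates at nginx")
        if urlparse(auth).path.rstrip("/") != "/api/auth":
            findings.append("NEXTAUTH_URL path should be /api/auth")
    if "microsoft-entra-id" not in env.get("NEXT_AUTH_SSO_PROVIDERS", "").split(","):
        findings.append("NEXT_AUTH_SSO_PROVIDERS does not list microsoft-entra-id")
    for var in REQUIRED_ENTRA_VARS:
        if not env.get(var):
            findings.append(f"{var} is empty")
    if len(env.get("NEXT_AUTH_SECRET", "")) < MIN_SECRET_LEN:
        findings.append(f"NEXT_AUTH_SECRET is shorter than {MIN_SECRET_LEN} characters")
    for header in sorted(set(REQUIRED_PROXY_HEADERS) - forwarded_headers(nginx_location)):
        findings.append(f"nginx location does not forward {header}")
    return findings

if __name__ == "__main__":
    for finding in check_deployment(SAMPLE_ENV, SAMPLE_NGINX_LOCATION) or ["all checks passed"]:
        print(finding)
    print("register this redirect URI:", expected_redirect_uri(parse_env(SAMPLE_ENV)))
```

Run it against the real environment by replacing the two sample strings with the contents of the compose `environment:` list and the nginx `location /` block. Since nginx reaches the container over `cert_network` by hostname, the `ports: "3210:3210"` mapping in the compose file is not needed for the proxied path and only exposes the plain-HTTP listener on the host.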

lobehubbot commented 4 days ago

👀 @krauhen

Thank you for raising an issue. We will investigate into the matter and get back to you as soon as possible. Please make sure you have given us as much context as possible.

dosubot[bot] commented 4 days ago

Hey @krauhen! I'm here to help you with your bug and technical questions. Let's figure this out together!

To address the issue with Microsoft Entra ID authentication not working correctly in your LobeChat setup, here are some steps and considerations based on similar discussions and configurations:

  1. Ensure Correct Environment Variables:

    • Make sure that the APP_URL, NEXTAUTH_URL, and PROXY_URL (if used) are set correctly. They should all point to your domain, ensuring consistency. For example:
      APP_URL=https://your-domain/
      NEXTAUTH_URL=https://your-domain/api/auth
  2. Nginx Configuration:

    • Your Nginx configuration seems mostly correct, but ensure that the proxy_set_header directives are properly set to forward headers correctly. You might want to add or adjust:
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Port $server_port;
  3. Check Microsoft Entra ID Setup:

    • Verify that the Redirect URI in your Microsoft Entra ID application matches exactly with https://your-domain/api/auth/callback/microsoft-entra-id.
    • Ensure that the Client ID, Client Secret, and Tenant ID are correctly set in your environment variables.
  4. Session Management:

    • If the session is not showing the user as logged in, it might be related to how sessions are managed or cookies are set. Ensure that your domain settings allow cookies to be set and that there are no issues with cross-domain cookies.
  5. Docker Logs and Debugging:

    • Since the Docker logs show no errors, consider increasing the verbosity of the logs if possible to capture more detailed information about the authentication process.
  6. Example Configuration:

    • For a generic use case, ensure that all URLs and domain names are consistent across your configuration files and environment variables. This consistency is crucial for the authentication flow to work correctly.

If these steps do not resolve the issue, you might want to look into any specific error messages or logs from the browser's developer console during the authentication process, as they can provide more insights into what might be going wrong.

To continue talking to Dosu, mention @dosu.

SpeedupMaster commented 4 days ago

You need to deploy the database version https://lobehub.com/docs/self-hosting/server-database/docker-compose

krauhen commented 4 days ago

> You need to deploy the database version https://lobehub.com/docs/self-hosting/server-database/docker-compose

@SpeedupMaster I only want to use Microsoft Entra ID authentication with SSO, does the lobe-chat version not support that?

SpeedupMaster commented 4 days ago

> > You need to deploy the database version https://lobehub.com/docs/self-hosting/server-database/docker-compose
>
> @SpeedupMaster I only want to use Microsoft Entra ID authentication with SSO, does the lobe-chat version not support that?

Not sure, it seems it's not supported.

gemnioo commented 2 days ago

@krauhen lobechat-database also has a small Microsoft Entra ID login error for NEXT_AUTH_URL

https://github.com/lobehub/lobe-chat/issues/4723

might need Application Security Specialist @EINDEX's help

the PROXY_URL and other Environment Variables you can find here:

https://lobehub.com/docs/self-hosting/environment-variables/basic

PROXY_URL

    Type: Optional
    Description: Used to specify the proxy URL for connecting to external services. The value of this variable should be different in different deployment environments.
    Default: -
    Example: http://127.0.0.1:7890 or socks5://localhost:7891

It is different from OPENAI_PROXY_URL or ANTHROPIC_PROXY_URL, which is a workaround through an API gateway like LiteLLM or others.

EINDEX commented 2 days ago

Hey @krauhen

I see the response code is 502 and the API you are calling is /api/auth/session, which means your SSO with Entra ID was successful, but authjs (lobe) cannot get your profile. This is too strange, because your token exchange is finished.

And I see your login page has custom branding set up; maybe there are some firewall setup issues. Could you check your network connection between the Lobe docker container and Microsoft?

Just run below commands to check the network:

If those two connections are running well, then for further troubleshooting the docker log from when you log in is necessary.
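The diagnosis above names two legs to verify: the container must reach Microsoft to exchange the code and fetch the profile, and the browser must reach `/api/auth/session` through nginx without the proxy answering 502. The script below is an added example, not EINDEX's commands and not lobe-chat code; it assumes the standard Entra ID OIDC discovery URL for a tenant, takes the tenant id and public app URL as arguments, and accepts an injectable `fetch` function so the decision logic can be exercised offline with constructed responses.

```python
"""Connectivity and session-endpoint diagnostic for a LobeChat Entra ID deployment.
Added example. Run inside the lobe-chat container for the Microsoft leg and from
the host or a client for the /api/auth/session leg."""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Standard Entra ID tenant OIDC discovery document.
DISCOVERY = "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"

def http_fetch(url, timeout=10):
    """Return (status, body); status 0 means no HTTP response at all (DNS, TLS, egress)."""
    req = urllib.request.Request(url, headers={"User-Agent": "lobe-sso-diag"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as e:
        return 0, str(e)

def diagnose(tenant_id, app_url, fetch=http_fetch):
    """Check container->Microsoft and client->nginx->lobechat; return a dict of verdicts."""
    report = {}

    # Leg 1: can we reach the tenant's discovery document and does it belong to this tenant?
    status, body = fetch(DISCOVERY.format(tenant=tenant_id))
    if status == 200:
        try:
            issuer = json.loads(body).get("issuer", "")
            report["microsoft"] = "ok" if tenant_id in issuer else f"unexpected issuer {issuer}"
        except ValueError:
            report["microsoft"] = "reachable but discovery body is not JSON (intercepting proxy?)"
    elif status == 0:
        report["microsoft"] = f"unreachable from here: {body}"
    else:
        report["microsoft"] = f"HTTP {status} (check tenant id or egress firewall)"

    # Leg 2: the session endpoint through the reverse proxy. Without the browser's
    # cookie a healthy deployment answers 200 with an empty/null session, not 502.
    status, body = fetch(urljoin(app_url, "/api/auth/session"))
    if status == 200:
        try:
            session = json.loads(body)
        except ValueError:
            session = None
        report["session"] = ("logged-in session returned" if session
                             else "endpoint healthy; anonymous because no cookie was sent")
    elif status in (502, 503, 504):
        report["session"] = (f"HTTP {status} from proxy: upstream lobechat failed or timed out "
                             "(check docker logs and container egress)")
    elif status == 0:
        report["session"] = f"cannot reach {app_url}: {body}"
    else:
        report["session"] = f"HTTP {status}"
    return report

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: diag.py <tenant-id> <https://your-domain/>")
    for leg, verdict in diagnose(sys.argv[1], sys.argv[2]).items():
        print(f"{leg}: {verdict}")
```

A 502 on the session leg with a healthy Microsoft leg points at the container itself (it crashed, timed out, or nginx cannot reach `lobechat:3210`), which is exactly where the docker logs captured during a login attempt become necessary.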