refactor(keycloak): remove authentik naming and switch to keycloak-only paths
This commit is contained in:
Chris
@@ -11,60 +11,23 @@ cp .env.example .env
|
||||
./scripts/start_dev.sh
|
||||
```
|
||||
|
||||
## Required DB setup
|
||||
## Keycloak env
|
||||
|
||||
1. Initialize API client whitelist table with `docs/API_CLIENTS_SQL.sql`.
|
||||
2. Initialize core tables with `backend/scripts/init_schema.sql`.
|
||||
3. Generate `api_key_hash` and update `api_clients` records, e.g.:
|
||||
|
||||
```bash
|
||||
python scripts/generate_api_key_hash.py 'YOUR_PLAIN_KEY'
|
||||
```
|
||||
|
||||
## IdP JWT setup(Keycloak 優先)
|
||||
|
||||
- 若設定 `KEYCLOAK_BASE_URL` + `KEYCLOAK_REALM`,後端會優先走 Keycloak。
|
||||
- 未設定 Keycloak 時,才走 `AUTHENTIK_*`。
|
||||
|
||||
### Keycloak
|
||||
- 必填:
|
||||
- Required:
|
||||
- `KEYCLOAK_BASE_URL`
|
||||
- `KEYCLOAK_REALM`
|
||||
- `KEYCLOAK_CLIENT_ID`
|
||||
- `KEYCLOAK_CLIENT_SECRET`
|
||||
- 可選:
|
||||
- `KEYCLOAK_ISSUER`(預設:`<base>/realms/<realm>`)
|
||||
- `KEYCLOAK_JWKS_URL`(預設:`<issuer>/protocol/openid-connect/certs`)
|
||||
- `KEYCLOAK_TOKEN_ENDPOINT`(預設:`<issuer>/protocol/openid-connect/token`)
|
||||
- `KEYCLOAK_USERINFO_ENDPOINT`(預設:`<issuer>/protocol/openid-connect/userinfo`)
|
||||
- `KEYCLOAK_AUDIENCE`
|
||||
- `KEYCLOAK_VERIFY_TLS`(預設 true)
|
||||
|
||||
### Authentik(備援)
|
||||
|
||||
- Configure at least one of:
|
||||
- `AUTHENTIK_JWKS_URL`
|
||||
- `AUTHENTIK_ISSUER` (the service infers `<issuer>/jwks/`)
|
||||
- Optional:
|
||||
- `AUTHENTIK_AUDIENCE` (enables audience claim validation)
|
||||
- `AUTHENTIK_CLIENT_ID` (used by `/auth/login`, fallback to `AUTHENTIK_AUDIENCE`)
|
||||
- `AUTHENTIK_CLIENT_SECRET` (required if your access/id token uses HS256 signing)
|
||||
- `AUTHENTIK_TOKEN_ENDPOINT` (default: `<AUTHENTIK_BASE_URL>/application/o/token/`)
|
||||
- `AUTHENTIK_USERINFO_ENDPOINT` (optional, default inferred from issuer/base URL; used to fill missing email/name claims)
|
||||
|
||||
## IdP Admin API setup
|
||||
|
||||
- Keycloak(優先)
|
||||
- `KEYCLOAK_BASE_URL`
|
||||
- `KEYCLOAK_REALM`
|
||||
- `KEYCLOAK_ADMIN_CLIENT_ID`
|
||||
- `KEYCLOAK_ADMIN_CLIENT_SECRET`
|
||||
- `KEYCLOAK_ADMIN_REALM`(可選,預設同 `KEYCLOAK_REALM`)
|
||||
|
||||
- Authentik(備援)
|
||||
- `AUTHENTIK_BASE_URL`
|
||||
- `AUTHENTIK_ADMIN_TOKEN`
|
||||
- `AUTHENTIK_VERIFY_TLS`
|
||||
- Optional:
|
||||
- `KEYCLOAK_ADMIN_REALM` (default = `KEYCLOAK_REALM`)
|
||||
- `KEYCLOAK_ISSUER`
|
||||
- `KEYCLOAK_JWKS_URL`
|
||||
- `KEYCLOAK_TOKEN_ENDPOINT`
|
||||
- `KEYCLOAK_USERINFO_ENDPOINT`
|
||||
- `KEYCLOAK_AUDIENCE`
|
||||
- `KEYCLOAK_VERIFY_TLS`
|
||||
|
||||
## Main APIs
|
||||
|
||||
@@ -75,19 +38,4 @@ python scripts/generate_api_key_hash.py 'YOUR_PLAIN_KEY'
|
||||
- `GET /me/permissions/snapshot` (Bearer token required)
|
||||
- `POST /internal/users/upsert-by-sub`
|
||||
- `GET /internal/permissions/{user_sub}/snapshot`
|
||||
- `POST /internal/idp/users/ensure`(相容:`/internal/authentik/users/ensure`)
|
||||
- `POST /admin/permissions/grant`
|
||||
- `POST /admin/permissions/revoke`
|
||||
- `GET|POST /admin/systems`
|
||||
- `GET|POST /admin/modules`
|
||||
- `GET|POST /admin/companies`
|
||||
- `GET|POST /admin/sites`
|
||||
- `GET /admin/members`
|
||||
- `GET|POST /admin/permission-groups`
|
||||
- `POST|DELETE /admin/permission-groups/{group_key}/members/{user_sub}`
|
||||
- `POST /admin/permission-groups/{group_key}/permissions/grant|revoke`
|
||||
- `GET /internal/systems`
|
||||
- `GET /internal/modules`
|
||||
- `GET /internal/companies`
|
||||
- `GET /internal/sites`
|
||||
- `GET /internal/members`
|
||||
- `POST /internal/idp/users/ensure`
|
||||
|
||||
Reference in New Issue
Block a user