experiment with seafile sso

seafile/conf/seahub_settings.py

@@ -1,5 +1,86 @@
-# -*- coding: utf-8 -*-
+## General
 SECRET_KEY = "zt^$p=*-yzytt3)1lidvsfjrq7qe+3t^$nw6wp_+bqhttxy4c!"
-
 SERVICE_URL = "https://seafile.rik.veenboer.xyz/"
 
+
+## Remote User Authentication
+ENABLE_REMOTE_USER_AUTHENTICATION = False
+
+# Optional, HTTP header, which is configured in your web server conf file,
+# used for Seafile to get user's unique id, default value is 'HTTP_REMOTE_USER'.
+REMOTE_USER_HEADER = 'X-Seafile-User'
+
+# Optional, when the value of HTTP_REMOTE_USER is not a valid email address，
+# Seafile will build a email-like unique id from the value of 'REMOTE_USER_HEADER'
+# and this domain, e.g. user1@example.com.
+REMOTE_USER_DOMAIN = 'veenboer.xyz'
+
+# Optional, whether to create new user in Seafile system, default value is True.
+# If this setting is disabled, users doesn't preexist in the Seafile DB cannot login.
+# The admin has to first import the users from external systems like LDAP.
+REMOTE_USER_CREATE_UNKNOWN_USER = True
+
+# Optional, whether to activate new user in Seafile system, default value is True.
+# If this setting is disabled, user will be unable to login by default.
+# the administrator needs to manually activate this user.
+REMOTE_USER_ACTIVATE_USER_AFTER_CREATION = True
+
+# Optional, map user attribute in HTTP header and Seafile's user attribute.
+REMOTE_USER_ATTRIBUTE_MAP = {
+    'X-Authentik-Username': 'name',
+    'X-Seafile-User': 'contact_email',
+
+    # for user info
+    # "HTTP_GIVENNAME": 'givenname',
+    # "HTTP_SN": 'surname',
+    # "HTTP_ORGANIZATION": 'institution',
+
+    # for user role
+    # 'HTTP_Shibboleth-affiliation': 'affiliation',
+}
+
+# Map affiliation to user role. Though the config name is SHIBBOLETH_AFFILIATION_ROLE_MAP,
+# it is not restricted to Shibboleth
+SHIBBOLETH_AFFILIATION_ROLE_MAP = {
+    # 'employee@uni-mainz.de': 'staff',
+    # 'member@uni-mainz.de': 'staff',
+    # 'student@uni-mainz.de': 'student',
+    # 'employee@hu-berlin.de': 'guest',
+    # 'patterns': (
+    #     ('*@hu-berlin.de', 'guest1'),
+    #     ('*@*.de', 'guest2'),
+    #     ('*', 'guest'),
+    # ),
+}
+
+
+## OAuth Authentication
+ENABLE_OAUTH = True
+
+# If create new user when he/she logs in Seafile for the first time, defalut `True`.
+OAUTH_CREATE_UNKNOWN_USER = True
+
+# If active new user when he/she logs in Seafile for the first time, defalut `True`.
+OAUTH_ACTIVATE_USER_AFTER_CREATION = True
+
+# Usually OAuth works through SSL layer. If your server is not parametrized to allow HTTPS, some method will raise an "oauthlib.oauth2.rfc6749.errors.InsecureTransportError". Set this to `True` to avoid this error.
+OAUTH_ENABLE_INSECURE_TRANSPORT = True
+
+# Client id/secret generated by authorization server when you register your client application.
+OAUTH_CLIENT_ID = "ppPkXbiyxpYKOlHdKHNM69HlzrKBz1DB9eTgvfgh"
+OAUTH_CLIENT_SECRET = "G1F5UwQyMDFSZpo8OjMLdU7TbMniWzNDJqjGHsGo1Yr03MOMM5uAw4gHLRMdxM72DLZUWWgSllEOkHk8ifBH7FVhlNw9zwc5LNOFIoXzMNZAuaJhLDlWPjWrfMCiosNT"
+
+# Callback url when user authentication succeeded. Note, the redirect url you input when you register your client application MUST be exactly the same as this value.
+OAUTH_REDIRECT_URL = 'https://seafile.rik.veenboer.xyz/oauth/callback/'
+
+OAUTH_PROVIDER_DOMAIN = 'authentik.rik.veenboer.xyz'
+OAUTH_AUTHORIZATION_URL = 'https://authentik.rik.veenboer.xyz/application/o/authorize/'
+OAUTH_TOKEN_URL = 'https://authentik.rik.veenboer.xyz/application/o/token/'
+OAUTH_USER_INFO_URL = 'https://authentik.rik.veenboer.xyz/application/o/userinfo/'
+OAUTH_SCOPE = ["user",]
+OAUTH_ATTRIBUTE_MAP = {
+    # "id": (True, "email"),  # Please keep the 'email' option unchanged to be compatible with the login of users of version 11.0 and earlier.
+    "name": (False, "name"),
+    "email": (False, "contact_email"),
+    "uid": (True, "uid"),   # Seafile v11.0 +
+}