SSO示例 sso Example

用于与各种 OAuth 2.0、OpenID 和 SAML 平台集成的示例 Directus 配置的集合。

以下是用于与各种 OAuth 2.0 和 OpenID 平台集成的示例 Directus 配置集合。

由于可用的 SSO 平台数量众多,此列表将仅涵盖最常见的配置。 鼓励为扩展和维护列表做出贡献。

Google

js
AUTH_GOOGLE_DRIVER="openid"
AUTH_GOOGLE_CLIENT_ID="..."
AUTH_GOOGLE_CLIENT_SECRET="..."
AUTH_GOOGLE_ISSUER_URL="https://accounts.google.com/.well-known/openid-configuration"
AUTH_GOOGLE_IDENTIFIER_KEY="email"

Facebook

js
AUTH_FACEBOOK_DRIVER="oauth2"
AUTH_FACEBOOK_CLIENT_ID="..."
AUTH_FACEBOOK_CLIENT_SECRET="..."
AUTH_FACEBOOK_AUTHORIZE_URL="https://www.facebook.com/dialog/oauth"
AUTH_FACEBOOK_ACCESS_URL="https://graph.facebook.com/oauth/access_token"
AUTH_FACEBOOK_PROFILE_URL="https://graph.facebook.com/me?fields=email"

Twitter

js
AUTH_TWITTER_DRIVER="oauth2"
AUTH_TWITTER_CLIENT_ID="..."
AUTH_TWITTER_CLIENT_SECRET="-..."
AUTH_TWITTER_AUTHORIZE_URL="https://twitter.com/i/oauth2/authorize"
AUTH_TWITTER_ACCESS_URL="https://api.twitter.com/2/oauth2/token"
AUTH_TWITTER_PROFILE_URL="https://api.twitter.com/2/users/me"
AUTH_TWITTER_IDENTIFIER_KEY="data.username"
AUTH_TWITTER_SCOPE="tweet.read users.read"

Twitter 不提供“电子邮件”,因此我们将“用户名”定义为标识符。

Microsoft Azure

js
AUTH_MICROSOFT_DRIVER="openid"
AUTH_MICROSOFT_CLIENT_ID="..."
AUTH_MICROSOFT_CLIENT_SECRET="..."
AUTH_MICROSOFT_ISSUER_URL="https://login.microsoftonline.com/<your_tenant_id>/v2.0/.well-known/openid-configuration"
AUTH_MICROSOFT_IDENTIFIER_KEY="email"

Okta

js
AUTH_OKTA_DRIVER="openid"
AUTH_OKTA_CLIENT_ID="..."
AUTH_OKTA_CLIENT_SECRET= "..."
AUTH_OKTA_ISSUER_URL="https://<your_okta_domain>/.well-known/openid-configuration"
AUTH_OKTA_IDENTIFIER_KEY="email"

Auth0

js
AUTH_AUTH0_DRIVER="openid"
AUTH_AUTH0_CLIENT_ID="..."
AUTH_AUTH0_CLIENT_SECRET="..."
AUTH_AUTH0_ISSUER_URL="https://<your_auth0_domain>/.well-known/openid-configuration"
AUTH_AUTH0_IDENTIFIER_KEY="email"

Keycloak

js
AUTH_KEYCLOAK_DRIVER="openid"
AUTH_KEYCLOAK_CLIENT_ID="..."
AUTH_KEYCLOAK_CLIENT_SECRET="..."
AUTH_KEYCLOAK_ISSUER_URL="http://<your_keycloak_domain>/realms/<your_keycloak_realm>/.well-known/openid-configuration"
AUTH_KEYCLOAK_IDENTIFIER_KEY="email"

GitHub

js
AUTH_GITHUB_DRIVER="oauth2"
AUTH_GITHUB_CLIENT_ID="..."
AUTH_GITHUB_CLIENT_SECRET="..."
AUTH_GITHUB_AUTHORIZE_URL="https://github.com/login/oauth/authorize"
AUTH_GITHUB_ACCESS_URL="https://github.com/login/oauth/access_token"
AUTH_GITHUB_PROFILE_URL="https://api.github.com/user"

如果验证用户没有在 GitHub 中将他们的电子邮件标记为“公开”,Directus 将无法访问它。

Discord

js
AUTH_DISCORD_DRIVER="oauth2"
AUTH_DISCORD_CLIENT_ID="..."
AUTH_DISCORD_CLIENT_SECRET="..."
AUTH_DISCORD_AUTHORIZE_URL="https://discord.com/api/oauth2/authorize"
AUTH_DISCORD_ACCESS_URL="https://discord.com/api/oauth2/token"
AUTH_DISCORD_PROFILE_URL="https://discord.com/api/users/@me"

Twitch

js
AUTH_TWITCH_DRIVER="openid"
AUTH_TWITCH_CLIENT_ID="..."
AUTH_TWITCH_CLIENT_SECRET="..."
AUTH_TWITCH_ISSUER_URL="https://id.twitch.tv/oauth2/.well-known/openid-configuration"
AUTH_TWITCH_SCOPE="openid user:read:email"
AUTH_TWITCH_PARAMS__CLAIMS="string:{"id_token":{"email":null}}"
AUTH_TWITCH_IDENTIFIER_KEY="email"

Apple

js
AUTH_APPLE_DRIVER="openid"
AUTH_APPLE_CLIENT_ID="..."
AUTH_APPLE_CLIENT_SECRET="..."
AUTH_APPLE_ISSUER_URL="https://appleid.apple.com/.well-known/openid-configuration"
AUTH_APPLE_IDENTIFIER_KEY="email"
AUTH_APPLE_SCOPE="name email"
AUTH_APPLE_PARAMS="{"response_mode":"form_post"}"

SAML Examples

AWS SSO

AUTH_SSO_DRIVER=saml
AUTH_PROVIDERS="AWSSSO"
AUTH_AWSSSO_idp_metadata='{Your IAM Identity Center SAML metadata file}'
AUTH_AWSSSO_sp_metadata=''
AUTH_AWSSSO_ALLOW_PUBLIC_REGISTRATION=true
AUTH_AWSSSO_DEFAULT_ROLE_ID='needs-to-be-a-valid-role-on-the-instance'
AUTH_AWSSSO_IDENTIFIER_KEY=email
AUTH_AWSSSO_EMAIL_KEY=email
  • AWS SSO 文档并不那么冗长。 用户发现您可以提供 sp_metadata ENV var 作为 EMPTY。
  • 用户发现替换<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your-soo-portal-url"/> 在带有您的 AWS 门户 URL 的 IAM 身份中心 SAML 元数据文件中,修复了 Directus 上的“使用 SSO 登录”按钮的工作,而不是来自 AWS 的默认重定向。
  • Directus 期望从 XML 的开头删除<?xml version="1.0" encoding="UTF-8"?>

Mapping:

将电子邮件地址映射到 Directus 作为 external_identifier:

| 应用程序中的用户属性 | 映射到 IAM Identity Center 中的此字符串值或用户属性 | type |
| --- | ----------- | --- |
| Subject | ${user:email} | emailAddress |
| email | ${user:email} | unspecified |

Config:

Relay state - admin/login Application ACS URL - https://you-directus-instance/auth/login/awssso/acs