以下是用于与各种 OAuth 2.0 和 OpenID 平台集成的示例 Directus 配置集合。
由于可用的 SSO 平台数量众多,此列表将仅涵盖最常见的配置。 鼓励为扩展和维护列表做出贡献。
js
AUTH_GOOGLE_DRIVER = 'openid'
AUTH_GOOGLE_CLIENT_ID = '...'
AUTH_GOOGLE_CLIENT_SECRET = '...'
AUTH_GOOGLE_ISSUER_URL = 'https://accounts.google.com/.well-known/openid-configuration'
AUTH_GOOGLE_IDENTIFIER_KEY = 'email'
js
AUTH_FACEBOOK_DRIVER = 'oauth2'
AUTH_FACEBOOK_CLIENT_ID = '...'
AUTH_FACEBOOK_CLIENT_SECRET = '...'
AUTH_FACEBOOK_AUTHORIZE_URL = 'https://www.facebook.com/dialog/oauth'
AUTH_FACEBOOK_ACCESS_URL = 'https://graph.facebook.com/oauth/access_token'
AUTH_FACEBOOK_PROFILE_URL = 'https://graph.facebook.com/me?fields=email'
js
AUTH_TWITTER_DRIVER = 'oauth2'
AUTH_TWITTER_CLIENT_ID = '...'
AUTH_TWITTER_CLIENT_SECRET = '-...'
AUTH_TWITTER_AUTHORIZE_URL = 'https://twitter.com/i/oauth2/authorize'
AUTH_TWITTER_ACCESS_URL = 'https://api.twitter.com/2/oauth2/token'
AUTH_TWITTER_PROFILE_URL = 'https://api.twitter.com/2/users/me'
AUTH_TWITTER_IDENTIFIER_KEY = 'data.username'
AUTH_TWITTER_SCOPE = 'tweet.read users.read'
Twitter 不提供“电子邮件”,因此我们将“用户名”定义为标识符。
Microsoft Azure
js
AUTH_MICROSOFT_DRIVER = 'openid'
AUTH_MICROSOFT_CLIENT_ID = '...'
AUTH_MICROSOFT_CLIENT_SECRET = '...'
AUTH_MICROSOFT_ISSUER_URL = 'https://login.microsoftonline.com/<your_tenant_id>/v2.0/.well-known/openid-configuration'
AUTH_MICROSOFT_IDENTIFIER_KEY = 'email'
Okta
js
AUTH_OKTA_DRIVER = 'openid'
AUTH_OKTA_CLIENT_ID = '...'
AUTH_OKTA_CLIENT_SECRET = '...'
AUTH_OKTA_ISSUER_URL = 'https://<your_okta_domain>/.well-known/openid-configuration'
AUTH_OKTA_IDENTIFIER_KEY = 'email'
Auth0
js
AUTH_AUTH0_DRIVER = 'openid'
AUTH_AUTH0_CLIENT_ID = '...'
AUTH_AUTH0_CLIENT_SECRET = '...'
AUTH_AUTH0_ISSUER_URL = 'https://<your_auth0_domain>/.well-known/openid-configuration'
AUTH_AUTH0_IDENTIFIER_KEY = 'email'
Keycloak
js
AUTH_KEYCLOAK_DRIVER = 'openid'
AUTH_KEYCLOAK_CLIENT_ID = '...'
AUTH_KEYCLOAK_CLIENT_SECRET = '...'
AUTH_KEYCLOAK_ISSUER_URL = 'http://<your_keycloak_domain>/realms/<your_keycloak_realm>/.well-known/openid-configuration'
AUTH_KEYCLOAK_IDENTIFIER_KEY = 'email'
GitHub
js
AUTH_GITHUB_DRIVER = 'oauth2'
AUTH_GITHUB_CLIENT_ID = '...'
AUTH_GITHUB_CLIENT_SECRET = '...'
AUTH_GITHUB_AUTHORIZE_URL = 'https://github.com/login/oauth/authorize'
AUTH_GITHUB_ACCESS_URL = 'https://github.com/login/oauth/access_token'
AUTH_GITHUB_PROFILE_URL = 'https://api.github.com/user'
如果验证用户没有在 GitHub 中将他们的电子邮件标记为“公开”,Directus 将无法访问它。
Discord
js
AUTH_DISCORD_DRIVER = 'oauth2'
AUTH_DISCORD_CLIENT_ID = '...'
AUTH_DISCORD_CLIENT_SECRET = '...'
AUTH_DISCORD_AUTHORIZE_URL = 'https://discord.com/api/oauth2/authorize'
AUTH_DISCORD_ACCESS_URL = 'https://discord.com/api/oauth2/token'
AUTH_DISCORD_PROFILE_URL = 'https://discord.com/api/users/@me'
Twitch
js
AUTH_TWITCH_DRIVER="openid"
AUTH_TWITCH_CLIENT_ID="..."
AUTH_TWITCH_CLIENT_SECRET="..."
AUTH_TWITCH_ISSUER_URL="https://id.twitch.tv/oauth2/.well-known/openid-configuration"
AUTH_TWITCH_SCOPE="openid user:read:email"
AUTH_TWITCH_PARAMS__CLAIMS="string:{"id_token":{"email":null}}"
AUTH_TWITCH_IDENTIFIER_KEY="email"
Apple
js
AUTH_APPLE_DRIVER="openid"
AUTH_APPLE_CLIENT_ID="..."
AUTH_APPLE_CLIENT_SECRET="..."
AUTH_APPLE_ISSUER_URL="https://appleid.apple.com/.well-known/openid-configuration"
AUTH_APPLE_IDENTIFIER_KEY="email"
AUTH_APPLE_SCOPE="name email"
AUTH_APPLE_PARAMS="{"response_mode":"form_post"}"
SAML Examples
AWS SSO
AUTH_SSO_DRIVER=saml
AUTH_PROVIDERS="AWSSSO"
AUTH_AWSSSO_idp_metadata='{Your IAM Identity Center SAML metadata file}'
AUTH_AWSSSO_sp_metadata=''
AUTH_AWSSSO_ALLOW_PUBLIC_REGISTRATION=true
AUTH_AWSSSO_DEFAULT_ROLE_ID='needs-to-be-a-valid-role-on-the-instance'
AUTH_AWSSSO_IDENTIFIER_KEY=email
AUTH_AWSSSO_EMAIL_KEY=email
- AWS SSO 文档并不那么冗长。 用户发现您可以提供
sp_metadata
ENV var 作为 EMPTY。 - 用户发现替换
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your-soo-portal-url"/>
在带有您的 AWS 门户 URL 的 IAM 身份中心 SAML 元数据文件中,修复了 Directus 上的“使用 SSO 登录”按钮的工作,而不是来自 AWS 的默认重定向。 - Directus 期望从 XML 的开头删除
<?xml version="1.0" encoding="UTF-8"?>
。
Mapping:
将电子邮件地址映射到 Directus 作为 external_identifier:
| 应用程序中的用户属性 | 映射到 IAM Identity Center 中的此字符串值或用户属性 | type |
| --- | ----------- | --- |
| Subject | ${user:email} | emailAddress |
| email | ${user:email} | unspecified |
Config:
Relay state - admin/login
Application ACS URL - https://you-directus-instance/auth/login/awssso/acs