Deploying Outline with Keycloak-based authentication using Docker
An earlier post covered deploying Outline entirely with a script from GitHub, which automates most of the process. However, that OIDC service does not support OTP and has no session timeout, so I decided to switch OIDC providers. Modifying the original project is cumbersome, so this post describes how to deploy a Keycloak OIDC server and Outline separately.
The deployment has two steps:
- Deploy the Keycloak OIDC server
- Deploy Outline
I. Keycloak OIDC deployment
1. Create a keycloak folder and a new docker-compose.yaml file:
services:
  keycloak-db:
    container_name: keycloak-db
    image: postgres:15
    restart: always
    volumes:
      - ./data/keycloak-db/:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: 123456.com
    healthcheck:
      test: [ "CMD", "pg_isready", "-q", "-d", "keycloak", "-U", "keycloak" ]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 60s
    # ports:
    #   - 5432:5432
    networks:
      - keycloak-nw
  keycloak:
    container_name: keycloak
    image: quay.io/keycloak/keycloak:26.3.3
    restart: always
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://keycloak-db:5432/keycloak
      KC_DB_USER: keycloak
      KC_DB_SCHEMA: public
      KC_DB_PASSWORD: 123456.com
      KEYCLOAK_ADMIN: ID404
      KEYCLOAK_ADMIN_PASSWORD: 123456.com
    volumes:
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 4430:8080
    depends_on:
      - keycloak-db
    networks:
      - reverseproxy-nw
      - keycloak-nw
    command:
      - start
      #- --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
      - --proxy-headers=xforwarded
      - --http-enabled=true
      - --hostname=https://wiki.fly-one.cn/keycloak
      - --hostname-backchannel-dynamic=false
      - --hostname-admin=https://wiki.fly-one.cn/keycloak
    #command: start --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --proxy edge --hostname http://wiki.test.cn:4430/ --hostname-backchannel-dynamic false --hostname-admin http://wiki.test.cn:4430
networks:
  keycloak-nw:
  reverseproxy-nw:
    external: true
Replace the domain wiki.test.cn in docker-compose.yaml with your own domain.
Run docker network create reverseproxy-nw to create the Docker network.
2. Run docker compose up -d to start Keycloak.
3. Log in at http://wiki.test.cn:4430/ and open the Administration Console.

1.1 Add a client

Note that Valid redirect URIs must be http://wiki.test.cn/auth/oidc.callback; it can also be written as http://wiki.test.cn/*
After saving, open the outline client's Credentials tab and record the Client Secret.

1.2 Add a user
Go to Users --> Add user
Note that the email must be filled in, and it must match the domain used earlier, e.g. XXX@test.cn; otherwise Outline cannot log the user in. If two-step verification is needed, select OTP under Required user actions.

Set a password for the user

II. Outline deployment
Configuration changes
- Create an outline folder and a new .env file with the following content:
#secrets/passwords
# Generated with `openssl rand -hex 32`
SECRET_KEY=e65a91c3e21ab302ba213b642cafff79686ead5ecc7bf57a0301a0c811df94cd
UTILS_SECRET=738c832f466050226896f78b6c3579722218866c458ba6c7eaad2f36ec59abc5
MINIO_ROOT_PASSWORD=
POSTGRES_PASSWORD=
#domains
URL=http://wiki.test.cn
CDN_URL=http://wiki.test.cn
ENABLE_UPDATES=true
DEBUG=cache,presenters,events,emails,mailer,utils,multiplayer,server,services
AWS_S3_ACL=private
LANGUAGE_CODE=en-us
TIME_ZONE=Asia/Shanghai
# See translate.getoutline.com for a list of available language codes and their
# percentage translated.
DEFAULT_LANGUAGE=zh_CN
# Specify what storage system to use. Possible value is one of "s3" or "local".
# For "local", the avatar images and document attachments will be saved on local disk.
FILE_STORAGE=local
# If "local" is configured for FILE_STORAGE above, then this sets the parent directory under
# which all attachments/images go. Make sure that the process has permissions to create
# this path and also to write files to it.
FILE_STORAGE_LOCAL_ROOT_DIR=/var/lib/outline/data
# Maximum allowed size for the uploaded attachment.
FILE_STORAGE_UPLOAD_MAX_SIZE=26214400
FILE_STORAGE_IMPORT_MAX_SIZE=26214400
FILE_STORAGE_WORKSPACE_IMPORT_MAX_SIZE=26214400
MAXIMUM_IMPORT_SIZE=26214400
PGSSLMODE=disable
#ALLOWED_DOMAINS=
FORCE_HTTPS=false
#oidc information
OIDC_CLIENT_ID=outline
OIDC_CLIENT_SECRET=D8t8KFH6K127GCPW02PvAlbPc2Fo5zp4
OIDC_AUTH_URI=http://wiki.test.cn:4430/realms/master/protocol/openid-connect/auth
OIDC_TOKEN_URI=http://wiki.test.cn:4430/realms/master/protocol/openid-connect/token
OIDC_USERINFO_URI=http://wiki.test.cn:4430/realms/master/protocol/openid-connect/userinfo
#OIDC_LOGOUT_URI=http://wiki.test.cn:4430/realms/master/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Fwiki.test.cn%2F
OIDC_LOGOUT_URI=http://wiki.test.cn:4430/realms/master/protocol/openid-connect/logout?client_id=outline&post_logout_redirect_uri=http%3A%2F%2Fwiki.test.cn%2F
OIDC_DISABLE_REDIRECT=true
OIDC_DISPLAY_NAME=OpenID
OIDC_USERNAME_CLAIM=preferred_username
OIDC_SCOPES=openid profile email
#smtp information
SMTP_HOST=
SMTP_PORT=
SMTP_FROM_EMAIL=
SMTP_REPLY_EMAIL=
SMTP_SECURE=
Replace the domain wiki.test.cn with your own domain.
- Edit the OIDC information in the .env file

Replace OIDC_CLIENT_SECRET with the Client Secret generated in 1.1.
Start Outline
Create the docker-compose.yaml file with the following content:
services:
  outline_redis:
    image: redis
    restart: always
    container_name: outline_redis
    networks:
      - outline-internal
  outline_postgres:
    image: postgres:15
    restart: always
    container_name: outline_postgres
    security_opt:
      - label:disable
    environment:
      - POSTGRES_PASSWORD=0da68aed6bd2f275749d8750
      - POSTGRES_USER=outline
      - POSTGRES_DB=outline
    networks:
      - outline-internal
    volumes:
      - ./data/outline/db:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
  outline:
    image: outlinewiki/outline:0.77.1
    user: root
    restart: always
    container_name: outline
    command: sh -c "yarn start --env=production-ssl-disabled"
    environment:
      - DATABASE_URL=postgres://outline:0da68aed6bd2f275749d8750@outline_postgres:5432/outline
      - DATABASE_URL_TEST=postgres://outline:0da68aed6bd2f275749d8750@outline_postgres:5432/outline-test
      - REDIS_URL=redis://outline_redis:6379
    depends_on:
      - outline_postgres
      - outline_redis
    volumes:
      - ./data/outline/file:/var/lib/outline/data
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    ports:
      - 80:3000
    networks:
      - outline-internal
      - reverseproxy-nw
networks:
  outline-internal:
  reverseproxy-nw:
    external: true
Run docker compose up -d to start Outline.
III. Issues encountered
3.1 Users changing their password
Users can log in at http://wiki.test.cn:4430/admin/outline/console and change it themselves.
3.2 Clicking Manage account in the user management UI shows "failed to initialize keycloak"
In both the master and outline realms, go to Clients > account-console and enter + in Web origins.

3.3 Logging out of Outline and session timeout
After logging out of Outline, logging in again does not require entering the username and password. This is because the Outline logout is not propagated to Keycloak: the user is still logged in on the Keycloak side, so no re-authentication is needed. This appears to be a bug; it was raised in Outline's issues two years ago but never properly resolved. Someone in the issue pointed out that Outline only needs to pass the OIDC_LOGIN_LOGOUT_URI to the OIDC server, but the Outline developers seem never to have dealt with it.
The current workaround is to set a session timeout in Keycloak.
In the Keycloak admin console, go to Realm settings --> Tokens --> SSO Session Idle and set the timeout.
Reference link
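As an added check (not code from the original post, Outline or Keycloak), this script parses the OIDC lines of the .env from section II and verifies the points that go wrong in 1.1 and 3.3: the three endpoints share one realm, OIDC_LOGOUT_URI carries client_id plus a post_logout_redirect_uri on the same host as URL (rather than the legacy redirect_uri form), plain-http endpoints are flagged, and Keycloak's Valid redirect URIs rule is applied to the callback. The embedded .env text is constructed from the post's placeholder domain and contains no real secret.

```python
from urllib.parse import urlsplit, parse_qs
# Constructed sample: the OIDC lines of the post's .env (placeholder domain, no real secret).
ENV_TEXT = """
URL=http://wiki.test.cn
OIDC_CLIENT_ID=outline
OIDC_AUTH_URI=http://wiki.test.cn:4430/realms/master/protocol/openid-connect/auth
OIDC_TOKEN_URI=http://wiki.test.cn:4430/realms/master/protocol/openid-connect/token
OIDC_USERINFO_URI=http://wiki.test.cn:4430/realms/master/protocol/openid-connect/userinfo
OIDC_LOGOUT_URI=http://wiki.test.cn:4430/realms/master/protocol/openid-connect/logout?client_id=outline&post_logout_redirect_uri=http%3A%2F%2Fwiki.test.cn%2F
"""
def parse_env(text):
    """Minimal KEY=VALUE parser; blank lines and '#' comments are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def realm_issuer(uri):
    """scheme://host[:port]/realms/<realm> of a Keycloak endpoint URL."""
    p = urlsplit(uri)
    parts = p.path.split("/")
    i = parts.index("realms")
    return f"{p.scheme}://{p.netloc}/" + "/".join(parts[i:i + 2])

def check_oidc_env(env):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    issuers = {realm_issuer(env[k]) for k in ("OIDC_AUTH_URI", "OIDC_TOKEN_URI", "OIDC_USERINFO_URI")}
    if len(issuers) != 1:
        findings.append("auth/token/userinfo endpoints belong to different realms")
    q = parse_qs(urlsplit(env["OIDC_LOGOUT_URI"]).query)
    if "post_logout_redirect_uri" not in q:
        # The old ?redirect_uri= form only works with the legacy-logout-redirect-uri SPI flag.
        findings.append("logout URI lacks post_logout_redirect_uri")
    else:
        if q.get("client_id", [""])[0] != env["OIDC_CLIENT_ID"]:
            findings.append("logout URI client_id does not match OIDC_CLIENT_ID")
        if urlsplit(q["post_logout_redirect_uri"][0]).netloc != urlsplit(env["URL"]).netloc:
            findings.append("post_logout_redirect_uri host differs from URL")
    if any(urlsplit(env[k]).scheme != "https" for k in ("URL", "OIDC_AUTH_URI", "OIDC_TOKEN_URI")):
        findings.append("plain http: tokens and the client secret travel unencrypted")
    return findings

def redirect_uri_allowed(callback, valid_redirect_uris):
    """Keycloak 'Valid redirect URIs' rule: exact match, or a trailing-'*' prefix match."""
    return any(callback == p or (p.endswith("*") and callback.startswith(p[:-1]))
               for p in valid_redirect_uris)
```

Run check_oidc_env(parse_env(open(".env").read())) against your real file; the only finding for the sample above is the plain-http warning, which FORCE_HTTPS=false in the post's setup leaves in place.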
IV. Updates
4.1 Update 2024-02-22
Yesterday I found that Outline version 0.75.1 added support for the OIDC_LOGOUT_URI parameter.
Add the parameter OIDC_LOGOUT_URI=http://wiki.test.cn:4430/realms/admin/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Fwiki.test.cn%2F to the .env file.
Also adjust Keycloak's docker compose file: add the parameter --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true to the command section.
After the change:
command: start --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --proxy edge --hostname=wiki.test.cn --hostname-port=4430 --hostname-strict-backchannel=true --hostname-admin-url=http://wiki.test.cn:4430/
4.2 Update 2024-06-17
After upgrading Keycloak to 25.0.0, the old hostname v1 configuration no longer applies and must be changed. The command parameters in Keycloak's docker compose file are modified as follows:
command: start --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --proxy edge --hostname https://wiki.test.cn:4430/ --hostname-backchannel-dynamic false --hostname-admin https://wiki.test.cn:4430
