### What problem does this PR solve? Improve oauth configuration documentation and examples. - Related pull requests: - #7379 - #7553 - #7587 - Related issues: - #3495 ### Type of change - [x] Documentation Update

5 месяцев назад · 205974c359
--- a/api/apps/auth/README.md
+++ b/api/apps/auth/README.md
@@ -17,16 +17,16 @@ oauth_config = {
    "type": "oauth2",
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
    "authorization_url": "https://provider.com/oauth/authorize",
    "token_url": "https://provider.com/oauth/token",
    "userinfo_url": "https://provider.com/oauth/userinfo",
    "authorization_url": "https://your-oauth-provider.com/oauth/authorize",
    "token_url": "https://your-oauth-provider.com/oauth/token",
    "userinfo_url": "https://your-oauth-provider.com/oauth/userinfo",
    "redirect_uri": "https://your-app.com/v1/user/oauth/callback/<channel>"
 }

 # OIDC configuration
 oidc_config = {
    "type": "oidc",
    "issuer": "https://provider.com/v1/oidc",
    "issuer": "https://your-oauth-provider.com/oidc",
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
    "redirect_uri": "https://your-app.com/v1/user/oauth/callback/<channel>"
--- a/conf/service_conf.yaml
+++ b/conf/service_conf.yaml
@@ -63,28 +63,28 @@ redis:
 #   api_key: 'sk-xxxxxxxxxxxxx'
 #   base_url: ''
 # oauth:
 #   oauth2:
 #     display_name: "OAuth2"
 #     client_id: "your_client_id"
 #     client_secret: "your_client_secret"
 #     authorization_url: "https://your-oauth-provider.com/oauth/authorize"
 #     token_url: "https://your-oauth-provider.com/oauth/token"
 #     userinfo_url: "https://your-oauth-provider.com/oauth/userinfo"
 #     redirect_uri: "https://your-app.com/v1/user/oauth/callback/oauth2"
 #   oidc:
 #     display_name: "OIDC"
 #     client_id: "your_client_id"
 #     client_secret: "your_client_secret"
 #     issuer: "https://your-oauth-provider.com/oidc"
 #     scope: "openid email profile"
 #     redirect_uri: "https://your-app.com/v1/user/oauth/callback/oidc"
 #   github:
 #     type: github
 #     icon: github
 #     type: "github"
 #     icon: "github"
 #     display_name: "Github"
 #     client_id: xxxxxxxxxxxxxxxxxxxxxxxxx
 #     client_secret: xxxxxxxxxxxxxxxxxxxxxxxx
 #     redirect_uri: https://your-app.com/v1/user/oauth/callback/github
 #   feishu:
 #     app_id: cli_xxxxxxxxxxxxxxxxxxx
 #     app_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
 #     app_access_token_url: https://open.feishu.cn/open-apis/auth/v3/app_access_token/internal
 #     user_access_token_url: https://open.feishu.cn/open-apis/authen/v1/oidc/access_token
 #     grant_type: 'authorization_code'
 #   custom_channel:
 #     type: oidc
 #     icon: sso
 #     display_name: "Custom Channel"
 #     issuer: https://provider.com/v1/oidc
 #     client_id: xxxxxxxxxxxxxxxxxxxxxxxxx
 #     client_secret: xxxxxxxxxxxxxxxxxxxxxxxx
 #     scope: "openid email profile"
 #     redirect_uri: https://your-app.com/v1/user/oauth/callback/custom_channel
 #     client_id: "your_client_id"
 #     client_secret: "your_client_secret"
 #     redirect_uri: "https://your-app.com/v1/user/oauth/callback/github"
 # authentication:
 #   client:
 #     switch: false
--- a/docker/README.md
+++ b/docker/README.md
@@ -154,9 +154,20 @@ The [.env](./.env) file contains important environment variables for Docker.
  - `addressing_style`: Optional. The style of addressing to use for the S3 endpoint. This can be `path` or `virtual`.
  - `prefix_path`: Optional. A prefix path to prepend to file names in the S3 bucket, which can help organize files within the bucket.

 - `oauth`  
  The OAuth configuration for signing up or signing in to RAGFlow using a third-party account.  It is disabled by default. To enable this feature, uncomment the corresponding lines in **service_conf.yaml.template**.
  - `github`: The GitHub authentication settings for your application. Visit the [Github Developer Settings page](https://github.com/settings/developers) to obtain your client_id and secret_key.
 - `oauth`
  The OAuth configuration for signing up or signing in to RAGFlow using a third-party account.
  - `<channel>`: Custom channel ID.
    - `type`: Authentication type, options include `oauth2`, `oidc`, `github`. Default is `oauth2`, when `issuer` parameter is provided, defaults to `oidc`.
    - `icon`: Icon ID, options include `github`, `sso`, default is `sso`.
    - `display_name`: Channel name, defaults to the Title Case format of the channel ID.
    - `client_id`: Required, unique identifier assigned to the client application.
    - `client_secret`: Required, secret key for the client application, used for communication with the authentication server.
    - `authorization_url`: Base URL for obtaining user authorization.
    - `token_url`: URL for exchanging authorization code and obtaining access token.
    - `userinfo_url`: URL for obtaining user information (username, email, etc.).
    - `issuer`: Base URL of the identity provider. OIDC clients can dynamically obtain the identity provider's metadata (`authorization_url`, `token_url`, `userinfo_url`) through `issuer`.
    - `scope`: Requested permission scope, a space-separated string. For example, `openid profile email`.
    - `redirect_uri`: Required, URI to which the authorization server redirects during the authentication flow to return results. Must match the callback URI registered with the authentication server. Format: `https://your-app.com/v1/user/oauth/callback/<channel>`. For local configuration, you can directly use `http://127.0.0.1:80/v1/user/oauth/callback/<channel>`.

 - `user_default_llm`  
  The default LLM to use for a new RAGFlow user. It is disabled by default. To enable this feature, uncomment the corresponding lines in **service_conf.yaml.template**.  
--- a/docker/service_conf.yaml.template
+++ b/docker/service_conf.yaml.template
@@ -75,28 +75,28 @@ redis:
 #     asr_model: ''
 #     image2text_model: ''
 # oauth:
 #   oauth2:
 #     display_name: "OAuth2"
 #     client_id: "your_client_id"
 #     client_secret: "your_client_secret"
 #     authorization_url: "https://your-oauth-provider.com/oauth/authorize"
 #     token_url: "https://your-oauth-provider.com/oauth/token"
 #     userinfo_url: "https://your-oauth-provider.com/oauth/userinfo"
 #     redirect_uri: "https://your-app.com/v1/user/oauth/callback/oauth2"
 #   oidc:
 #     display_name: "OIDC"
 #     client_id: "your_client_id"
 #     client_secret: "your_client_secret"
 #     issuer: "https://your-oauth-provider.com/oidc"
 #     scope: "openid email profile"
 #     redirect_uri: "https://your-app.com/v1/user/oauth/callback/oidc"
 #   github:
 #     type: github
 #     icon: github
 #     type: "github"
 #     icon: "github"
 #     display_name: "Github"
 #     client_id: xxxxxxxxxxxxxxxxxxxxxxxxx
 #     client_secret: xxxxxxxxxxxxxxxxxxxxxxxx
 #     redirect_uri: https://your-app.com/v1/user/oauth/callback/github
 #   feishu:
 #     app_id: cli_xxxxxxxxxxxxxxxxxxx
 #     app_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
 #     app_access_token_url: https://open.feishu.cn/open-apis/auth/v3/app_access_token/internal
 #     user_access_token_url: https://open.feishu.cn/open-apis/authen/v1/oidc/access_token
 #     grant_type: 'authorization_code'
 #   custom_channel:
 #     type: oidc
 #     icon: sso
 #     display_name: "Custom Channel"
 #     issuer: https://provider.com/v1/oidc
 #     client_id: xxxxxxxxxxxxxxxxxxxxxxxxx
 #     client_secret: xxxxxxxxxxxxxxxxxxxxxxxx
 #     scope: "openid email profile"
 #     redirect_uri: https://your-app.com/v1/user/oauth/callback/custom_channel
 #     client_id: "your_client_id"
 #     client_secret: "your_client_secret"
 #     redirect_uri: "https://your-app.com/v1/user/oauth/callback/github"
 # authentication:
 #   client:
 #     switch: false
--- a/docs/configurations.md
+++ b/docs/configurations.md
@@ -164,23 +164,52 @@ If you cannot download the RAGFlow Docker image, try the following mirrors.

 ### `oauth`  

 The OAuth configuration for signing up or signing in to RAGFlow using a third-party account.  It is disabled by default. To enable this feature, uncomment the corresponding lines in **service_conf.yaml.template**.

 - `github`: The GitHub authentication settings for your application. Visit the [GitHub Developer Settings](https://github.com/settings/developers) page to obtain your client_id and secret_key.

 #### OAuth/OIDC

 RAGFlow supports OAuth/OIDC authentication through the following routes:

 - `/login/<channel>`: Initiates the OAuth flow for the specified channel
 - `/oauth/callback/<channel>`: Handles the OAuth callback after successful authentication

 The callback URL should be configured in your OAuth provider as:
 ```
 https://your-app.com/oauth/callback/<channel>
 The OAuth configuration for signing up or signing in to RAGFlow using a third-party account.

 - `<channel>`: Custom channel ID.
  - `type`: Authentication type, options include `oauth2`, `oidc`, `github`. Default is `oauth2`, when `issuer` parameter is provided, defaults to `oidc`.
  - `icon`: Icon ID, options include `github`, `sso`, default is `sso`.
  - `display_name`: Channel name, defaults to the Title Case format of the channel ID.
  - `client_id`: Required, unique identifier assigned to the client application.
  - `client_secret`: Required, secret key for the client application, used for communication with the authentication server.
  - `authorization_url`: Base URL for obtaining user authorization.
  - `token_url`: URL for exchanging authorization code and obtaining access token.
  - `userinfo_url`: URL for obtaining user information (username, email, etc.).
  - `issuer`: Base URL of the identity provider. OIDC clients can dynamically obtain the identity provider's metadata (`authorization_url`, `token_url`, `userinfo_url`) through `issuer`.
  - `scope`: Requested permission scope, a space-separated string. For example, `openid profile email`.
  - `redirect_uri`: Required, URI to which the authorization server redirects during the authentication flow to return results. Must match the callback URI registered with the authentication server. Format: `https://your-app.com/v1/user/oauth/callback/<channel>`. For local configuration, you can directly use `http://127.0.0.1:80/v1/user/oauth/callback/<channel>`.

 :::tip NOTE 
 The following are best practices for configuring various third-party authentication methods. You can configure one or multiple third-party authentication methods for Ragflow:
 ```yaml
 oauth:
  oauth2:
    display_name: "OAuth2"
    client_id: "your_client_id"
    client_secret: "your_client_secret"
    authorization_url: "https://your-oauth-provider.com/oauth/authorize"
    token_url: "https://your-oauth-provider.com/oauth/token"
    userinfo_url: "https://your-oauth-provider.com/oauth/userinfo"
    redirect_uri: "https://your-app.com/v1/user/oauth/callback/oauth2"

  oidc:
    display_name: "OIDC"
    client_id: "your_client_id"
    client_secret: "your_client_secret"
    issuer: "https://your-oauth-provider.com/oidc"
    scope: "openid email profile"
    redirect_uri: "https://your-app.com/v1/user/oauth/callback/oidc"

  github:
    # https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app
    type: "github"
    icon: "github"
    display_name: "Github"
    client_id: "your_client_id"
    client_secret: "your_client_secret"
    redirect_uri: "https://your-app.com/v1/user/oauth/callback/github"
 ```

 For detailed instructions on configuring **service_conf.yaml.template**, please refer to [Usage](https://github.com/infiniflow/ragflow/blob/main/api/apps/auth/README.md#usage).
 :::

 ### `user_default_llm`