Docs: Improve oauth configuration documentation and examples (#7675)

### What problem does this PR solve? Improve oauth configuration documentation and examples. - Related pull requests: - #7379 - #7553 - #7587 - Related issues: - #3495 ### Type of change - [x] Documentation Update
2025-06-26 22:19:57 +00:00 · 2025-05-16 14:17:39 +08:00 · 2025-05-16 14:17:39 +08:00 · 205974c359
commit 205974c359
parent 04edf9729f
5 changed files with 101 additions and 61 deletions
--- a/api/apps/auth/README.md
+++ b/api/apps/auth/README.md
@ -17,16 +17,16 @@ oauth_config = {
    "type": "oauth2",
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
-    "authorization_url": "https://provider.com/oauth/authorize",
-    "token_url": "https://provider.com/oauth/token",
-    "userinfo_url": "https://provider.com/oauth/userinfo",
+    "authorization_url": "https://your-oauth-provider.com/oauth/authorize",
+    "token_url": "https://your-oauth-provider.com/oauth/token",
+    "userinfo_url": "https://your-oauth-provider.com/oauth/userinfo",
    "redirect_uri": "https://your-app.com/v1/user/oauth/callback/<channel>"
 }

 # OIDC configuration
 oidc_config = {
    "type": "oidc",
-    "issuer": "https://provider.com/v1/oidc",
+    "issuer": "https://your-oauth-provider.com/oidc",
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
    "redirect_uri": "https://your-app.com/v1/user/oauth/callback/<channel>"
--- a/conf/service_conf.yaml
+++ b/conf/service_conf.yaml
@ -63,28 +63,28 @@ redis:
 #   api_key: 'sk-xxxxxxxxxxxxx'
 #   base_url: ''
 # oauth:
-#   github:
-#     type: github
-#     icon: github
-#     display_name: "Github"
-#     client_id: xxxxxxxxxxxxxxxxxxxxxxxxx
-#     client_secret: xxxxxxxxxxxxxxxxxxxxxxxx
-#     redirect_uri: https://your-app.com/v1/user/oauth/callback/github
-#   feishu:
-#     app_id: cli_xxxxxxxxxxxxxxxxxxx
-#     app_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-#     app_access_token_url: https://open.feishu.cn/open-apis/auth/v3/app_access_token/internal
-#     user_access_token_url: https://open.feishu.cn/open-apis/authen/v1/oidc/access_token
-#     grant_type: 'authorization_code'
-#   custom_channel:
-#     type: oidc
-#     icon: sso
-#     display_name: "Custom Channel"
-#     issuer: https://provider.com/v1/oidc
-#     client_id: xxxxxxxxxxxxxxxxxxxxxxxxx
-#     client_secret: xxxxxxxxxxxxxxxxxxxxxxxx
+#   oauth2:
+#     display_name: "OAuth2"
+#     client_id: "your_client_id"
+#     client_secret: "your_client_secret"
+#     authorization_url: "https://your-oauth-provider.com/oauth/authorize"
+#     token_url: "https://your-oauth-provider.com/oauth/token"
+#     userinfo_url: "https://your-oauth-provider.com/oauth/userinfo"
+#     redirect_uri: "https://your-app.com/v1/user/oauth/callback/oauth2"
+#   oidc:
+#     display_name: "OIDC"
+#     client_id: "your_client_id"
+#     client_secret: "your_client_secret"
+#     issuer: "https://your-oauth-provider.com/oidc"
 #     scope: "openid email profile"
-#     redirect_uri: https://your-app.com/v1/user/oauth/callback/custom_channel
+#     redirect_uri: "https://your-app.com/v1/user/oauth/callback/oidc"
+#   github:
+#     type: "github"
+#     icon: "github"
+#     display_name: "Github"
+#     client_id: "your_client_id"
+#     client_secret: "your_client_secret"
+#     redirect_uri: "https://your-app.com/v1/user/oauth/callback/github"
 # authentication:
 #   client:
 #     switch: false
--- a/docker/README.md
+++ b/docker/README.md
@ -154,9 +154,20 @@ The [.env](./.env) file contains important environment variables for Docker.
  - `addressing_style`: Optional. The style of addressing to use for the S3 endpoint. This can be `path` or `virtual`.
  - `prefix_path`: Optional. A prefix path to prepend to file names in the S3 bucket, which can help organize files within the bucket.

- `oauth`  
-  The OAuth configuration for signing up or signing in to RAGFlow using a third-party account.  It is disabled by default. To enable this feature, uncomment the corresponding lines in **service_conf.yaml.template**.
-  - `github`: The GitHub authentication settings for your application. Visit the [Github Developer Settings page](https://github.com/settings/developers) to obtain your client_id and secret_key.
+- `oauth`
+  The OAuth configuration for signing up or signing in to RAGFlow using a third-party account.
+  - `<channel>`: Custom channel ID.
+    - `type`: Authentication type, options include `oauth2`, `oidc`, `github`. Default is `oauth2`, when `issuer` parameter is provided, defaults to `oidc`.
+    - `icon`: Icon ID, options include `github`, `sso`, default is `sso`.
+    - `display_name`: Channel name, defaults to the Title Case format of the channel ID.
+    - `client_id`: Required, unique identifier assigned to the client application.
+    - `client_secret`: Required, secret key for the client application, used for communication with the authentication server.
+    - `authorization_url`: Base URL for obtaining user authorization.
+    - `token_url`: URL for exchanging authorization code and obtaining access token.
+    - `userinfo_url`: URL for obtaining user information (username, email, etc.).
+    - `issuer`: Base URL of the identity provider. OIDC clients can dynamically obtain the identity provider's metadata (`authorization_url`, `token_url`, `userinfo_url`) through `issuer`.
+    - `scope`: Requested permission scope, a space-separated string. For example, `openid profile email`.
+    - `redirect_uri`: Required, URI to which the authorization server redirects during the authentication flow to return results. Must match the callback URI registered with the authentication server. Format: `https://your-app.com/v1/user/oauth/callback/<channel>`. For local configuration, you can directly use `http://127.0.0.1:80/v1/user/oauth/callback/<channel>`.

 - `user_default_llm`  
  The default LLM to use for a new RAGFlow user. It is disabled by default. To enable this feature, uncomment the corresponding lines in **service_conf.yaml.template**.  
--- a/docker/service_conf.yaml.template
+++ b/docker/service_conf.yaml.template
@ -75,28 +75,28 @@ redis:
 #     asr_model: ''
 #     image2text_model: ''
 # oauth:
-#   github:
-#     type: github
-#     icon: github
-#     display_name: "Github"
-#     client_id: xxxxxxxxxxxxxxxxxxxxxxxxx
-#     client_secret: xxxxxxxxxxxxxxxxxxxxxxxx
-#     redirect_uri: https://your-app.com/v1/user/oauth/callback/github
-#   feishu:
-#     app_id: cli_xxxxxxxxxxxxxxxxxxx
-#     app_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-#     app_access_token_url: https://open.feishu.cn/open-apis/auth/v3/app_access_token/internal
-#     user_access_token_url: https://open.feishu.cn/open-apis/authen/v1/oidc/access_token
-#     grant_type: 'authorization_code'
-#   custom_channel:
-#     type: oidc
-#     icon: sso
-#     display_name: "Custom Channel"
-#     issuer: https://provider.com/v1/oidc
-#     client_id: xxxxxxxxxxxxxxxxxxxxxxxxx
-#     client_secret: xxxxxxxxxxxxxxxxxxxxxxxx
+#   oauth2:
+#     display_name: "OAuth2"
+#     client_id: "your_client_id"
+#     client_secret: "your_client_secret"
+#     authorization_url: "https://your-oauth-provider.com/oauth/authorize"
+#     token_url: "https://your-oauth-provider.com/oauth/token"
+#     userinfo_url: "https://your-oauth-provider.com/oauth/userinfo"
+#     redirect_uri: "https://your-app.com/v1/user/oauth/callback/oauth2"
+#   oidc:
+#     display_name: "OIDC"
+#     client_id: "your_client_id"
+#     client_secret: "your_client_secret"
+#     issuer: "https://your-oauth-provider.com/oidc"
 #     scope: "openid email profile"
-#     redirect_uri: https://your-app.com/v1/user/oauth/callback/custom_channel
+#     redirect_uri: "https://your-app.com/v1/user/oauth/callback/oidc"
+#   github:
+#     type: "github"
+#     icon: "github"
+#     display_name: "Github"
+#     client_id: "your_client_id"
+#     client_secret: "your_client_secret"
+#     redirect_uri: "https://your-app.com/v1/user/oauth/callback/github"
 # authentication:
 #   client:
 #     switch: false
--- a/docs/configurations.md
+++ b/docs/configurations.md
@ -164,23 +164,52 @@ If you cannot download the RAGFlow Docker image, try the following mirrors.

 ### `oauth`  

-The OAuth configuration for signing up or signing in to RAGFlow using a third-party account.  It is disabled by default. To enable this feature, uncomment the corresponding lines in **service_conf.yaml.template**.
+The OAuth configuration for signing up or signing in to RAGFlow using a third-party account.

- `github`: The GitHub authentication settings for your application. Visit the [GitHub Developer Settings](https://github.com/settings/developers) page to obtain your client_id and secret_key.
+- `<channel>`: Custom channel ID.
+  - `type`: Authentication type, options include `oauth2`, `oidc`, `github`. Default is `oauth2`, when `issuer` parameter is provided, defaults to `oidc`.
+  - `icon`: Icon ID, options include `github`, `sso`, default is `sso`.
+  - `display_name`: Channel name, defaults to the Title Case format of the channel ID.
+  - `client_id`: Required, unique identifier assigned to the client application.
+  - `client_secret`: Required, secret key for the client application, used for communication with the authentication server.
+  - `authorization_url`: Base URL for obtaining user authorization.
+  - `token_url`: URL for exchanging authorization code and obtaining access token.
+  - `userinfo_url`: URL for obtaining user information (username, email, etc.).
+  - `issuer`: Base URL of the identity provider. OIDC clients can dynamically obtain the identity provider's metadata (`authorization_url`, `token_url`, `userinfo_url`) through `issuer`.
+  - `scope`: Requested permission scope, a space-separated string. For example, `openid profile email`.
+  - `redirect_uri`: Required, URI to which the authorization server redirects during the authentication flow to return results. Must match the callback URI registered with the authentication server. Format: `https://your-app.com/v1/user/oauth/callback/<channel>`. For local configuration, you can directly use `http://127.0.0.1:80/v1/user/oauth/callback/<channel>`.

-#### OAuth/OIDC
+:::tip NOTE 
+The following are best practices for configuring various third-party authentication methods. You can configure one or multiple third-party authentication methods for Ragflow:
+```yaml
+oauth:
+  oauth2:
+    display_name: "OAuth2"
+    client_id: "your_client_id"
+    client_secret: "your_client_secret"
+    authorization_url: "https://your-oauth-provider.com/oauth/authorize"
+    token_url: "https://your-oauth-provider.com/oauth/token"
+    userinfo_url: "https://your-oauth-provider.com/oauth/userinfo"
+    redirect_uri: "https://your-app.com/v1/user/oauth/callback/oauth2"

-RAGFlow supports OAuth/OIDC authentication through the following routes:
+  oidc:
+    display_name: "OIDC"
+    client_id: "your_client_id"
+    client_secret: "your_client_secret"
+    issuer: "https://your-oauth-provider.com/oidc"
+    scope: "openid email profile"
+    redirect_uri: "https://your-app.com/v1/user/oauth/callback/oidc"

- `/login/<channel>`: Initiates the OAuth flow for the specified channel
- `/oauth/callback/<channel>`: Handles the OAuth callback after successful authentication
-
-The callback URL should be configured in your OAuth provider as:
+  github:
+    # https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app
+    type: "github"
+    icon: "github"
+    display_name: "Github"
+    client_id: "your_client_id"
+    client_secret: "your_client_secret"
+    redirect_uri: "https://your-app.com/v1/user/oauth/callback/github"
 ```
-https://your-app.com/oauth/callback/<channel>
-```
-
-For detailed instructions on configuring **service_conf.yaml.template**, please refer to [Usage](https://github.com/infiniflow/ragflow/blob/main/api/apps/auth/README.md#usage).
+:::

 ### `user_default_llm`