ritamAN77/claw-auth

 
 

authsec-openclaw

authsec-openclaw runs OpenClaw behind AuthSec SSO.

The current working path in this repository is a local, single-user operator setup:

  • browser login goes through AuthSec
  • OpenClaw sees the logged-in user identity
  • asking "who am I?" is answered from the authenticated session context
  • browser, Discord, and Windows local-machine actions work after a Windows node is paired and unlocked

This is the guide to follow if you want the setup that is working in this repo today.

What Is In This Repo

  • cmd/authsec-openclaw-proxy/main.go: the AuthSec reverse proxy in front of OpenClaw
  • deploy/docker-compose/docker-compose.yml: the local Docker stack
  • deploy/docker-compose/openclaw-config/openclaw.json: the OpenClaw gateway config used by the stack
  • deploy/docker-compose/run-openclaw-node.ps1: helper for Windows node run, pairing, unlock, and status

Current Scope

Use this repository for:

  • local development on Windows
  • one operator using AuthSec SSO
  • OpenClaw in Docker
  • optional Discord bot integration
  • local Windows command and browser access through a paired OpenClaw node

Do not treat the current checked-in config as a hardened public deployment. The local setup intentionally relaxes some Control UI auth/device rules so http://localhost:8080 works during development.

Quick Start

  1. Install prerequisites.

    • Docker Desktop
    • PowerShell
    • Node.js + npm
    • Go if you want to rebuild the proxy locally
  2. Configure the environment file.

    • Copy deploy/docker-compose/.env.example to deploy/docker-compose/.env if needed.
    • Fill in AuthSec values, gateway token, session secret, and model/provider keys.
  3. Start the stack.

    cd deploy/docker-compose
    docker compose up -d --build
  4. Open the proxy.

    • Local HTTP: http://localhost:8080
  5. Sign in through AuthSec.

    • After login, ask "who am I?"
    • The answer should include your AuthSec identity.
  6. Pair your Windows node if you want local-machine access.

    • Install the OpenClaw CLI:
    npm install -g openclaw@latest
    • From the repo root:
    powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode run
    • If the first run says pairing required, approve the pending request from another terminal:
    docker exec openclaw-gateway sh -lc "node /app/openclaw.mjs devices list --json"
    docker exec openclaw-gateway sh -lc "node /app/openclaw.mjs devices approve <request-id> --json"
    • Then start the node again:
    powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode run
  7. Unlock node exec approvals for local-machine actions.

    powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode unlock
    powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode status
  8. Test local tools in chat.

    • who am I?
    • Open Notepad on node RitamKrKundu
    • Open my Downloads folder on node RitamKrKundu
    • Use the browser on node RitamKrKundu and open https://authsec.ai

Full Runbook

Use the complete Docker and pairing guide in deploy/docker-compose/README.md.

Tooling Notes

  • Browser automation and Windows app/file opening require a connected Windows node. The Docker container alone is not enough.
  • /host-home is only a mounted filesystem path. It does not mean Linux-in-Docker can launch Windows GUI apps by itself.
  • Discord must target a real channel or user, for example channel:<id> or user:<id>.
  • Web search is different from browser automation. If you want search results through the search tool, configure a provider such as Brave Search.

Useful Commands

From deploy/docker-compose:

docker compose up -d --build
docker compose up -d --build --force-recreate openclaw proxy
docker compose logs -f openclaw proxy
docker compose down

From the repo root:

powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode run
powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode unlock
powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode status
openclaw.cmd nodes status

Troubleshooting

  • If "who am I?" does not show your identity, check internal/auth/middleware.go and confirm the proxy is writing USER.md.
  • If local-machine commands fail with SYSTEM_RUN_DENIED: approval required, run:
    powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode unlock
  • If OpenClaw says the node is not connected, leave the -Mode run terminal open and verify:
    openclaw.cmd nodes status
  • If Discord says the target is unknown, give it a channel or user target instead of only the server name.

Security Notes

  • Keep the gateway token, AuthSec secrets, provider keys, and Discord token out of commits and screenshots.
  • The local config currently allows insecure localhost Control UI auth for development convenience.
  • Before exposing this stack publicly over HTTPS, tighten the OpenClaw Control UI auth/device settings and review deploy/docker-compose/openclaw-config/openclaw.json.
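
An added example, not code from this repository: a small Go check to run over the contents of deploy/docker-compose/openclaw-config/openclaw.json before the stack is exposed, listing every boolean setting that is switched on and whose key name contains "insecure" or starts with "dangerously". The name match is a heuristic and the key names in the constructed sample are assumptions, so compare the output with the file itself; the check expects strict JSON without comments.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// walk collects dotted paths of boolean settings that are true and whose key
// name suggests a relaxed control (heuristic: "insecure" / "dangerously...").
func walk(prefix string, v any, out *[]string) {
	switch t := v.(type) {
	case map[string]any:
		for k, child := range t {
			path := strings.TrimPrefix(prefix+"."+k, ".")
			n := strings.ToLower(k)
			risky := strings.Contains(n, "insecure") || strings.HasPrefix(n, "dangerously")
			if on, ok := child.(bool); ok && on && risky {
				*out = append(*out, path)
			}
			walk(path, child, out)
		}
	case []any:
		for i, child := range t {
			walk(fmt.Sprintf("%s[%d]", prefix, i), child, out)
		}
	}
}

// AuditConfig parses strict JSON and returns the sorted paths that walk flags.
func AuditConfig(raw []byte) ([]string, error) {
	var doc any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	var hits []string
	walk("", doc, &hits)
	sort.Strings(hits)
	return hits, nil
}

// Constructed sample; the key names are assumptions, not the repo's file.
const sampleConfig = `{"gateway": {"controlUi": {"enabled": true,
	"allowInsecureAuth": true, "dangerouslyDisableDeviceAuth": true}}}`

func main() {
	hits, err := AuditConfig([]byte(sampleConfig))
	fmt.Println(hits, err)
}
```

An empty result only means no key matched the name heuristic; it does not replace reading the Control UI auth/device section of the file.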

Legacy Docs

Older scaffold-era docs were written before the current local single-user flow was stabilized. If something in this README conflicts with an older note elsewhere, follow this README and the Docker guide linked above.
