authsec-openclaw runs OpenClaw behind AuthSec SSO.
The current working path in this repository is a local, single-user operator setup:
- browser login goes through AuthSec
- OpenClaw sees the logged-in user identity
- "who am I?" can answer from the authenticated session context
- browser, Discord, and Windows local-machine actions work after a Windows node is paired and unlocked
This is the guide to follow if you want the setup that is working in this repo today.
- cmd/authsec-openclaw-proxy/main.go: the AuthSec reverse proxy in front of OpenClaw
- deploy/docker-compose/docker-compose.yml: the local Docker stack
- deploy/docker-compose/openclaw-config/openclaw.json: the OpenClaw gateway config used by the stack
- deploy/docker-compose/run-openclaw-node.ps1: helper for Windows node run, pairing, unlock, and status
Use this repository for:
- local development on Windows
- one operator using AuthSec SSO
- OpenClaw in Docker
- optional Discord bot integration
- local Windows command and browser access through a paired OpenClaw node
Do not treat the current checked-in config as a hardened public deployment. The local setup intentionally relaxes some Control UI auth/device rules so http://localhost:8080 works during development.
1. Install prerequisites.
   - Docker Desktop
   - PowerShell
   - Node.js + npm
   - Go if you want to rebuild the proxy locally
2. Configure the environment file.
   - Copy deploy/docker-compose/.env.example to deploy/docker-compose/.env if needed.
   - Fill in AuthSec values, gateway token, session secret, and model/provider keys.
3. Start the stack.
      cd deploy/docker-compose
      docker compose up -d --build
4. Open the proxy.
   - Local HTTP: http://localhost:8080
5. Sign in through AuthSec.
   - After login, ask "who am I?"
   - The answer should include your AuthSec identity.
6. Pair your Windows node if you want local-machine access.
   - Install the OpenClaw CLI:
      npm install -g openclaw@latest
   - From the repo root:
      powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode run
   - If the first run says "pairing required", approve the pending request from another terminal:
      docker exec openclaw-gateway sh -lc "node /app/openclaw.mjs devices list --json"
      docker exec openclaw-gateway sh -lc "node /app/openclaw.mjs devices approve <request-id> --json"
   - Then start the node again:
      powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode run
7. Unlock node exec approvals for local-machine actions.
      powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode unlock
      powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode status
8. Test local tools in chat.
   - who am I?
   - Open Notepad on node RitamKrKundu
   - Open my Downloads folder on node RitamKrKundu
   - Use the browser on node RitamKrKundu and open https://authsec.ai
Use the complete Docker and pairing guide in deploy/docker-compose/README.md.
- Browser automation and Windows app/file opening require a connected Windows node. The Docker container alone is not enough.
- /host-home is only a mounted filesystem path. It does not mean Linux-in-Docker can launch Windows GUI apps by itself.
- Discord must target a real channel or user, for example channel:<id> or user:<id>.
- Web search is different from browser automation. If you want search results through the search tool, configure a provider such as Brave Search.
From deploy/docker-compose:
      docker compose up -d --build
      docker compose up -d --build --force-recreate openclaw proxy
      docker compose logs -f openclaw proxy
      docker compose down
From the repo root:
      powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode run
      powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode unlock
      powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode status
      openclaw.cmd nodes status
- If "who am I?" does not show your identity, check internal/auth/middleware.go and confirm the proxy is writing USER.md.
- If local-machine commands fail with "SYSTEM_RUN_DENIED: approval required", run:
      powershell -ExecutionPolicy Bypass -File deploy/docker-compose/run-openclaw-node.ps1 -Mode unlock
- If OpenClaw says the node is not connected, leave the -Mode run terminal open and verify:
      openclaw.cmd nodes status
- If Discord says the target is unknown, give it a channel or user target instead of only the server name.
- Keep the gateway token, AuthSec secrets, provider keys, and Discord token out of commits and screenshots.
- The local config currently allows insecure localhost Control UI auth for development convenience.
- Before exposing this stack publicly over HTTPS, tighten the OpenClaw Control UI auth/device settings and review deploy/docker-compose/openclaw-config/openclaw.json.
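A check for the "configure the environment file" step and the secret-handling notes above, written for Node.js because it is already a prerequisite. This is an added example, not code from this repository: it compares a filled-in .env against .env.example and reports only key names, so the output can be shared without leaking values. The key names in the sample and the rule for spotting credential keys are assumptions.

```javascript
// Added example, not repository code: audit a filled-in .env against .env.example.
// Assumption: key names containing these words hold credentials. Values are never printed.
const SECRET_NAME = /TOKEN|SECRET|KEY|PASSWORD/i;
// Parse KEY=VALUE lines: skip comments, strip "export ", matching quotes, trailing "# ...".
function parseEnv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const m = /^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*?)\s*$/.exec(raw);
    if (!m) continue;
    const quoted = /^(["'])(.*)\1$/.exec(m[2]);
    vars.set(m[1], quoted ? quoted[2] : m[2].replace(/(^|\s+)#.*$/, ''));
  }
  return vars;
}

// Flag example keys that are missing, empty, or (credentials only) still at the sample value.
function auditEnv(exampleText, envText) {
  const env = parseEnv(envText);
  const report = { missing: [], empty: [], placeholder: [] };
  for (const [key, sample] of parseEnv(exampleText)) {
    if (!env.has(key)) report.missing.push(key);
    else if (env.get(key) === '') report.empty.push(key);
    else if (SECRET_NAME.test(key) && env.get(key) === sample) report.placeholder.push(key);
  }
  report.ok = !(report.missing.length || report.empty.length || report.placeholder.length);
  return report;
}

// Constructed sample input; the key names are hypothetical, not the repository's.
const SAMPLE_EXAMPLE = [
  'EXAMPLE_GATEWAY_TOKEN=change-me',
  'EXAMPLE_SESSION_SECRET=',
  'EXAMPLE_PROVIDER_API_KEY=',
  'EXAMPLE_PORT=8080',
].join('\n');
const SAMPLE_ENV = [
  'EXAMPLE_GATEWAY_TOKEN="change-me"',
  'EXAMPLE_SESSION_SECRET=   # TODO',
  'EXAMPLE_PORT=8080',
].join('\n');

// CLI: node check-env.js <path to .env.example> <path to .env>; without arguments, run the sample.
if (typeof require === 'function' && process.argv.length === 4) {
  const [ex, env] = process.argv.slice(2).map((p) => require('fs').readFileSync(p, 'utf8'));
  const report = auditEnv(ex, env);
  console.log(JSON.stringify(report, null, 2));
  process.exitCode = report.ok ? 0 : 1;
} else {
  console.log(auditEnv(SAMPLE_EXAMPLE, SAMPLE_ENV));
}
```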
Older scaffold-era docs were written before the current local single-user flow was stabilized. If something in this README conflicts with an older note elsewhere, follow this README and the Docker guide linked above.