IDP Service Configuration

Table of Contents

Introduction
Default Values
Configuration
- Environment Variables
- YAML Example

Introduction

The Infinite Scale IDP service provides a built-in minimal OpenID Connect provider.

The IDP service is mainly suitable for smaller installations. The recommendation for larger setups is to replace IDP with and external OpenID Connect Provider. See the Docker Compose Examples (ocis_keycloak) for more details.

By default, the IDP service is configured to use the Infinite Scale IDM service as its LDAP backend for looking up and authenticating users. Other backends like an external LDAP server can be configured via a set of environment variables. For details see below.

The IDP service is by design limited in its functionality:

IDP does NOT support branding or theming.
This also means that there is no possibility to customize the login screen.
IDP has no brute force protection like external IDP’s have.
This means that there is no "invalid credential" logged on consecutive failed login attempts.

Therefore the IDP service is not meant to replace an external OpenID Connect Provider.

To use the embedded IDP service, it must be accessed with https. Accessing it with http is not possible and generates an error that is logged.

Default Values

IDP listens on port 9130 by default.

Configuration

Environment Variables

The idp service is configured via the following environment variables. Read the Environment Variable Types documentation for important details.

4.0.5

Deprecation notes for the idp service
Deprecation Info	Deprecation Version	Removal Version	Deprecation Replacement
LDAP_BIND_PASSWORD changing name for consistency	4.0.2	5.0.0	OCIS_LDAP_BIND_PASSWORD

Environment variables for the idp service
Name	Type	Default Value	Description
`IDP_PASSWORD_RESET_URI`	string		The URI where a user can reset their password.
`OCIS_TRACING_ENABLED` `IDP_TRACING_ENABLED`	bool	false	Activates tracing.
`OCIS_TRACING_TYPE` `IDP_TRACING_TYPE`	string		The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.
`OCIS_TRACING_ENDPOINT` `IDP_TRACING_ENDPOINT`	string		The endpoint of the tracing agent.
`OCIS_TRACING_COLLECTOR` `IDP_TRACING_COLLECTOR`	string		The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
`OCIS_LOG_LEVEL` `IDP_LOG_LEVEL`	string		The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.
`OCIS_LOG_PRETTY` `IDP_LOG_PRETTY`	bool	false	Activates pretty log output.
`OCIS_LOG_COLOR` `IDP_LOG_COLOR`	bool	false	Activates colorized log output.
`OCIS_LOG_FILE` `IDP_LOG_FILE`	string		The path to the log file. Activates logging to this file if set.
`IDP_DEBUG_ADDR`	string	127.0.0.1:9134	Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
`IDP_DEBUG_TOKEN`	string		Token to secure the metrics endpoint.
`IDP_DEBUG_PPROF`	bool	false	Enables pprof, which can be used for profiling.
`IDP_DEBUG_ZPAGES`	bool	false	Enables zpages, which can be used for collecting and viewing in-memory traces.
`IDP_HTTP_ADDR`	string	127.0.0.1:9130	The bind address of the HTTP service.
`IDP_HTTP_ROOT`	string	/	Subdirectory that serves as the root for this HTTP service.
`IDP_TRANSPORT_TLS_CERT`	string	~/.ocis/idp/server.crt	Path/File name of the TLS server certificate (in PEM format) for the IDP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idp.
`IDP_TRANSPORT_TLS_KEY`	string	~/.ocis/idp/server.key	Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the IDP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idp.
`IDP_TLS`	bool	false	Disable or Enable HTTPS for the communication between the Proxy service and the IDP service. If set to 'true', the key and cert files need to be configured and present.
`OCIS_REVA_GATEWAY`	string	com.owncloud.api.gateway	The CS3 gateway endpoint.
`OCIS_GRPC_CLIENT_TLS_MODE`	string		TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.
`OCIS_GRPC_CLIENT_TLS_CACERT`	string		Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.
`OCIS_MACHINE_AUTH_API_KEY` `IDP_MACHINE_AUTH_API_KEY`	string		Machine auth API key used to validate internal requests necessary for the access to resources from other services.
`IDP_ASSET_PATH`	string		Serve IDP assets from a path on the filesystem instead of the builtin assets.
`OCIS_URL` `OCIS_OIDC_ISSUER` `IDP_ISS`	string	https://localhost:9200	The OIDC issuer URL to use.
`IDP_IDENTITY_MANAGER`	string	ldap	The identity manager implementation to use. Supported identity managers are 'ldap', 'cs3', 'libregraph' and 'guest'.
`IDP_URI_BASE_PATH`	string		IDP uri base path (defaults to '').
`IDP_SIGN_IN_URI`	string		IDP sign-in url.
`IDP_SIGN_OUT_URI`	string		IDP sign-out url.
`IDP_ENDPOINT_URI`	string		URL of the IDP endpoint.
`OCIS_LDAP_INSECURE` `IDP_INSECURE`	bool	false	Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.
`IDP_ALLOW_CLIENT_GUESTS`	bool	false	Allow guest clients to access oCIS.
`IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION`	bool	false	Allow dynamic client registration.
`IDP_ENCRYPTION_SECRET_FILE`	string	~/.ocis/idp/encryption.key	Path to the encryption secret file, if unset, a new certificate will be autogenerated upon each restart, thus invalidating all existing sessions. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idp.
`IDP_SIGNING_KID`	string	private-key	Value of the KID (Key ID) field which is used in created tokens to uniquely identify the signing-private-key.
`IDP_SIGNING_METHOD`	string	PS256	Signing method of IDP requests like 'PS256'
`IDP_SIGNING_PRIVATE_KEY_FILES`	[]string	[~/.ocis/idp/private-key.pem]	Private key files for signing IDP requests. Separate multiple keys by blank or comma. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idp.
`IDP_VALIDATION_KEYS_PATH`	string		Path to validation keys for IDP requests.
`IDP_ACCESS_TOKEN_EXPIRATION`	uint64	300	'Access token lifespan in seconds (time before an access token is expired).'
`IDP_ID_TOKEN_EXPIRATION`	uint64	300	ID token lifespan in seconds (time before an ID token is expired).
`IDP_REFRESH_TOKEN_EXPIRATION`	uint64	2592000	Refresh token lifespan in seconds (time before an refresh token is expired). This also limits the duration of an idle offline session.
`IDP_DYNAMIC_CLIENT_SECRET_DURATION`	uint64	0	Lifespan in seconds of a dynamically registered OIDC client.
`OCIS_LDAP_URI` `IDP_LDAP_URI`	string	ldaps://localhost:9235	Url of the LDAP service to use as IDP.
`OCIS_LDAP_CACERT` `IDP_LDAP_TLS_CACERT`	string	~/.ocis/idm/ldap.crt	Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idp.
`OCIS_LDAP_BIND_DN` `IDP_LDAP_BIND_DN`	string	uid=idp,ou=sysusers,o=libregraph-idm	LDAP DN to use for simple bind authentication with the target LDAP server.
`OCIS_LDAP_BIND_PASSWORD` `LDAP_BIND_PASSWORD` `IDP_LDAP_BIND_PASSWORD` Deprecation Note	string		Password to use for authenticating the 'bind_dn'.
`OCIS_LDAP_USER_BASE_DN` `IDP_LDAP_BASE_DN`	string	ou=users,o=libregraph-idm	Search base DN for looking up LDAP users.
`OCIS_LDAP_USER_SCOPE` `IDP_LDAP_SCOPE`	string	sub	LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.
`IDP_LDAP_LOGIN_ATTRIBUTE`	string	uid	LDAP User attribute to use for login like 'uid'.
`OCIS_LDAP_USER_SCHEMA_MAIL` `IDP_LDAP_EMAIL_ATTRIBUTE`	string	mail	LDAP User email attribute like 'mail'.
`OCIS_LDAP_USER_SCHEMA_USERNAME` `IDP_LDAP_NAME_ATTRIBUTE`	string	displayName	LDAP User name attribute like 'displayName'.
`OCIS_LDAP_USER_SCHEMA_ID` `IDP_LDAP_UUID_ATTRIBUTE`	string	ownCloudUUID	LDAP User UUID attribute like 'uid'.
`IDP_LDAP_UUID_ATTRIBUTE_TYPE`	string	text	LDAP User uuid attribute type like 'text'.
`OCIS_LDAP_USER_ENABLED_ATTRIBUTE` `IDP_USER_ENABLED_ATTRIBUTE`	string	ownCloudUserEnabled	LDAP Attribute to use as a flag telling if the user is enabled or disabled.
`OCIS_LDAP_USER_FILTER` `IDP_LDAP_FILTER`	string		LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'.
`OCIS_LDAP_USER_OBJECTCLASS` `IDP_LDAP_OBJECTCLASS`	string	inetOrgPerson	LDAP User ObjectClass like 'inetOrgPerson'.

YAML Example

Note that the filename shown below has been chosen on purpose.
See the Configuration File Naming for details when setting up your own configuration.

4.0.5

# Autogenerated
# Filename: idp-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9134
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9130
  root: /
  tls_cert: ~/.ocis/idp/server.crt
  tls_key: ~/.ocis/idp/server.key
  tls: false
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
machine_auth_api_key: ""
asset:
  asset: ""
idp:
  iss: https://localhost:9200
  identity_manager: ldap
  uri_base_path: ""
  sign_in_uri: ""
  signed_out_uri: ""
  authorization_endpoint_uri: ""
  ldap_insecure: false
  trusted_proxy: []
  allow_scope: []
  allow_client_guests: false
  allow_dynamic_client_registration: false
  encrypt_secret_file: ~/.ocis/idp/encryption.key
  listen: ""
  identifierdefaultbannerlogo: ""
  identifierdefaultsigninpagetext: ""
  identifierdefaultusernamehinttext: ""
  identifieruilocales: []
  signing_kid: private-key
  signing_method: PS256
  signing_private_key_files:
  - ~/.ocis/idp/private-key.pem
  validation_keys_path: ""
  cookiebackenduri: ""
  cookienames: []
  access_token_duration_seconds: 300
  id_token_duration_seconds: 300
  refresh_token_duration_seconds: 2592000
  dynamic_client_secret_duration_seconds: 0
clients:
- id: web
  name: ownCloud Web app
  trusted: true
  secret: ""
  redirect_uris:
  - '{{OCIS_URL}}/'
  - '{{OCIS_URL}}/oidc-callback.html'
  - '{{OCIS_URL}}/oidc-silent-redirect.html'
  origins:
  - '{{OCIS_URL}}'
  application_type: ""
- id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
  name: ownCloud desktop app
  trusted: false
  secret: UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
  redirect_uris:
  - http://127.0.0.1
  - http://localhost
  origins: []
  application_type: native
- id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
  name: ownCloud Android app
  trusted: false
  secret: dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD
  redirect_uris:
  - oc://android.owncloud.com
  origins: []
  application_type: native
- id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
  name: ownCloud iOS app
  trusted: false
  secret: KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx
  redirect_uris:
  - oc://ios.owncloud.com
  origins: []
  application_type: native
ldap:
  uri: ldaps://localhost:9235
  cacert: ~/.ocis/idm/ldap.crt
  bind_dn: uid=idp,ou=sysusers,o=libregraph-idm
  bind_password: ""
  base_dn: ou=users,o=libregraph-idm
  scope: sub
  login_attribute: uid
  email_attribute: mail
  name_attribute: displayName
  uuid_attribute: ownCloudUUID
  uuid_attribute_type: text
  user_enabled_attribute: ownCloudUserEnabled
  filter: ""
  objectclass: inetOrgPerson