IDP Service Configuration
Introduction
The Infinite Scale IDP service provides a built-in minimal OpenID Connect provider.
The IDP service is mainly suitable for smaller installations. The recommendation for larger setups is to replace IDP with and external OpenID Connect Provider. See the Docker Compose Examples (ocis_keycloak) for more details.
By default, the IDP service is configured to use the Infinite Scale IDM service as its LDAP backend for looking up and authenticating users. Other backends like an external LDAP server can be configured via a set of environment variables. For details see below.
The IDP service is by design limited in its functionality:
Therefore the IDP service is not meant to replace an external OpenID Connect Provider. |
To use the embedded IDP service, it must be accessed with https. Accessing it with http is not possible and generates an error that is logged. |
Configuration
Environment Variables
The idp
service is configured via the following environment variables. Read the Environment Variable Types documentation for important details.
Name | Type | Default Value | Description |
---|---|---|---|
|
string |
|
The URI where a user can reset their password. |
|
bool |
false |
Activates tracing. |
|
string |
|
The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now. |
|
string |
|
The endpoint of the tracing agent. |
|
string |
|
The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. |
|
string |
|
The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. |
|
bool |
false |
Activates pretty log output. |
|
bool |
false |
Activates colorized log output. |
|
string |
|
The path to the log file. Activates logging to this file if set. |
|
string |
127.0.0.1:9134 |
Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. |
|
string |
|
Token to secure the metrics endpoint. |
|
bool |
false |
Enables pprof, which can be used for profiling. |
|
bool |
false |
Enables zpages, which can be used for collecting and viewing in-memory traces. |
|
string |
127.0.0.1:9130 |
The bind address of the HTTP service. |
|
string |
/ |
Subdirectory that serves as the root for this HTTP service. |
|
string |
/var/lib/ocis/idp/server.crt |
Path/File name of the TLS server certificate (in PEM format) for the IDP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idp. |
|
string |
/var/lib/ocis/idp/server.key |
Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the IDP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idp. |
|
bool |
false |
Disable or Enable HTTPS for the communication between the Proxy service and the IDP service. If set to 'true', the key and cert files need to be configured and present. |
|
string |
com.owncloud.api.gateway |
The CS3 gateway endpoint. |
|
string |
|
TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. |
|
string |
|
Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. |
|
string |
|
Machine auth API key used to validate internal requests necessary for the access to resources from other services. |
|
string |
|
Serve IDP assets from a path on the filesystem instead of the builtin assets. |
|
string |
|
Configure an alternative URL to the background image for the login page. |
|
string |
https://localhost:9200 |
The OIDC issuer URL to use. |
|
string |
ldap |
The identity manager implementation to use. Supported identity managers are 'ldap', 'cs3', 'libregraph' and 'guest'. |
|
string |
|
IDP uri base path (defaults to ''). |
|
string |
|
IDP sign-in url. |
|
string |
|
IDP sign-out url. |
|
string |
|
URL of the IDP endpoint. |
|
bool |
false |
Disable TLS certificate validation for the LDAP connections. Do not set this in production environments. |
|
bool |
false |
Allow guest clients to access oCIS. |
|
bool |
false |
Allow dynamic client registration. |
|
string |
/var/lib/ocis/idp/encryption.key |
Path to the encryption secret file, if unset, a new certificate will be autogenerated upon each restart, thus invalidating all existing sessions. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idp. |
|
string |
private-key |
Value of the KID (Key ID) field which is used in created tokens to uniquely identify the signing-private-key. |
|
string |
PS256 |
Signing method of IDP requests like 'PS256' |
|
[]string |
[/var/lib/ocis/idp/private-key.pem] |
A list of private key files for signing IDP requests. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idp. See the Environment Variable Types description for more details. |
|
string |
|
Path to validation keys for IDP requests. |
|
uint64 |
300 |
'Access token lifespan in seconds (time before an access token is expired).' |
|
uint64 |
300 |
ID token lifespan in seconds (time before an ID token is expired). |
|
uint64 |
2592000 |
Refresh token lifespan in seconds (time before an refresh token is expired). This also limits the duration of an idle offline session. |
|
uint64 |
0 |
Lifespan in seconds of a dynamically registered OIDC client. |
|
string |
ldaps://localhost:9235 |
Url of the LDAP service to use as IDP. |
|
string |
/var/lib/ocis/idm/ldap.crt |
Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idp. |
|
string |
uid=idp,ou=sysusers,o=libregraph-idm |
LDAP DN to use for simple bind authentication with the target LDAP server. |
|
string |
|
Password to use for authenticating the 'bind_dn'. |
|
string |
ou=users,o=libregraph-idm |
Search base DN for looking up LDAP users. |
|
string |
sub |
LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'. |
|
string |
uid |
LDAP User attribute to use for login like 'uid'. |
|
string |
LDAP User email attribute like 'mail'. |
|
|
string |
displayName |
LDAP User name attribute like 'displayName'. |
|
string |
ownCloudUUID |
LDAP User UUID attribute like 'uid'. |
|
string |
text |
LDAP User uuid attribute type like 'text'. |
|
string |
ownCloudUserEnabled |
LDAP Attribute to use as a flag telling if the user is enabled or disabled. |
|
string |
|
LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'. |
|
string |
inetOrgPerson |
LDAP User ObjectClass like 'inetOrgPerson'. |
YAML Example
-
Note the file shown below must be renamed and placed in the correct folder according to the Configuration File Naming conventions to be effective.
-
See the Notes for Environment Variables if you want to use environment variables in the yaml file.
# Autogenerated
# Filename: idp-config-example.yaml
tracing:
enabled: false
type: ""
endpoint: ""
collector: ""
log:
level: ""
pretty: false
color: false
file: ""
debug:
addr: 127.0.0.1:9134
token: ""
pprof: false
zpages: false
http:
addr: 127.0.0.1:9130
root: /
tls_cert: /var/lib/ocis/idp/server.crt
tls_key: /var/lib/ocis/idp/server.key
tls: false
reva:
address: com.owncloud.api.gateway
tls:
mode: ""
cacert: ""
machine_auth_api_key: ""
asset:
asset: ""
login-background-url: ""
idp:
iss: https://localhost:9200
identity_manager: ldap
uri_base_path: ""
sign_in_uri: ""
signed_out_uri: ""
authorization_endpoint_uri: ""
ldap_insecure: false
trusted_proxy: []
allow_scope: []
allow_client_guests: false
allow_dynamic_client_registration: false
encrypt_secret_file: /var/lib/ocis/idp/encryption.key
listen: ""
identifierdefaultbannerlogo: ""
identifierdefaultsigninpagetext: ""
identifierdefaultusernamehinttext: ""
identifieruilocales: []
signing_kid: private-key
signing_method: PS256
signing_private_key_files:
- /var/lib/ocis/idp/private-key.pem
validation_keys_path: ""
cookiebackenduri: ""
cookienames: []
cookiesamesite: 3
access_token_duration_seconds: 300
id_token_duration_seconds: 300
refresh_token_duration_seconds: 2592000
dynamic_client_secret_duration_seconds: 0
clients:
- id: web
name: ownCloud Web app
trusted: true
secret: ""
redirect_uris:
- '{{OCIS_URL}}/'
- '{{OCIS_URL}}/oidc-callback.html'
- '{{OCIS_URL}}/oidc-silent-redirect.html'
origins:
- '{{OCIS_URL}}'
application_type: ""
- id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
name: ownCloud desktop app
trusted: false
secret: UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
redirect_uris:
- http://127.0.0.1
- http://localhost
origins: []
application_type: native
- id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
name: ownCloud Android app
trusted: false
secret: dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD
redirect_uris:
- oc://android.owncloud.com
origins: []
application_type: native
- id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
name: ownCloud iOS app
trusted: false
secret: KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx
redirect_uris:
- oc://ios.owncloud.com
origins: []
application_type: native
ldap:
uri: ldaps://localhost:9235
cacert: /var/lib/ocis/idm/ldap.crt
bind_dn: uid=idp,ou=sysusers,o=libregraph-idm
bind_password: ""
base_dn: ou=users,o=libregraph-idm
scope: sub
login_attribute: uid
email_attribute: mail
name_attribute: displayName
uuid_attribute: ownCloudUUID
uuid_attribute_type: text
user_enabled_attribute: ownCloudUserEnabled
filter: ""
objectclass: inetOrgPerson