IDP Service Configuration

Introduction

The Infinite Scale IDP service provides a built-in minimal OpenID Connect provider.

The IDP service is mainly suitable for smaller installations. For larger setups, the recommendation is to replace IDP with an external OpenID Connect Provider. See the Docker Compose Examples (ocis_keycloak) for more details.

By default, the IDP service is configured to use the Infinite Scale IDM service as its LDAP backend for looking up and authenticating users. Other backends like an external LDAP server can be configured via a set of environment variables. For details see below.

The IDP service is by design limited in its functionality:

  • IDP does NOT support branding or theming.
    This also means that there is no possibility to customize the login screen.

  • IDP has no brute force protection like external IDPs have.
    Consecutive failed login attempts are also not logged as "invalid credential" events, so failed logins cannot be detected or throttled from the IDP side.

  • The IDP has no backchannel logout capability.
    Consider an Infinite Scale deployment configured to work with Keycloak. When a user logs out via the web UI, Keycloak issues a callback to the Infinite Scale backend informing it that the session has ended, and the backend can then invalidate its internal session cache. The IDP service does not support backchannel logout, so Infinite Scale considers the access token valid until it reaches its expiry.

Therefore the IDP service is not meant to replace an external OpenID Connect Provider.

To use the embedded IDP service, it must be accessed via https. Accessing it via http is not possible; the attempt fails and an error is logged.

Default Values

  • IDP listens on port 9130 by default.

Configuration

Environment Variables

The idp service is configured via the following environment variables. Read the Environment Variable Types documentation for important details. Column IV shows the release in which the environment variable was introduced.

  • 7.0.0

Environment variables for the idp service

Each entry lists the variable name(s), the release in which it was introduced (IV), its type, its default value and a description. Where more than one name is listed, the OCIS_* name is the global variable shared by all services and the IDP_* name is the service-specific one, which takes precedence when both are set. "(none)" means the variable has no default value.

IDP_PASSWORD_RESET_URI
  IV: pre5.0   Type: string   Default: (none)
  The URI where a user can reset their password.

OCIS_TRACING_ENABLED, IDP_TRACING_ENABLED
  IV: pre5.0   Type: bool   Default: false
  Activates tracing.

OCIS_TRACING_TYPE, IDP_TRACING_TYPE
  IV: pre5.0   Type: string   Default: (none)
  The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.

OCIS_TRACING_ENDPOINT, IDP_TRACING_ENDPOINT
  IV: pre5.0   Type: string   Default: (none)
  The endpoint of the tracing agent.

OCIS_TRACING_COLLECTOR, IDP_TRACING_COLLECTOR
  IV: pre5.0   Type: string   Default: (none)
  The HTTP endpoint for sending spans directly to a collector, e.g. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.

OCIS_LOG_LEVEL, IDP_LOG_LEVEL
  IV: pre5.0   Type: string   Default: (none)
  The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.

OCIS_LOG_PRETTY, IDP_LOG_PRETTY
  IV: pre5.0   Type: bool   Default: false
  Activates pretty log output.

OCIS_LOG_COLOR, IDP_LOG_COLOR
  IV: pre5.0   Type: bool   Default: false
  Activates colorized log output.

OCIS_LOG_FILE, IDP_LOG_FILE
  IV: pre5.0   Type: string   Default: (none)
  The path to the log file. Activates logging to this file if set.

IDP_DEBUG_ADDR
  IV: pre5.0   Type: string   Default: 127.0.0.1:9134
  Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.

IDP_DEBUG_TOKEN
  IV: pre5.0   Type: string   Default: (none)
  Token to secure the metrics endpoint.

IDP_DEBUG_PPROF
  IV: pre5.0   Type: bool   Default: false
  Enables pprof, which can be used for profiling.

IDP_DEBUG_ZPAGES
  IV: pre5.0   Type: bool   Default: false
  Enables zpages, which can be used for collecting and viewing in-memory traces.

IDP_HTTP_ADDR
  IV: pre5.0   Type: string   Default: 127.0.0.1:9130
  The bind address of the HTTP service.

IDP_HTTP_ROOT
  IV: pre5.0   Type: string   Default: /
  Subdirectory that serves as the root for this HTTP service.

IDP_TRANSPORT_TLS_CERT
  IV: pre5.0   Type: string   Default: /var/lib/ocis/idp/server.crt
  Path/File name of the TLS server certificate (in PEM format) for the IDP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idp.

IDP_TRANSPORT_TLS_KEY
  IV: pre5.0   Type: string   Default: /var/lib/ocis/idp/server.key
  Path/File name of the TLS certificate key (in PEM format) for the server certificate to use for the IDP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idp.

IDP_TLS
  IV: pre5.0   Type: bool   Default: false
  Disable or enable HTTPS for the communication between the Proxy service and the IDP service. If set to 'true', the key and cert files need to be configured and present.

OCIS_REVA_GATEWAY
  IV: pre5.0   Type: string   Default: com.owncloud.api.gateway
  The CS3 gateway endpoint.

OCIS_GRPC_CLIENT_TLS_MODE
  IV: pre5.0   Type: string   Default: (none)
  TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.

OCIS_GRPC_CLIENT_TLS_CACERT
  IV: pre5.0   Type: string   Default: (none)
  Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.

OCIS_MACHINE_AUTH_API_KEY, IDP_MACHINE_AUTH_API_KEY
  IV: pre5.0   Type: string   Default: (none)
  Machine auth API key used to validate internal requests necessary for the access to resources from other services.

IDP_ASSET_PATH
  IV: pre5.0   Type: string   Default: (none)
  Serve IDP assets from a path on the filesystem instead of the builtin assets.

IDP_LOGIN_BACKGROUND_URL
  IV: 5.0   Type: string   Default: (none)
  Configure an alternative URL to the background image for the login page.

OCIS_URL, OCIS_OIDC_ISSUER, IDP_ISS
  IV: pre5.0   Type: string   Default: https://localhost:9200
  The OIDC issuer URL to use.

IDP_IDENTITY_MANAGER
  IV: pre5.0   Type: string   Default: ldap
  The identity manager implementation to use. Supported identity managers are 'ldap', 'cs3', 'libregraph' and 'guest'.

IDP_URI_BASE_PATH
  IV: pre5.0   Type: string   Default: (none)
  IDP URI base path (defaults to '').

IDP_SIGN_IN_URI
  IV: pre5.0   Type: string   Default: (none)
  IDP sign-in URL.

IDP_SIGN_OUT_URI
  IV: pre5.0   Type: string   Default: (none)
  IDP sign-out URL.

IDP_ENDPOINT_URI
  IV: pre5.0   Type: string   Default: (none)
  URL of the IDP endpoint.

OCIS_LDAP_INSECURE, IDP_INSECURE
  IV: pre5.0   Type: bool   Default: false
  Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.

IDP_ALLOW_CLIENT_GUESTS
  IV: pre5.0   Type: bool   Default: false
  Allow guest clients to access oCIS.

IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION
  IV: pre5.0   Type: bool   Default: false
  Allow dynamic client registration.

IDP_ENCRYPTION_SECRET_FILE
  IV: pre5.0   Type: string   Default: /var/lib/ocis/idp/encryption.key
  Path to the encryption secret file. If unset, a new secret is autogenerated upon each restart, thus invalidating all existing sessions. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idp.

IDP_SIGNING_KID
  IV: pre5.0   Type: string   Default: private-key
  Value of the KID (Key ID) field which is used in created tokens to uniquely identify the signing private key.

IDP_SIGNING_METHOD
  IV: pre5.0   Type: string   Default: PS256
  Signing method used by the IDP, e.g. 'PS256'.

IDP_SIGNING_PRIVATE_KEY_FILES
  IV: pre5.0   Type: []string   Default: [/var/lib/ocis/idp/private-key.pem]
  A list of private key files for signing IDP requests. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idp. See the Environment Variable Types description for more details.

IDP_VALIDATION_KEYS_PATH
  IV: pre5.0   Type: string   Default: (none)
  Path to validation keys for IDP requests.

IDP_ACCESS_TOKEN_EXPIRATION
  IV: pre5.0   Type: uint64   Default: 300
  Access token lifespan in seconds (time before an access token expires).

IDP_ID_TOKEN_EXPIRATION
  IV: pre5.0   Type: uint64   Default: 300
  ID token lifespan in seconds (time before an ID token expires).

IDP_REFRESH_TOKEN_EXPIRATION
  IV: pre5.0   Type: uint64   Default: 2592000
  Refresh token lifespan in seconds (time before a refresh token expires). This also limits the duration of an idle offline session.

IDP_DYNAMIC_CLIENT_SECRET_DURATION
  IV: pre5.0   Type: uint64   Default: 0
  Lifespan in seconds of a dynamically registered OIDC client.

OCIS_LDAP_URI, IDP_LDAP_URI
  IV: pre5.0   Type: string   Default: ldaps://localhost:9235
  URL of the LDAP server the IDP uses to look up and authenticate users.

OCIS_LDAP_CACERT, IDP_LDAP_TLS_CACERT
  IV: pre5.0   Type: string   Default: /var/lib/ocis/idm/ldap.crt
  Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idp.

OCIS_LDAP_BIND_DN, IDP_LDAP_BIND_DN
  IV: pre5.0   Type: string   Default: uid=idp,ou=sysusers,o=libregraph-idm
  LDAP DN to use for simple bind authentication with the target LDAP server.

OCIS_LDAP_BIND_PASSWORD, IDP_LDAP_BIND_PASSWORD
  IV: pre5.0   Type: string   Default: (none)
  Password to use for authenticating the 'bind_dn'.

OCIS_LDAP_USER_BASE_DN, IDP_LDAP_BASE_DN
  IV: pre5.0   Type: string   Default: ou=users,o=libregraph-idm
  Search base DN for looking up LDAP users.

OCIS_LDAP_USER_SCOPE, IDP_LDAP_SCOPE
  IV: pre5.0   Type: string   Default: sub
  LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.

IDP_LDAP_LOGIN_ATTRIBUTE
  IV: pre5.0   Type: string   Default: uid
  LDAP user attribute to use for login, e.g. 'uid'.

OCIS_LDAP_USER_SCHEMA_MAIL, IDP_LDAP_EMAIL_ATTRIBUTE
  IV: pre5.0   Type: string   Default: mail
  LDAP user email attribute, e.g. 'mail'.

OCIS_LDAP_USER_SCHEMA_USERNAME, IDP_LDAP_NAME_ATTRIBUTE
  IV: pre5.0   Type: string   Default: displayName
  LDAP user name attribute, e.g. 'displayName'.

OCIS_LDAP_USER_SCHEMA_ID, IDP_LDAP_UUID_ATTRIBUTE
  IV: pre5.0   Type: string   Default: ownCloudUUID
  LDAP user UUID attribute, e.g. 'ownCloudUUID'.

IDP_LDAP_UUID_ATTRIBUTE_TYPE
  IV: pre5.0   Type: string   Default: text
  LDAP user UUID attribute type, e.g. 'text'.

OCIS_LDAP_USER_ENABLED_ATTRIBUTE, IDP_USER_ENABLED_ATTRIBUTE
  IV: pre5.0   Type: string   Default: ownCloudUserEnabled
  LDAP attribute to use as a flag telling whether the user is enabled or disabled.

OCIS_LDAP_USER_FILTER, IDP_LDAP_FILTER
  IV: pre5.0   Type: string   Default: (none)
  LDAP filter added to the default filters for user search, e.g. '(objectclass=ownCloud)'.

OCIS_LDAP_USER_OBJECTCLASS, IDP_LDAP_OBJECTCLASS
  IV: pre5.0   Type: string   Default: inetOrgPerson
  LDAP user ObjectClass, e.g. 'inetOrgPerson'.
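The variables above are what a hardening review of the embedded IDP works from. The following script is an added example and not part of oCIS: it reads the documented variables from a plain dict (as they would appear in a docker-compose .env file), applies the rule that a service-specific IDP_* name overrides its global OCIS_* counterpart, and flags the settings this page warns about (http issuer, LDAP without certificate validation or without ldaps, dynamic client registration, an off-host debug server without IDP_DEBUG_TOKEN, pprof, plaintext or unverified gRPC, and long access token lifetimes given the lack of backchannel logout). The two sample environments are constructed, the one-hour token threshold is a review choice rather than an oCIS limit, and the bool parsing mirrors Go's strconv.ParseBool (an assumption about how oCIS parses bool-typed variables).

```python
"""Flag weak settings in an oCIS IDP service environment.

Added example, not oCIS code. Sample environments at the bottom are constructed.
"""
from urllib.parse import urlsplit


def as_bool(value, default=False):
    """Assumption: bool variables accept the strconv.ParseBool spellings."""
    if value is None or value == "":
        return default
    return value.strip().lower() in ("1", "t", "true")


def lookup(env, *names, default=None):
    """Resolve a setting with several names: the page lists the global OCIS_*
    name first and the IDP_* name second, and the service-specific name takes
    precedence, so the last name that is set wins."""
    value = default
    for name in names:
        if env.get(name):
            value = env[name]
    return value


def is_loopback(addr):
    """True if a host:port bind address listens on the local host only."""
    if addr.startswith("["):
        host = addr[1:addr.index("]")]
    else:
        host = addr.rsplit(":", 1)[0]
    return host in ("127.0.0.1", "localhost", "::1")


def audit_idp_env(env):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []

    # The embedded IDP must be reached over https; the issuer is that URL.
    iss = lookup(env, "OCIS_URL", "OCIS_OIDC_ISSUER", "IDP_ISS",
                 default="https://localhost:9200")
    if urlsplit(iss).scheme != "https":
        findings.append("issuer %s is not https" % iss)

    # LDAP backend: no certificate validation or no TLS at all exposes the
    # bind password and every user's login credentials on the wire.
    if as_bool(lookup(env, "OCIS_LDAP_INSECURE", "IDP_INSECURE")):
        findings.append("LDAP TLS certificate validation is disabled")
    ldap_uri = lookup(env, "OCIS_LDAP_URI", "IDP_LDAP_URI",
                      default="ldaps://localhost:9235")
    if urlsplit(ldap_uri).scheme != "ldaps":
        findings.append("LDAP URI %s does not use ldaps://" % ldap_uri)
    if not lookup(env, "OCIS_LDAP_BIND_PASSWORD", "IDP_LDAP_BIND_PASSWORD"):
        findings.append("no LDAP bind password configured")

    # Dynamic client registration lets any caller register an OIDC client.
    if as_bool(env.get("IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION")):
        findings.append("dynamic client registration is enabled")

    # Debug server exposes metrics, health, config and debug endpoints.
    debug_addr = env.get("IDP_DEBUG_ADDR") or "127.0.0.1:9134"
    if not is_loopback(debug_addr) and not env.get("IDP_DEBUG_TOKEN"):
        findings.append("debug server on %s without IDP_DEBUG_TOKEN" % debug_addr)
    if as_bool(env.get("IDP_DEBUG_PPROF")):
        findings.append("pprof endpoint is enabled")

    # gRPC to other oCIS services: 'off' is plaintext, 'insecure' skips
    # certificate verification.
    mode = env.get("OCIS_GRPC_CLIENT_TLS_MODE", "")
    if mode in ("off", "insecure"):
        findings.append("gRPC client TLS mode is '%s'" % mode)

    # No backchannel logout: an access token stays valid until it expires.
    # One hour is an assumed review threshold, not an oCIS limit.
    access_ttl = int(env.get("IDP_ACCESS_TOKEN_EXPIRATION") or 300)
    if access_ttl > 3600:
        findings.append("access token lifetime %ds outlives a logout" % access_ttl)

    return findings


# Constructed sample environments: one weak, one hardened.
WEAK_ENV = {
    "OCIS_URL": "http://files.example.test",
    "OCIS_LDAP_URI": "ldap://ldap.example.test:389",
    "OCIS_LDAP_INSECURE": "true",
    "IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION": "true",
    "IDP_DEBUG_ADDR": "0.0.0.0:9134",
    "IDP_ACCESS_TOKEN_EXPIRATION": "86400",
    "OCIS_GRPC_CLIENT_TLS_MODE": "off",
}
HARDENED_ENV = {
    "OCIS_URL": "https://files.example.test",
    "OCIS_LDAP_URI": "ldaps://ldap.example.test:636",
    "OCIS_LDAP_CACERT": "/etc/ocis/ldap-ca.crt",
    "OCIS_LDAP_BIND_DN": "uid=idp,ou=sysusers,o=libregraph-idm",
    "OCIS_LDAP_BIND_PASSWORD": "example-bind-password",
    "IDP_DEBUG_ADDR": "127.0.0.1:9134",
    "IDP_ACCESS_TOKEN_EXPIRATION": "300",
    "OCIS_GRPC_CLIENT_TLS_MODE": "on",
}

if __name__ == "__main__":
    for label, env in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(label, audit_idp_env(env) or "no findings")
```

Run it against the environment of a real deployment by building the dict from `os.environ` or from a parsed .env file; the precedence handling in lookup matters when a global OCIS_LDAP_INSECURE=true is overridden by IDP_INSECURE=false for this one service.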

YAML Example

  • 7.0.0

# Autogenerated
# Filename: idp-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9134
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9130
  root: /
  tls_cert: /var/lib/ocis/idp/server.crt
  tls_key: /var/lib/ocis/idp/server.key
  tls: false
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
machine_auth_api_key: ""
asset:
  asset: ""
  login-background-url: ""
idp:
  iss: https://localhost:9200
  identity_manager: ldap
  uri_base_path: ""
  sign_in_uri: ""
  signed_out_uri: ""
  authorization_endpoint_uri: ""
  ldap_insecure: false
  trusted_proxy: []
  allow_scope: []
  allow_client_guests: false
  allow_dynamic_client_registration: false
  encrypt_secret_file: /var/lib/ocis/idp/encryption.key
  listen: ""
  identifierdefaultbannerlogo: ""
  identifierdefaultsigninpagetext: ""
  identifierdefaultusernamehinttext: ""
  identifieruilocales: []
  signing_kid: private-key
  signing_method: PS256
  signing_private_key_files:
  - /var/lib/ocis/idp/private-key.pem
  validation_keys_path: ""
  cookiebackenduri: ""
  cookienames: []
  cookiesamesite: 3
  access_token_duration_seconds: 300
  id_token_duration_seconds: 300
  refresh_token_duration_seconds: 2592000
  dynamic_client_secret_duration_seconds: 0
clients:
- id: web
  name: ownCloud Web app
  trusted: true
  secret: ""
  redirect_uris:
  - '{{OCIS_URL}}/'
  - '{{OCIS_URL}}/oidc-callback.html'
  - '{{OCIS_URL}}/oidc-silent-redirect.html'
  origins:
  - '{{OCIS_URL}}'
  application_type: ""
- id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
  name: ownCloud desktop app
  trusted: false
  secret: UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
  redirect_uris:
  - http://127.0.0.1
  - http://localhost
  origins: []
  application_type: native
- id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
  name: ownCloud Android app
  trusted: false
  secret: dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD
  redirect_uris:
  - oc://android.owncloud.com
  origins: []
  application_type: native
- id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
  name: ownCloud iOS app
  trusted: false
  secret: KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx
  redirect_uris:
  - oc://ios.owncloud.com
  origins: []
  application_type: native
ldap:
  uri: ldaps://localhost:9235
  cacert: /var/lib/ocis/idm/ldap.crt
  bind_dn: uid=idp,ou=sysusers,o=libregraph-idm
  bind_password: ""
  base_dn: ou=users,o=libregraph-idm
  scope: sub
  login_attribute: uid
  email_attribute: mail
  name_attribute: displayName
  uuid_attribute: ownCloudUUID
  uuid_attribute_type: text
  user_enabled_attribute: ownCloudUserEnabled
  filter: ""
  objectclass: inetOrgPerson
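The signing_kid, signing_method and *_duration_seconds settings above determine what the tokens issued by the embedded IDP look like. The following script is an added example, not oCIS code: it decodes the JOSE header and claims of a compact JWS and compares them with the configured IDP_SIGNING_METHOD, IDP_SIGNING_KID, IDP_ISS and IDP_ACCESS_TOKEN_EXPIRATION, which is a quick way to confirm that a deployment actually issues PS256 tokens of the expected lifetime and to reject an "alg: none" token before any cryptography runs. It deliberately does not verify the signature; a relying party must still do that against the issuer's published keys. The tokens are constructed test data with placeholder signatures, and the script assumes the standard iss, iat and exp claims.

```python
"""Compare a JWT issued by the embedded IDP with the configured signing settings.

Added example, not oCIS code. Claim consistency only; no signature verification.
"""
import base64
import json


def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_jws(token):
    """Return (header, claims, signature) of a compact JWS without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts[2]


def check_token(token, cfg):
    """Return the mismatches between the token and the IDP configuration."""
    header, claims, signature = split_jws(token)
    problems = []
    # The IDP signs with IDP_SIGNING_METHOD; anything else, and 'none' in
    # particular, must never be accepted.
    if header.get("alg") != cfg["IDP_SIGNING_METHOD"]:
        problems.append("alg %r, expected %r" % (header.get("alg"), cfg["IDP_SIGNING_METHOD"]))
    if not signature:
        problems.append("empty signature")
    # kid identifies the signing private key configured with IDP_SIGNING_KID.
    if header.get("kid") != cfg["IDP_SIGNING_KID"]:
        problems.append("kid %r, expected %r" % (header.get("kid"), cfg["IDP_SIGNING_KID"]))
    if claims.get("iss") != cfg["IDP_ISS"]:
        problems.append("iss %r, expected %r" % (claims.get("iss"), cfg["IDP_ISS"]))
    # Lifetime must not exceed the configured access token expiration.
    lifetime = claims.get("exp", 0) - claims.get("iat", 0)
    if lifetime > int(cfg["IDP_ACCESS_TOKEN_EXPIRATION"]):
        problems.append("lifetime %ds exceeds IDP_ACCESS_TOKEN_EXPIRATION=%s"
                        % (lifetime, cfg["IDP_ACCESS_TOKEN_EXPIRATION"]))
    return problems


def make_test_token(header, claims, signature=b"placeholder-not-a-real-signature"):
    """Build a compact JWS from constructed parts (test data, not a valid token)."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(claims), b64url_encode(signature)])


# Values taken from the defaults documented on this page.
IDP_CFG = {
    "IDP_SIGNING_METHOD": "PS256",
    "IDP_SIGNING_KID": "private-key",
    "IDP_ISS": "https://localhost:9200",
    "IDP_ACCESS_TOKEN_EXPIRATION": "300",
}

# Constructed tokens: one consistent with the config, one forged with alg none.
GOOD_TOKEN = make_test_token(
    {"alg": "PS256", "kid": "private-key", "typ": "JWT"},
    {"iss": "https://localhost:9200", "sub": "example-user", "iat": 1700000000, "exp": 1700000300},
)
FORGED_TOKEN = make_test_token(
    {"alg": "none", "kid": "private-key"},
    {"iss": "https://localhost:9200", "sub": "example-user", "iat": 1700000000, "exp": 1700086400},
    signature=b"",
)

if __name__ == "__main__":
    print("good:", check_token(GOOD_TOKEN, IDP_CFG) or "consistent with config")
    print("forged:", check_token(FORGED_TOKEN, IDP_CFG))
```

Use it on a token captured from a browser session after reconfiguring IDP_SIGNING_METHOD or the token lifetimes, to confirm the change took effect; the forged example shows the three things such a check catches (alg none, empty signature, lifetime beyond the configured 300 seconds), none of which require the signing key to spot.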