IDP Service Configuration

Introduction

The Infinite Scale IDP service provides …​

Infinite Scale is in beta, so its services are still under development: a service, its environment variables and its configuration may change. Forgive us if there are mistakes or information is missing. Feel free to report issues on GitHub and we'll take care of them as soon as possible. You want to fix them yourself? We'd appreciate that even more.

Configuration

Environment Variables

The idp extension is configured via the following environment variables:

Environment variables for the idp extension. Where several names are listed for one setting, the IDP_-prefixed name is specific to this service and the others (OCIS_*, LDAP_*, REVA_*) are aliases shared with other services.

| Name | Type | Default Value | Description |
|---|---|---|---|
| IDP_PASSWORD_RESET_URI | string | | The URI where a user can reset their password. |
| OCIS_TRACING_ENABLED, IDP_TRACING_ENABLED | bool | false | Activates tracing. |
| OCIS_TRACING_TYPE, IDP_TRACING_TYPE | string | | The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now. |
| OCIS_TRACING_ENDPOINT, IDP_TRACING_ENDPOINT | string | | The endpoint of the tracing agent. |
| OCIS_TRACING_COLLECTOR, IDP_TRACING_COLLECTOR | string | | The HTTP endpoint for sending spans directly to a collector, e.g. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. |
| OCIS_LOG_LEVEL, IDP_LOG_LEVEL | string | | The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace". |
| OCIS_LOG_PRETTY, IDP_LOG_PRETTY | bool | false | Activates pretty log output. |
| OCIS_LOG_COLOR, IDP_LOG_COLOR | bool | false | Activates colorized log output. |
| OCIS_LOG_FILE, IDP_LOG_FILE | string | | The path to the log file. Activates logging to this file if set. |
| IDP_DEBUG_ADDR | string | 127.0.0.1:9134 | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. |
| IDP_DEBUG_TOKEN | string | | Token to secure the metrics endpoint. |
| IDP_DEBUG_PPROF | bool | false | Enables pprof, which can be used for profiling. |
| IDP_DEBUG_ZPAGES | bool | false | Enables zpages, which can be used for collecting and viewing in-memory traces. |
| IDP_HTTP_ADDR | string | 127.0.0.1:9130 | The bind address of the HTTP service. |
| IDP_HTTP_ROOT | string | / | Subdirectory that serves as the root for this HTTP service. |
| IDP_TRANSPORT_TLS_CERT | string | ~/.ocis/idp/server.crt | Path to the TLS certificate used by the HTTP service (http.tls_cert in the YAML example). |
| IDP_TRANSPORT_TLS_KEY | string | ~/.ocis/idp/server.key | Path to the TLS private key used by the HTTP service (http.tls_key in the YAML example). |
| IDP_TLS | bool | false | Enables TLS on the HTTP service (http.tls in the YAML example). |
| REVA_GATEWAY | string | 127.0.0.1:9142 | CS3 gateway used to authenticate and look up users. |
| OCIS_MACHINE_AUTH_API_KEY, IDP_MACHINE_AUTH_API_KEY | string | | Machine auth API key used for accessing the 'auth-machine' service to impersonate users when looking up their userinfo via the 'cs3' backend. |
| IDP_ASSET_PATH | string | | Serve IDP assets from a path on the filesystem instead of the builtin assets. |
| OCIS_URL, OCIS_OIDC_ISSUER, IDP_ISS | string | https://localhost:9200 | The OIDC issuer URL to use. |
| IDP_IDENTITY_MANAGER | string | ldap | The identity manager implementation to use. Defaults to 'ldap'; can be changed to 'cs3', 'kc', 'libregraph', 'cookie' or 'guest'. |
| IDP_URI_BASE_PATH | string | | IDP URI base path (defaults to ""). |
| IDP_SIGN_IN_URI | string | | IDP sign-in URL. |
| IDP_SIGN_OUT_URI | string | | IDP sign-out URL. |
| IDP_ENDPOINT_URI | string | | URL of the IDP endpoint. |
| LDAP_INSECURE, IDP_INSECURE | bool | false | Allow insecure connections to the user backend (e.g. LDAP, CS3 API, …). |
| IDP_ALLOW_CLIENT_GUESTS | bool | false | Allow guest clients to access oCIS. |
| IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION | bool | false | Allow dynamic client registration. |
| IDP_ENCRYPTION_SECRET_FILE | string | ~/.ocis/idp/encryption.key | Path to the encryption secret file. If unset, a new secret is generated on each restart, which invalidates all existing sessions. |
| IDP_SIGNING_KID | string | private-key | Value of the KID (Key ID) field used in created tokens to uniquely identify the signing private key. |
| IDP_SIGNING_METHOD | string | PS256 | Signing method (JWT algorithm) used for the tokens the IDP issues (e.g. PS256). |
| IDP_SIGNING_PRIVATE_KEY_FILES | []string | [~/.ocis/idp/private-key.pem] | Private key files used for signing. |
| IDP_VALIDATION_KEYS_PATH | string | | Path to validation keys for IDP requests. |
| IDP_ACCESS_TOKEN_EXPIRATION | uint64 | 86400 | Expiration time for IDP access tokens (in seconds). |
| IDP_ID_TOKEN_EXPIRATION | uint64 | 3600 | Expiration time for IDP ID tokens (in seconds). |
| IDP_REFRESH_TOKEN_EXPIRATION | uint64 | 94608000 | Expiration time for refresh tokens (in seconds). |
| IDP_DYNAMIC_CLIENT_SECRET_DURATION | uint64 | 0 | Expiration time for the secrets of dynamically registered clients (in seconds). |
| LDAP_URI, IDP_LDAP_URI | string | ldaps://localhost:9235 | URL of the LDAP server used as the user backend. |
| LDAP_CACERT, IDP_LDAP_TLS_CACERT | string | ~/.ocis/idm/ldap.crt | Path to the CA certificate used to verify the LDAP server's TLS certificate. |
| LDAP_BIND_DN, IDP_LDAP_BIND_DN | string | uid=idp,ou=sysusers,o=libregraph-idm | LDAP DN to use for simple bind authentication with the target LDAP server. |
| LDAP_BIND_PASSWORD, IDP_LDAP_BIND_PASSWORD | string | | Password to use for authenticating the 'bind_dn'. |
| LDAP_USER_BASE_DN, IDP_LDAP_BASE_DN | string | ou=users,o=libregraph-idm | Search base DN for looking up LDAP users. |
| LDAP_USER_SCOPE, IDP_LDAP_SCOPE | string | sub | LDAP search scope to use when looking up users ('base', 'one', 'sub'). |
| IDP_LDAP_LOGIN_ATTRIBUTE | string | uid | LDAP user attribute to use for login (e.g. uid). |
| LDAP_USER_SCHEMA_MAIL, IDP_LDAP_EMAIL_ATTRIBUTE | string | mail | LDAP user email attribute (e.g. mail). |
| LDAP_USER_SCHEMA_USERNAME, IDP_LDAP_NAME_ATTRIBUTE | string | displayName | LDAP user name attribute (e.g. displayName). |
| LDAP_USER_SCHEMA_ID, IDP_LDAP_UUID_ATTRIBUTE | string | uid | LDAP user UUID attribute (e.g. uid). |
| IDP_LDAP_UUID_ATTRIBUTE_TYPE | string | text | LDAP user UUID attribute type (e.g. text). |
| LDAP_USER_FILTER, IDP_LDAP_FILTER | string | | LDAP filter to add to the default filters for user search (e.g. '(objectclass=ownCloud)'). |
| LDAP_USER_OBJECTCLASS, IDP_LDAP_OBJECTCLASS | string | inetOrgPerson | LDAP user ObjectClass (e.g. inetOrgPerson). |

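Several of the settings above are safe only in combination: a non-loopback IDP_HTTP_ADDR needs IDP_TLS (or a TLS-terminating proxy in front), a non-loopback IDP_DEBUG_ADDR needs IDP_DEBUG_TOKEN, IDP_INSECURE/LDAP_INSECURE switches off certificate checks towards the user backend, a plaintext ldap:// LDAP_URI sends the bind password and every user's credentials in clear, and the issuer must be an https URL. The following pre-flight script is an added example, not part of oCIS or its documentation: it resolves the variables from the environment using the defaults in the table and reports such combinations. It assumes that the service-specific IDP_* variable takes precedence over its OCIS_*/LDAP_* alias (the table lists both names without stating an order) and that boolean values are parsed the way Go's strconv.ParseBool does; both are labelled in the code.

```python
"""Pre-flight check for IDP service environment settings.

Added example, not part of oCIS. Resolves the variables documented in the
table above and reports settings that weaken the deployment.
"""
import os
import sys

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def setting(env: dict, default: str, *names: str) -> str:
    """First non-empty variable in `names` wins, then the table default.

    Assumption: the service-specific IDP_* name overrides its shared
    OCIS_*/LDAP_* alias, so callers list the IDP_* name first.
    """
    for name in names:
        value = env.get(name, "")
        if value != "":
            return value
    return default


def parse_bool(value: str) -> bool:
    """Spellings accepted by Go's strconv.ParseBool (assumed to be what the service uses)."""
    return value in {"1", "t", "T", "true", "True", "TRUE"}


def is_loopback(addr: str) -> bool:
    """True for host:port bind addresses on the loopback interface.

    An empty host (":9130"), 0.0.0.0 or any other address means the
    listener is reachable from other hosts.
    """
    host = addr.rsplit(":", 1)[0] if ":" in addr else addr
    return host.strip("[]") in LOOPBACK_HOSTS


def idp_findings(env: dict) -> list:
    """Return the list of findings; an empty list means nothing was flagged."""
    def get(default, *names):
        return setting(env, default, *names)

    findings = []

    http_addr = get("127.0.0.1:9130", "IDP_HTTP_ADDR")
    if not is_loopback(http_addr) and not parse_bool(get("false", "IDP_TLS")):
        findings.append(
            f"IDP_HTTP_ADDR={http_addr} listens beyond loopback with IDP_TLS off; "
            "terminate TLS in front of it or set IDP_TLS=true with "
            "IDP_TRANSPORT_TLS_CERT/IDP_TRANSPORT_TLS_KEY")

    debug_addr = get("127.0.0.1:9134", "IDP_DEBUG_ADDR")
    if not is_loopback(debug_addr) and not get("", "IDP_DEBUG_TOKEN"):
        findings.append(
            f"IDP_DEBUG_ADDR={debug_addr} exposes metrics/health/config/debug "
            "endpoints beyond loopback without IDP_DEBUG_TOKEN")

    if parse_bool(get("false", "IDP_INSECURE", "LDAP_INSECURE")):
        findings.append(
            "IDP_INSECURE/LDAP_INSECURE=true disables certificate verification "
            "towards the user backend (LDAP, CS3)")

    ldap_uri = get("ldaps://localhost:9235", "IDP_LDAP_URI", "LDAP_URI")
    if not ldap_uri.startswith("ldaps://"):
        findings.append(
            f"LDAP_URI={ldap_uri} is not ldaps://; the bind password and user "
            "credentials would cross the network unencrypted")

    if not get("", "IDP_LDAP_BIND_PASSWORD", "LDAP_BIND_PASSWORD"):
        findings.append("LDAP_BIND_PASSWORD is empty")

    issuer = get("https://localhost:9200", "IDP_ISS", "OCIS_OIDC_ISSUER", "OCIS_URL")
    if not issuer.startswith("https://"):
        findings.append(
            f"issuer {issuer} is not https://; OpenID Connect Discovery requires "
            "an https issuer URL")

    if parse_bool(get("false", "IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION")):
        findings.append(
            "IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION=true lets clients register "
            "themselves at runtime; confirm this is intended and review "
            "IDP_DYNAMIC_CLIENT_SECRET_DURATION")

    return findings


if __name__ == "__main__":
    problems = idp_findings(dict(os.environ))
    for problem in problems:
        print("FAIL:", problem)
    print("ok" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it in the shell (or container) that carries the service's environment; a non-zero exit stops a deployment pipeline. The defaults in the table already pass every check except the empty bind password, so a deployment that only sets LDAP_URI, LDAP_BIND_PASSWORD and OCIS_URL comes out clean.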

YAML Example

# Autogenerated
# Filename: idp-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9134
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9130
  root: /
  tls_cert: ~/.ocis/idp/server.crt
  tls_key: ~/.ocis/idp/server.key
  tls: false
reva:
  address: 127.0.0.1:9142
machine_auth_api_key: ""
asset:
  asset: ""
idp:
  iss: https://localhost:9200
  identity_manager: ldap
  uri_base_path: ""
  sign_in_uri: ""
  signed_out_uri: ""
  authorization_endpoint_uri: ""
  insecure: false
  trusted_proxy: []
  allow_scope: []
  allow_client_guests: false
  allow_dynamic_client_registration: false
  encrypt_secret_file: ~/.ocis/idp/encryption.key
  listen: ""
  identifierdefaultbannerlogo: ""
  identifierdefaultsigninpagetext: ""
  identifierdefaultusernamehinttext: ""
  identifieruilocales: []
  signing_kid: private-key
  signing_method: PS256
  signing_private_key_files:
  - ~/.ocis/idp/private-key.pem
  validation_keys_path: ""
  cookiebackenduri: ""
  cookienames: []
  access_token_duration_seconds: 86400
  id_token_duration_seconds: 3600
  refresh_token_duration_seconds: 94608000
  dynamic_client_secret_duration_seconds: 0
clients:
- id: web
  name: ownCloud Web app
  trusted: true
  secret: ""
  redirect_uris:
  - '{{OCIS_URL}}/'
  - '{{OCIS_URL}}/oidc-callback.html'
  - '{{OCIS_URL}}/oidc-silent-redirect.html'
  origins:
  - '{{OCIS_URL}}'
  application_type: ""
- id: ocis-explorer.js
  name: oCIS Graph Explorer
  trusted: true
  secret: ""
  redirect_uris:
  - '{{OCIS_URL}}/graph-explorer/'
  origins:
  - '{{OCIS_URL}}'
  application_type: ""
- id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
  name: ownCloud desktop app
  trusted: false
  secret: UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
  redirect_uris:
  - http://127.0.0.1
  - http://localhost
  origins: []
  application_type: native
- id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
  name: ownCloud Android app
  trusted: false
  secret: dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD
  redirect_uris:
  - oc://android.owncloud.com
  origins: []
  application_type: native
- id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
  name: ownCloud iOS app
  trusted: false
  secret: KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx
  redirect_uris:
  - oc://ios.owncloud.com
  - oc.ios://ios.owncloud.com
  origins: []
  application_type: native
ldap:
  uri: ldaps://localhost:9235
  cacert: ~/.ocis/idm/ldap.crt
  bind_dn: uid=idp,ou=sysusers,o=libregraph-idm
  bind_password: ""
  base_dn: ou=users,o=libregraph-idm
  scope: sub
  login_attribute: uid
  email_attribute: mail
  name_attribute: displayName
  uuid_attribute: uid
  uuid_attribute_type: text
  filter: ""
  objectclass: inetOrgPerson
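The `clients:` list above is the allow-list the IDP consults before it sends an authorization code to a redirect URI or answers a cross-origin token request, so the matching rule decides whether a crafted `redirect_uri` can leak a code to an attacker's host. The script below is an added example and not lico/konnect's own matching code (the page does not spell out its rules): it applies exact string matching after expanding `{{OCIS_URL}}`, relaxes only the port for native clients that redirect to the loopback interface, as RFC 8252 section 7.3 requires, and rejects any URI carrying a fragment (RFC 6749 section 3.1.2). It assumes OCIS_URL is https://ocis.example.org, treats `localhost` like 127.0.0.1 because the desktop entry registers both, and copies three of the client entries from the example without their secrets.

```python
"""Redirect URI and origin validation against the IDP client list.

Added example, not code from oCIS or lico/konnect. It implements the rules
an OpenID provider is expected to apply (exact matching, loopback port
relaxation for native clients per RFC 8252 section 7.3) so that the client
entries from the YAML example can be checked offline.
"""
from urllib.parse import urlsplit

# Constructed value; in a deployment this comes from the OCIS_URL variable.
OCIS_URL = "https://ocis.example.org"

# Subset of the `clients:` entries above, as Python data, secrets omitted.
CLIENTS = [
    {
        "id": "web",
        "application_type": "",
        "redirect_uris": [
            "{{OCIS_URL}}/",
            "{{OCIS_URL}}/oidc-callback.html",
            "{{OCIS_URL}}/oidc-silent-redirect.html",
        ],
        "origins": ["{{OCIS_URL}}"],
    },
    {
        "id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
        "application_type": "native",
        "redirect_uris": ["http://127.0.0.1", "http://localhost"],
        "origins": [],
    },
    {
        "id": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
        "application_type": "native",
        "redirect_uris": ["oc://android.owncloud.com"],
        "origins": [],
    },
]

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def expand(template: str, ocis_url: str = OCIS_URL) -> str:
    """Substitute the {{OCIS_URL}} placeholder used in the YAML example."""
    return template.replace("{{OCIS_URL}}", ocis_url.rstrip("/"))


def find_client(client_id: str, clients=CLIENTS):
    """Look up a registered client by id; None when unknown."""
    for client in clients:
        if client["id"] == client_id:
            return client
    return None


def _loopback_match(registered: str, requested: str) -> bool:
    """RFC 8252 section 7.3: a native client picks the loopback port at request
    time, so everything except the port must still match exactly."""
    reg, req = urlsplit(registered), urlsplit(requested)
    if reg.scheme != "http" or req.scheme != "http":
        return False
    if reg.hostname not in LOOPBACK_HOSTS or reg.hostname != req.hostname:
        return False
    # An empty path and "/" name the same location; the query must be identical.
    return (reg.path or "/") == (req.path or "/") and reg.query == req.query


def redirect_uri_allowed(client, requested: str, ocis_url: str = OCIS_URL) -> bool:
    """True only when `requested` matches one of the client's registered URIs.

    Exact comparison after placeholder expansion; no prefix or host-suffix
    matching, so https://ocis.example.org.evil.com/... never passes. The only
    relaxation is the loopback port for native clients. Fragments are refused.
    """
    if client is None or "#" in requested:
        return False
    for template in client.get("redirect_uris", []):
        registered = expand(template, ocis_url)
        if requested == registered:
            return True
        if client.get("application_type") == "native" and _loopback_match(registered, requested):
            return True
    return False


def origin_allowed(client, origin: str, ocis_url: str = OCIS_URL) -> bool:
    """CORS origin check for browser clients: exact match only."""
    if client is None:
        return False
    return any(origin == expand(o, ocis_url) for o in client.get("origins", []))


if __name__ == "__main__":
    web = find_client("web")
    for uri in ("https://ocis.example.org/oidc-callback.html",
                "https://ocis.example.org.evil.com/oidc-callback.html",
                "http://ocis.example.org/oidc-callback.html"):
        print(uri, "->", "allowed" if redirect_uri_allowed(web, uri) else "rejected")
```

The `{{OCIS_URL}}` expansion is why OCIS_URL must be the exact public origin, scheme included: if it is set to an http:// URL the web client's registered redirect URIs become http:// and a browser redirect to the https:// origin is rejected, while setting it to the https:// origin makes the plain http:// variant fail as intended.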