IDP Service Configuration
Introduction
The Infinite Scale IDP service provides …
Services are under development because of the |
Configuration
Environment Variables
The idp extension is configured via the following environment variables:
| Name | Type | Default Value | Description |
|---|---|---|---|
| | string | | The URI where a user can reset their password. |
| | bool | false | Activates tracing. |
| | string | | The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now. |
| | string | | The endpoint of the tracing agent. |
| | string | | The HTTP endpoint for sending spans directly to a collector, e.g. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. |
| | string | | The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace". |
| | bool | false | Activates pretty log output. |
| | bool | false | Activates colorized log output. |
| | string | | The path to the log file. Activates logging to this file if set. |
| | string | 127.0.0.1:9134 | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. |
| | string | | Token to secure the metrics endpoint. |
| | bool | false | Enables pprof, which can be used for profiling. |
| | bool | false | Enables zpages, which can be used for collecting and viewing in-memory traces. |
| | string | 127.0.0.1:9130 | The bind address of the HTTP service. |
| | string | / | Subdirectory that serves as the root for this HTTP service. |
| | string | ~/.ocis/idp/server.crt | |
| | string | ~/.ocis/idp/server.key | |
| | bool | false | |
| | string | 127.0.0.1:9142 | CS3 gateway used to authenticate and look up users. |
| | string | | Machine auth API key used for accessing the 'auth-machine' service to impersonate users when looking up their userinfo via the 'cs3' backend. |
| | string | | Serve IDP assets from a path on the filesystem instead of the builtin assets. |
| | string | https://localhost:9200 | The OIDC issuer URL to use. |
| | string | ldap | The identity manager implementation to use, defaults to 'ldap', can be changed to 'cs3', 'kc', 'libregraph', 'cookie' or 'guest'. |
| | string | | IDP URI base path (defaults to ""). |
| | string | | IDP sign-in URL. |
| | string | | IDP sign-out URL. |
| | string | | URL of the IDP endpoint. |
| | bool | false | Allow insecure connections to the user backend (e.g. LDAP, CS3 API, …). |
| | bool | false | Allow guest clients to access ocis. |
| | bool | false | Allow dynamic client registration. |
| | string | ~/.ocis/idp/encryption.key | Path to the encryption secret file. If unset, a new certificate will be autogenerated upon each restart, thus invalidating all existing sessions. |
| | string | private-key | Value of the KID (Key ID) field which is used in created tokens to uniquely identify the signing private key. |
| | string | PS256 | Signing method of IDP requests (e.g. PS256). |
| | | [~/.ocis/idp/private-key.pem] | Private key files for signing IDP requests. |
| | string | | Path to validation keys for IDP requests. |
| | uint64 | 86400 | Expiration time for IDP access tokens (in seconds). |
| | uint64 | 3600 | Expiration time for IDP ID tokens (in seconds). |
| | uint64 | 94608000 | Expiration time for refresh tokens (in seconds). |
| | uint64 | 0 | Expiration time for dynamic clients (in seconds). |
| | string | ldaps://localhost:9235 | URL of the LDAP service to use as IDP. |
| | string | ~/.ocis/idm/ldap.crt | Path to the TLS cert for the LDAP service. |
| | string | uid=idp,ou=sysusers,o=libregraph-idm | LDAP DN to use for simple bind authentication with the target LDAP server. |
| | string | | Password to use for authenticating the 'bind_dn'. |
| | string | ou=users,o=libregraph-idm | Search base DN for looking up LDAP users. |
| | string | sub | LDAP search scope to use when looking up users ('base', 'one', 'sub'). |
| | string | uid | LDAP user attribute to use for login (e.g. uid). |
| | string | | LDAP user email attribute (e.g. mail). |
| | string | displayName | LDAP user name attribute (e.g. displayName). |
| | string | uid | LDAP user UUID attribute (e.g. uid). |
| | string | text | LDAP user UUID attribute type (e.g. text). |
| | string | | LDAP filter to add to the default filters for user search (e.g. '(objectclass=ownCloud)'). |
| | string | inetOrgPerson | LDAP user ObjectClass (e.g. inetOrgPerson). |

Since Version: + added, - deprecated
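The last rows of the table (objectclass, the login attribute and the extra user-search filter) are the pieces from which the user lookup filter is assembled. The following is an added example, not oCIS or libregraph code, showing one way to compose them and why the login value must be escaped (RFC 4515) before it lands in the filter; the AND layout of the three parts is an assumption, and `LDAP_SETTINGS` is a constructed dict mirroring the documented defaults plus the example filter.

```python
"""Building the LDAP user-search filter from the ldap.* settings
(added example, not oCIS or libregraph code)."""

# RFC 4515 escaping for a value embedded in a search filter: without it a
# login such as "*" or one containing parentheses would change the
# structure of the filter instead of being matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(ldap_settings: dict, login: str) -> str:
    """AND together the configured objectclass, the login attribute match and
    the optional admin-supplied extra filter. How the service itself composes
    these is not documented on the page; this layout is an assumption."""
    parts = [
        f"(objectclass={ldap_settings['objectclass']})",
        f"({ldap_settings['login_attribute']}={escape_filter_value(login)})",
    ]
    extra = ldap_settings.get("filter", "")
    if extra:
        # The extra filter is operator configuration, not user input, so it is
        # inserted verbatim; only the login value is escaped.
        parts.append(extra)
    return "(&" + "".join(parts) + ")"


# Constructed settings matching the documented defaults plus the example filter.
LDAP_SETTINGS = {
    "objectclass": "inetOrgPerson",
    "login_attribute": "uid",
    "filter": "(objectclass=ownCloud)",
}

if __name__ == "__main__":
    for login in ("alice", "*", "(ali*ce)"):
        print(build_user_filter(LDAP_SETTINGS, login))
```

Run it and compare the three printed filters: the plain login produces `(uid=alice)`, while the wildcard and the parentheses are emitted as `\2a`, `\28` and `\29`, so the search still matches a literal uid rather than widening to every entry under the base DN.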
YAML Example
```yaml
# Autogenerated
# Filename: idp-config-example.yaml
tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9134
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9130
  root: /
  tls_cert: ~/.ocis/idp/server.crt
  tls_key: ~/.ocis/idp/server.key
  tls: false
reva:
  address: 127.0.0.1:9142
  machine_auth_api_key: ""
asset:
  asset: ""
idp:
  iss: https://localhost:9200
  identity_manager: ldap
  uri_base_path: ""
  sign_in_uri: ""
  signed_out_uri: ""
  authorization_endpoint_uri: ""
  insecure: false
  trusted_proxy: []
  allow_scope: []
  allow_client_guests: false
  allow_dynamic_client_registration: false
  encrypt_secret_file: ~/.ocis/idp/encryption.key
  listen: ""
  identifierdefaultbannerlogo: ""
  identifierdefaultsigninpagetext: ""
  identifierdefaultusernamehinttext: ""
  identifieruilocales: []
  signing_kid: private-key
  signing_method: PS256
  signing_private_key_files:
  - ~/.ocis/idp/private-key.pem
  validation_keys_path: ""
  cookiebackenduri: ""
  cookienames: []
  access_token_duration_seconds: 86400
  id_token_duration_seconds: 3600
  refresh_token_duration_seconds: 94608000
  dynamic_client_secret_duration_seconds: 0
  clients:
  - id: web
    name: ownCloud Web app
    trusted: true
    secret: ""
    redirect_uris:
    - '{{OCIS_URL}}/'
    - '{{OCIS_URL}}/oidc-callback.html'
    - '{{OCIS_URL}}/oidc-silent-redirect.html'
    origins:
    - '{{OCIS_URL}}'
    application_type: ""
  - id: ocis-explorer.js
    name: oCIS Graph Explorer
    trusted: true
    secret: ""
    redirect_uris:
    - '{{OCIS_URL}}/graph-explorer/'
    origins:
    - '{{OCIS_URL}}'
    application_type: ""
  - id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
    name: ownCloud desktop app
    trusted: false
    secret: UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
    redirect_uris:
    - http://127.0.0.1
    - http://localhost
    origins: []
    application_type: native
  - id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
    name: ownCloud Android app
    trusted: false
    secret: dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD
    redirect_uris:
    - oc://android.owncloud.com
    origins: []
    application_type: native
  - id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
    name: ownCloud iOS app
    trusted: false
    secret: KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx
    redirect_uris:
    - oc://ios.owncloud.com
    - oc.ios://ios.owncloud.com
    origins: []
    application_type: native
ldap:
  uri: ldaps://localhost:9235
  cacert: ~/.ocis/idm/ldap.crt
  bind_dn: uid=idp,ou=sysusers,o=libregraph-idm
  bind_password: ""
  base_dn: ou=users,o=libregraph-idm
  scope: sub
  login_attribute: uid
  email_attribute: mail
  name_attribute: displayName
  uuid_attribute: uid
  uuid_attribute_type: text
  filter: ""
  objectclass: inetOrgPerson
```
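The environment-variable table and the YAML example above describe the same settings, and several of them (`http.tls`, `idp.insecure`, `idp.allow_dynamic_client_registration`, `idp.encrypt_secret_file`, the clients' `redirect_uris`, `ldap.uri`) decide how exposed the IDP is. The following is an added example, not oCIS code, that lints a configuration with the weak choices beside the corrected ones. It works on Python dicts that mirror the YAML layout (constructed values; with PyYAML installed, `yaml.safe_load` on the example file yields the same shape), all hostnames are placeholders, and the rules and severity labels are the example's own.

```python
"""Defender-side lint over an IDP configuration (added example, not oCIS code)."""
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed sample mirroring the YAML layout, deliberately weakened.
# Hostnames are placeholders.
WEAK_CONFIG = {
    "http": {"addr": "0.0.0.0:9130", "tls": False},
    "idp": {
        "iss": "http://idp.example.test:9200",
        "insecure": True,
        "allow_dynamic_client_registration": True,
        "encrypt_secret_file": "",
        "clients": [
            {"id": "web", "trusted": True, "secret": "",
             "redirect_uris": ["https://ocis.example.test/oidc-callback.html"]},
            {"id": "desktop", "trusted": False, "secret": "public-native-client-secret",
             "redirect_uris": ["http://127.0.0.1", "http://localhost"]},
            {"id": "rogue", "trusted": False, "secret": "",
             "redirect_uris": ["http://intranet.example.test/cb"]},
        ],
    },
    "ldap": {"uri": "ldap://localhost:9235", "bind_password": ""},
}

# The same settings after hardening: loopback bind behind a TLS-terminating
# proxy, https issuer, ldaps, persisted encryption secret, no dynamic registration.
HARDENED_CONFIG = {
    "http": {"addr": "127.0.0.1:9130", "tls": False},
    "idp": {
        "iss": "https://ocis.example.test",
        "insecure": False,
        "allow_dynamic_client_registration": False,
        "encrypt_secret_file": "~/.ocis/idp/encryption.key",
        "clients": [
            {"id": "web", "trusted": True, "secret": "",
             "redirect_uris": ["https://ocis.example.test/oidc-callback.html"]},
        ],
    },
    "ldap": {"uri": "ldaps://localhost:9235", "bind_password": "<placeholder-bind-password>"},
}


def _host_of(uri: str) -> str:
    return urlparse(uri).hostname or ""


def _bind_host(addr: str) -> str:
    # "host:port" as used by the addr settings; IPv6 would be "[::1]:9130".
    return addr.rsplit(":", 1)[0].strip("[]")


def lint_idp_config(cfg: dict) -> list[tuple[str, str, str]]:
    """Return (severity, setting, message) findings; an empty list means clean."""
    http, idp, ldap = cfg.get("http", {}), cfg.get("idp", {}), cfg.get("ldap", {})
    findings = []

    if not http.get("tls", False) and _bind_host(http.get("addr", "")) not in LOOPBACK_HOSTS:
        findings.append(("high", "http.tls",
                         "IDP listens on a non-loopback address without TLS"))
    if urlparse(idp.get("iss", "")).scheme != "https":
        findings.append(("high", "idp.iss", "OIDC issuer URL is not https"))
    if idp.get("insecure", False):
        findings.append(("high", "idp.insecure",
                         "certificate verification towards the user backend is disabled"))
    if idp.get("allow_dynamic_client_registration", False):
        findings.append(("medium", "idp.allow_dynamic_client_registration",
                         "arbitrary parties may register OIDC clients"))
    if not idp.get("encrypt_secret_file"):
        findings.append(("medium", "idp.encrypt_secret_file",
                         "unset: a fresh secret on every restart invalidates all sessions"))
    for client in idp.get("clients", []):
        for uri in client.get("redirect_uris", []):
            # Plain http is acceptable only for loopback redirects of native apps (RFC 8252).
            if urlparse(uri).scheme == "http" and _host_of(uri) not in LOOPBACK_HOSTS:
                findings.append(("high", f"idp.clients[{client.get('id')}].redirect_uris",
                                 f"plain-http redirect to a non-loopback host: {uri}"))
    if urlparse(ldap.get("uri", "")).scheme != "ldaps":
        findings.append(("high", "ldap.uri", "LDAP connection is not ldaps://"))
    if not ldap.get("bind_password"):
        findings.append(("low", "ldap.bind_password", "bind password is empty in this file"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = lint_idp_config(cfg)
        print(f"== {name}: {len(result)} finding(s)")
        for sev, key, msg in result:
            print(f"  [{sev}] {key}: {msg}")
```

The loopback exception in the TLS rule reflects the shipped default (`addr: 127.0.0.1:9130`, `tls: false`), which is reasonable when a TLS-terminating proxy sits in front of the service; the same exception in the redirect-URI rule is what lets the desktop client's `http://127.0.0.1` and `http://localhost` entries pass while a plain-http redirect to any other host is reported.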