IDP Service Configuration

Introduction

The Infinite Scale IDP service

Configuration

Environment Variables

The idp extension is configured via the following environment variables:

Environment variables for the idp service
Each entry gives the variable name(s), the type, the default value (if any) and a description. Where several names are listed they are aliases of one setting: the OCIS_* and LDAP_* forms are global and shared with other services, and the service-specific IDP_* form takes precedence if both are set.

IDP_PASSWORD_RESET_URI
  string, no default
  The URI where a user can reset their password.

OCIS_TRACING_ENABLED
IDP_TRACING_ENABLED
  bool, default false
  Activates tracing.

OCIS_TRACING_TYPE
IDP_TRACING_TYPE
  string, no default
  The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now.

OCIS_TRACING_ENDPOINT
IDP_TRACING_ENDPOINT
  string, no default
  The endpoint of the tracing agent.

OCIS_TRACING_COLLECTOR
IDP_TRACING_COLLECTOR
  string, no default
  The HTTP endpoint for sending spans directly to a collector, e.g. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.

OCIS_LOG_LEVEL
IDP_LOG_LEVEL
  string, no default
  The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace".

OCIS_LOG_PRETTY
IDP_LOG_PRETTY
  bool, default false
  Activates pretty log output.

OCIS_LOG_COLOR
IDP_LOG_COLOR
  bool, default false
  Activates colorized log output.

OCIS_LOG_FILE
IDP_LOG_FILE
  string, no default
  The path to the log file. Activates logging to this file if set.

IDP_DEBUG_ADDR
  string, default 127.0.0.1:9134
  Bind address of the debug server, where the metrics, health, config and debug endpoints are exposed.

IDP_DEBUG_TOKEN
  string, no default
  Token to secure the metrics endpoint.

IDP_DEBUG_PPROF
  bool, default false
  Enables pprof, which can be used for profiling.

IDP_DEBUG_ZPAGES
  bool, default false
  Enables zpages, which can be used for collecting and viewing in-memory traces.

IDP_HTTP_ADDR
  string, default 127.0.0.1:9130
  The bind address of the HTTP service.

IDP_HTTP_ROOT
  string, default /
  Subdirectory that serves as the root for this HTTP service.

IDP_TRANSPORT_TLS_CERT
  string, default ~/.ocis/idp/server.crt
  Path/File name of the TLS server certificate (in PEM format) for the IDP service.

IDP_TRANSPORT_TLS_KEY
  string, default ~/.ocis/idp/server.key
  Path/File name of the TLS private key (in PEM format) belonging to the server certificate of the IDP service.

IDP_TLS
  bool, default false
  Enable/Disable HTTPS for the IDP service.

REVA_GATEWAY
  string, default 127.0.0.1:9142
  The CS3 gateway endpoint.

OCIS_GRPC_CLIENT_TLS_MODE
  string, no default
  TLS mode for the gRPC connection to the go-micro based gRPC services. Possible values are 'off', 'insecure' and 'on'. 'off' disables transport security for the clients. 'insecure' uses transport security but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security including server certificate verification.

OCIS_GRPC_CLIENT_TLS_CACERT
  string, no default
  Path/File name of the root CA certificate (in PEM format) used to validate the TLS server certificates of the go-micro based gRPC services.

OCIS_MACHINE_AUTH_API_KEY
IDP_MACHINE_AUTH_API_KEY
  string, no default
  Machine auth API key used to validate internal requests necessary for accessing resources from other services.

IDP_ASSET_PATH
  string, no default
  Serve IDP assets from a path on the filesystem instead of the builtin assets.

OCIS_URL
OCIS_OIDC_ISSUER
IDP_ISS
  string, default https://localhost:9200
  The OIDC issuer URL to use.

IDP_IDENTITY_MANAGER
  string, default ldap
  The identity manager implementation to use. Supported identity managers are 'ldap', 'cs3', 'kc', 'libregraph', 'cookie' and 'guest'.

IDP_URI_BASE_PATH
  string, no default
  IDP URI base path (defaults to "").

IDP_SIGN_IN_URI
  string, no default
  IDP sign-in URL.

IDP_SIGN_OUT_URI
  string, no default
  IDP sign-out URL.

IDP_ENDPOINT_URI
  string, no default
  URL of the IDP endpoint.

LDAP_INSECURE
IDP_INSECURE
  bool, default false
  Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.

IDP_ALLOW_CLIENT_GUESTS
  bool, default false
  Allow guest clients to access oCIS.

IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION
  bool, default false
  Allow dynamic client registration.

IDP_ENCRYPTION_SECRET_FILE
  string, default ~/.ocis/idp/encryption.key
  Path to the encryption secret file. If unset, a new secret is generated on each restart, which invalidates all existing sessions.

IDP_SIGNING_KID
  string, default private-key
  Value of the KID (Key ID) header field placed in issued tokens to uniquely identify the signing private key.

IDP_SIGNING_METHOD
  string, default PS256
  Signing method (JWS algorithm) used for the tokens the IDP issues, e.g. 'PS256'.

IDP_SIGNING_PRIVATE_KEY_FILES
  []string, default [~/.ocis/idp/private-key.pem]
  Private key files used for signing.

IDP_VALIDATION_KEYS_PATH
  string, no default
  Path to validation keys for IDP requests.

IDP_ACCESS_TOKEN_EXPIRATION
  uint64, default 300
  Access token lifespan in seconds (time before an access token expires).

IDP_ID_TOKEN_EXPIRATION
  uint64, default 300
  ID token lifespan in seconds (time before an ID token expires).

IDP_REFRESH_TOKEN_EXPIRATION
  uint64, default 2592000
  Refresh token lifespan in seconds (time before a refresh token expires). This also limits the duration of an idle offline session.

IDP_DYNAMIC_CLIENT_SECRET_DURATION
  uint64, default 0
  Lifespan in seconds of the client secret issued to a dynamically registered OIDC client.

LDAP_URI
IDP_LDAP_URI
  string, default ldaps://localhost:9235
  URL of the LDAP server the IDP uses as its identity backend.

LDAP_CACERT
IDP_LDAP_TLS_CACERT
  string, default ~/.ocis/idm/ldap.crt
  Path/File name of the root CA certificate (in PEM format) used to validate the TLS server certificate of the LDAP service.

LDAP_BIND_DN
IDP_LDAP_BIND_DN
  string, default uid=idp,ou=sysusers,o=libregraph-idm
  LDAP DN to use for simple bind authentication with the target LDAP server.

LDAP_BIND_PASSWORD
IDP_LDAP_BIND_PASSWORD
  string, no default
  Password to use for authenticating the 'bind_dn'.

LDAP_USER_BASE_DN
IDP_LDAP_BASE_DN
  string, default ou=users,o=libregraph-idm
  Search base DN for looking up LDAP users.

LDAP_USER_SCOPE
IDP_LDAP_SCOPE
  string, default sub
  LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.

IDP_LDAP_LOGIN_ATTRIBUTE
  string, default uid
  LDAP user attribute to use for login, e.g. 'uid'.

LDAP_USER_SCHEMA_MAIL
IDP_LDAP_EMAIL_ATTRIBUTE
  string, default mail
  LDAP user email attribute, e.g. 'mail'.

LDAP_USER_SCHEMA_USERNAME
IDP_LDAP_NAME_ATTRIBUTE
  string, default displayName
  LDAP user name attribute, e.g. 'displayName'.

LDAP_USER_SCHEMA_ID
IDP_LDAP_UUID_ATTRIBUTE
  string, default uid
  LDAP user UUID attribute, e.g. 'uid'.

IDP_LDAP_UUID_ATTRIBUTE_TYPE
  string, default text
  Type of the LDAP user UUID attribute, e.g. 'text'.

LDAP_USER_FILTER
IDP_LDAP_FILTER
  string, no default
  LDAP filter added to the default filters for the user search, e.g. '(objectclass=ownCloud)'.

LDAP_USER_OBJECTCLASS
IDP_LDAP_OBJECTCLASS
  string, default inetOrgPerson
  LDAP user object class, e.g. 'inetOrgPerson'.
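The signing settings (IDP_SIGNING_METHOD, IDP_SIGNING_KID, IDP_SIGNING_PRIVATE_KEY_FILES) together with the token lifetimes determine the shape of the tokens this IDP issues and what a consuming service has to check. The following Go program is an added example written for this page; it is not oCIS or LibreGraph Connect code. It signs a minimal JWT with RSASSA-PSS/SHA-256 (which is what PS256 means), tags it with the kid, and then validates it the way a resource server should: the algorithm is pinned (so an alg=none or HS256 header is rejected), the kid is resolved against a key set, the signature is checked before any claim is trusted, and issuer and expiry are enforced. The issuer URL, subject, key and the 300-second lifetime are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Header and Claims cover only the JWT fields this example signs and checks.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// PS256 (RFC 7518): RSASSA-PSS with SHA-256 and a salt as long as the digest.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

// b64 is the unpadded base64url encoding JWS segments use.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodePart base64url-decodes one token segment and unmarshals it into v.
func decodePart(s string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// SignPS256 builds a compact JWS as IDP_SIGNING_METHOD=PS256 would, carrying
// IDP_SIGNING_KID in the header so a validator can select the right public key.
func SignPS256(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(Header{Alg: "PS256", Kid: kid})
	p, _ := json.Marshal(c)
	input := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyPS256 validates as a resource server must: pin the algorithm (no "none"
// or HS256 downgrade) and resolve kid against a key set, check the signature
// before trusting any claim, then enforce iss and exp.
func VerifyPS256(token string, keys map[string]*rsa.PublicKey, iss string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var h Header
	if err := decodePart(parts[0], &h); err != nil {
		return nil, err
	}
	pub, ok := keys[h.Kid]
	if h.Alg != "PS256" || !ok {
		return nil, fmt.Errorf("rejected header alg=%q kid=%q", h.Alg, h.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != iss {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)              // constructed demo key
	const kid, iss = "private-key", "https://ocis.example.org" // assumed issuer URL
	// 300 s is the IDP_ACCESS_TOKEN_EXPIRATION default.
	tok, _ := SignPS256(priv, kid, Claims{Iss: iss, Sub: "alice", Exp: time.Now().Unix() + 300})
	c, err := VerifyPS256(tok, map[string]*rsa.PublicKey{kid: &priv.PublicKey}, iss, time.Now())
	fmt.Println(c, err)
}
```

The order of checks in VerifyPS256 is the point: the header is parsed only to pick the algorithm and key, the signature is verified over the exact bytes received (not over re-serialized JSON), and the claims are decoded and trusted only after that. Rotating the key means adding the new public key under a new kid to the key set while the old one stays until every token signed with it has passed its exp.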

YAML Example

# Autogenerated
# Filename: idp-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9134
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9130
  root: /
  tls_cert: ~/.ocis/idp/server.crt
  tls_key: ~/.ocis/idp/server.key
  tls: false
reva:
  address: 127.0.0.1:9142
  tls:
    mode: ""
    cacert: ""
machine_auth_api_key: ""
asset:
  asset: ""
idp:
  iss: https://localhost:9200
  identity_manager: ldap
  uri_base_path: ""
  sign_in_uri: ""
  signed_out_uri: ""
  authorization_endpoint_uri: ""
  insecure: false
  trusted_proxy: []
  allow_scope: []
  allow_client_guests: false
  allow_dynamic_client_registration: false
  encrypt_secret_file: ~/.ocis/idp/encryption.key
  listen: ""
  identifierdefaultbannerlogo: ""
  identifierdefaultsigninpagetext: ""
  identifierdefaultusernamehinttext: ""
  identifieruilocales: []
  signing_kid: private-key
  signing_method: PS256
  signing_private_key_files:
  - ~/.ocis/idp/private-key.pem
  validation_keys_path: ""
  cookiebackenduri: ""
  cookienames: []
  access_token_duration_seconds: 300
  id_token_duration_seconds: 300
  refresh_token_duration_seconds: 2592000
  dynamic_client_secret_duration_seconds: 0
clients:
- id: web
  name: ownCloud Web app
  trusted: true
  secret: ""
  redirect_uris:
  - '{{OCIS_URL}}/'
  - '{{OCIS_URL}}/oidc-callback.html'
  - '{{OCIS_URL}}/oidc-silent-redirect.html'
  origins:
  - '{{OCIS_URL}}'
  application_type: ""
- id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
  name: ownCloud desktop app
  trusted: false
  secret: UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
  redirect_uris:
  - http://127.0.0.1
  - http://localhost
  origins: []
  application_type: native
- id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
  name: ownCloud Android app
  trusted: false
  secret: dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD
  redirect_uris:
  - oc://android.owncloud.com
  origins: []
  application_type: native
- id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
  name: ownCloud iOS app
  trusted: false
  secret: KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx
  redirect_uris:
  - oc://ios.owncloud.com
  - oc.ios://ios.owncloud.com
  origins: []
  application_type: native
ldap:
  uri: ldaps://localhost:9235
  cacert: ~/.ocis/idm/ldap.crt
  bind_dn: uid=idp,ou=sysusers,o=libregraph-idm
  bind_password: ""
  base_dn: ou=users,o=libregraph-idm
  scope: sub
  login_attribute: uid
  email_attribute: mail
  name_attribute: displayName
  uuid_attribute: uid
  uuid_attribute_type: text
  filter: ""
  objectclass: inetOrgPerson
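The generated example above is a development configuration: gRPC TLS verification towards the gateway is unset, the debug server carries no token, the LDAP bind password sits in the file, and every key lives under ~/.ocis. The idp.yaml below is an added example written for this page, not a file shipped by oCIS; hostnames, paths, CA bundles and the key-rotation naming are assumptions, and it assumes the usual layout in which the oCIS proxy in front of the IDP terminates TLS. Each comment names the default from the generated example that the line replaces.

```yaml
# idp.yaml: added production-oriented example (not the autogenerated
# idp-config-example.yaml). Hostnames, paths, CA bundles and the rotation
# naming are assumptions; comments name the default each line replaces.
debug:
  addr: 127.0.0.1:9134        # keep on loopback; pprof and config endpoints must not be reachable from the network
  token: CHANGE-ME-long-random-token   # default "" leaves the metrics endpoint unauthenticated
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9130        # loopback only; assumes the proxy in front terminates TLS
  root: /
  tls: false                  # set to true (with tls_cert/tls_key) if this listener is ever bound to a non-loopback address
reva:
  address: 127.0.0.1:9142
  tls:
    mode: "on"                # default "" and "insecure" skip certificate verification; keep the quotes, an unquoted on is a YAML boolean
    cacert: /etc/ocis/pki/ocis-grpc-ca.crt
idp:
  iss: https://ocis.example.org   # same value as OCIS_URL; the two are aliases
  identity_manager: ldap
  insecure: false             # true disables LDAP certificate validation
  allow_client_guests: false
  allow_dynamic_client_registration: false   # unknown software cannot register itself as a client
  encrypt_secret_file: /var/lib/ocis/idp/encryption.key   # persistent, mode 0600; without it every restart invalidates all sessions
  signing_kid: idp-2024-03    # rotate the kid together with the key
  signing_method: PS256
  signing_private_key_files:
  - /var/lib/ocis/idp/idp-2024-03.pem
  validation_keys_path: /var/lib/ocis/idp/validation-keys   # assumed use: keys still accepted for validation after a rotation
  access_token_duration_seconds: 300
  id_token_duration_seconds: 300
  refresh_token_duration_seconds: 604800   # 7 days instead of the 30-day default; this bounds an idle offline session
  dynamic_client_secret_duration_seconds: 0
clients:
- id: web
  name: ownCloud Web app
  trusted: true
  secret: ""                  # browser client: no secret, exact redirect_uris and origins are the only binding
  redirect_uris:
  - https://ocis.example.org/
  - https://ocis.example.org/oidc-callback.html
  - https://ocis.example.org/oidc-silent-redirect.html
  origins:
  - https://ocis.example.org
  application_type: ""
# The native app entries are taken over unchanged from the generated example.
# Their secrets are printed in public documentation, so they authenticate
# nothing; what protects those clients is the exact redirect_uris list.
ldap:
  uri: ldaps://idm.example.org:636   # ldaps, otherwise the simple-bind password crosses the wire in clear text
  cacert: /etc/ocis/pki/idm-ca.crt
  bind_dn: uid=idp,ou=sysusers,o=libregraph-idm
  bind_password: ""           # leave empty in the file; inject via LDAP_BIND_PASSWORD from a secret store
  base_dn: ou=users,o=libregraph-idm
  scope: sub
  login_attribute: uid
  email_attribute: mail
  name_attribute: displayName
  uuid_attribute: uid
  uuid_attribute_type: text
  filter: ""
  objectclass: inetOrgPerson
```

Two of these settings deserve a second look before deployment. The encryption secret file and the signing private key are the two files whose loss or exposure matters most: losing them only invalidates sessions, but exposure of the signing key lets anyone mint tokens the whole deployment accepts, so they belong on persistent, restricted storage rather than under a home directory. The debug listener exposes config and pprof endpoints; even on loopback, set the token, because any process on the host can otherwise read the running configuration.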