External idp | new variables for various clients#270
External idp | new variables for various clients#270MannixTT wants to merge 3 commits intoopencloud-eu:mainfrom
Conversation
adapt docker compose for new variables regarding external idp
Update environment variables for new variables regarding external idp settings
adapt defaults - otherwise it will not behave as expected
| # claim_role to opencloud mapping | ||
| OC_OIDC_CLIENT_SCOPES="openid profile email roles offline_access" | ||
| # Unfortunetely needed at the moment (be careful to set it to none in prod) | ||
| # PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none |
There was a problem hiding this comment.
this can be misunderstood as being a var you can activate by uncommenting
There was a problem hiding this comment.
I think it should be clear that the vars there are only available when you reference the dockerfile external-idp as mentioned above in this section
There was a problem hiding this comment.
All vars should default to empty
| # Unfortunetely needed at the moment (be careful to set it to none in prod) | ||
| # PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none | ||
| # Allow OpenCloud, to show Authentik Login-Frame | ||
| PROXY_CSP_CONFIG_FILE_LOCATION="/etc/ocis/csp.yaml" |
There was a problem hiding this comment.
ocis? wouldnt it break csp?
| ldap-server: | ||
| image: bitnamilegacy/openldap:2.6 | ||
| # Bitnami images require GID 0 to write to internal socket and PID directories | ||
| user: ${LDAP_UID_GID:-1000:0} |
There was a problem hiding this comment.
what issue does this fix
There was a problem hiding this comment.
I owned the complete stack with my docker user, but the container isn't able to run rootless.
There was a problem hiding this comment.
I owned the complete stack with my docker user, but the container isn't able to run rootless.
looks like it will help those using rootless. i think you can consider decoupling this fix into a separate pr
There was a problem hiding this comment.
please keep the scope of this PR small. That should be a different PR.
| FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments" | ||
| PROXY_OIDC_REWRITE_WELLKNOWN: "true" | ||
| WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web} | ||
| OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web} |
There was a problem hiding this comment.
This is only the override value. We should have that empty.
| PROXY_OIDC_REWRITE_WELLKNOWN: "true" | ||
| WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web} | ||
| OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web} | ||
| OC_OIDC_CLIENT_SCOPES: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-openid profile email roles offline_access} |
There was a problem hiding this comment.
Same here, just an empty value will be enough
| OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web} | ||
| OC_OIDC_CLIENT_SCOPES: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-openid profile email roles offline_access} | ||
| PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-roles} | ||
| WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} |
There was a problem hiding this comment.
This should default to empty, the default of the opencloud code is already web
| OC_OIDC_CLIENT_SCOPES: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-openid profile email roles offline_access} | ||
| PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-roles} | ||
| WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} | ||
| WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}} |
There was a problem hiding this comment.
This should default to openid profile email roles without offline_access.
Explanation: Web can refresh its access token without offline access, caused by the nature of it being a wen client. Giving a refresh token to an untrusted client is not good. On top: offline tokens are causing heavy load on OIDC Provider session handling.
| PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-roles} | ||
| WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} | ||
| WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}} | ||
| WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} |
There was a problem hiding this comment.
Should default to empty. The product default is OpenCloudAndroid
| WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} | ||
| WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}} | ||
| WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} | ||
| WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}} |
There was a problem hiding this comment.
This should be empty. The product default is openid profile email offline_access
| WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}} | ||
| WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} | ||
| WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}} | ||
| WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} |
There was a problem hiding this comment.
Should default to empty. The product default is OpenCloudIOS
| WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} | ||
| WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}} | ||
| WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} | ||
| WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}} |
There was a problem hiding this comment.
This should be empty. The product default is openid profile email offline_access
| WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}} | ||
| WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} | ||
| WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}} | ||
| WEBFINGER_DESKTOP_OIDC_CLIENT_ID: ${WEBFINGER_DESKTOP_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} |
There was a problem hiding this comment.
Should default to empty. The product default is OpenCloudDesktop
| WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} | ||
| WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}} | ||
| WEBFINGER_DESKTOP_OIDC_CLIENT_ID: ${WEBFINGER_DESKTOP_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}} | ||
| WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES: ${WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}} |
There was a problem hiding this comment.
This should be empty. The product default is openid profile email offline_access
3 participants
I removed legacy environment variables and added the new variables to be able to setup authentik for example.