Skip to content

External idp | new variables for various clients #270

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MannixTT wants to merge 3 commits into
base: main
Choose a base branch
from
Open

External idp | new variables for various clients #270

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
68ddb4e
Update external-idp.yml
MannixTT Apr 8, 2026
212f87a
Update .env.example
MannixTT Apr 8, 2026
86f1d6f
Update external-idp.yml
MannixTT Apr 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions .env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -313,6 +313,25 @@ IDP_DOMAIN=
IDP_ISSUER_URL=
# Url of the account edit page from your Identity Provider.
IDP_ACCOUNT_URL=
# Global Client ID, you can overwrite it by defining a client specific client id
OC_OIDC_CLIENT_ID="{{ item.oc_oidc_client_id }}"
# Declares which property should be used for the oidc claim
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM="roles"
# claim_role to opencloud mapping
OC_OIDC_CLIENT_SCOPES="openid profile email roles offline_access"
# Unfortunetely needed at the moment (be careful to set it to none in prod)
# PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
Copy link
Copy Markdown
Contributor

@streaminganger streaminganger Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this can be misunderstood as being a var you can activate by uncommenting

Copy link
Copy Markdown
Author

@MannixTT MannixTT Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it should be clear that the vars there are only available when you reference the dockerfile external-idp as mentioned above in this section

Copy link
Copy Markdown
Member

@micbar micbar Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All vars should default to empty

# Allow OpenCloud, to show Authentik Login-Frame
PROXY_CSP_CONFIG_FILE_LOCATION="/etc/ocis/csp.yaml"
Copy link
Copy Markdown
Contributor

@streaminganger streaminganger Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ocis? wouldnt it break csp?

Copy link
Copy Markdown
Member

@micbar micbar Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please remove that line.

# Client specific environment vars
#WEBFINGER_WEB_OIDC_CLIENT_ID=
#WEBFINGER_WEB_OIDC_CLIENT_SCOPES=
#WEBFINGER_IOS_OIDC_CLIENT_ID=
#WEBFINGER_IOS_OIDC_CLIENT_SCOPES=
#WEBFINGER_ANDROID_OIDC_CLIENT_ID=
#WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES=
#WEBFINGER_DESKTOP_OIDC_CLIENT_ID=
#WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES=

## Shared User Directory Mode ##
# Use together with idm/ldap-keycloak.yml and traefik/ldap-keycloak.yml
Expand Down
14 changes: 13 additions & 1 deletion idm/external-idp.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,17 @@ services:
GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
PROXY_OIDC_REWRITE_WELLKNOWN: "true"
WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
Copy link
Copy Markdown
Member

@micbar micbar Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is only the override value. We should have that empty.

OC_OIDC_CLIENT_SCOPES: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-openid profile email roles offline_access}
Copy link
Copy Markdown
Member

@micbar micbar Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, just an empty value will be enough

PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-roles}
WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
Copy link
Copy Markdown
Member

@micbar micbar Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should default to empty, the default of the opencloud code is already web

WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
Copy link
Copy Markdown
Member

@micbar micbar Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should default to openid profile email roles without offline_access.

Explanation: Web can refresh its access token without offline access, caused by the nature of it being a wen client. Giving a refresh token to an untrusted client is not good. On top: offline tokens are causing heavy load on OIDC Provider session handling.

WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
Copy link
Copy Markdown
Member

@micbar micbar Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should default to empty. The product default is OpenCloudAndroid

WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
Copy link
Copy Markdown
Member

@micbar micbar Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be empty. The product default is openid profile email offline_access

WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
Copy link
Copy Markdown
Member

@micbar micbar Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should default to empty. The product default is OpenCloudIOS

WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
Copy link
Copy Markdown
Member

@micbar micbar Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be empty. The product default is openid profile email offline_access

WEBFINGER_DESKTOP_OIDC_CLIENT_ID: ${WEBFINGER_DESKTOP_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
Copy link
Copy Markdown
Member

@micbar micbar Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should default to empty. The product default is OpenCloudDesktop

WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES: ${WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
Copy link
Copy Markdown
Member

@micbar micbar Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be empty. The product default is openid profile email offline_access

PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}
# This specifies to start all services except idm and idp. These are replaced by external services.
Expand Down Expand Up @@ -45,6 +55,8 @@ services:
WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
ldap-server:
image: bitnamilegacy/openldap:2.6
# Bitnami images require GID 0 to write to internal socket and PID directories
user: ${LDAP_UID_GID:-1000:0}
Copy link
Copy Markdown
Contributor

@streaminganger streaminganger Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what issue does this fix

Copy link
Copy Markdown
Author

@MannixTT MannixTT Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I owned the complete stack with my docker user, but the container isn't able to run rootless.

Copy link
Copy Markdown
Contributor

@streaminganger streaminganger Apr 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I owned the complete stack with my docker user, but the container isn't able to run rootless.

looks like it will help those using rootless. i think you can consider decoupling this fix into a separate pr

Copy link
Copy Markdown
Member

@micbar micbar Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please keep the scope of this PR small. That should be a different PR.

networks:
opencloud-net:
entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
Expand Down