Commit 2512969

feat: make role assignment settings configurable
Allow PROXY_ROLE_ASSIGNMENT_DRIVER and GRAPH_ASSIGN_DEFAULT_USER_ROLE to be set via environment variables in the .env file.

- PROXY_ROLE_ASSIGNMENT_DRIVER defaults to oidc
- GRAPH_ASSIGN_DEFAULT_USER_ROLE defaults to false

When using PROXY_ROLE_ASSIGNMENT_DRIVER=default, set GRAPH_ASSIGN_DEFAULT_USER_ROLE=true to assign the 'user' role to new users.
1 parent 59f5f17 commit 2512969

2 files changed

+10
-2
lines changed

.env.example

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -298,6 +298,14 @@ LDAP_BIND_PASSWORD=
298298

299299
## Autoprovisioning Mode ##
300300
# Use together with idm/external-idp.yml
301+
# Role assignment driver for the proxy. Defaults to "oidc".
302+
# Possible values: "oidc", "default"
303+
# When set to "oidc", roles are assigned based on OIDC claims.
304+
# When set to "default", all users get the 'user' role assigned.
305+
PROXY_ROLE_ASSIGNMENT_DRIVER=
306+
# Assign the default 'user' role to new users. Defaults to "false".
307+
# Set to "true" when using PROXY_ROLE_ASSIGNMENT_DRIVER=default
308+
GRAPH_ASSIGN_DEFAULT_USER_ROLE=
301309
# If you want to use a keycloak for local testing, you can use testing/external-keycloak.yml and testing/ldap-manager.yml
302310
# Domain of your Identity Provider.
303311
IDP_DOMAIN=
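Review bot: the comment on new line 304 ("When set to 'default', all users get the 'user' role assigned") contradicts the commit message and the comment on line 307, which say that with PROXY_ROLE_ASSIGNMENT_DRIVER=default the role is only granted once GRAPH_ASSIGN_DEFAULT_USER_ROLE=true is also set. Reword line 304 so an operator does not set the driver alone and expect users to be provisioned, for example: `# When set to "default", roles are not taken from the IdP; combine with GRAPH_ASSIGN_DEFAULT_USER_ROLE=true below so every new user gets the 'user' role.` It would also help to state in that comment that "default" grants the 'user' role to every authenticated user regardless of IdP claims, since that is the access-widening consequence an administrator needs to weigh before switching away from "oidc". Leaving both variables empty in .env.example is fine because the compose file falls back via `${VAR:-...}`, but say so in the comment ("leave empty to use the default") rather than only "Defaults to", which otherwise reads as if the empty value itself were the default.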

idm/external-idp.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ services:
1515
FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
1616
PROXY_OIDC_REWRITE_WELLKNOWN: "true"
1717
WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
18-
PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
18+
PROXY_ROLE_ASSIGNMENT_DRIVER: ${PROXY_ROLE_ASSIGNMENT_DRIVER:-oidc}
1919
OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}
2020
# This specifies to start all services except idm and idp. These are replaced by external services.
2121
OC_EXCLUDE_RUN_SERVICES: idm,idp
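Review bot: `${PROXY_ROLE_ASSIGNMENT_DRIVER:-oidc}` on new line 18 passes whatever the .env contains straight to the proxy with no validation, so a misspelt value such as "defualt" is no longer caught by the hard-coded "oidc" that was here before and will only surface as a runtime error (or silently wrong behaviour) in the proxy service. Since .env.example documents exactly two legal values ("oidc", "default"), consider adding a one-line comment here naming them, as the surrounding file does for OC_EXCLUDE_RUN_SERVICES on line 20, or referencing the .env.example comment block. Note also that the `:-` form treats an empty variable the same as an unset one, which is what makes the empty `PROXY_ROLE_ASSIGNMENT_DRIVER=` placeholder in .env.example work; if the intent is ever to fail loudly on a missing value, `${PROXY_ROLE_ASSIGNMENT_DRIVER:?...}` would be the form to use instead.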
@@ -37,7 +37,7 @@ services:
3737
OC_LDAP_DISABLE_USER_MECHANISM: "attribute"
3838
OC_ADMIN_USER_ID: ""
3939
SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
40-
GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
40+
GRAPH_ASSIGN_DEFAULT_USER_ROLE: ${GRAPH_ASSIGN_DEFAULT_USER_ROLE:-false}
4141
GRAPH_USERNAME_MATCH: "none"
4242
# We need to set the IDP_DOMAIN to allow the CSP rules to be set correctly
4343
IDP_DOMAIN: ${IDP_DOMAIN:-keycloak.opencloud.test}
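Review bot: new line 40 makes GRAPH_ASSIGN_DEFAULT_USER_ROLE operator-controlled, but the condition under which it should be flipped to "true" (only together with PROXY_ROLE_ASSIGNMENT_DRIVER=default, per the commit message) is documented only in .env.example, not next to the setting that actually takes effect here. Add a short comment above line 40 in the style of the IDP_DOMAIN comment on line 42, e.g. `# Set to "true" only with PROXY_ROLE_ASSIGNMENT_DRIVER=default; grants the 'user' role to every new user.` The value is interpolated as an arbitrary string, so anything other than "true"/"false" is passed through unchecked; stating the accepted values in the same comment keeps the two related switches from drifting apart.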
