19 changes: 19 additions & 0 deletions .env.example
Expand Up @@ -313,6 +313,25 @@ IDP_DOMAIN=
IDP_ISSUER_URL=
# Url of the account edit page from your Identity Provider.
IDP_ACCOUNT_URL=
# Global Client ID, you can overwrite it by defining a client specific client id
OC_OIDC_CLIENT_ID="{{ item.oc_oidc_client_id }}"
# Declares which property should be used for the oidc claim
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM="roles"
# claim_role to opencloud mapping
OC_OIDC_CLIENT_SCOPES="openid profile email roles offline_access"
# Unfortunetely needed at the moment (be careful to set it to none in prod)
# PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
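Review bot: the comment `# Unfortunetely needed at the moment (be careful to set it to none in prod)` above `# PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none` reads as advice to set the verify method to none in production, and shipping it as a commented-out assignment invites users to just uncomment it; `none` switches off access-token verification in the proxy, so spell out that this is a temporary workaround and that it must not be enabled in production (and fix "Unfortunetely"), or drop the line from the example file entirely. Two smaller points in the same region: `OC_OIDC_CLIENT_ID="{{ item.oc_oidc_client_id }}"` is a Jinja/Ansible placeholder that anyone copying this example gets literally, so use a plain default such as `web` (the fallback `idm/external-idp.yml` uses) or leave it empty; and `# claim_role to opencloud mapping` sits above `OC_OIDC_CLIENT_SCOPES` instead of the role-assignment setting it describes.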
Contributor

This can be misunderstood as being a var you can activate by uncommenting.

Author

I think it should be clear that the vars there are only available when you reference the dockerfile external-idp as mentioned above in this section

# Allow OpenCloud, to show Authentik Login-Frame
PROXY_CSP_CONFIG_FILE_LOCATION="/etc/ocis/csp.yaml"
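Review bot: `PROXY_CSP_CONFIG_FILE_LOCATION="/etc/ocis/csp.yaml"` points at an `/etc/ocis` path in an OpenCloud deployment, which looks like a leftover from oCIS; confirm that the compose files in this PR actually mount a `csp.yaml` at exactly that path inside the container, because a location the proxy cannot read means the custom policy this line exists for is never loaded and the Authentik login frame stays blocked by the default CSP. The comment `# Allow OpenCloud, to show Authentik Login-Frame` also has a stray comma.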
Contributor

ocis? Wouldn't it break CSP?

# Client specific environment vars
#WEBFINGER_WEB_OIDC_CLIENT_ID=
#WEBFINGER_WEB_OIDC_CLIENT_SCOPES=
#WEBFINGER_IOS_OIDC_CLIENT_ID=
#WEBFINGER_IOS_OIDC_CLIENT_SCOPES=
#WEBFINGER_ANDROID_OIDC_CLIENT_ID=
#WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES=
#WEBFINGER_DESKTOP_OIDC_CLIENT_ID=
#WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES=

## Shared User Directory Mode ##
# Use together with idm/ldap-keycloak.yml and traefik/ldap-keycloak.yml
14 changes: 13 additions & 1 deletion idm/external-idp.yml
Expand Up @@ -14,7 +14,17 @@ services:
GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
PROXY_OIDC_REWRITE_WELLKNOWN: "true"
WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
OC_OIDC_CLIENT_SCOPES: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-openid profile email roles offline_access}
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-roles}
WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
WEBFINGER_DESKTOP_OIDC_CLIENT_ID: ${WEBFINGER_DESKTOP_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES: ${WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}
# This specifies to start all services except idm and idp. These are replaced by external services.
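Review bot: `OC_OIDC_CLIENT_SCOPES: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-openid profile email roles offline_access}` reads the wrong variable: with `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=roles` set, as this PR's `.env.example` does, the service's scope list collapses to just `roles` and `openid` is gone, while the `WEBFINGER_*_OIDC_CLIENT_SCOPES` fallbacks read `${OC_OIDC_CLIENT_SCOPES}` from the env file and so end up with a different list than the service itself. It should be `OC_OIDC_CLIENT_SCOPES: ${OC_OIDC_CLIENT_SCOPES:-openid profile email roles offline_access}`. Related: the `${WEBFINGER_*_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}` fallbacks interpolate the env-file variable, not the `OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}` key above, so with `OC_OIDC_CLIENT_ID` unset in the env file the webfinger clients get an empty id; repeating the default as `${OC_OIDC_CLIENT_ID:-web}` keeps them consistent.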
Expand Down Expand Up @@ -45,6 +55,8 @@ services:
WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
ldap-server:
image: bitnamilegacy/openldap:2.6
# Bitnami images require GID 0 to write to internal socket and PID directories
user: ${LDAP_UID_GID:-1000:0}
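Review bot: `user: ${LDAP_UID_GID:-1000:0}` changes the default runtime user for every deployment, not only rootless ones, and the comment above it explains only the GID: an existing data volume owned by the image's previous uid can lose write access after this upgrade, and `1000` is a guess at the host user's uid. Either default to the image's own user and let rootless setups override via `LDAP_UID_GID`, or document the ownership migration; as the discussion on this hunk already suggests, this belongs in a separate PR from the OIDC changes.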
Contributor

What issue does this fix?

Author

I owned the complete stack with my docker user, but the container isn't able to run rootless.

Contributor

I owned the complete stack with my docker user, but the container isn't able to run rootless.

Looks like it will help those using rootless. I think you can consider decoupling this fix into a separate PR.

networks:
opencloud-net:
entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]