lyra_phasma/opencloud-compose
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud-compose.git synced 2026-06-08 12:10:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: wording of the external idp

Browse Source
This commit is contained in:
Michael Barz
2025-06-23 17:28:39 +02:00
parent cf2b48fb97
commit 0c9aa61813
3 changed files with 46 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
.env.example
View File

@@ -245,10 +245,25 @@ LDAP_BIND_PASSWORD=
# authentication process, the allowed clients and the session management. # authentication process, the allowed clients and the session management.
# Keycloak also manages the Role Based Access Control (RBAC) for OpenCloud. # Keycloak also manages the Role Based Access Control (RBAC) for OpenCloud.
# Keycloak can be used in two different modes: # Keycloak can be used in two different modes:
# 1. Autoprovisioning: New are automatically created in openCloud when they log in for the first time. # 1. Autoprovisioning: New users are automatically created in openCloud when they log in for the first time.
# 2. Shared User Directory: Users are created in Keycloak and can be used in OpenCloud immediately # 2. Shared User Directory: Users are created in Keycloak and can be used in OpenCloud immediately
# because the LDAP server is connected to both Keycloak and OpenCloud. # because the LDAP server is connected to both Keycloak and OpenCloud.
# Only use one of the two modes at a time.
## Autoprovisioning Mode ##
# Use together with idm/external-idp.yml
# If you want to use a keycloak for local testing, you can use testing/external-keycloak.yml and testing/ldap-manager.yml
# Domain of your Identity Provider.
IDP_DOMAIN=
# IdP Issuer URL, which is used to identify the Identity Provider.
# We need the complete URL, including the protocol (http or https) and the realm.
# Example: "https://keycloak.opencloud.test/realms/openCloud"
IDP_ISSUER_URL=
# Url of the account endit page from your Identity Provider.
IDP_ACCOUNT_URL=
## Shared User Directory Mode ##
# Use together with idm/ldap-keycloak.yml and traefik/ldap-keycloak.yml
# Domain for Keycloak. Defaults to "keycloak.opencloud.test". # Domain for Keycloak. Defaults to "keycloak.opencloud.test".
KEYCLOAK_DOMAIN= KEYCLOAK_DOMAIN=
# Admin user login name. Defaults to "kcadmin". # Admin user login name. Defaults to "kcadmin".

22
config/keycloak/opencloud-realm-autoprovisioning.dist.json
View File

@@ -1596,6 +1596,10 @@
"strictTransportSecurity" : "max-age=31536000; includeSubDomains" "strictTransportSecurity" : "max-age=31536000; includeSubDomains"
}, },
"smtpServer" : { }, "smtpServer" : { },
"loginTheme": "opencloud",
"accountTheme": "",
"adminTheme": "",
"emailTheme": "",
"eventsEnabled" : false, "eventsEnabled" : false,
"eventsListeners" : [ "jboss-logging" ], "eventsListeners" : [ "jboss-logging" ],
"enabledEventTypes" : [ ], "enabledEventTypes" : [ ],
@@ -1663,7 +1667,23 @@
"subType" : "anonymous", "subType" : "anonymous",
"subComponents" : { }, "subComponents" : { },
"config" : { } "config" : { }
} ], },
{
"id": "c016f2b3-cf74-410e-a852-f6c7b49e0f5a",
"name": "Block Client Registration",
"providerId": "trusted-hosts",
"subType": "anonymous",
"subComponents": {},
"config": {
"host-sending-registration-request-must-match": [
"true"
],
"client-uris-must-match": [
"true"
]
}
}
],
"org.keycloak.userprofile.UserProfileProvider" : [ { "org.keycloak.userprofile.UserProfileProvider" : [ {
"id" : "28d6b4ce-33d4-40c0-adef-b27e35b7e122", "id" : "28d6b4ce-33d4-40c0-adef-b27e35b7e122",
"providerId" : "declarative-user-profile", "providerId" : "declarative-user-profile",

15
idm/keycloak.yml → idm/external-idp.yml
View File

@@ -17,17 +17,17 @@ services:
PROXY_OIDC_REWRITE_WELLKNOWN: "true" PROXY_OIDC_REWRITE_WELLKNOWN: "true"
WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web} WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc" PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}
# This specifies to start all services except idm and idp. These are replaced by external services. # This specifies to start all services except idm and idp. These are replaced by external services.
OC_EXCLUDE_RUN_SERVICES: idm,idp OC_EXCLUDE_RUN_SERVICES: idm,idp
# Keycloak IDP specific configuration for auto-provisioning # IdP specific configuration for auto-provisioning
OC_LDAP_SERVER_WRITE_ENABLED: "true" OC_LDAP_SERVER_WRITE_ENABLED: "true"
PROXY_AUTOPROVISION_ACCOUNTS: "true" PROXY_AUTOPROVISION_ACCOUNTS: "true"
# Use the `sub` claim from keycloak for the user ID # Use the `sub` claim from the IdP for the user ID
# Keycloak uses the keycloak user ID as the `sub` claim # Most IdPs use the internal user ID as the `sub` claim
PROXY_USER_OIDC_CLAIM: "sub" PROXY_USER_OIDC_CLAIM: "sub"
# Use the `sub` claim as identifier during autoprovisioning # Use the `sub` claim as identifier during autoprovisioning
# That mitigates problems when a user is renamed in keycloak # That mitigates problems when a user is renamed in the IdP
PROXY_AUTOPROVISION_CLAIM_USERNAME: "sub" PROXY_AUTOPROVISION_CLAIM_USERNAME: "sub"
PROXY_USER_CS3_CLAIM: "username" PROXY_USER_CS3_CLAIM: "username"
# This is the default value, we need to set it here because we overwrite the values # This is the default value, we need to set it here because we overwrite the values
@@ -40,7 +40,10 @@ services:
SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false" SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false" GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
GRAPH_USERNAME_MATCH: "none" GRAPH_USERNAME_MATCH: "none"
IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test} # We need to set the IDP_DOMAIN to allow the CSP rules to be set correctly
IDP_DOMAIN: ${IDP_DOMAIN:-keycloak.opencloud.test}
# The openCloud users need to be able to edit their account in the externa IdP
WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
ldap-server: ldap-server:
image: bitnami/openldap:2.6 image: bitnami/openldap:2.6
networks: networks: