diff --git a/charts/ocis/docs/values-desc-table.adoc b/charts/ocis/docs/values-desc-table.adoc
index 5f23df038..216a00a7f 100644
--- a/charts/ocis/docs/values-desc-table.adoc
+++ b/charts/ocis/docs/values-desc-table.adoc
@@ -678,12 +678,6 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `"userid"`
 | Attribute mapping of for the userIDClaim. Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.mail`. Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.userName`.
-| features.externalUserManagement.oidc.webClientID
-a| [subs=-attributes]
-+string+
-a| [subs=-attributes]
-`"web"`
-| Specify the client ID which the web frontend will use
 | features.gdprReport.integrations.keycloak.basePath
 a| [subs=-attributes]
 +string+
@@ -4500,6 +4494,30 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `""`
 | URI where the feedback link points. Uses the ownCloud default href if empty.
+| services.web.config.oidc.loginURL
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`nil`
+| Specifies the target url valid for the logged out / access denied page.
+| services.web.config.oidc.postLogoutRedirectURI
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`""`
+| URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
+| services.web.config.oidc.webClientID
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"web"`
+| Specify the client ID which the web frontend will use
+| services.web.config.oidc.webClientScope
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"openid profile email"`
+| OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc.
 | services.web.config.previewFileMimeTypes
 a| [subs=-attributes]
 +list+
diff --git a/charts/ocis/docs/values.adoc.yaml b/charts/ocis/docs/values.adoc.yaml
index 8a960a17b..8484bdee8 100644
--- a/charts/ocis/docs/values.adoc.yaml
+++ b/charts/ocis/docs/values.adoc.yaml
@@ -406,8 +406,6 @@ features:
 # -- Link to the OIDC provider's user accessible account editing page. This will be shown to the user on the personal account page.
 # When using Keycloak with the a realm named "ocis" this could point to eg. https://keycloak.owncloud.test/realms/ocis/account/
 editAccountLink: ""
- # -- Specify the client ID which the web frontend will use
- webClientID: web
 # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server.
 userIDClaim: ocis.user.uuid
 # -- Attribute mapping of for the userIDClaim.
@@ -2267,10 +2265,15 @@ services:
 # -- Name of the theme you provide via `configRefs.webThemeConfigRef` and `configRefs.webThemeAssetsConfigRef`.
 # If you change this when providing a custom theme, you must also change `theme.path`.
 themeNameConfigRefs: "owncloud"
- # URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
- postLogoutRedirectURI: ""
- # Specifies the target url valid for the logged out / access denied page.
- loginURL:
+ oidc:
+ # -- OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc.
+ webClientScope: "openid profile email"
+ # -- Specify the client ID which the web frontend will use
+ webClientID: web
+ # -- URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
+ postLogoutRedirectURI: ""
+ # -- Specifies the target url valid for the logged out / access denied page.
+ loginURL:
 # Defines whether one ore more filters must be set in order to list users in the Web admin settings.
 userListRequiresFilter: false
 # Embed mode settings
diff --git a/charts/ocis/templates/web/deployment.yaml b/charts/ocis/templates/web/deployment.yaml
index 223967a2e..5885903d2 100644
--- a/charts/ocis/templates/web/deployment.yaml
+++ b/charts/ocis/templates/web/deployment.yaml
@@ -56,9 +56,10 @@ spec:
 {{- else }}
 value: {{ .Values.features.externalUserManagement.oidc.issuerURI | quote }}
 {{- end }}
- - name: WEB_OIDC_CLIENT_ID
- value: {{ .Values.features.externalUserManagement.oidc.webClientID | quote }}
+ value: {{ .Values.services.web.config.oidc.webClientID | quote }}
+ - name: WEB_OIDC_SCOPE
+ value: {{ .Values.services.web.config.oidc.webClientScope | quote }}
 - name: WEB_UI_THEME_SERVER
 {{- if .Values.services.web.config.theme.server }}
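Review bot: On the new side of the deployment hunk the `- name: WEB_OIDC_CLIENT_ID` line appears to be removed (it carries a `-` marker, and the `-56,9 +56,10` counts only add up with two removed and three added lines) while only its `value:` is re-added, so `value: {{ .Values.services.web.config.oidc.webClientID | quote }}` would now follow the preceding entry's `{{- end }}`, giving that entry a second `value` key and leaving the container without a WEB_OIDC_CLIENT_ID variable. If the marker is a rendering artifact and the line is unchanged context, disregard this; otherwise keep `- name: WEB_OIDC_CLIENT_ID` immediately before `value: {{ .Values.services.web.config.oidc.webClientID | quote }}`. Rendering the template with the chart's test values and checking that WEB_OIDC_CLIENT_ID is still emitted would settle it. The env list continues outside the hunk.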
@@ -132,12 +133,12 @@ spec:
 value: {{ . | quote }}
 {{- end }}
- {{- with .Values.services.web.config.postLogoutRedirectURI }}
+ {{- with .Values.services.web.config.oidc.postLogoutRedirectURI }}
 - name: WEB_OIDC_POST_LOGOUT_REDIRECT_URI
 value: {{ . | quote }}
 {{- end }}
- {{- with .Values.services.web.config.loginURL }}
+ {{- with .Values.services.web.config.oidc.loginURL }}
 - name: WEB_OPTION_LOGIN_URL
 value: {{ . | quote }}
 {{- end }}
diff --git a/charts/ocis/values.yaml b/charts/ocis/values.yaml
index 470f1b19a..36331f1eb 100644
--- a/charts/ocis/values.yaml
+++ b/charts/ocis/values.yaml
@@ -405,8 +405,6 @@ features:
 # -- Link to the OIDC provider's user accessible account editing page. This will be shown to the user on the personal account page.
 # When using Keycloak with the a realm named "ocis" this could point to eg. https://keycloak.owncloud.test/realms/ocis/account/
 editAccountLink: ""
- # -- Specify the client ID which the web frontend will use
- webClientID: web
 # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server.
 userIDClaim: ocis.user.uuid
 # -- Attribute mapping of for the userIDClaim.
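Review bot: Moving the lookups to `services.web.config.oidc.postLogoutRedirectURI` and `services.web.config.oidc.loginURL` means a values file that still sets the old `services.web.config.postLogoutRedirectURI` or `services.web.config.loginURL` keys is silently ignored, because `{{- with }}` on a now-unknown key just skips the env entry; the earlier deployment hunk has the same gap for `features.externalUserManagement.oidc.webClientID`, where a custom client ID would quietly fall back to the default `web`. A render-time guard makes the move visible, e.g. `{{- if .Values.services.web.config.loginURL }}{{ fail "services.web.config.loginURL has moved to services.web.config.oidc.loginURL" }}{{- end }}` for each old key, or at least a note in the chart's upgrade documentation. The env list continues outside the hunk.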
@@ -2266,10 +2264,15 @@ services:
 # -- Name of the theme you provide via `configRefs.webThemeConfigRef` and `configRefs.webThemeAssetsConfigRef`.
 # If you change this when providing a custom theme, you must also change `theme.path`.
 themeNameConfigRefs: "owncloud"
- # URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
- postLogoutRedirectURI: ""
- # Specifies the target url valid for the logged out / access denied page.
- loginURL:
+ oidc:
+ # -- OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc.
+ webClientScope: "openid profile email"
+ # -- Specify the client ID which the web frontend will use
+ webClientID: web
+ # -- URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
+ postLogoutRedirectURI: ""
+ # -- Specifies the target url valid for the logged out / access denied page.
+ loginURL:
 # Defines whether one ore more filters must be set in order to list users in the Web admin settings.
 userListRequiresFilter: false
 # Embed mode settings
diff --git a/deployments/external-user-management/helmfile.yaml b/deployments/external-user-management/helmfile.yaml
index 0dea11426..38bfead24 100644
--- a/deployments/external-user-management/helmfile.yaml
+++ b/deployments/external-user-management/helmfile.yaml
@@ -352,7 +352,6 @@ releases:
 adminUUID: "ddc2004c-0977-11eb-9d3f-a793888cd0f8"
 oidc:
 issuerURI: https://keycloak.kube.owncloud.test/realms/oCIS
- webClientID: web
 userIDClaim: ocis.user.uuid
 userIDClaimAttributeMapping: userid
@@ -392,6 +391,9 @@ releases:
 web:
 persistence:
 enabled: true
+ config:
+ oidc:
+ webClientID: web
 - extraResources:
 - |
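Review bot: In the new `oidc:` block `loginURL:` is left as a bare null while its sibling `postLogoutRedirectURI: ""` uses an empty string, even though both are read through `{{- with }}` in the web deployment and behave the same when unset; the bare value reads as accidentally unset, yamllint's `empty-values` rule flags it, and the generated docs show it as `nil` next to `""`. Suggest `loginURL: ""` so both optional URIs are declared alike (the `values.adoc.yaml` copy would need the same change). The `services.web.config` mapping continues outside the hunk.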