From 0cfd1cfed22c3171854e6026a409bb8bb887e813 Mon Sep 17 00:00:00 2001
From: case0sh
Date: Mon, 19 Aug 2024 13:58:42 +0200
Subject: [PATCH 1/6] add oidc scopes

---
 charts/ocis/docs/values-desc-table.adoc | 6 ++++++
 charts/ocis/docs/values.adoc.yaml | 2 ++
 charts/ocis/templates/web/deployment.yaml | 3 ++-
 charts/ocis/values.yaml | 2 ++
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/charts/ocis/docs/values-desc-table.adoc b/charts/ocis/docs/values-desc-table.adoc
index 5f23df038..4025293ce 100644
--- a/charts/ocis/docs/values-desc-table.adoc
+++ b/charts/ocis/docs/values-desc-table.adoc
@@ -624,6 +624,12 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `true`
 | Writeable configures if oCIS is allowed to write to the LDAP server, to eg. create or edit users.
+| features.externalUserManagement.oidc.WebClientScope
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"openid profile email"`
+| OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc.
 | features.externalUserManagement.oidc.accessTokenVerifyMethod
 a| [subs=-attributes]
 +string+
diff --git a/charts/ocis/docs/values.adoc.yaml b/charts/ocis/docs/values.adoc.yaml
index 8a960a17b..2112bee5a 100644
--- a/charts/ocis/docs/values.adoc.yaml
+++ b/charts/ocis/docs/values.adoc.yaml
@@ -406,6 +406,8 @@ features: # -- Link to the OIDC provider's user accessible account editing page. This will be shown to the user on the personal account page. # When using Keycloak with the a realm named "ocis" this could point to eg. https://keycloak.owncloud.test/realms/ocis/account/ editAccountLink: "" + # -- OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc. + WebClientScope: "openid profile email" # -- Specify the client ID which the web frontend will use webClientID: web # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server. diff --git a/charts/ocis/templates/web/deployment.yaml b/charts/ocis/templates/web/deployment.yaml index 223967a2e..912dd19ec 100644 --- a/charts/ocis/templates/web/deployment.yaml +++ b/charts/ocis/templates/web/deployment.yaml @@ -56,9 +56,10 @@ spec: {{- else }} value: {{ .Values.features.externalUserManagement.oidc.issuerURI | quote }} {{- end }} - - name: WEB_OIDC_CLIENT_ID value: {{ .Values.features.externalUserManagement.oidc.webClientID | quote }} + - name: WEB_OIDC_SCOPE + value: {{ .Values.features.externalUserManagement.oidc.WebClientScope | quote }} - name: WEB_UI_THEME_SERVER {{- if .Values.services.web.config.theme.server }} diff --git a/charts/ocis/values.yaml b/charts/ocis/values.yaml index 470f1b19a..026513603 100644 --- a/charts/ocis/values.yaml +++ b/charts/ocis/values.yaml 
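Review bot: `WEB_OIDC_SCOPE` is emitted unconditionally, so an operator who sets the scope value to an empty string ships `WEB_OIDC_SCOPE=""` into the web container instead of leaving the service's built-in default in force, whereas the optional `WEB_OIDC_POST_LOGOUT_REDIRECT_URI` and `WEB_OPTION_LOGIN_URL` entries in the same template already sit behind a `{{- with … }}` guard. Wrapping the two added lines in `{{- with .Values.features.externalUserManagement.oidc.WebClientScope }}` … `{{- end }}` and emitting `value: {{ . | quote }}` would keep the optional OIDC settings consistent. The same two lines are touched again, with a relocated values path, in the later deployment.yaml hunks (`@@ -57,9 +57,9 @@` and `@@ -59,7 +59,7 @@`), so the guard would apply wherever the value finally lives. The enclosing `env:` list of the web container begins before this hunk.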
@@ -405,6 +405,8 @@ features: # -- Link to the OIDC provider's user accessible account editing page. This will be shown to the user on the personal account page. # When using Keycloak with the a realm named "ocis" this could point to eg. https://keycloak.owncloud.test/realms/ocis/account/ editAccountLink: "" + # -- OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc. + WebClientScope: "openid profile email" # -- Specify the client ID which the web frontend will use webClientID: web # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server. From e923857e30063d6c77025b34be907037efca62a4 Mon Sep 17 00:00:00 2001 From: case0sh Date: Mon, 19 Aug 2024 16:53:13 +0200 Subject: [PATCH 2/6] add oidc scopes to service web config --- charts/ocis/templates/web/deployment.yaml | 8 ++++---- charts/ocis/values.yaml | 17 +++++++++-------- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/charts/ocis/templates/web/deployment.yaml b/charts/ocis/templates/web/deployment.yaml index 912dd19ec..e431ed71c 100644 --- a/charts/ocis/templates/web/deployment.yaml +++ b/charts/ocis/templates/web/deployment.yaml @@ -57,9 +57,9 @@ spec: value: {{ .Values.features.externalUserManagement.oidc.issuerURI | quote }} {{- end }} - name: WEB_OIDC_CLIENT_ID - value: {{ .Values.features.externalUserManagement.oidc.webClientID | quote }} + value: {{ .Values.services.web.config.oidc.webClientID | quote }} - name: WEB_OIDC_SCOPE - value: {{ .Values.features.externalUserManagement.oidc.WebClientScope | quote }} + value: {{ .Values.services.web.config.oidc.WebClientScope | quote }} - name: WEB_UI_THEME_SERVER {{- if .Values.services.web.config.theme.server }} 
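Review bot: Reading the client ID from `.Values.services.web.config.oidc.webClientID` means a value an operator still sets at the old `features.externalUserManagement.oidc.webClientID` path is, as far as this series shows, silently ignored, and `WEB_OIDC_CLIENT_ID` falls back to the new default `"web"`; a deployment registered at its identity provider under a different client ID would likely start failing login after the upgrade with no render-time signal. The series updates the example helmfile but carries no upgrade note, so I would add a guard next to this lookup, e.g. `{{- if .Values.features.externalUserManagement.oidc.webClientID }}{{ fail "features.externalUserManagement.oidc.webClientID moved to services.web.config.oidc.webClientID" }}{{- end }}`, and mention the relocation in the chart's changelog or README. The removal of the old keys is in this patch's `values.yaml` hunk (`@@ -405,10 +405,6 @@`). The surrounding `env:` list starts before this hunk.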
@@ -133,12 +133,12 @@ spec: value: {{ . | quote }} {{- end }} - {{- with .Values.services.web.config.postLogoutRedirectURI }} + {{- with .Values.services.web.config.oidc.postLogoutRedirectURI }} - name: WEB_OIDC_POST_LOGOUT_REDIRECT_URI value: {{ . | quote }} {{- end }} - {{- with .Values.services.web.config.loginURL }} + {{- with .Values.services.web.config.oidc.loginURL }} - name: WEB_OPTION_LOGIN_URL value: {{ . | quote }} {{- end }} diff --git a/charts/ocis/values.yaml b/charts/ocis/values.yaml index 026513603..9a606dd52 100644 --- a/charts/ocis/values.yaml +++ b/charts/ocis/values.yaml @@ -405,10 +405,6 @@ features: # -- Link to the OIDC provider's user accessible account editing page. This will be shown to the user on the personal account page. # When using Keycloak with the a realm named "ocis" this could point to eg. https://keycloak.owncloud.test/realms/ocis/account/ editAccountLink: "" - # -- OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc. - WebClientScope: "openid profile email" - # -- Specify the client ID which the web frontend will use - webClientID: web # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server. userIDClaim: ocis.user.uuid # -- Attribute mapping of for the userIDClaim. 
@@ -2268,10 +2264,15 @@ services:
 # -- Name of the theme you provide via `configRefs.webThemeConfigRef` and `configRefs.webThemeAssetsConfigRef`.
 # If you change this when providing a custom theme, you must also change `theme.path`.
 themeNameConfigRefs: "owncloud"
- # URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
- postLogoutRedirectURI: ""
- # Specifies the target url valid for the logged out / access denied page.
- loginURL:
+ oidc:
+ # -- OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc.
+ webClientScope: "openid profile email"
+ # -- Specify the client ID which the web frontend will use
+ webClientID: web
+ # URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
+ postLogoutRedirectURI: ""
+ # Specifies the target url valid for the logged out / access denied page.
+ loginURL:
 # Defines whether one ore more filters must be set in order to list users in the Web admin settings.
 userListRequiresFilter: false
 # Embed mode settings

From 233272df699304e2dd427028a6e74995c442b397 Mon Sep 17 00:00:00 2001
From: case0sh
Date: Mon, 19 Aug 2024 17:04:40 +0200
Subject: [PATCH 3/6] docs

---
 charts/ocis/docs/values-desc-table.adoc | 24 ++++++++++++------------
 charts/ocis/docs/values.adoc.yaml | 17 +++++++++--------
 2 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/charts/ocis/docs/values-desc-table.adoc b/charts/ocis/docs/values-desc-table.adoc
index 4025293ce..ec663d2b3 100644
--- a/charts/ocis/docs/values-desc-table.adoc
+++ b/charts/ocis/docs/values-desc-table.adoc
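Review bot: `loginURL:` is left without a value, so it parses as YAML null while its sibling `postLogoutRedirectURI: ""` is an empty string; the generated table in patch 5/6 accordingly prints its default as `nil`, and `values.adoc.yaml` inherits the same inconsistency. Writing `loginURL: ""` keeps the two optional URL settings uniform and gives the docs a string default, and the template's `{{- with … }}` guard treats both forms as unset. The `webClientScope` comment could also tell the operator what the choice implies: `# -- Space-separated OIDC scopes the web client requests. Keep this to the scopes the frontend needs, since every added scope widens the claims the identity provider releases to the browser. Defaults to "openid profile email"; further examples are "address" or "phone".`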
@@ -624,12 +624,6 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `true`
 | Writeable configures if oCIS is allowed to write to the LDAP server, to eg. create or edit users.
-| features.externalUserManagement.oidc.WebClientScope
-a| [subs=-attributes]
-+string+
-a| [subs=-attributes]
-`"openid profile email"`
-| OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc.
 | features.externalUserManagement.oidc.accessTokenVerifyMethod
 a| [subs=-attributes]
 +string+
@@ -684,12 +678,6 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `"userid"`
 | Attribute mapping of for the userIDClaim. Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.mail`. Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.userName`.
-| features.externalUserManagement.oidc.webClientID
-a| [subs=-attributes]
-+string+
-a| [subs=-attributes]
-`"web"`
-| Specify the client ID which the web frontend will use
 | features.gdprReport.integrations.keycloak.basePath
 a| [subs=-attributes]
 +string+
@@ -4506,6 +4494,18 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `""`
 | URI where the feedback link points. Uses the ownCloud default href if empty.
+| services.web.config.oidc.webClientID
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"web"`
+| Specify the client ID which the web frontend will use
+| services.web.config.oidc.webClientScope
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"openid profile email"`
+| OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc.
 | services.web.config.previewFileMimeTypes
 a| [subs=-attributes]
 +list+
diff --git a/charts/ocis/docs/values.adoc.yaml b/charts/ocis/docs/values.adoc.yaml
index 2112bee5a..f23b2401e 100644
--- a/charts/ocis/docs/values.adoc.yaml
+++ b/charts/ocis/docs/values.adoc.yaml
@@ -406,10 +406,6 @@ features:
 # -- Link to the OIDC provider's user accessible account editing page. This will be shown to the user on the personal account page.
 # When using Keycloak with the a realm named "ocis" this could point to eg. https://keycloak.owncloud.test/realms/ocis/account/
 editAccountLink: ""
- # -- OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc.
- WebClientScope: "openid profile email"
- # -- Specify the client ID which the web frontend will use
- webClientID: web
 # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server.
 userIDClaim: ocis.user.uuid
 # -- Attribute mapping of for the userIDClaim.
@@ -2269,10 +2265,15 @@ services:
 # -- Name of the theme you provide via `configRefs.webThemeConfigRef` and `configRefs.webThemeAssetsConfigRef`.
 # If you change this when providing a custom theme, you must also change `theme.path`.
 themeNameConfigRefs: "owncloud"
- # URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
- postLogoutRedirectURI: ""
- # Specifies the target url valid for the logged out / access denied page.
- loginURL:
+ oidc:
+ # -- OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc.
+ webClientScope: "openid profile email"
+ # -- Specify the client ID which the web frontend will use
+ webClientID: web
+ # URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
+ postLogoutRedirectURI: ""
+ # Specifies the target url valid for the logged out / access denied page.
+ loginURL:
 # Defines whether one ore more filters must be set in order to list users in the Web admin settings.
 userListRequiresFilter: false
 # Embed mode settings

From 808301c29d7d7490d3b0ee8807877b936bc8329e Mon Sep 17 00:00:00 2001
From: Dennis Sieben
Date: Tue, 20 Aug 2024 15:36:17 +0200
Subject: [PATCH 4/6] - corrected keycloak example helmfile

---
 deployments/external-user-management/helmfile.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/deployments/external-user-management/helmfile.yaml b/deployments/external-user-management/helmfile.yaml
index 0dea11426..38bfead24 100644
--- a/deployments/external-user-management/helmfile.yaml
+++ b/deployments/external-user-management/helmfile.yaml
@@ -352,7 +352,6 @@ releases: adminUUID: "ddc2004c-0977-11eb-9d3f-a793888cd0f8" oidc: issuerURI: https://keycloak.kube.owncloud.test/realms/oCIS - webClientID: web userIDClaim: ocis.user.uuid userIDClaimAttributeMapping: userid @@ -392,6 +391,9 @@ releases: web: persistence: enabled: true + config: + oidc: + webClientID: web - extraResources: - | From f2c2f43b8c320b3c236806ad36247b7966fa610e Mon Sep 17 00:00:00 2001 From: Dennis Sieben Date: Tue, 20 Aug 2024 15:46:16 +0200 Subject: [PATCH 5/6] - fixed documentation format --- charts/ocis/docs/values-desc-table.adoc | 12 ++++++++++++ charts/ocis/docs/values.adoc.yaml | 4 ++-- charts/ocis/values.yaml | 4 ++-- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/charts/ocis/docs/values-desc-table.adoc b/charts/ocis/docs/values-desc-table.adoc index ec663d2b3..216a00a7f 100644 --- a/charts/ocis/docs/values-desc-table.adoc +++ b/charts/ocis/docs/values-desc-table.adoc @@ -4494,6 +4494,18 @@ a| [subs=-attributes] a| [subs=-attributes] `""` | URI where the feedback link points. Uses the ownCloud default href if empty. +| services.web.config.oidc.loginURL +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`nil` +| Specifies the target url valid for the logged out / access denied page. +| services.web.config.oidc.postLogoutRedirectURI +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`""` +| URI where to redirect the user after a logout was performed. Defaults to the URI of the login page. | services.web.config.oidc.webClientID a| [subs=-attributes] +string+ diff --git a/charts/ocis/docs/values.adoc.yaml b/charts/ocis/docs/values.adoc.yaml index f23b2401e..8484bdee8 100644 --- a/charts/ocis/docs/values.adoc.yaml +++ b/charts/ocis/docs/values.adoc.yaml 
@@ -2270,9 +2270,9 @@ services:
 webClientScope: "openid profile email"
 # -- Specify the client ID which the web frontend will use
 webClientID: web
- # URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
+ # -- URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
 postLogoutRedirectURI: ""
- # Specifies the target url valid for the logged out / access denied page.
+ # -- Specifies the target url valid for the logged out / access denied page.
 loginURL:
 # Defines whether one ore more filters must be set in order to list users in the Web admin settings.
 userListRequiresFilter: false
diff --git a/charts/ocis/values.yaml b/charts/ocis/values.yaml
index 9a606dd52..36331f1eb 100644
--- a/charts/ocis/values.yaml
+++ b/charts/ocis/values.yaml
@@ -2269,9 +2269,9 @@ services:
 webClientScope: "openid profile email"
 # -- Specify the client ID which the web frontend will use
 webClientID: web
- # URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
+ # -- URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
 postLogoutRedirectURI: ""
- # Specifies the target url valid for the logged out / access denied page.
+ # -- Specifies the target url valid for the logged out / access denied page.
 loginURL:
 # Defines whether one ore more filters must be set in order to list users in the Web admin settings.
 userListRequiresFilter: false

From eafcdb15a0c1d512a4d155e2e88b43e3589193c9 Mon Sep 17 00:00:00 2001
From: Dennis Sieben <102977884+d7oc@users.noreply.github.com>
Date: Wed, 21 Aug 2024 19:17:24 +0200
Subject: [PATCH 6/6] changed case of attribute

---
 charts/ocis/templates/web/deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/ocis/templates/web/deployment.yaml b/charts/ocis/templates/web/deployment.yaml
index e431ed71c..5885903d2 100644
--- a/charts/ocis/templates/web/deployment.yaml +++ b/charts/ocis/templates/web/deployment.yaml @@ -59,7 +59,7 @@ spec: - name: WEB_OIDC_CLIENT_ID value: {{ .Values.services.web.config.oidc.webClientID | quote }} - name: WEB_OIDC_SCOPE - value: {{ .Values.services.web.config.oidc.WebClientScope | quote }} + value: {{ .Values.services.web.config.oidc.webClientScope | quote }} - name: WEB_UI_THEME_SERVER {{- if .Values.services.web.config.theme.server }}