Auth-Basic

Abstract

The oCIS Auth Basic service provides basic authentication for those clients who cannot handle OpenID Connect. This should only be enabled for tests and development.

The auth-basic service is responsible for validating authentication of incoming requests. To do so, it will use the configured auth manager, see the Auth Managers section. Only HTTP basic auth requests to ocis will involve the auth-basic service.

To enable auth-basic, you first must set PROXY_ENABLE_BASIC_AUTH to true.

The auth Service Family
Auth Managers
- LDAP Auth Manager
- Other Auth Managers
Scalability
Example Yaml Config

The `auth` Service Family

ocis uses serveral authentication services for different use cases. All services that start with auth- are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist:

auth-app handles authentication of external 3rd party apps
auth-basic handles basic authentication
auth-bearer handles oidc authentication
auth-machine handles interservice authentication when a user is impersonated
auth-service handles interservice authentication when using service accounts

Auth Managers

Since the auth-basic service does not do any validation itself, it needs to be configured with an authentication manager. One can use the AUTH_BASIC_AUTH_MANAGER environment variable to configure this. Currently only one auth manager is supported: "ldap"

LDAP Auth Manager

Setting AUTH_BASIC_AUTH_MANAGER to "ldap" will configure the auth-basic service to use LDAP as auth manager. This is the recommended option for running in a production and testing environment. More details on how to configure LDAP with ocis can be found in the admin docs.

Other Auth Managers

oCIS currently supports no other auth manager

Scalability

When using "ldap" as auth manager, there is no persistance as requests will just be forwarded to the LDAP server. Therefore, multiple instances of the auth-basic service can be started without further configuration. Be aware, that other auth managers might not allow that.

Example Yaml Config

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75


# Autogenerated
# Filename: auth-basic-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9147
  token: ""
  pprof: false
  zpages: false
grpc:
  addr: 127.0.0.1:9146
  tls: null
  protocol: tcp
token_manager:
  jwt_secret: ""
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
skip_user_groups_in_token: false
auth_provider: ldap
auth_providers:
  ldap:
    uri: ldaps://localhost:9235
    ca_cert: /var/lib/ocis/idm/ldap.crt
    insecure: false
    bind_dn: uid=reva,ou=sysusers,o=libregraph-idm
    bind_password: ""
    user_base_dn: ou=users,o=libregraph-idm
    group_base_dn: ou=groups,o=libregraph-idm
    user_scope: sub
    group_scope: sub
    user_filter: ""
    group_filter: ""
    user_object_class: inetOrgPerson
    group_object_class: groupOfNames
    login_attributes:
    - uid
    idp: https://localhost:9200
    disable_user_mechanism: attribute
    ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm
    user_schema:
      id: ownclouduuid
      id_is_octet_string: false
      mail: mail
      display_name: displayname
      user_name: uid
      user_enabled: ownCloudUserEnabled
    group_schema:
      id: ownclouduuid
      id_is_octet_string: false
      mail: mail
      display_name: cn
      group_name: cn
      member: member
  owncloudsql:
    db_username: owncloud
    db_password: ""
    db_host: mysql
    db_port: 3306
    db_name: owncloud
    idp: https://localhost:9200
    nobody: 90
    join_username: false
    join_owncloud_uuid: false

Environment Variables

Name	Type	Default Value	Description
OCIS_TRACING_ENABLED AUTH_BASIC_TRACING_ENABLED	bool	false	Activates tracing.
OCIS_TRACING_TYPE AUTH_BASIC_TRACING_TYPE	string		The type of tracing. Defaults to ‘’, which is the same as ‘jaeger’. Allowed tracing types are ‘jaeger’ and ’’ as of now.
OCIS_TRACING_ENDPOINT AUTH_BASIC_TRACING_ENDPOINT	string		The endpoint of the tracing agent.
OCIS_TRACING_COLLECTOR AUTH_BASIC_TRACING_COLLECTOR	string		The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
OCIS_LOG_LEVEL AUTH_BASIC_LOG_LEVEL	string		The log level. Valid values are: ‘panic’, ‘fatal’, ’error’, ‘warn’, ‘info’, ‘debug’, ’trace’.
OCIS_LOG_PRETTY AUTH_BASIC_LOG_PRETTY	bool	false	Activates pretty log output.
OCIS_LOG_COLOR AUTH_BASIC_LOG_COLOR	bool	false	Activates colorized log output.
OCIS_LOG_FILE AUTH_BASIC_LOG_FILE	string		The path to the log file. Activates logging to this file if set.
AUTH_BASIC_DEBUG_ADDR	string	127.0.0.1:9147	Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
AUTH_BASIC_DEBUG_TOKEN	string		Token to secure the metrics endpoint.
AUTH_BASIC_DEBUG_PPROF	bool	false	Enables pprof, which can be used for profiling.
AUTH_BASIC_DEBUG_ZPAGES	bool	false	Enables zpages, which can be used for collecting and viewing traces in-memory.
AUTH_BASIC_GRPC_ADDR	string	127.0.0.1:9146	The bind address of the GRPC service.
OCIS_GRPC_PROTOCOL AUTH_BASIC_GRPC_PROTOCOL	string	tcp	The transport protocol of the GRPC service.
OCIS_JWT_SECRET AUTH_BASIC_JWT_SECRET	string		The secret to mint and validate jwt tokens.
OCIS_REVA_GATEWAY	string	com.owncloud.api.gateway	The CS3 gateway endpoint.
OCIS_GRPC_CLIENT_TLS_MODE	string		TLS mode for grpc connection to the go-micro based grpc services. Possible values are ‘off’, ‘insecure’ and ‘on’. ‘off’: disables transport security for the clients. ‘insecure’ allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). ‘on’ enables transport security, including server certificate verification.
OCIS_GRPC_CLIENT_TLS_CACERT	string		Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.
AUTH_BASIC_SKIP_USER_GROUPS_IN_TOKEN	bool	false	Disables the encoding of the user’s group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.
AUTH_BASIC_AUTH_MANAGER	string	ldap	The authentication manager to check if credentials are valid. Supported value is ’ldap’.
OCIS_LDAP_URI AUTH_BASIC_LDAP_URI	string	ldaps://localhost:9235	URI of the LDAP Server to connect to. Supported URI schemes are ’ldaps://’ and ’ldap://’
OCIS_LDAP_CACERT AUTH_BASIC_LDAP_CACERT	string	/var/lib/ocis/idm/ldap.crt	Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idm.
OCIS_LDAP_INSECURE AUTH_BASIC_LDAP_INSECURE	bool	false	Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.
OCIS_LDAP_BIND_DN AUTH_BASIC_LDAP_BIND_DN	string	uid=reva,ou=sysusers,o=libregraph-idm	LDAP DN to use for simple bind authentication with the target LDAP server.
OCIS_LDAP_BIND_PASSWORD AUTH_BASIC_LDAP_BIND_PASSWORD	string		Password to use for authenticating the ‘bind_dn’.
OCIS_LDAP_USER_BASE_DN AUTH_BASIC_LDAP_USER_BASE_DN	string	ou=users,o=libregraph-idm	Search base DN for looking up LDAP users.
OCIS_LDAP_GROUP_BASE_DN AUTH_BASIC_LDAP_GROUP_BASE_DN	string	ou=groups,o=libregraph-idm	Search base DN for looking up LDAP groups.
OCIS_LDAP_USER_SCOPE AUTH_BASIC_LDAP_USER_SCOPE	string	sub	LDAP search scope to use when looking up users. Supported values are ‘base’, ‘one’ and ‘sub’.
OCIS_LDAP_GROUP_SCOPE AUTH_BASIC_LDAP_GROUP_SCOPE	string	sub	LDAP search scope to use when looking up groups. Supported values are ‘base’, ‘one’ and ‘sub’.
OCIS_LDAP_USER_FILTER AUTH_BASIC_LDAP_USER_FILTER	string		LDAP filter to add to the default filters for user search like ‘(objectclass=ownCloud)’.
OCIS_LDAP_GROUP_FILTER AUTH_BASIC_LDAP_GROUP_FILTER	string		LDAP filter to add to the default filters for group searches.
OCIS_LDAP_USER_OBJECTCLASS AUTH_BASIC_LDAP_USER_OBJECTCLASS	string	inetOrgPerson	The object class to use for users in the default user search filter (‘inetOrgPerson’).
OCIS_LDAP_GROUP_OBJECTCLASS AUTH_BASIC_LDAP_GROUP_OBJECTCLASS	string	groupOfNames	The object class to use for groups in the default group search filter (‘groupOfNames’).
LDAP_LOGIN_ATTRIBUTES AUTH_BASIC_LDAP_LOGIN_ATTRIBUTES	[]string	[uid]	A list of user object attributes that can be used for login. See the Environment Variable Types description for more details.
OCIS_URL OCIS_OIDC_ISSUER AUTH_BASIC_IDP_URL	string	https://localhost:9200	The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.
OCIS_LDAP_DISABLE_USER_MECHANISM AUTH_BASIC_DISABLE_USER_MECHANISM	string	attribute	An option to control the behavior for disabling users. Valid options are ’none’, ‘attribute’ and ‘group’. If set to ‘group’, disabling a user via API will add the user to the configured group for disabled users, if set to ‘attribute’ this will be done in the ldap user entry, if set to ’none’ the disable request is not processed.
OCIS_LDAP_DISABLED_USERS_GROUP_DN AUTH_BASIC_DISABLED_USERS_GROUP_DN	string	cn=DisabledUsersGroup,ou=groups,o=libregraph-idm	The distinguished name of the group to which added users will be classified as disabled when ‘disable_user_mechanism’ is set to ‘group’.
OCIS_LDAP_USER_SCHEMA_ID AUTH_BASIC_LDAP_USER_SCHEMA_ID	string	ownclouduuid	LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.
OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING	bool	false	Set this to true if the defined ‘ID’ attribute for users is of the ‘OCTETSTRING’ syntax. This is e.g. required when using the ‘objectGUID’ attribute of Active Directory for the user IDs.
OCIS_LDAP_USER_SCHEMA_MAIL AUTH_BASIC_LDAP_USER_SCHEMA_MAIL	string	mail	LDAP Attribute to use for the email address of users.
OCIS_LDAP_USER_SCHEMA_DISPLAYNAME AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME	string	displayname	LDAP Attribute to use for the displayname of users.
OCIS_LDAP_USER_SCHEMA_USERNAME AUTH_BASIC_LDAP_USER_SCHEMA_USERNAME	string	uid	LDAP Attribute to use for username of users.
OCIS_LDAP_USER_ENABLED_ATTRIBUTE AUTH_BASIC_LDAP_USER_ENABLED_ATTRIBUTE	string	ownCloudUserEnabled	LDAP attribute to use as a flag telling if the user is enabled or disabled.
OCIS_LDAP_GROUP_SCHEMA_ID AUTH_BASIC_LDAP_GROUP_SCHEMA_ID	string	ownclouduuid	LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID).
OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING AUTH_BASIC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING	bool	false	Set this to true if the defined ‘id’ attribute for groups is of the ‘OCTETSTRING’ syntax. This is e.g. required when using the ‘objectGUID’ attribute of Active Directory for the group IDs.
OCIS_LDAP_GROUP_SCHEMA_MAIL AUTH_BASIC_LDAP_GROUP_SCHEMA_MAIL	string	mail	LDAP Attribute to use for the email address of groups (can be empty).
OCIS_LDAP_GROUP_SCHEMA_DISPLAYNAME AUTH_BASIC_LDAP_GROUP_SCHEMA_DISPLAYNAME	string	cn	LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).
OCIS_LDAP_GROUP_SCHEMA_GROUPNAME AUTH_BASIC_LDAP_GROUP_SCHEMA_GROUPNAME	string	cn	LDAP Attribute to use for the name of groups.
OCIS_LDAP_GROUP_SCHEMA_MEMBER AUTH_BASIC_LDAP_GROUP_SCHEMA_MEMBER	string	member	LDAP Attribute that is used for group members.
AUTH_BASIC_OWNCLOUDSQL_DB_USERNAME	string	owncloud	Database user to use for authenticating with the owncloud database.
AUTH_BASIC_OWNCLOUDSQL_DB_PASSWORD	string		Password for the database user.
AUTH_BASIC_OWNCLOUDSQL_DB_HOST	string	mysql	Hostname of the database server.
AUTH_BASIC_OWNCLOUDSQL_DB_PORT	int	3306	Network port to use for the database connection.
AUTH_BASIC_OWNCLOUDSQL_DB_NAME	string	owncloud	Name of the owncloud database.
AUTH_BASIC_OWNCLOUDSQL_IDP	string	https://localhost:9200	The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.
AUTH_BASIC_OWNCLOUDSQL_NOBODY	int64	90	Fallback number if no numeric UID and GID properties are provided.
AUTH_BASIC_OWNCLOUDSQL_JOIN_USERNAME	bool	false	Join the user properties table to read usernames
AUTH_BASIC_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID	bool	false	Join the user properties table to read user ID’s.