ownCloud
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. ownCloud
  2. /
  3. Services
  4. /
  5. IDP
Edit page

IDP

Abstract

This service provides a builtin minimal OpenID Connect provider based on LibreGraph Connect (lico) for ocis.

It is mainly targeted at smaller installations. For larger setups it is recommended to replace IDP with an external OpenID Connect Provider.

By default, it is configured to use the ocis IDM service as its LDAP backend for looking up and authenticating users. Other backends like an external LDAP server can be configured via a set of enviroment variables.

Note that translations provided by the IDP service are not maintained via ownCloud but part of the embedded LibreGraph Connect Identifier package.

Table of Contents

Example Yaml Config 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

# Autogenerated
# Filename: idp-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9134
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9130
  root: /
  tls_cert: /var/lib/ocis/idp/server.crt
  tls_key: /var/lib/ocis/idp/server.key
  tls: false
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
machine_auth_api_key: ""
asset:
  asset: ""
  login-background-url: ""
idp:
  iss: https://localhost:9200
  identity_manager: ldap
  uri_base_path: ""
  sign_in_uri: ""
  signed_out_uri: ""
  authorization_endpoint_uri: ""
  ldap_insecure: false
  trusted_proxy: []
  allow_scope: []
  allow_client_guests: false
  allow_dynamic_client_registration: false
  encrypt_secret_file: /var/lib/ocis/idp/encryption.key
  listen: ""
  identifierdefaultbannerlogo: ""
  identifierdefaultsigninpagetext: ""
  identifierdefaultusernamehinttext: ""
  identifieruilocales: []
  signing_kid: private-key
  signing_method: PS256
  signing_private_key_files:
  - /var/lib/ocis/idp/private-key.pem
  validation_keys_path: ""
  cookiebackenduri: ""
  cookienames: []
  cookiesamesite: 3
  access_token_duration_seconds: 300
  id_token_duration_seconds: 300
  refresh_token_duration_seconds: 2592000
  dynamic_client_secret_duration_seconds: 0
clients:
- id: web
  name: ownCloud Web app
  trusted: true
  secret: ""
  redirect_uris:
  - '{{OCIS_URL}}/'
  - '{{OCIS_URL}}/oidc-callback.html'
  - '{{OCIS_URL}}/oidc-silent-redirect.html'
  origins:
  - '{{OCIS_URL}}'
  application_type: ""
- id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
  name: ownCloud desktop app
  trusted: false
  secret: UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
  redirect_uris:
  - http://127.0.0.1
  - http://localhost
  origins: []
  application_type: native
- id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
  name: ownCloud Android app
  trusted: false
  secret: dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD
  redirect_uris:
  - oc://android.owncloud.com
  origins: []
  application_type: native
- id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
  name: ownCloud iOS app
  trusted: false
  secret: KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx
  redirect_uris:
  - oc://ios.owncloud.com
  origins: []
  application_type: native
ldap:
  uri: ldaps://localhost:9235
  cacert: /var/lib/ocis/idm/ldap.crt
  bind_dn: uid=idp,ou=sysusers,o=libregraph-idm
  bind_password: ""
  base_dn: ou=users,o=libregraph-idm
  scope: sub
  login_attribute: uid
  email_attribute: mail
  name_attribute: displayName
  uuid_attribute: ownCloudUUID
  uuid_attribute_type: text
  user_enabled_attribute: ownCloudUserEnabled
  filter: ""
  objectclass: inetOrgPerson

Environment Variables

Name Type Default Value Description
IDP_PASSWORD_RESET_URI string The URI where a user can reset their password.
OCIS_TRACING_ENABLED
IDP_TRACING_ENABLED		 bool false Activates tracing.
OCIS_TRACING_TYPE
IDP_TRACING_TYPE		 string The type of tracing. Defaults to ‘’, which is the same as ‘jaeger’. Allowed tracing types are ‘jaeger’ and ’’ as of now.
OCIS_TRACING_ENDPOINT
IDP_TRACING_ENDPOINT		 string The endpoint of the tracing agent.
OCIS_TRACING_COLLECTOR
IDP_TRACING_COLLECTOR		 string The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
OCIS_LOG_LEVEL
IDP_LOG_LEVEL		 string The log level. Valid values are: ‘panic’, ‘fatal’, ’error’, ‘warn’, ‘info’, ‘debug’, ’trace’.
OCIS_LOG_PRETTY
IDP_LOG_PRETTY		 bool false Activates pretty log output.
OCIS_LOG_COLOR
IDP_LOG_COLOR		 bool false Activates colorized log output.
OCIS_LOG_FILE
IDP_LOG_FILE		 string The path to the log file. Activates logging to this file if set.
IDP_DEBUG_ADDR string 127.0.0.1:9134 Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
IDP_DEBUG_TOKEN string Token to secure the metrics endpoint.
IDP_DEBUG_PPROF bool false Enables pprof, which can be used for profiling.
IDP_DEBUG_ZPAGES bool false Enables zpages, which can be used for collecting and viewing in-memory traces.
IDP_HTTP_ADDR string 127.0.0.1:9130 The bind address of the HTTP service.
IDP_HTTP_ROOT string / Subdirectory that serves as the root for this HTTP service.
IDP_TRANSPORT_TLS_CERT string /var/lib/ocis/idp/server.crt Path/File name of the TLS server certificate (in PEM format) for the IDP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idp.
IDP_TRANSPORT_TLS_KEY string /var/lib/ocis/idp/server.key Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the IDP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idp.
IDP_TLS bool false Disable or Enable HTTPS for the communication between the Proxy service and the IDP service. If set to ’true’, the key and cert files need to be configured and present.
OCIS_REVA_GATEWAY string com.owncloud.api.gateway The CS3 gateway endpoint.
OCIS_GRPC_CLIENT_TLS_MODE string TLS mode for grpc connection to the go-micro based grpc services. Possible values are ‘off’, ‘insecure’ and ‘on’. ‘off’: disables transport security for the clients. ‘insecure’ allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). ‘on’ enables transport security, including server certificate verification.
OCIS_GRPC_CLIENT_TLS_CACERT string Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.
OCIS_MACHINE_AUTH_API_KEY
IDP_MACHINE_AUTH_API_KEY		 string Machine auth API key used to validate internal requests necessary for the access to resources from other services.
IDP_ASSET_PATH string Serve IDP assets from a path on the filesystem instead of the builtin assets.
IDP_LOGIN_BACKGROUND_URL string Configure an alternative URL to the background image for the login page.
OCIS_URL
OCIS_OIDC_ISSUER
IDP_ISS		 string https://localhost:9200 The OIDC issuer URL to use.
IDP_IDENTITY_MANAGER string ldap The identity manager implementation to use. Supported identity managers are ’ldap’, ‘cs3’, ’libregraph’ and ‘guest’.
IDP_URI_BASE_PATH string IDP uri base path (defaults to ‘’).
IDP_SIGN_IN_URI string IDP sign-in url.
IDP_SIGN_OUT_URI string IDP sign-out url.
IDP_ENDPOINT_URI string URL of the IDP endpoint.
OCIS_LDAP_INSECURE
IDP_INSECURE		 bool false Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.
IDP_ALLOW_CLIENT_GUESTS bool false Allow guest clients to access oCIS.
IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION bool false Allow dynamic client registration.
IDP_ENCRYPTION_SECRET_FILE string /var/lib/ocis/idp/encryption.key Path to the encryption secret file, if unset, a new certificate will be autogenerated upon each restart, thus invalidating all existing sessions. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idp.
IDP_SIGNING_KID string private-key Value of the KID (Key ID) field which is used in created tokens to uniquely identify the signing-private-key.
IDP_SIGNING_METHOD string PS256 Signing method of IDP requests like ‘PS256’
IDP_SIGNING_PRIVATE_KEY_FILES []string [/var/lib/ocis/idp/private-key.pem] A list of private key files for signing IDP requests. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idp. See the Environment Variable Types description for more details.
IDP_VALIDATION_KEYS_PATH string Path to validation keys for IDP requests.
IDP_ACCESS_TOKEN_EXPIRATION uint64 300 ‘Access token lifespan in seconds (time before an access token is expired).’
IDP_ID_TOKEN_EXPIRATION uint64 300 ID token lifespan in seconds (time before an ID token is expired).
IDP_REFRESH_TOKEN_EXPIRATION uint64 2592000 Refresh token lifespan in seconds (time before an refresh token is expired). This also limits the duration of an idle offline session.
IDP_DYNAMIC_CLIENT_SECRET_DURATION uint64 0 Lifespan in seconds of a dynamically registered OIDC client.
OCIS_LDAP_URI
IDP_LDAP_URI		 string ldaps://localhost:9235 Url of the LDAP service to use as IDP.
OCIS_LDAP_CACERT
IDP_LDAP_TLS_CACERT		 string /var/lib/ocis/idm/ldap.crt Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idp.
OCIS_LDAP_BIND_DN
IDP_LDAP_BIND_DN		 string uid=idp,ou=sysusers,o=libregraph-idm LDAP DN to use for simple bind authentication with the target LDAP server.
OCIS_LDAP_BIND_PASSWORD
IDP_LDAP_BIND_PASSWORD		 string Password to use for authenticating the ‘bind_dn’.
OCIS_LDAP_USER_BASE_DN
IDP_LDAP_BASE_DN		 string ou=users,o=libregraph-idm Search base DN for looking up LDAP users.
OCIS_LDAP_USER_SCOPE
IDP_LDAP_SCOPE		 string sub LDAP search scope to use when looking up users. Supported scopes are ‘base’, ‘one’ and ‘sub’.
IDP_LDAP_LOGIN_ATTRIBUTE string uid LDAP User attribute to use for login like ‘uid’.
OCIS_LDAP_USER_SCHEMA_MAIL
IDP_LDAP_EMAIL_ATTRIBUTE		 string mail LDAP User email attribute like ‘mail’.
OCIS_LDAP_USER_SCHEMA_USERNAME
IDP_LDAP_NAME_ATTRIBUTE		 string displayName LDAP User name attribute like ‘displayName’.
OCIS_LDAP_USER_SCHEMA_ID
IDP_LDAP_UUID_ATTRIBUTE		 string ownCloudUUID LDAP User UUID attribute like ‘uid’.
IDP_LDAP_UUID_ATTRIBUTE_TYPE string text LDAP User uuid attribute type like ’text’.
OCIS_LDAP_USER_ENABLED_ATTRIBUTE
IDP_USER_ENABLED_ATTRIBUTE		 string ownCloudUserEnabled LDAP Attribute to use as a flag telling if the user is enabled or disabled.
OCIS_LDAP_USER_FILTER
IDP_LDAP_FILTER		 string LDAP filter to add to the default filters for user search like ‘(objectclass=ownCloud)’.
OCIS_LDAP_USER_OBJECTCLASS
IDP_LDAP_OBJECTCLASS		 string inetOrgPerson LDAP User ObjectClass like ‘inetOrgPerson’.
gdoc_arrow_left_alt Service Configuration Service Configuration gdoc_arrow_right_alt