Integrating external OpenID Connect Identity Providers
Requirements
OpenCloud integrates with external OpenID Connect Identity Providers (IDPs). The setup is opinionated, but the requirements below are provider-independent. For a provider-specific example, see Keycloak integration.
This is the list of minimal requirements that an IDP needs to fulfill in order to work with OpenCloud:
- All clients provided by OpenCloud (Web, Desktop, Android and iOS), are implemented as public clients using the authorization code flow with PKCE. Therefore the IDP needs to support this flow.
- All clients, except the Web client, use predefined client IDs. Therefore the IDP needs to be able to create clients with predefined IDs.
- OpenCloud provides client IDs and scopes for the Web, Desktop, Android, and iOS apps through the OpenCloud WebFinger service. Configure these values in the OpenCloud deployment so that clients can discover the correct OIDC settings.
- The IDP must return the claims required by OpenCloud in the access token or through the UserInfo endpoint. Configure scopes and claim mappings in the IDP accordingly.
OpenCloud Configuration
The following environment variables are relevant when connecting OpenCloud to an external IDP.
Configure the OIDC issuer
IDP_DOMAIN=idp.example.org
IDP_ISSUER_URL=https://idp.example.org/realms/openCloud
OC_OIDC_ISSUER=https://idp.example.org/realms/openCloud
Do not include the protocol in IDP_DOMAIN. Use idp.example.org, not
https://idp.example.org.
OC_OIDC_ISSUER: Set this to the issuer URL of the external Identity Provider.OC_EXCLUDE_RUN_SERVICES: When using an external IDP, the built-in Identity Provider does not need to run. Addidphere to prevent the internalidpservice from starting.PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: Set this tojwtso OpenCloud verifies access tokens as JWTs using the Identity Provider's published signing keys.PROXY_OIDC_REWRITE_WELLKNOWN: Set this totrueto expose the Identity Provider's.well-known/openid-configurationendpoint via the OpenCloud base URLs.PROXY_USER_OIDC_CLAIMandPROXY_USER_CS3_CLAIM: These two variables configure how users are mapped between the Identity Provider and OpenCloud.PROXY_USER_OIDC_CLAIMdefines the OIDC claim that OpenCloud uses to uniquely identify a user. It is matched against the OpenCloud user attribute defined inPROXY_USER_CS3_CLAIM. For example, ifPROXY_USER_OIDC_CLAIMis set topreferred_usernameandPROXY_USER_CS3_CLAIMis set tousername, then an OpenID Connect user withpreferred_username=alanmaps to the OpenCloud user with usernamealan.PROXY_AUTOPROVISION_ACCOUNTSandGRAPH_USERNAME_MATCH: WhenPROXY_AUTOPROVISION_ACCOUNTSis set totrue, OpenCloud creates a new user account in the LDAP database for every user who logs in via OpenID Connect for the first time. This requires a writable LDAP server. For smaller setups, the built-in LDAP server provided by theidmservice can be used. If set tofalse, users must already exist in LDAP.PROXY_ROLE_ASSIGNMENT_DRIVERandGRAPH_ASSIGN_DEFAULT_USER_ROLE: See the section below.
If you use Docker Compose with an external IDP, add idm/external-idp.yml to
COMPOSE_FILE.
Configure client discovery with WebFinger
OpenCloud clients discover OIDC client settings through the OpenCloud WebFinger
service at https://<opencloud-domain>/.well-known/webfinger.
The WebFinger OIDC variables define which client ID and scopes are returned to the different OpenCloud clients. They already ship with the following defaults, so you only need to set them if your IDP requires different client IDs or scopes:
WEBFINGER_WEB_OIDC_CLIENT_ID=web
WEBFINGER_WEB_OIDC_CLIENT_SCOPES=openid profile email
WEBFINGER_ANDROID_OIDC_CLIENT_ID=OpenCloudAndroid
WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES=openid profile email offline_access
WEBFINGER_IOS_OIDC_CLIENT_ID=OpenCloudIOS
WEBFINGER_IOS_OIDC_CLIENT_SCOPES=openid profile email offline_access
WEBFINGER_DESKTOP_OIDC_CLIENT_ID=OpenCloudDesktop
WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES=openid profile email offline_access
- Android and iOS clients use the WebFinger discovery mechanism.
- The Desktop Client does not fully support this discovery mechanism yet. Configure the Desktop Client WebFinger variables anyway so the setup is ready for client support and stays consistent.
Automatic Role Assignments
Automatic role assignment requires the IDP to provide the configured role claim in the access token or through the UserInfo endpoint. Make sure that the configured scopes and claim mappings return this claim for OpenCloud clients.
If the IDP does not provide the required role claim, automatic role assignment
with the oidc driver will not work.
When users login into OpenCloud, they get a user role assigned
automatically. The automatic role assignment can be configured in different
ways. The PROXY_ROLE_ASSIGNMENT_DRIVER environment variable (or the driver
setting in the role_assignment section of the configuration file) select which
mechanism to use for the automatic role assignment.
When set to default, all users which do not have a role assigned at the time
of first login will get the role 'user' assigned. This is also the
default behavior if PROXY_ROLE_ASSIGNMENT_DRIVER is unset.
When PROXY_ROLE_ASSIGNMENT_DRIVER is set to oidc the role assignment for a
user will happen based on the values of an OpenID Connect Claim of that user.
The name of the OpenID Connect Claim to be used for the role assignment can be
configured via the PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM environment variable. It
is also possible to define a mapping of claim values to role names defined in
OpenCloud via a yaml configuration. See the following proxy.yaml snippet
for an example.
role_assignment:
driver: oidc
oidc_role_mapper:
role_claim: opencloudRoles
role_mapping:
- role_name: admin
claim_value: myAdminRole
- role_name: spaceadmin
claim_value: mySpaceAdminRole
- role_name: user
claim_value: myUserRole
- role_name: user-light
claim_value: myGuestRole
This would assign the role admin to users with the value myAdminRole in the claim opencloudRoles.
The role user to users with the values myUserRole in the claims opencloudRoles and so on.
Claim values that are not mapped to a specific OpenCloud role will be ignored.
Note: An OpenCloud user can only have a single role assigned. If the configured
role_mapping and a user's claim values result in multiple possible roles for a user, the order in
which the role mappings are defined in the configuration is important. The first role in the
role_mappings where the claim_value matches a value from the user's roles claim will be assigned
to the user. So if e.g. a user's opencloudRoles claim has the values myUserRole and
mySpaceAdminRole that user will get the OpenCloud role spaceadmin assigned (because spaceadmin
appears before user in the above sample configuration).
If a user's claim values don't match any of the configured role mappings an error will be logged and the user will not be able to login.
The default role_claim (or PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM) is roles. The default role_mapping is:
- role_name: admin
claim_value: opencloudAdmin
- role_name: spaceadmin
claim_value: opencloudSpaceAdmin
- role_name: user
claim_value: opencloudUser
- role_name: user-light
claim_value: opencloudGuest
When PROXY_ROLE_ASSIGNMENT_DRIVER is set to oidc it is recommended to set GRAPH_ASSIGN_DEFAULT_USER_ROLE to false.