Document some of the requirements we currently have on the IDP#450
Document some of the requirements we currently have on the IDP#450rhafer merged 1 commit intoopencloud-eu:mainfrom
Conversation
rhafer
force-pushed
the
idp-requirement
branch
2 times, most recently
from
76f5de8 to
23ffe91
Compare
rhafer
force-pushed
the
idp-requirement
branch
from
23ffe91 to
c2253e1
Compare
rhafer
force-pushed
the
idp-requirement
branch
from
c2253e1 to
da6c101
Compare
rhafer
force-pushed
the
idp-requirement
branch
from
da6c101 to
2540996
Compare
There was a problem hiding this comment.
Pull Request Overview
Documents the current requirements and limitations for integrating external OpenID Connect Identity Providers with OpenCloud, providing administrators with clear expectations before attempting integration.
- Added a comprehensive requirements section outlining IDP compatibility needs
- Included specific technical requirements for public clients, PKCE flow, and predefined client IDs
- Added clarification about scope handling and automatic role assignment limitations
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
docs/admin/configuration/authentication-and-user-management/external-idp.md
Show resolved
Hide resolved
docs/admin/configuration/authentication-and-user-management/external-idp.md
Outdated
Show resolved
Hide resolved
rhafer
force-pushed
the
idp-requirement
branch
from
2540996 to
5bba4ee
Compare
docs/admin/configuration/authentication-and-user-management/external-idp.md
Outdated
Show resolved
Hide resolved
docs/admin/configuration/authentication-and-user-management/external-idp.md
Outdated
Show resolved
Hide resolved
| [Desktop](https://github.com/opencloud-eu/desktop/), [Android](https://github.com/opencloud-eu/android/) | ||
| and [iOS](https://github.com/opencloud-eu/ios/)), are implemented as public clients using the | ||
| Authorization Code flow with PKCE. Therefore the IDP needs to support this flow. | ||
| - All clients, except the Web client, use hardcoded client IDs. Therefore the IDP needs to |
There was a problem hiding this comment.
Are the clients really hardcoded as in code, or are they "just" configured?
There was a problem hiding this comment.
Well, I guess most clients allow them to be changed via config (or branding or MDM) somehow, but for most users that is the equivalent of "hard-coded". (i.e. there is no-UI to change it and fiddling with some config file on an IOS/Android device is quite a hurdle, if possible at all)
There was a problem hiding this comment.
I'll change it to predefined
docs/admin/configuration/authentication-and-user-management/external-idp.md
Outdated
Show resolved
Hide resolved
| The following environment variables are relevant when connecting OpenCloud to an external IDP | ||
|
|
||
| - `OC_OIDC_ISSUER`: Set this to the issuer URL of the external Identity Provider | ||
| - `OC_EXCLUDE_RUN_SERVICES`: To disable the built-in Identity Provider set this to `idp` |
There was a problem hiding this comment.
What is the default value? I would name it here, for example like "Change this from internal to idp to disable...."
There was a problem hiding this comment.
The default is empty. I reworded the sentence a bit. I hope that makes it better to understand.
docs/admin/configuration/authentication-and-user-management/external-idp.md
Outdated
Show resolved
Hide resolved
|
|
||
| - `OC_OIDC_ISSUER`: Set this to the issuer URL of the external Identity Provider | ||
| - `OC_EXCLUDE_RUN_SERVICES`: To disable the built-in Identity Provider set this to `idp` | ||
| - `PROXY_OIDC_REWRITE_WELLKNOWN`: Set this to `true` to expose the Identity |
There was a problem hiding this comment.
This sentence does not really explain. Where is the identity exposed? Why?
There was a problem hiding this comment.
It's not any identity that is being exposed. It's the "Identity Provider's well-known/openid-configuration endpoint.
Reworded, hth.
|
|
||
| - `OC_OIDC_ISSUER`: Set this to the issuer URL of the external Identity Provider | ||
| - `OC_EXCLUDE_RUN_SERVICES`: To disable the built-in Identity Provider set this to `idp` | ||
| - `PROXY_OIDC_REWRITE_WELLKNOWN`: Set this to `true` to expose the Identity |
There was a problem hiding this comment.
Should we add an real-world example configuration here with a little description?
There was a problem hiding this comment.
I'll add a link to the keycloak chapter. I think that should do it.
rhafer
force-pushed
the
idp-requirement
branch
from
5bba4ee to
1a0a37a
Compare
Until we have addressed the current restrictions of our clients we should at least document them.
rhafer
force-pushed
the
idp-requirement
branch
from
1a0a37a to
bda4c4e
Compare
Until we have addressed the current restrictions of our client we should at least document them.