
simplify oCIS deployment with external IDP #2819

Closed
wkloucek opened this issue Nov 25, 2021 · 3 comments · Fixed by #4346

Comments

@wkloucek
Contributor

Is your feature request related to a problem? Please describe.

When you are using oCIS with an external IDP, you need to make sure that the oC Desktop / iOS / Android clients can find the .well-known/openid-configuration endpoint on the same domain / port (in general, the same address) as oCIS.

This endpoint is provided by an external IDP in our case. Redirects to this proxy are not allowed (OIDC spec), therefore we need to proxy requests to the IDP. The current capabilities of the proxy are not sufficient for common use cases. An example of that is our Keycloak deployment example:

```yaml
# let /.well-known/openid-configuration be served by Keycloak
- "traefik.http.middlewares.idp-headers.headers.customrequestheaders.X-Forwarded-Host=${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}"
- "traefik.http.middlewares.idp-prefix.addprefix.prefix=/auth/realms/${KEYCLOAK_REALM:-oCIS}"
- "traefik.http.middlewares.idp-override.chain.middlewares=idp-headers,idp-prefix"
- "traefik.http.routers.idp-wellknown.entrypoints=https"
- "traefik.http.routers.idp-wellknown.tls.certresolver=http"
- "traefik.http.routers.idp-wellknown.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`) && Path(`/.well-known/openid-configuration`)"
- "traefik.http.routers.idp-wellknown.middlewares=idp-override"
- "traefik.http.routers.idp-wellknown.service=keycloak"
```

In that example this mapping is done in the proxy:

Describe the solution you'd like

Have a simple way to make the .well-known/openid-configuration endpoint available without using an external proxy.

Describe alternatives you've considered

Providing a different way to discover the OIDC provider to the clients (e.g. like Web with a config), but that would break existing clients.
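The relay the issue asks for, written out as an added example in Go (this is not code from the issue, from oCIS or from Traefik). It reproduces the Traefik chain above with the standard library's reverse proxy: only `/.well-known/openid-configuration` on the oCIS address is forwarded, the realm prefix is prepended, `X-Forwarded-Host` is set to the IDP's domain, and a redirect from the IDP is refused rather than passed on, since discovery must be served directly. The client side checks that the issuer in the document equals the expected issuer exactly. The realm prefix `/auth/realms/oCIS`, the hostname `keycloak.owncloud.test` and the fake Keycloak served by `httptest` are constructed for the example and reuse the defaults from the labels above; `NewWellKnownHandler`, `FetchDiscovery`, `Outcome` and `Run` are names chosen here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// WellKnownPath is the discovery endpoint clients look up on the oCIS address.
const WellKnownPath = "/.well-known/openid-configuration"

// NewWellKnownHandler relays exactly one path, WellKnownPath, to the external IDP
// the way the Traefik chain in the issue does: realm prefix added, X-Forwarded-Host
// set to the IDP's domain. Any other path gets a 404, so the relay cannot be used
// to reach arbitrary IDP URLs through the oCIS address.
func NewWellKnownHandler(idp *url.URL, realmPrefix, forwardedHost string) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(idp)
	base := rp.Director
	rp.Director = func(r *http.Request) {
		base(r)
		r.URL.Path = strings.TrimSuffix(realmPrefix, "/") + WellKnownPath
		r.Host = idp.Host
		r.Header.Set("X-Forwarded-Host", forwardedHost)
	}
	// Discovery must be served directly: a redirect from the IDP is reported as
	// an error, which the reverse proxy turns into a 502 for the client.
	rp.ModifyResponse = func(resp *http.Response) error {
		if resp.StatusCode >= 300 && resp.StatusCode < 400 {
			return fmt.Errorf("idp redirected discovery (%d)", resp.StatusCode)
		}
		return nil
	}
	mux := http.NewServeMux()
	mux.Handle(WellKnownPath, rp)
	return mux
}

// FetchDiscovery is the client side: it never follows redirects and accepts the
// document only if its issuer equals the expected issuer exactly.
func FetchDiscovery(ocisBase, expectedIssuer string) (string, error) {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}}
	resp, err := client.Get(strings.TrimSuffix(ocisBase, "/") + WellKnownPath)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("discovery returned status %d", resp.StatusCode)
	}
	var doc struct {
		Issuer string `json:"issuer"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return "", err
	}
	if doc.Issuer != expectedIssuer {
		return "", fmt.Errorf("issuer mismatch: got %q, want %q", doc.Issuer, expectedIssuer)
	}
	return doc.Issuer, nil
}

// Outcome is what one run of the scenario observed.
type Outcome struct {
	Issuer, IDPPath, IDPForwardedHost string // issuer accepted by the client; what the IDP received
	ProbeStatus                       int    // status of a non-discovery path sent through the relay
	Err                               error
}

// Run puts a constructed fake Keycloak behind the relay, fetches discovery
// through it and probes one non-discovery path. redirectIDP makes the fake IDP
// answer with a 302, the case the relay must reject.
func Run(redirectIDP bool) Outcome {
	const realmPrefix = "/auth/realms/oCIS"
	const issuer = "https://keycloak.owncloud.test" + realmPrefix
	var out Outcome
	idp := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		out.IDPPath, out.IDPForwardedHost = r.URL.Path, r.Header.Get("X-Forwarded-Host")
		switch {
		case redirectIDP:
			http.Redirect(w, r, issuer+WellKnownPath, http.StatusFound)
		case r.URL.Path != realmPrefix+WellKnownPath:
			http.NotFound(w, r)
		default:
			w.Header().Set("Content-Type", "application/json")
			json.NewEncoder(w).Encode(map[string]string{"issuer": issuer})
		}
	}))
	defer idp.Close()
	idpURL, _ := url.Parse(idp.URL)
	ocis := httptest.NewServer(NewWellKnownHandler(idpURL, realmPrefix, "keycloak.owncloud.test"))
	defer ocis.Close()
	out.Issuer, out.Err = FetchDiscovery(ocis.URL, issuer)
	if probe, err := http.Get(ocis.URL + "/auth/admin/"); err == nil {
		out.ProbeStatus = probe.StatusCode
		probe.Body.Close()
	}
	return out
}

func main() { fmt.Printf("%+v\n", Run(false)) }
```

`Run(false)` shows the happy path: the fake IDP receives `/auth/realms/oCIS/.well-known/openid-configuration` with `X-Forwarded-Host: keycloak.owncloud.test`, the client accepts the issuer, and the probe of `/auth/admin/` through the relay is answered 404 without ever reaching the IDP. `Run(true)` shows the failure mode from the issue: the IDP's redirect never reaches the client, which instead sees a 502 and reports an error.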

@stale

stale bot commented Jan 24, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

@stale

stale bot commented Mar 26, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

@stale

stale bot commented May 30, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.


1 participant