diff --git a/.env.example b/.env.example index 4ebacaf..ccda56f 100644 --- a/.env.example +++ b/.env.example @@ -298,6 +298,14 @@ LDAP_BIND_PASSWORD= ## Autoprovisioning Mode ## # Use together with idm/external-idp.yml +# Role assignment driver for the proxy. Defaults to "oidc". +# Possible values: "oidc", "default" +# When set to "oidc", roles are assigned based on OIDC claims. +# When set to "default", all users get the 'user' role assigned. +PROXY_ROLE_ASSIGNMENT_DRIVER= +# Assign the default 'user' role to new users. Defaults to "false". +# Set to "true" when using PROXY_ROLE_ASSIGNMENT_DRIVER=default +GRAPH_ASSIGN_DEFAULT_USER_ROLE= # If you want to use a keycloak for local testing, you can use testing/external-keycloak.yml and testing/ldap-manager.yml # Domain of your Identity Provider. IDP_DOMAIN= diff --git a/idm/external-idp.yml b/idm/external-idp.yml index ff8a6a4..b7e8350 100644 --- a/idm/external-idp.yml +++ b/idm/external-idp.yml @@ -15,7 +15,7 @@ services: FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments" PROXY_OIDC_REWRITE_WELLKNOWN: "true" WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web} - PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc" + PROXY_ROLE_ASSIGNMENT_DRIVER: ${PROXY_ROLE_ASSIGNMENT_DRIVER:-oidc} OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud} # This specifies to start all services except idm and idp. These are replaced by external services. OC_EXCLUDE_RUN_SERVICES: idm,idp @@ -37,7 +37,7 @@ services: OC_LDAP_DISABLE_USER_MECHANISM: "attribute" OC_ADMIN_USER_ID: "" SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false" - GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false" + GRAPH_ASSIGN_DEFAULT_USER_ROLE: ${GRAPH_ASSIGN_DEFAULT_USER_ROLE:-false} GRAPH_USERNAME_MATCH: "none" # We need to set the IDP_DOMAIN to allow the CSP rules to be set correctly IDP_DOMAIN: ${IDP_DOMAIN:-keycloak.opencloud.test}