OIDC customization settings not persistent
-
Hello,
I want to comment out the following entries in `homeserver.yaml` so that users can define their matrix usernames.

```yaml
user_mapping_provider:
  config:
    #localpart_template: '{{ user.sub }}'
    #display_name_template: '{{ user.name }}'
    email_template: '{{ user.email }}'
```

But when restarting the app, the two lines are added again, uncommented, overwriting my changes.
-
Guess it has something to do with `app/pkg/start.sh`:

```bash
# oidc
if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
    echo " ==> Configuring OIDC auth"
    yq eval -i ".oidc_providers[0].idp_id=\"cloudron\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].idp_name=\"${CLOUDRON_OIDC_PROVIDER_NAME:-Cloudron}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].issuer=\"${CLOUDRON_OIDC_ISSUER}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].client_id=\"${CLOUDRON_OIDC_CLIENT_ID}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].client_secret=\"${CLOUDRON_OIDC_CLIENT_SECRET}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].scopes=[\"openid\", \"email\", \"profile\"]" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].authorization_endpoint=\"${CLOUDRON_OIDC_AUTH_ENDPOINT}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].token_endpoint=\"${CLOUDRON_OIDC_TOKEN_ENDPOINT}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].userinfo_endpoint=\"${CLOUDRON_OIDC_PROFILE_ENDPOINT}\"" /app/data/configs/homeserver.yaml
    # https://s3lph.me/ldap-to-oidc-migration-3-matrix.html
    yq eval -i ".oidc_providers[0].allow_existing_users=true" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].skip_verification=true" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].user_mapping_provider.config.localpart_template=\"{{ user.sub }}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].user_mapping_provider.config.display_name_template=\"{{ user.name }}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].user_mapping_provider.config.email_template=\"{{ user.email }}\"" /app/data/configs/homeserver.yaml
else
```

Basically, the script should not update the `homeserver.yaml` `localpart_template` key if its value was set (manually) to `null` (changing it to `null` is maybe easier to detect than just commenting it out).
-
Hello @mononym
When packaging a Cloudron app with OIDC support we make the app start up always handle the OIDC set up to ensure it is working.
You would like a change to the Matrix/Synapse app that if the `/app/data/configs/homeserver.yaml` was initially set up it should not be touched again to prevent reverting changes by the user.
Is that correct? -
Since the OIDC settings like the endpoint origin may change, if an app was installed with OIDC through Cloudron enabled, we always have to ensure this.
If the user management should be left to the admin to configure, an app has to be installed without Cloudron user management.
Unless we make this a post-install setting, reinstallation is the only way to persistently change those bits. Think of it similarly to the database setup of an app. Either Cloudron ensures the setup or it would require each admin to manually tweak those if changed by the platform or through an app update.
-
Yes, this makes perfect sense to me. That's also why I only want to change two specific parameters (`localpart_template` and `display_name_template`) and not the whole OIDC setup, which should be immutable so to say. And in my case, I also wanted to ensure that `email_template` is kept in sync with the Cloudron account email, only giving freedom to set a desired handle and display name (although that one can be modified afterwards by the user).

P.S.: I did not test yet if other settings are persistent or not, as I intend to set a retention policy for synapse as well.
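The rule proposed in the first post (leave `localpart_template` alone when the admin set it to `null`) combined with the refinement in the last one (`email_template` and the rest of the provider block stay under Cloudron's control) can be expressed as a small merge step. The following is an added example, not Cloudron's `start.sh` nor Synapse code: it works on `homeserver.yaml` already parsed into a Python dict (the real script would have to put the same "is it explicitly null?" check in front of its two `yq` calls), and it reads the same `CLOUDRON_OIDC_*` variable names the thread shows. The sample config and environment at the bottom are constructed for illustration.

```python
"""Apply Cloudron's per-start OIDC settings to a parsed Synapse homeserver.yaml
while honouring an admin's explicit `null` for the two user-mapping templates.

Added example; mirrors the yq calls quoted in the thread, it is not the app's
own code. Operates on a dict, i.e. after YAML parsing."""
import copy

# Provider keys that start.sh writes from the environment on every boot.
ENV_BACKED_KEYS = {
    "issuer": "CLOUDRON_OIDC_ISSUER",
    "client_id": "CLOUDRON_OIDC_CLIENT_ID",
    "client_secret": "CLOUDRON_OIDC_CLIENT_SECRET",
    "authorization_endpoint": "CLOUDRON_OIDC_AUTH_ENDPOINT",
    "token_endpoint": "CLOUDRON_OIDC_TOKEN_ENDPOINT",
    "userinfo_endpoint": "CLOUDRON_OIDC_PROFILE_ENDPOINT",
}

# Defaults for the user mapping templates, as written by start.sh.
MAPPING_DEFAULTS = {
    "localpart_template": "{{ user.sub }}",
    "display_name_template": "{{ user.name }}",
    "email_template": "{{ user.email }}",
}

# Only these two may be switched off by the admin; email_template is always
# enforced so the Matrix email stays in sync with the Cloudron account.
ADMIN_OVERRIDABLE = ("localpart_template", "display_name_template")


def configure_oidc(config: dict, env: dict) -> list:
    """Mutate `config` in place the way start.sh does, but skip an overridable
    template whose value is an explicit None (YAML null).

    Returns the list of mapping keys that were left untouched, so the caller
    can log them the way start.sh logs " ==> Configuring OIDC auth".
    """
    providers = config.setdefault("oidc_providers", [])
    if not providers:
        providers.append({})
    provider = providers[0]

    # Everything below is Cloudron-owned and re-applied unconditionally:
    # issuer, client credentials and endpoints may legitimately change.
    provider["idp_id"] = "cloudron"
    provider["idp_name"] = env.get("CLOUDRON_OIDC_PROVIDER_NAME", "Cloudron")
    for key, var in ENV_BACKED_KEYS.items():
        # A missing variable raises KeyError on purpose: a half-configured
        # OIDC provider should stop the start-up, not silently write "".
        provider[key] = env[var]
    provider["scopes"] = ["openid", "email", "profile"]
    provider["allow_existing_users"] = True
    provider["skip_verification"] = True

    mapping = provider.setdefault("user_mapping_provider", {}).setdefault("config", {})
    skipped = []
    for key, default in MAPPING_DEFAULTS.items():
        # `key: null` present in the file is the admin's opt-out. A key that is
        # absent (fresh install, or commented out) is indistinguishable from a
        # fresh install and gets the default again, which is why the thread
        # suggests null rather than a comment.
        if key in ADMIN_OVERRIDABLE and key in mapping and mapping[key] is None:
            skipped.append(key)
            continue
        mapping[key] = default
    return skipped


# Constructed sample environment (placeholder values, not a real deployment).
SAMPLE_ENV = {
    "CLOUDRON_OIDC_ISSUER": "https://my.example.invalid/openid",
    "CLOUDRON_OIDC_CLIENT_ID": "synapse-client-id-placeholder",
    "CLOUDRON_OIDC_CLIENT_SECRET": "client-secret-placeholder",
    "CLOUDRON_OIDC_AUTH_ENDPOINT": "https://my.example.invalid/openid/auth",
    "CLOUDRON_OIDC_TOKEN_ENDPOINT": "https://my.example.invalid/openid/token",
    "CLOUDRON_OIDC_PROFILE_ENDPOINT": "https://my.example.invalid/openid/userinfo",
}

# Constructed sample: the admin from the thread disabled localpart_template
# with null and also (wrongly) nulled email_template, which must be restored.
SAMPLE_ADMIN_CONFIG = {
    "oidc_providers": [{
        "user_mapping_provider": {"config": {
            "localpart_template": None,
            "display_name_template": "{{ user.name }}",
            "email_template": None,
        }},
    }],
}


def demo():
    """Run the merge on a copy of the sample and return (skipped, mapping)."""
    cfg = copy.deepcopy(SAMPLE_ADMIN_CONFIG)
    skipped = configure_oidc(cfg, SAMPLE_ENV)
    return skipped, cfg["oidc_providers"][0]["user_mapping_provider"]["config"]


if __name__ == "__main__":
    skipped, mapping = demo()
    print("left alone:", skipped)
    print("resulting mapping config:", mapping)
```

Running the module prints `left alone: ['localpart_template']`; the resulting mapping keeps `localpart_template` as `null` (so Synapse will ask the user to pick a localpart), keeps the display name template, and has `email_template` restored to `{{ user.email }}`. On an empty config every key is written, exactly as today.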