Merge pull request #1148 from owncloud/add_ocis_url_env

add OCIS_URL env var
2026-03-08 23:09:02 -05:00 · 2020-12-23 17:25:24 +01:00
parent 335aa2d5b3 652448f5f1
commit 5689daf864
47 changed files with 249 additions and 368 deletions
--- a/.drone.star
+++ b/.drone.star
@@ -1407,6 +1407,7 @@ def frontend(module):
 def ocisServer(storage, accounts_hash_difficulty = 4, volumes=[]):
  environment = {
    #'OCIS_LOG_LEVEL': 'debug',
+    'OCIS_URL': 'https://ocis-server:9200',
    'STORAGE_HOME_DRIVER': '%s' % (storage),
    'STORAGE_USERS_DRIVER': '%s' % (storage),
    'STORAGE_DRIVER_OCIS_ROOT': '/srv/app/tmp/ocis/storage/users',
@@ -1414,18 +1415,12 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes=[]):
    'STORAGE_METADATA_ROOT': '/srv/app/tmp/ocis/metadata',
    'STORAGE_DRIVER_OWNCLOUD_DATADIR': '/srv/app/tmp/ocis/owncloud/data',
    'STORAGE_DRIVER_OWNCLOUD_REDIS_ADDR': 'redis:6379',
-    'STORAGE_LDAP_IDP': 'https://ocis-server:9200',
-    'STORAGE_OIDC_ISSUER': 'https://ocis-server:9200',
-    'PROXY_OIDC_ISSUER': 'https://ocis-server:9200',
    'STORAGE_HOME_DATA_SERVER_URL': 'http://ocis-server:9155/data',
-    'STORAGE_DATAGATEWAY_PUBLIC_URL': 'https://ocis-server:9200/data',
    'STORAGE_USERS_DATA_SERVER_URL': 'http://ocis-server:9158/data',
-    'STORAGE_FRONTEND_PUBLIC_URL': 'https://ocis-server:9200',
    'STORAGE_SHARING_USER_JSON_FILE': '/srv/app/tmp/ocis/shares.json',
    'PROXY_ENABLE_BASIC_AUTH': True,
    'WEB_UI_CONFIG': '/drone/src/tests/config/drone/ocis-config.json',
    'KONNECTD_IDENTIFIER_REGISTRATION_CONF': '/drone/src/tests/config/drone/identifier-registration.yml',
-    'KONNECTD_ISS': 'https://ocis-server:9200',
    'KONNECTD_TLS': 'true',
    'OCIS_LOG_LEVEL': 'warn',
  }
--- a/changelog/unreleased/add-ocis-url-env.md
+++ b/changelog/unreleased/add-ocis-url-env.md
@@ -0,0 +1,17 @@
+Enhancement: add OCIS_URL env var
+
+Tags: ocis
+
+We introduced a new environment variable `OCIS_URL` that expects a URL including protocol, host and optionally port to simplify configuring all the different services. These existing environment variables still take precedence, but will also fall back to `OCIS_URL`: `STORAGE_LDAP_IDP`, `STORAGE_OIDC_ISSUER`, `PROXY_OIDC_ISSUER`, `STORAGE_FRONTEND_PUBLIC_URL`, `KONNECTD_ISS`, `WEB_OIDC_AUTHORITY`, and `WEB_UI_CONFIG_SERVER`.
+
+Some environment variables are now built dynamically if they are not set: 
+- `STORAGE_DATAGATEWAY_PUBLIC_URL` defaults to `<STORAGE_FRONTEND_PUBLIC_URL>/data`, also falling back to `OCIS_URL`
+- `WEB_OIDC_METADATA_URL` defaults to `<WEB_OIDC_AUTHORITY>/.well-known/openid-configuration`, also falling back to `OCIS_URL`
+
+Furthermore, the built in konnectd will generate an `identifier-registration.yaml` that uses the `KONNECTD_ISS` in the allowed `redirect_uris` and `origins`. It simplifies the default `https://localhost:9200` and remote deployment with `OCIS_URL` which is evaluated as a fallback if `KONNECTD_ISS` is not set.
+
+An OCIS server can now be started on a remote machine as easy as `OCIS_URL=https://cloud.ocis.test PROXY_HTTP_ADDR=0.0.0.0:443 ocis server`.
+
+Note that the `OCIS_DOMAIN` environment variable is not used by ocis, but by the docker containers.
+
+https://github.com/owncloud/ocis/pull/1148
--- a/deployments/examples/cs3_users_ocis/docker-compose.yaml
+++ b/deployments/examples/cs3_users_ocis/docker-compose.yaml
@@ -73,23 +73,15 @@ services:
      STORAGE_LDAP_FINDFILTER: '(&(objectclass=owncloud)(|(uid={{query}}*)(cn={{query}}*)(displayname={{query}}*)(mail={{query}}*)(description={{query}}*)))'
      STORAGE_LDAP_GROUPFILTER: '(&(objectclass=groupOfUniqueNames)(objectclass=owncloud)(ownclouduuid={{.OpaqueId}}*))'
      # General ocis config
-      OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
+      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      OCIS_LOG_LEVEL: error
      # proxy config
      PROXY_OIDC_INSECURE: "${INSECURE:-false}"
-      PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      PROXY_TLS: "false"
      # web config
-      WEB_OIDC_AUTHORITY: https://${OCIS_DOMAIN:-ocis.owncloud.test}
-      WEB_OIDC_METADATA_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}/.well-known/openid-configuration
      WEB_UI_CONFIG_APPS: files,draw-io,markdown-editor,media-viewer
-      WEB_UI_CONFIG_SERVER: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      # storage config
-      STORAGE_DATAGATEWAY_PUBLIC_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}/data
-      STORAGE_FRONTEND_PUBLIC_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}/
-      STORAGE_OIDC_ISSUER: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      # idp config
-      KONNECTD_ISS: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      KONNECTD_TLS: 'false'
    volumes:
      - ./config/ocis:/config
--- a/deployments/examples/ocis_keycloak/docker-compose.yml
+++ b/deployments/examples/ocis_keycloak/docker-compose.yml
@@ -46,7 +46,7 @@ services:
      default:
    environment:
      # general config
-      OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
+      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error}
      # proxy config
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
@@ -58,10 +58,7 @@ services:
      WEB_OIDC_CLIENT_ID: ${OCIS_OIDC_CLIENT_ID:-web}
      WEB_OIDC_METADATA_URL: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-master}/.well-known/openid-configuration
      WEB_UI_CONFIG_APPS: files,draw-io,markdown-editor,media-viewer
-      WEB_UI_CONFIG_SERVER: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      # storage config
-      STORAGE_DATAGATEWAY_PUBLIC_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}/data
-      STORAGE_FRONTEND_PUBLIC_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}/
      STORAGE_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
      STORAGE_LDAP_IDP: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
      # thumbnail config
--- a/deployments/examples/ocis_traefik/docker-compose.yml
+++ b/deployments/examples/ocis_traefik/docker-compose.yml
@@ -52,25 +52,16 @@ services:
      default:
    environment:
      # general config
-      OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
+      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error}
      # proxy config
      PROXY_OIDC_INSECURE: "${INSECURE:-false}"
-      PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      PROXY_TLS: "false"
      # web config
-      WEB_OIDC_AUTHORITY: https://${OCIS_DOMAIN:-ocis.owncloud.test}
-      WEB_OIDC_METADATA_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}/.well-known/openid-configuration
      WEB_UI_CONFIG_APPS: files,draw-io,markdown-editor,media-viewer
-      WEB_UI_CONFIG_SERVER: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      # storage config
-      STORAGE_DATAGATEWAY_PUBLIC_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}/data
-      STORAGE_FRONTEND_PUBLIC_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}/
-      STORAGE_OIDC_ISSUER: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
-      STORAGE_LDAP_IDP: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      # idp config
-      KONNECTD_ISS: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      KONNECTD_TLS: 'false'
      # thumbnail config
      THUMBNAILS_WEBDAVSOURCE_BASEURL: http://localhost:9200/remote.php/webdav/
--- a/deployments/examples/owncloud10_with_oc_web/config/oc10/config.php
+++ b/deployments/examples/owncloud10_with_oc_web/config/oc10/config.php
@@ -32,7 +32,7 @@ function getConfigFromEnv() {
      0 => $domain
    ],
    'openid-connect' => [
-        'provider-url' => getenv('OCIS_DOMAIN'),
+        'provider-url' => getenv('OCIS_URL'),
        'client-id' => 'oc10',
        'client-secret' => 'super',
        'loginButtonName' => 'OpenId Connect',
@@ -50,8 +50,8 @@ function getConfigFromEnv() {
    'dbpassword' => getenv('OWNCLOUD_DB_PASSWORD'),
    'dbtableprefix' => getenv('OWNCLOUD_DB_PREFIX'),

-    'web.baseUrl' => getenv('OCIS_DOMAIN'),
-    'cors.allowed-domains' => [getenv('OCIS_DOMAIN')],
+    'web.baseUrl' => getenv('OCIS_URL'),
+    'cors.allowed-domains' => [getenv('OCIS_URL')],

    'log_type' => 'owncloud',

--- a/deployments/examples/owncloud10_with_oc_web/docker-compose.yml
+++ b/deployments/examples/owncloud10_with_oc_web/docker-compose.yml
@@ -63,7 +63,7 @@ services:
      default:
    environment:
      # general config
-      OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
+      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error}
      # proxy
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
@@ -71,12 +71,10 @@ services:
      PROXY_OIDC_INSECURE: "${INSECURE:-false}"
      PROXY_CONFIG_FILE: "/config/proxy-config.json"
      PROXY_ENABLE_PRESIGNEDURLS: "false"
-      PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      PROXY_TLS: "false"
      # konnectd - binddn must exist as oc10 admin user
      KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/config/identifier-registration.yaml"
      KONNECTD_INSECURE: "${INSECURE:-false}"
-      KONNECTD_ISS: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      KONNECTD_SIGNING_KID: super
      KONNECTD_TLS: 0
      LDAP_BASEDN: "dc=example,dc=org"
@@ -99,12 +97,8 @@ services:
      # web ui
      WEB_UI_CONFIG: "/config/config.json"
      # storage - although not used, yet
-      STORAGE_OIDC_ISSUER: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      STORAGE_OIDC_INSECURE: "${INSECURE:-false}"
      STORAGE_TRANSFER_EXPIRES: 86400
-      STORAGE_FRONTEND_PUBLIC_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
-      STORAGE_DATAGATEWAY_PUBLIC_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}/data
-      STORAGE_LDAP_IDP: https://${OCIS_DOMAIN:-ocis.owncloud.test}
    volumes:
      - ./config/ocis:/config
      - ocis-data:/var/tmp/ocis
@@ -129,7 +123,7 @@ services:
      - redis
    environment:
      PROXY_LOG_LEVEL: debug
-      OCIS_DOMAIN: https://${OCIS_DOMAIN:-ocis.owncloud.test}
+      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      OWNCLOUD_DOMAIN: ${OC10_DOMAIN:-oc10.owncloud.test}
      OWNCLOUD_DB_TYPE: mysql
      OWNCLOUD_DB_NAME: owncloud
--- a/docs/ocis/deployment/basic-remote-setup.md
+++ b/docs/ocis/deployment/basic-remote-setup.md
@@ -58,13 +58,7 @@ You need to configure `your-host` in some services to provide the needed public

 ```bash
 PROXY_HTTP_ADDR=0.0.0.0:9200 \
-KONNECTD_ISS=https://your-server:9200 \
-REVA_OIDC_ISSUER=https://your-server:9200 \
-WEB_OIDC_AUTHORITY=https://your-server:9200 \
-WEB_UI_CONFIG_SERVER=https://your-server:9200 \
-WEB_OIDC_METADATA_URL=https://your-server:9200/.well-known/openid-configuration \
-REVA_DATAGATEWAY_URL=https://your-server:9200/data \
-REVA_FRONTEND_URL=https://your-server:9200 \
+OCIS_URL=https://your-server:9200 \
 PROXY_TRANSPORT_TLS_KEY=./certs/your-host.key \
 PROXY_TRANSPORT_TLS_CERT=./certs/your-host.crt \
 KONNECTD_TLS=0 \
@@ -93,8 +87,7 @@ cd compose-playground/compose/ocis
 sed -i -e 's/your-url/192.168.103.195/g' config/identifier-registration.yml

 cat << EOF > .env
-OCIS_BASE_URL=192.168.103.195
-OCIS_HTTP_PORT=9200
+OCIS_URL=https://192.168.103.195
 OCIS_DOCKER_TAG=latest
 EOF

--- a/konnectd/Makefile
+++ b/konnectd/Makefile
@@ -92,9 +92,9 @@ generate: assets

 # TODO find a docker container with go and yarn so we can properly build assets in ci
 #assets: assets/identifier/static assets/identifier/index.html
-assets: static-assets
+assets: assets/identifier/static

-static-assets:
+assets/identifier/static:
 	mkdir -p assets/identifier/static
 	curl -o assets/identifier/static/logo.svg ${LOGO_URL}
 	curl -o assets/identifier/static/favicon.ico ${FAVICON_URL}
--- a/konnectd/assets/identifier-registration.yaml
+++ b/konnectd/assets/identifier-registration.yaml
@@ -7,15 +7,11 @@ clients:
    trusted: yes
    insecure: yes
    redirect_uris:
-      - https://localhost:9200/
-      - https://localhost:9200/oidc-callback.html
-      - https://localhost:9200/oidc-silent-redirect.html
-      - http://localhost:9100/
-      - http://localhost:9100/oidc-callback.html
-      - http://localhost:9100/oidc-silent-redirect.html
+      - {{OCIS_URL}}/
+      - {{OCIS_URL}}/oidc-callback.html
+      - {{OCIS_URL}}/oidc-silent-redirect.html
    origins:
-      - https://localhost:9200
-      - http://localhost:9100
+      - {{OCIS_URL}}

  - id: ocis-explorer.js
    name: oCIS Graph Explorer
--- a/konnectd/pkg/assets/embed.go
+++ b/konnectd/pkg/assets/embed.go
--- a/konnectd/pkg/flagset/flagset.go
+++ b/konnectd/pkg/flagset/flagset.go
@@ -167,7 +167,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 		&cli.StringFlag{
 			Name:        "iss",
 			Usage:       "OIDC issuer URL",
-			EnvVars:     []string{"KONNECTD_ISS"},
+			EnvVars:     []string{"KONNECTD_ISS", "OCIS_URL"}, // KONNECTD_ISS takes precedence over OCIS_URL
 			Value:       "https://localhost:9200",
 			Destination: &cfg.Konnectd.Iss,
 		},
--- a/konnectd/pkg/service/v0/service.go
+++ b/konnectd/pkg/service/v0/service.go
@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"os"
+	"strings"

 	"github.com/go-chi/chi"
 	"github.com/gorilla/mux"
@@ -41,7 +42,7 @@ func NewService(opts ...Option) Service {
 		logger.Fatal().Err(err).Msg("could not initialize env vars")
 	}

-	if err := createConfigsIfNotExist(assetVFS); err != nil {
+	if err := createConfigsIfNotExist(assetVFS, options.Config.Konnectd.Iss); err != nil {
 		logger.Fatal().Err(err).Msg("could not create default config")
 	}

@@ -68,7 +69,7 @@ func NewService(opts ...Option) Service {
 	return svc
 }

-func createConfigsIfNotExist(assets http.FileSystem) error {
+func createConfigsIfNotExist(assets http.FileSystem, ocisURL string) error {
 	if _, err := os.Stat("./config"); os.IsNotExist(err) {
 		if err := os.Mkdir("./config", 0700); err != nil {
 			return err
@@ -95,6 +96,9 @@ func createConfigsIfNotExist(assets http.FileSystem) error {
 			return err
 		}

+		// replace placeholder {{OCIS_URL}} with https://localhost:9200 / correct host
+		conf = []byte(strings.ReplaceAll(string(conf), "{{OCIS_URL}}", strings.TrimRight(ocisURL, "/")))
+
 		err = ioutil.WriteFile("./config/identifier-registration.yaml", conf, 0600)
 		if err != nil {
 			return err
--- a/ocis/docker-compose-eos-test.yml
+++ b/ocis/docker-compose-eos-test.yml
@@ -30,14 +30,7 @@ services:
      OCIS_LOG_LEVEL: debug
      # domain setup
      # TODO currently the below lines hardcode the port to 9200, use an OCIS_URL that includes protocol and port
-      OCIS_DOMAIN: ${OCIS_DOMAIN:-localhost}
-      PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN:-localhost}:9200
-      KONNECTD_ISS: https://${OCIS_DOMAIN:-localhost}:9200
-      WEB_OIDC_AUTHORITY: https://${OCIS_DOMAIN:-localhost}:9200
-      WEB_OIDC_METADATA_URL: https://${OCIS_DOMAIN:-localhost}:9200/.well-known/openid-configuration
-      WEB_UI_CONFIG_SERVER: https://${OCIS_DOMAIN:-localhost}:9200
-      STORAGE_OIDC_ISSUER: https://${OCIS_DOMAIN:-localhost}:9200
-      STORAGE_LDAP_IDP: https://${OCIS_DOMAIN:-localhost}:9200
+      OCIS_URL: https://${OCIS_DOMAIN:-localhost:9200}
      # make home and users storages use eos
      STORAGE_HOME_DRIVER: eoshome
      STORAGE_USERS_DRIVER: eos
@@ -47,8 +40,6 @@ services:
      ACCOUNTS_STORAGE_DISK_PATH: /var/tmp/ocis/accounts
      # TODO make id the default in ocis-storage
      STORAGE_DRIVER_EOS_LAYOUT: "{{substr 0 1 .Id.OpaqueId}}/{{.Id.OpaqueId}}"
-      STORAGE_FRONTEND_PUBLIC_URL: https://${OCIS_DOMAIN:-localhost}:9200
-      STORAGE_DATAGATEWAY_PUBLIC_URL: https://${OCIS_DOMAIN:-localhost}:9200/data
      # common eos settings used for both drivers: eos and eoshome
      STORAGE_DRIVER_EOS_MASTER_URL: ${EOS_MGM_URL:-root://mgm-master.testnet:1094}
      STORAGE_DRIVER_EOS_SLAVE_URL: ${EOS_MGM_URL:-root://mgm-master.testnet:1094}
--- a/ocis/docker-compose.yml
+++ b/ocis/docker-compose.yml
@@ -38,18 +38,9 @@ services:
      OCIS_LOG_LEVEL: debug
      # domain setup
      # TODO currently the below lines hardcode the port to 9200, use an OCIS_URL that includes protocol and port
-      OCIS_DOMAIN: ${OCIS_DOMAIN:-localhost}
-      PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN:-localhost}:9200
-      KONNECTD_ISS: https://${OCIS_DOMAIN:-localhost}:9200
-      WEB_OIDC_AUTHORITY: https://${OCIS_DOMAIN:-localhost}:9200
-      WEB_OIDC_METADATA_URL: https://${OCIS_DOMAIN:-localhost}:9200/.well-known/openid-configuration
-      WEB_UI_CONFIG_SERVER: https://${OCIS_DOMAIN:-localhost}:9200
-      STORAGE_OIDC_ISSUER: https://${OCIS_DOMAIN:-localhost}:9200
-      STORAGE_LDAP_IDP: https://${OCIS_DOMAIN:-localhost}:9200
+      OCIS_URL: https://${OCIS_DOMAIN:-localhost:9200}
      # TODO make id the default in ocis-storage
      STORAGE_DRIVER_EOS_LAYOUT: "{{substr 0 1 .Id.OpaqueId}}/{{.Id.OpaqueId}}"
-      STORAGE_FRONTEND_PUBLIC_URL: https://${OCIS_DOMAIN:-localhost}:9200
-      STORAGE_DATAGATEWAY_PUBLIC_URL: https://${OCIS_DOMAIN:-localhost}:9200/data
      # common eos settings used for both drivers: eos and eoshome
      STORAGE_DRIVER_EOS_MASTER_URL: ${EOS_MGM_URL:-root://mgm-master.testnet:1094}
      STORAGE_DRIVER_EOS_SLAVE_URL: ${EOS_MGM_URL:-root://mgm-master.testnet:1094}
--- a/ocis/go.sum
+++ b/ocis/go.sum
@@ -217,6 +217,7 @@ github.com/bwmarrin/discordgo v0.20.2/go.mod h1:O9S4p+ofTFwB02em7jkpkV8M3R0/PUVO
 github.com/c-bata/go-prompt v0.2.5/go.mod h1:vFnjEGDIIA/Lib7giyE4E9c50Lvl8j0S+7FVlAwDAVw=
 github.com/caddyserver/certmagic v0.10.6 h1:sCya6FmfaN74oZE46kqfaFOVoROD/mF36rTQfjN7TZc=
 github.com/caddyserver/certmagic v0.10.6/go.mod h1:Y8jcUBctgk/IhpAzlHKfimZNyXCkfGgRTC0orl8gROQ=
+github.com/cenkalti/backoff v2.1.1+incompatible h1:tKJnvO2kl0zmb/jA5UKAt4VoEVw1qxKWjE/Bpp46npY=
 github.com/cenkalti/backoff v2.1.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
--- a/ocis/pkg/command/accounts.go
+++ b/ocis/pkg/command/accounts.go
@@ -28,12 +28,8 @@ func AccountsCommand(cfg *config.Config) *cli.Command {
 			command.PrintVersion(cfg.Accounts),
 		},
 		Action: func(c *cli.Context) error {
-			accountsCommand := command.Server(configureAccounts(cfg))
-			if err := accountsCommand.Before(c); err != nil {
-				return err
-			}
-
-			return cli.HandleAction(accountsCommand.Action, c)
+			origCmd := command.Server(configureAccounts(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/common.go
+++ b/ocis/pkg/command/common.go
@@ -0,0 +1,14 @@
+package command
+
+import "github.com/micro/cli/v2"
+
+func handleOriginalAction(c *cli.Context, cmd *cli.Command) error {
+
+	if cmd.Before != nil {
+		if err := cmd.Before(c); err != nil {
+			return err
+		}
+	}
+
+	return cli.HandleAction(cmd.Action, c)
+}
--- a/ocis/pkg/command/glauth.go
+++ b/ocis/pkg/command/glauth.go
@@ -18,16 +18,8 @@ func GLAuthCommand(cfg *config.Config) *cli.Command {
 		Category: "Extensions",
 		Flags:    flagset.ServerWithConfig(cfg.GLAuth),
 		Action: func(c *cli.Context) error {
-
-			cfg.GLAuth.Backend.Servers = c.StringSlice("backend-server")
-			cfg.GLAuth.Fallback.Servers = c.StringSlice("fallback-server")
-
-			scfg := configureGLAuth(cfg)
-
-			return cli.HandleAction(
-				command.Server(scfg).Action,
-				c,
-			)
+			origCmd := command.Server(configureGLAuth(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/ocs.go
+++ b/ocis/pkg/command/ocs.go
@@ -22,14 +22,9 @@ func OCSCommand(cfg *config.Config) *cli.Command {
 		Subcommands: []*cli.Command{
 			command.PrintVersion(cfg.OCS),
 		},
-		Action: func(ctx *cli.Context) error {
-			ocsCommand := command.Server(configureOCS(cfg))
-
-			if err := ocsCommand.Before(ctx); err != nil {
-				return err
-			}
-
-			return cli.HandleAction(ocsCommand.Action, ctx)
+		Action: func(c *cli.Context) error {
+			origCmd := command.Server(configureOCS(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/onlyoffice.go
+++ b/ocis/pkg/command/onlyoffice.go
@@ -1,12 +1,11 @@
 package command

 import (
-	"strings"
-
 	"github.com/micro/cli/v2"
 	"github.com/owncloud/ocis/ocis/pkg/config"
 	"github.com/owncloud/ocis/ocis/pkg/register"
 	"github.com/owncloud/ocis/onlyoffice/pkg/command"
+	svcconfig "github.com/owncloud/ocis/onlyoffice/pkg/config"
 	"github.com/owncloud/ocis/onlyoffice/pkg/flagset"
 )

@@ -17,26 +16,14 @@ func OnlyofficeCommand(cfg *config.Config) *cli.Command {
 		Usage:    "Start onlyoffice server",
 		Category: "Extensions",
 		Flags:    flagset.ServerWithConfig(cfg.Onlyoffice),
-		Before: func(c *cli.Context) error {
-			if cfg.HTTP.Root != "/" {
-				cfg.HTTP.Root = strings.TrimSuffix(cfg.HTTP.Root, "/")
-			}
-
-			return nil
-		},
 		Action: func(c *cli.Context) error {
-			onlyofficeCommand := command.Server(configureOnlyoffice(cfg).Onlyoffice)
-
-			if err := onlyofficeCommand.Before(c); err != nil {
-				return err
-			}
-
-			return cli.HandleAction(onlyofficeCommand.Action, c)
+			origCmd := command.Server(configureOnlyoffice(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }

-func configureOnlyoffice(cfg *config.Config) *config.Config {
+func configureOnlyoffice(cfg *config.Config) *svcconfig.Config {
 	cfg.Onlyoffice.Log.Level = cfg.Log.Level
 	cfg.Onlyoffice.Log.Pretty = cfg.Log.Pretty
 	cfg.Onlyoffice.Log.Color = cfg.Log.Color
@@ -48,7 +35,7 @@ func configureOnlyoffice(cfg *config.Config) *config.Config {
 		cfg.Onlyoffice.Tracing.Collector = cfg.Tracing.Collector
 	}

-	return cfg
+	return cfg.Onlyoffice
 }

 func init() {
--- a/ocis/pkg/command/proxy.go
+++ b/ocis/pkg/command/proxy.go
@@ -22,14 +22,9 @@ func ProxyCommand(cfg *config.Config) *cli.Command {
 		Subcommands: []*cli.Command{
 			command.PrintVersion(cfg.Proxy),
 		},
-		Action: func(ctx *cli.Context) error {
-			proxyCommand := command.Server(configureProxy(cfg))
-
-			if err := proxyCommand.Before(ctx); err != nil {
-				return err
-			}
-
-			return cli.HandleAction(proxyCommand.Action, ctx)
+		Action: func(c *cli.Context) error {
+			origCmd := command.Server(configureProxy(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/settings.go
+++ b/ocis/pkg/command/settings.go
@@ -22,14 +22,9 @@ func SettingsCommand(cfg *config.Config) *cli.Command {
 		Subcommands: []*cli.Command{
 			command.PrintVersion(cfg.Settings),
 		},
-		Action: func(ctx *cli.Context) error {
-			settingsCommand := command.Server(configureSettings(cfg))
-
-			if err := settingsCommand.Before(ctx); err != nil {
-				return err
-			}
-
-			return cli.HandleAction(settingsCommand.Action, ctx)
+		Action: func(c *cli.Context) error {
+			origCmd := command.Server(configureSettings(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/storageauthbasic.go
+++ b/ocis/pkg/command/storageauthbasic.go
@@ -19,12 +19,8 @@ func StorageAuthBasicCommand(cfg *config.Config) *cli.Command {
 		Category: "Extensions",
 		Flags:    flagset.AuthBasicWithConfig(cfg.Storage),
 		Action: func(c *cli.Context) error {
-			scfg := configureStorageAuthBasic(cfg)
-
-			return cli.HandleAction(
-				command.AuthBasic(scfg).Action,
-				c,
-			)
+			origCmd := command.AuthBasic(configureStorageAuthBasic(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/storageauthbearer.go
+++ b/ocis/pkg/command/storageauthbearer.go
@@ -19,12 +19,8 @@ func StorageAuthBearerCommand(cfg *config.Config) *cli.Command {
 		Category: "Extensions",
 		Flags:    flagset.AuthBearerWithConfig(cfg.Storage),
 		Action: func(c *cli.Context) error {
-			scfg := configureStorageAuthBearer(cfg)
-
-			return cli.HandleAction(
-				command.AuthBearer(scfg).Action,
-				c,
-			)
+			origCmd := command.AuthBearer(configureStorageAuthBearer(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/storagefrontend.go
+++ b/ocis/pkg/command/storagefrontend.go
@@ -19,16 +19,8 @@ func StorageFrontendCommand(cfg *config.Config) *cli.Command {
 		Category: "Extensions",
 		Flags:    flagset.FrontendWithConfig(cfg.Storage),
 		Action: func(c *cli.Context) error {
-			scfg := configureStorageFrontend(cfg)
-
-			if err := command.Frontend(scfg).Before(c); err != nil {
-				return err
-			}
-
-			return cli.HandleAction(
-				command.Frontend(scfg).Action,
-				c,
-			)
+			origCmd := command.Frontend(configureStorageFrontend(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/storagegateway.go
+++ b/ocis/pkg/command/storagegateway.go
@@ -19,12 +19,8 @@ func StorageGatewayCommand(cfg *config.Config) *cli.Command {
 		Category: "Extensions",
 		Flags:    flagset.GatewayWithConfig(cfg.Storage),
 		Action: func(c *cli.Context) error {
-			scfg := configureStorageGateway(cfg)
-
-			return cli.HandleAction(
-				command.Gateway(scfg).Action,
-				c,
-			)
+			origCmd := command.Gateway(configureStorageGateway(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/storagehome.go
+++ b/ocis/pkg/command/storagehome.go
@@ -19,12 +19,8 @@ func StorageHomeCommand(cfg *config.Config) *cli.Command {
 		Category: "Extensions",
 		Flags:    flagset.StorageHomeWithConfig(cfg.Storage),
 		Action: func(c *cli.Context) error {
-			scfg := configureStorageHome(cfg)
-
-			return cli.HandleAction(
-				command.StorageHome(scfg).Action,
-				c,
-			)
+			origCmd := command.StorageHome(configureStorageHome(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/storagemetadata.go
+++ b/ocis/pkg/command/storagemetadata.go
@@ -17,13 +17,8 @@ func StorageMetadataCommand(cfg *config.Config) *cli.Command {
 		Category: "Extensions",
 		Flags:    flagset.StorageMetadata(cfg.Storage),
 		Action: func(c *cli.Context) error {
-			revaStorageMetadataCommand := command.StorageMetadata(configureStorageMetadata(cfg))
-
-			if err := revaStorageMetadataCommand.Before(c); err != nil {
-				return err
-			}
-
-			return cli.HandleAction(revaStorageMetadataCommand.Action, c)
+			origCmd := command.StorageMetadata(configureStorageMetadata(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/storagepubliclink.go
+++ b/ocis/pkg/command/storagepubliclink.go
@@ -19,12 +19,8 @@ func StoragePublicLinkCommand(cfg *config.Config) *cli.Command {
 		Category: "Extensions",
 		Flags:    flagset.StoragePublicLink(cfg.Storage),
 		Action: func(c *cli.Context) error {
-			scfg := configureStoragePublicLink(cfg)
-
-			return cli.HandleAction(
-				command.StoragePublicLink(scfg).Action,
-				c,
-			)
+			origCmd := command.StoragePublicLink(configureStoragePublicLink(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/storagesharing.go
+++ b/ocis/pkg/command/storagesharing.go
@@ -19,12 +19,8 @@ func StorageSharingCommand(cfg *config.Config) *cli.Command {
 		Category: "Extensions",
 		Flags:    flagset.SharingWithConfig(cfg.Storage),
 		Action: func(c *cli.Context) error {
-			scfg := configureStorageSharing(cfg)
-
-			return cli.HandleAction(
-				command.Sharing(scfg).Action,
-				c,
-			)
+			origCmd := command.Sharing(configureStorageSharing(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/storageuserprovider.go
+++ b/ocis/pkg/command/storageuserprovider.go
@@ -19,12 +19,8 @@ func StorageUserProviderCommand(cfg *config.Config) *cli.Command {
 		Category: "Extensions",
 		Flags:    flagset.UsersWithConfig(cfg.Storage),
 		Action: func(c *cli.Context) error {
-			scfg := configureStorageUserProvider(cfg)
-
-			return cli.HandleAction(
-				command.Users(scfg).Action,
-				c,
-			)
+			origCmd := command.Users(configureStorageUserProvider(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/storageusers.go
+++ b/ocis/pkg/command/storageusers.go
@@ -19,12 +19,8 @@ func StorageUsersCommand(cfg *config.Config) *cli.Command {
 		Category: "Extensions",
 		Flags:    flagset.StorageUsersWithConfig(cfg.Storage),
 		Action: func(c *cli.Context) error {
-			scfg := configureStorageUsers(cfg)
-
-			return cli.HandleAction(
-				command.StorageUsers(scfg).Action,
-				c,
-			)
+			origCmd := command.StorageUsers(configureStorageUsers(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/store.go
+++ b/ocis/pkg/command/store.go
@@ -22,14 +22,9 @@ func StoreCommand(cfg *config.Config) *cli.Command {
 		Subcommands: []*cli.Command{
 			command.PrintVersion(cfg.Store),
 		},
-		Action: func(ctx *cli.Context) error {
-			storeCommand := command.Server(configureStore(cfg))
-
-			if err := storeCommand.Before(ctx); err != nil {
-				return err
-			}
-
-			return cli.HandleAction(storeCommand.Action, ctx)
+		Action: func(c *cli.Context) error {
+			origCmd := command.Server(configureStore(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/thumbnails.go
+++ b/ocis/pkg/command/thumbnails.go
@@ -24,13 +24,8 @@ func ThumbnailsCommand(cfg *config.Config) *cli.Command {
 			command.PrintVersion(cfg.Thumbnails),
 		},
 		Action: func(c *cli.Context) error {
-			thumbnailsCommand := command.Server(configureThumbnails(cfg))
-
-			if err := thumbnailsCommand.Before(c); err != nil {
-				return err
-			}
-
-			return cli.HandleAction(thumbnailsCommand.Action, c)
+			origCmd := command.Server(configureThumbnails(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/ocis/pkg/command/web.go
+++ b/ocis/pkg/command/web.go
@@ -1,12 +1,11 @@
 package command

 import (
-	"strings"
-
 	"github.com/micro/cli/v2"
 	"github.com/owncloud/ocis/ocis/pkg/config"
 	"github.com/owncloud/ocis/ocis/pkg/register"
 	"github.com/owncloud/ocis/web/pkg/command"
+	svcconfig "github.com/owncloud/ocis/web/pkg/config"
 	"github.com/owncloud/ocis/web/pkg/flagset"
 )

@@ -17,27 +16,14 @@ func WebCommand(cfg *config.Config) *cli.Command {
 		Usage:    "Start web server",
 		Category: "Extensions",
 		Flags:    flagset.ServerWithConfig(cfg.Web),
-		Before: func(c *cli.Context) error {
-			if cfg.HTTP.Root != "/" {
-				cfg.HTTP.Root = strings.TrimSuffix(cfg.HTTP.Root, "/")
-			}
-
-			cfg.Web.Web.Config.Apps = c.StringSlice("web-config-app")
-			return nil
-		},
 		Action: func(c *cli.Context) error {
-			webCommand := command.Server(configureWeb(cfg).Web)
-
-			if err := webCommand.Before(c); err != nil {
-				return err
-			}
-
-			return cli.HandleAction(webCommand.Action, c)
+			origCmd := command.Server(configureWeb(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }

-func configureWeb(cfg *config.Config) *config.Config {
+func configureWeb(cfg *config.Config) *svcconfig.Config {
 	cfg.Web.Log.Level = cfg.Log.Level
 	cfg.Web.Log.Pretty = cfg.Log.Pretty
 	cfg.Web.Log.Color = cfg.Log.Color
@@ -49,7 +35,7 @@ func configureWeb(cfg *config.Config) *config.Config {
 		cfg.Web.Tracing.Collector = cfg.Tracing.Collector
 	}

-	return cfg
+	return cfg.Web
 }

 func init() {
--- a/ocis/pkg/command/webdav.go
+++ b/ocis/pkg/command/webdav.go
@@ -23,13 +23,8 @@ func WebDAVCommand(cfg *config.Config) *cli.Command {
 			command.PrintVersion(cfg.WebDAV),
 		},
 		Action: func(c *cli.Context) error {
-			webdavCommand := command.Server(configureWebDAV(cfg))
-
-			if err := webdavCommand.Before(c); err != nil {
-				return err
-			}
-
-			return cli.HandleAction(webdavCommand.Action, c)
+			origCmd := command.Server(configureWebDAV(cfg))
+			return handleOriginalAction(c, origCmd)
 		},
 	}
 }
--- a/onlyoffice/pkg/command/server.go
+++ b/onlyoffice/pkg/command/server.go
@@ -34,8 +34,6 @@ func Server(cfg *config.Config) *cli.Command {
 				cfg.HTTP.Root = strings.TrimSuffix(cfg.HTTP.Root, "/")
 			}

-			// When running on single binary mode the before hook from the root command won't get called. We manually
-			// call this before hook from ocis command, so the configuration can be loaded.
 			return ParseConfig(ctx, cfg)
 		},
 		Action: func(c *cli.Context) error {
--- a/proxy/pkg/command/server.go
+++ b/proxy/pkg/command/server.go
@@ -4,13 +4,14 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	"github.com/owncloud/ocis/proxy/pkg/user/backend"
 	"net/http"
 	"os"
 	"os/signal"
 	"strings"
 	"time"

+	"github.com/owncloud/ocis/proxy/pkg/user/backend"
+
 	"contrib.go.opencensus.io/exporter/jaeger"
 	"contrib.go.opencensus.io/exporter/ocagent"
 	"contrib.go.opencensus.io/exporter/zipkin"
@@ -55,7 +56,14 @@ func Server(cfg *config.Config) *cli.Command {
 				return err
 			}

-			return ParseConfig(ctx, cfg)
+			if err := ParseConfig(ctx, cfg); err != nil {
+				return err
+			}
+
+			// TODO we could parse OCIS_URL and set the PROXY_HTTP_ADDR port but that would make it harder to deploy with a
+			// reverse proxy ... wouldn't it?
+
+			return nil
 		},
 		Action: func(c *cli.Context) error {
 			logger := NewLogger(cfg)
--- a/proxy/pkg/flagset/flagset.go
+++ b/proxy/pkg/flagset/flagset.go
@@ -199,7 +199,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "oidc-issuer",
 			Value:       "https://localhost:9200",
 			Usage:       "OIDC issuer",
-			EnvVars:     []string{"PROXY_OIDC_ISSUER"},
+			EnvVars:     []string{"PROXY_OIDC_ISSUER", "OCIS_URL"}, // PROXY_OIDC_ISSUER takes precedence over OCIS_URL
 			Destination: &cfg.OIDC.Issuer,
 		},
 		&cli.BoolFlag{
--- a/storage/pkg/command/gateway.go
+++ b/storage/pkg/command/gateway.go
@@ -28,6 +28,10 @@ func Gateway(cfg *config.Config) *cli.Command {
 			cfg.Reva.Gateway.Services = c.StringSlice("service")
 			cfg.Reva.StorageRegistry.Rules = c.StringSlice("storage-registry-rule")

+			if cfg.Reva.DataGateway.PublicURL == "" {
+				cfg.Reva.DataGateway.PublicURL = strings.TrimRight(cfg.Reva.Frontend.PublicURL, "/") + "/data"
+			}
+
 			return nil
 		},
 		Action: func(c *cli.Context) error {
--- a/storage/pkg/flagset/authbearer.go
+++ b/storage/pkg/flagset/authbearer.go
@@ -24,7 +24,7 @@ func AuthBearerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "oidc-issuer",
 			Value:       "https://localhost:9200",
 			Usage:       "OIDC issuer",
-			EnvVars:     []string{"STORAGE_OIDC_ISSUER"},
+			EnvVars:     []string{"STORAGE_OIDC_ISSUER", "OCIS_URL"}, // STORAGE_OIDC_ISSUER takes precedence over OCIS_URL
 			Destination: &cfg.Reva.OIDC.Issuer,
 		},
 		&cli.BoolFlag{
--- a/storage/pkg/flagset/frontend.go
+++ b/storage/pkg/flagset/frontend.go
@@ -80,7 +80,7 @@ func FrontendWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "public-url",
 			Value:       "https://localhost:9200",
 			Usage:       "URL to use for the storage service",
-			EnvVars:     []string{"STORAGE_FRONTEND_PUBLIC_URL"},
+			EnvVars:     []string{"STORAGE_FRONTEND_PUBLIC_URL", "OCIS_URL"}, // STORAGE_FRONTEND_PUBLIC_URL takes precedence over OCIS_URL
 			Destination: &cfg.Reva.Frontend.PublicURL,
 		},
 		&cli.StringSliceFlag{
--- a/storage/pkg/flagset/gateway.go
+++ b/storage/pkg/flagset/gateway.go
@@ -146,13 +146,13 @@ func GatewayWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "public-url",
 			Value:       "https://localhost:9200",
 			Usage:       "URL to use for the storage service",
-			EnvVars:     []string{"STORAGE_FRONTEND_PUBLIC_URL"},
+			EnvVars:     []string{"STORAGE_FRONTEND_PUBLIC_URL", "OCIS_URL"}, // STORAGE_FRONTEND_PUBLIC_URL takes precedence over OCIS_URL
 			Destination: &cfg.Reva.Frontend.PublicURL,
 		},
 		&cli.StringFlag{
 			Name:        "datagateway-url",
-			Value:       "https://localhost:9200/data",
-			Usage:       "URL to use for the storage datagateway",
+			Value:       "",
+			Usage:       "URL to use for the storage datagateway, defaults to <STORAGE_FRONTEND_PUBLIC_URL>/data",
 			EnvVars:     []string{"STORAGE_DATAGATEWAY_PUBLIC_URL"},
 			Destination: &cfg.Reva.DataGateway.PublicURL,
 		},
--- a/storage/pkg/flagset/ldap.go
+++ b/storage/pkg/flagset/ldap.go
@@ -84,7 +84,7 @@ func LDAPWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "ldap-idp",
 			Value:       "https://localhost:9200",
 			Usage:       "Identity provider to use for users",
-			EnvVars:     []string{"STORAGE_LDAP_IDP"},
+			EnvVars:     []string{"STORAGE_LDAP_IDP", "OCIS_URL"}, // STORAGE_LDAP_IDP takes precedence over OCIS_URL
 			Destination: &cfg.Reva.LDAP.IDP,
 		},
 		// ldap dn is always the dn
--- a/web/pkg/command/server.go
+++ b/web/pkg/command/server.go
@@ -33,12 +33,21 @@ func Server(cfg *config.Config) *cli.Command {
 		Flags: flagset.ServerWithConfig(cfg),
 		Before: func(c *cli.Context) error {
 			if cfg.HTTP.Root != "/" {
-				cfg.HTTP.Root = strings.TrimSuffix(cfg.HTTP.Root, "/")
+				cfg.HTTP.Root = strings.TrimRight(cfg.HTTP.Root, "/")
 			}

 			cfg.Web.Config.Apps = c.StringSlice("web-config-app")

-			return ParseConfig(c, cfg)
+			if err := ParseConfig(c, cfg); err != nil {
+				return err
+			}
+
+			// build well known openid-configuration endpoint if it is not set
+			if cfg.Web.Config.OpenIDConnect.MetadataURL == "" {
+				cfg.Web.Config.OpenIDConnect.MetadataURL = strings.TrimRight(cfg.Web.Config.OpenIDConnect.Authority, "/") + "/.well-known/openid-configuration"
+			}
+
+			return nil
 		},
 		Action: func(c *cli.Context) error {
 			logger := NewLogger(cfg)
--- a/web/pkg/flagset/flagset.go
+++ b/web/pkg/flagset/flagset.go
@@ -161,7 +161,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "web-config-server",
 			Value:       "https://localhost:9200",
 			Usage:       "Server URL",
-			EnvVars:     []string{"WEB_UI_CONFIG_SERVER"},
+			EnvVars:     []string{"WEB_UI_CONFIG_SERVER", "OCIS_URL"}, // WEB_UI_CONFIG_SERVER takes precedence over OCIS_URL
 			Destination: &cfg.Web.Config.Server,
 		},
 		&cli.StringFlag{
@@ -186,16 +186,16 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 		},
 		&cli.StringFlag{
 			Name:        "oidc-metadata-url",
-			Value:       "https://localhost:9200/.well-known/openid-configuration",
-			Usage:       "OpenID Connect metadata URL",
+			Value:       "",
+			Usage:       "OpenID Connect metadata URL, defaults to <WEB_OIDC_AUTHORITY>/.well-known/openid-configuration",
 			EnvVars:     []string{"WEB_OIDC_METADATA_URL"},
 			Destination: &cfg.Web.Config.OpenIDConnect.MetadataURL,
 		},
 		&cli.StringFlag{
 			Name:        "oidc-authority",
 			Value:       "https://localhost:9200",
-			Usage:       "OpenID Connect authority", // TODO rename to Issuer
-			EnvVars:     []string{"WEB_OIDC_AUTHORITY"},
+			Usage:       "OpenID Connect authority",                 // TODO rename to Issuer
+			EnvVars:     []string{"WEB_OIDC_AUTHORITY", "OCIS_URL"}, // WEB_OIDC_AUTHORITY takes precedence over OCIS_URL
 			Destination: &cfg.Web.Config.OpenIDConnect.Authority,
 		},
 		&cli.StringFlag{