Do not start auth-bearer service by default

The auth-bearer service is currently not needed by ocis. Reva tookens
for oidc authenticated clients are currently minted via the auth-machine
service.  This commit does not completely remove the service as we shoud
consider to rework the proxy's oidc middleware to use the auth-bearer
service in the future (see #4701)

Fixes: #4692

.drone.star

@@ -1943,7 +1943,7 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
             "SHARING_USER_OWNCLOUDSQL_DB_NAME": "owncloud",
             # General oCIS config
             # OCIS_RUN_SERVICES specifies to start all fullstack services except idm and idp. These are replaced by external services
-            "OCIS_RUN_SERVICES": "app-registry,app-provider,auth-basic,auth-bearer,auth-machine,frontend,gateway,graph,graph-explorer,groups,nats,notifications,ocdav,ocs,proxy,search,settings,sharing,storage-system,storage-publiclink,storage-shares,storage-users,store,thumbnails,users,web,webdav",
+            "OCIS_RUN_SERVICES": "app-registry,app-provider,auth-basic,auth-machine,frontend,gateway,graph,graph-explorer,groups,nats,notifications,ocdav,ocs,proxy,search,settings,sharing,storage-system,storage-publiclink,storage-shares,storage-users,store,thumbnails,users,web,webdav",
             "OCIS_LOG_LEVEL": "info",
             "OCIS_URL": OCIS_URL,
             "OCIS_BASE_DATA_PATH": "/mnt/data/ocis",

.vscode/launch.json

@@ -27,7 +27,7 @@
                 // demo users
                 "IDM_CREATE_DEMO_USERS": "true",
                 // OCIS_RUN_SERVICES allows to start a subset of services even in the supervised mode
-                //"OCIS_RUN_SERVICES": "settings,storage-system,graph,graph-explorer,idp,idm,ocs,store,thumbnails,web,webdav,frontend,gateway,users,groups,auth-basic,auth-bearer,storage-authmachine,storage-users,storage-shares,storage-publiclink,storage-system,app-provider,sharing,proxy,ocdav",
+                //"OCIS_RUN_SERVICES": "settings,storage-system,graph,graph-explorer,idp,idm,ocs,store,thumbnails,web,webdav,frontend,gateway,users,groups,auth-basic,storage-authmachine,storage-users,storage-shares,storage-publiclink,storage-system,app-provider,sharing,proxy,ocdav",
 
                 /*
                  * Keep secrets and passwords in one block to allow easy uncommenting

changelog/unreleased/fix-no-auth-bearer.md

@@ -0,0 +1,8 @@
+Bugfix: Don't run auth-bearer service by default
+
+We no longer start the auth-bearer service by default. This service is
+currently unused and not required to run ocis. The equivalent functionality
+to verify OpenID connect tokens and to mint reva tokes for OIDC authenticated
+clients is currently implemented inside the oidc-auth middleware of the proxy.
+
+https://github.com/owncloud/ocis/issues/4692

deployments/examples/oc10_ocis_parallel/docker-compose.yml

@@ -111,7 +111,7 @@ services:
       OCIS_STORAGE_READ_ONLY: "false" # TODO: conflict with OWNCLOUDSQL -> https://github.com/owncloud/ocis/issues/2303
       # General oCIS config
       # OCIS_RUN_SERVICES specifies to start all fullstack services except idm and idp. These are replaced by external services
-      OCIS_RUN_SERVICES: app-registry,app-provider,auth-basic,auth-bearer,auth-machine,frontend,gateway,graph,graph-explorer,groups,nats,notifications,ocdav,ocs,proxy,search,settings,sharing,storage-system,storage-publiclink,storage-shares,storage-users,store,thumbnails,users,web,webdav
+      OCIS_RUN_SERVICES: app-registry,app-provider,auth-basic,auth-machine,frontend,gateway,graph,graph-explorer,groups,nats,notifications,ocdav,ocs,proxy,search,settings,sharing,storage-system,storage-publiclink,storage-shares,storage-users,store,thumbnails,users,web,webdav
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
       OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
       OCIS_URL: https://${CLOUD_DOMAIN:-cloud.owncloud.test}

deployments/examples/oc10_ocis_parallel/monitoring_tracing/docker-compose-additions.yml

@@ -18,7 +18,6 @@ services:
       PROXY_DEBUG_ADDR: 0.0.0.0:9205
       SETTINGS_DEBUG_ADDR: 0.0.0.0:9194
       STORAGE_AUTH_BASIC_DEBUG_ADDR: 0.0.0.0:9147
-      STORAGE_AUTH_BEARER_DEBUG_ADDR: 0.0.0.0:9149
       STORAGE_AUTH_MACHINE_DEBUG_ADDR: 0.0.0.0:9167
       STORAGE_FRONTEND_DEBUG_ADDR: 0.0.0.0:9141
       STORAGE_GATEWAY_DEBUG_ADDR: 0.0.0.0:9143

deployments/examples/ocis_hello/monitoring_tracing/docker-compose-additions.yml

@@ -18,7 +18,6 @@ services:
       PROXY_DEBUG_ADDR: 0.0.0.0:9205
       SETTINGS_DEBUG_ADDR: 0.0.0.0:9194
       STORAGE_AUTH_BASIC_DEBUG_ADDR: 0.0.0.0:9147
-      STORAGE_AUTH_BEARER_DEBUG_ADDR: 0.0.0.0:9149
       STORAGE_AUTH_MACHINE_DEBUG_ADDR: 0.0.0.0:9167
       STORAGE_FRONTEND_DEBUG_ADDR: 0.0.0.0:9141
       STORAGE_GATEWAY_DEBUG_ADDR: 0.0.0.0:9143

deployments/examples/ocis_individual_services/docker-compose.yml

@@ -625,31 +625,6 @@ services:
       driver: "local"
     restart: always
 
-  auth-bearer:
-    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
-    deploy:
-      replicas: ${OCIS_SCALE:-1}
-    networks:
-      ocis-net:
-    entrypoint:
-      - ocis
-      - auth-bearer
-      - server
-    environment:
-      AUTH_BEARER_LOG_LEVEL: "${OCIS_LOG_LEVEL:-error}"
-      AUTH_BEARER_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
-      AUTH_BEARER_LOG_PRETTY: "${OCIS_LOG_PRETTY:-false}"
-
-      AUTH_BEARER_GRPC_ADDR: 0.0.0.0:9148
-
-      AUTH_BEARER_JWT_SECRET: ${OCIS_JWT_SECRET}
-      REVA_GATEWAY: gateway:9142
-      AUTH_BEARER_OIDC_ISSUER: https://${OCIS_DOMAIN}
-
-    logging:
-      driver: "local"
-    restart: always
-
   storage-shares:
     image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
     deploy:
@@ -873,8 +848,6 @@ services:
       GATEWAY_USERS_ENDPOINT: users:9144
       GATEWAY_GROUPS_ENDPOINT: groups:9160
       GATEWAY_AUTH_BASIC_ENDPOINT: auth-basic:9146
-      GATEWAY_AUTH_BEARER_ENDPOINT: auth-bearer:9148
-      GATEWAY_AUTH_MACHINE_ENDPOINT: auth-machine:9166
       GATEWAY_PERMISSIONS_ENDPOINT: settings:9191
       GATEWAY_SHARING_ENDPOINT: sharing:9150
       GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT: storage-publiclink:9178

deployments/examples/ocis_individual_services/monitoring_tracing/docker-compose-additions.yml

@@ -115,14 +115,6 @@ services:
       OCIS_TRACING_ENDPOINT: jaeger-agent:6831
       # metrics
       STORAGE_AUTH_MACHINE_DEBUG_ADDR: 0.0.0.0:9167
-  storage-authbearer:
-    environment:
-      # tracing
-      OCIS_TRACING_ENABLED: "true"
-      OCIS_TRACING_TYPE: jaeger
-      OCIS_TRACING_ENDPOINT: jaeger-agent:6831
-      # metrics
-      STORAGE_AUTH_BEARER_DEBUG_ADDR: 0.0.0.0:9149
   storage-shares:
     environment:
       # tracing

deployments/examples/ocis_keycloak/monitoring_tracing/docker-compose-additions.yml

@@ -18,7 +18,6 @@ services:
       PROXY_DEBUG_ADDR: 0.0.0.0:9205
       SETTINGS_DEBUG_ADDR: 0.0.0.0:9194
       STORAGE_AUTH_BASIC_DEBUG_ADDR: 0.0.0.0:9147
-      STORAGE_AUTH_BEARER_DEBUG_ADDR: 0.0.0.0:9149
       STORAGE_AUTH_MACHINE_DEBUG_ADDR: 0.0.0.0:9167
       STORAGE_FRONTEND_DEBUG_ADDR: 0.0.0.0:9141
       STORAGE_GATEWAY_DEBUG_ADDR: 0.0.0.0:9143

deployments/examples/ocis_ldap/docker-compose.yml

@@ -74,7 +74,7 @@ services:
       IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary
       GRAPH_LDAP_SERVER_WRITE_ENABLED: "false" # assuming the external ldap is readonly
       # OCIS_RUN_SERVICES specifies to start all services except glauth, idm and accounts. These are replaced by external services
-      OCIS_RUN_SERVICES: app-registry,app-provider,audit,auth-basic,auth-bearer,auth-machine,frontend,gateway,graph,graph-explorer,groups,idp,nats,notifications,ocdav,ocs,proxy,search,settings,sharing,storage-system,storage-publiclink,storage-shares,storage-users,store,thumbnails,users,web,webdav
+      OCIS_RUN_SERVICES: app-registry,app-provider,audit,auth-basic,auth-machine,frontend,gateway,graph,graph-explorer,groups,idp,nats,notifications,ocdav,ocs,proxy,search,settings,sharing,storage-system,storage-publiclink,storage-shares,storage-users,store,thumbnails,users,web,webdav
       # General oCIS config
       OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose

deployments/examples/ocis_ldap/monitoring_tracing/docker-compose-additions.yml

@@ -18,7 +18,6 @@ services:
       PROXY_DEBUG_ADDR: 0.0.0.0:9205
       SETTINGS_DEBUG_ADDR: 0.0.0.0:9194
       STORAGE_AUTH_BASIC_DEBUG_ADDR: 0.0.0.0:9147
-      STORAGE_AUTH_BEARER_DEBUG_ADDR: 0.0.0.0:9149
       STORAGE_AUTH_MACHINE_DEBUG_ADDR: 0.0.0.0:9167
       STORAGE_FRONTEND_DEBUG_ADDR: 0.0.0.0:9141
       STORAGE_GATEWAY_DEBUG_ADDR: 0.0.0.0:9143

deployments/examples/ocis_s3/monitoring_tracing/docker-compose-additions.yml

@@ -18,7 +18,6 @@ services:
       PROXY_DEBUG_ADDR: 0.0.0.0:9205
       SETTINGS_DEBUG_ADDR: 0.0.0.0:9194
       STORAGE_AUTH_BASIC_DEBUG_ADDR: 0.0.0.0:9147
-      STORAGE_AUTH_BEARER_DEBUG_ADDR: 0.0.0.0:9149
       STORAGE_AUTH_MACHINE_DEBUG_ADDR: 0.0.0.0:9167
       STORAGE_FRONTEND_DEBUG_ADDR: 0.0.0.0:9141
       STORAGE_GATEWAY_DEBUG_ADDR: 0.0.0.0:9143

deployments/examples/ocis_traefik/monitoring_tracing/docker-compose-additions.yml

@@ -18,7 +18,6 @@ services:
       PROXY_DEBUG_ADDR: 0.0.0.0:9205
       SETTINGS_DEBUG_ADDR: 0.0.0.0:9194
       STORAGE_AUTH_BASIC_DEBUG_ADDR: 0.0.0.0:9147
-      STORAGE_AUTH_BEARER_DEBUG_ADDR: 0.0.0.0:9149
       STORAGE_AUTH_MACHINE_DEBUG_ADDR: 0.0.0.0:9167
       STORAGE_FRONTEND_DEBUG_ADDR: 0.0.0.0:9141
       STORAGE_GATEWAY_DEBUG_ADDR: 0.0.0.0:9143

deployments/examples/ocis_wopi/monitoring_tracing/docker-compose-additions.yml

@@ -18,7 +18,6 @@ services:
       PROXY_DEBUG_ADDR: 0.0.0.0:9205
       SETTINGS_DEBUG_ADDR: 0.0.0.0:9194
       STORAGE_AUTH_BASIC_DEBUG_ADDR: 0.0.0.0:9147
-      STORAGE_AUTH_BEARER_DEBUG_ADDR: 0.0.0.0:9149
       STORAGE_AUTH_MACHINE_DEBUG_ADDR: 0.0.0.0:9167
       STORAGE_FRONTEND_DEBUG_ADDR: 0.0.0.0:9141
       STORAGE_GATEWAY_DEBUG_ADDR: 0.0.0.0:9143

ocis/pkg/runtime/service/service.go

@@ -23,7 +23,6 @@ import (
 	appProvider "github.com/owncloud/ocis/v2/services/app-provider/pkg/command"
 	appRegistry "github.com/owncloud/ocis/v2/services/app-registry/pkg/command"
 	authbasic "github.com/owncloud/ocis/v2/services/auth-basic/pkg/command"
-	authbearer "github.com/owncloud/ocis/v2/services/auth-bearer/pkg/command"
 	authmachine "github.com/owncloud/ocis/v2/services/auth-machine/pkg/command"
 	frontend "github.com/owncloud/ocis/v2/services/frontend/pkg/command"
 	gateway "github.com/owncloud/ocis/v2/services/gateway/pkg/command"
@@ -121,7 +120,6 @@ func NewService(options ...Option) (*Service, error) {
 	s.ServicesRegistry[opts.Config.Users.Service.Name] = users.NewSutureService
 	s.ServicesRegistry[opts.Config.Groups.Service.Name] = groups.NewSutureService
 	s.ServicesRegistry[opts.Config.AuthBasic.Service.Name] = authbasic.NewSutureService
-	s.ServicesRegistry[opts.Config.AuthBearer.Service.Name] = authbearer.NewSutureService
 	s.ServicesRegistry[opts.Config.AuthMachine.Service.Name] = authmachine.NewSutureService
 	s.ServicesRegistry[opts.Config.StorageUsers.Service.Name] = storageusers.NewSutureService
 	s.ServicesRegistry[opts.Config.StorageShares.Service.Name] = storageshares.NewSutureService

services/gateway/pkg/config/defaults/defaultconfig.go

@@ -47,7 +47,6 @@ func DefaultConfig() *config.Config {
 
 		AppRegistryEndpoint:       "localhost:9242",
 		AuthBasicEndpoint:         "localhost:9146",
-		AuthBearerEndpoint:        "localhost:9148",
 		AuthMachineEndpoint:       "localhost:9166",
 		GroupsEndpoint:            "localhost:9160",
 		PermissionsEndpoint:       "localhost:9191",

services/gateway/pkg/revaconfig/config.go

@@ -65,7 +65,6 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]i
 						"static": map[string]interface{}{
 							"rules": map[string]interface{}{
 								"basic":        cfg.AuthBasicEndpoint,
-								"bearer":       cfg.AuthBearerEndpoint,
 								"machine":      cfg.AuthMachineEndpoint,
 								"publicshares": cfg.StoragePublicLinkEndpoint,
 							},