After commit 52951b42b0 we need to set PROXY_USER_CS3_CLAIM and
PROXY_USER_OIDC_CLAIM for the keycloak example to still work.
Also update release notes to mention the changed default.
Use the new PROXY_ROLE_ASSIGNMENT_DRIVER "oidc". This also means we can
now run with OCIS_ADMIN_USER_ID being empty. So that no admin user will
be created on startup and no default role assignment will happen.
By setting GRAPH_ASSIGN_DEFAULT_USER_ROLE to "false", we make sure to
not create the default "user" role assignment when auto provisioning a
user.
* ocis_keycloak: Add ocis roles as realm roles
This adds the roles ocisAdmin, ocisSpaceAdmin, ocisUser and ocisGuest as realm roles
to the oCIS realm. It also assigns those roles to the demo users.
Additionally the missing demo user "Katherine Johnson" is added with the role of
"ocisSpaceAdmin".
* Expose realm_roles in "roles" claim of id tokens and userinfo
Allow adjusting the docker socket path used by traefik and the logging driver
so that this example can be more easily used with podman based setups.
With a running podman service ("podman system service --time 0"), this should
basically work:
export DOCKER_SOCKET_PATH="/run/user/1000/podman/podman.sock"
export LOG_DRIVER=journald
docker-compose -H unix:///run/user/1000/podman/podman.sock up
The auth-bearer service is currently not needed by ocis. Reva tokens
for oidc authenticated clients are currently minted via the auth-machine
service. This commit does not completely remove the service as we should
consider reworking the proxy's oidc middleware to use the auth-bearer
service in the future (see #4701).
Fixes: #4692
docker-compose doesn't like bare boolean values in the `environment`
section. From the compose-file docs:
Any boolean values (true, false, yes, no) need to be enclosed in quotes to
ensure they are not converted to True or False by the YML parser.
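The quoting rule from the compose-file docs is easy to get wrong when a value such as GRAPH_ASSIGN_DEFAULT_USER_ROLE is set to "false" in the mapping form of `environment`. The following check is an added example, not code from the commit or the oCIS project: it walks a compose file line by line (no PyYAML needed), flags every mapping-form environment value that a YAML 1.1 parser would turn into a boolean, and rewrites those values in double quotes. The compose fragment it scans is constructed for the example; the variable names are the ones from the commits above but the values are placeholders, not a recommended configuration. Besides true/false/yes/no named in the docs it also flags on/off, which belong to the same YAML 1.1 boolean set. List-form entries (`- KEY=false`) are skipped on purpose: there the whole `KEY=false` is one string scalar, so the parser never sees a boolean.

```python
import re

# Constructed compose fragment for the example (not from the commit). The
# variable names come from the commit messages; the values are placeholders.
SAMPLE_COMPOSE = """\
services:
  ocis:
    image: owncloud/ocis
    environment:
      PROXY_ROLE_ASSIGNMENT_DRIVER: oidc
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: false
      OCIS_INSECURE: "true"
      PROXY_TLS: False
      SOME_FLAG: yes
    volumes:
      - ./config:/etc/ocis
  keycloak:
    environment:
      - KC_HOSTNAME_STRICT=false
      - KC_HTTP_ENABLED=true
"""

# Scalars a YAML 1.1 parser resolves to booleans unless they are quoted. The
# compose docs name true/false/yes/no; on/off are in the same YAML 1.1 set.
BARE_BOOL = re.compile(r"^(?:true|false|yes|no|on|off)$", re.IGNORECASE)

# "KEY: value" mapping entries and "- KEY=value" list entries.
MAP_ITEM = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")


def find_bare_booleans(text):
    """Return (line_no, key, value) for every mapping-form environment entry
    whose value is a bare YAML boolean. Tracks the `environment:` block by
    indentation so the check works without a YAML library."""
    hits = []
    env_indent = None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if env_indent is not None and indent <= env_indent:
            env_indent = None  # dedented: we left the environment block
        if env_indent is None:
            m = MAP_ITEM.match(line)
            if m and m.group(2) == "environment" and m.group(3) == "":
                env_indent = indent
            continue
        m = MAP_ITEM.match(line)
        if not m:
            # List form "- KEY=value": the whole item is one string scalar,
            # so YAML never converts the value. Nothing to flag here.
            continue
        key, value = m.group(2), m.group(3)
        if BARE_BOOL.match(value):  # a quoted "false" does not match
            hits.append((no, key, value))
    return hits


def quote_bare_booleans(text):
    """Return the compose text with every flagged value wrapped in double
    quotes, which is the fix the compose-file docs prescribe."""
    flagged = {no for no, _, _ in find_bare_booleans(text)}
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        if no in flagged:
            m = MAP_ITEM.match(line)
            line = f'{m.group(1)}{m.group(2)}: "{m.group(3)}"'
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, key, value in find_bare_booleans(SAMPLE_COMPOSE):
        print(f"line {no}: {key} has bare boolean {value!r}; quote it")
    print(quote_bare_booleans(SAMPLE_COMPOSE))
```

Run against the embedded fragment it reports GRAPH_ASSIGN_DEFAULT_USER_ROLE, PROXY_TLS and SOME_FLAG, leaves the already-quoted OCIS_INSECURE alone, and prints the fragment with those three values quoted. Point `find_bare_booleans` at the contents of a real docker-compose.yml to use it as a pre-commit check.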