Automatic configuration
The automatic configuration with django-setup-configuration supports configuring:
OIDC login
ZGW Services
General API configuration
You can find an example of a full setup configuration file here.
OIDC login
oidc_db_config_enable: true
oidc_db_config_admin_auth:
# DESCRIPTION: List of OIDC providers
# DEFAULT VALUE: []
# REQUIRED: false
providers:
-
# DESCRIPTION: a unique identifier for this OIDC provider.
# REQUIRED: true
identifier: test-oidc-provider
# REQUIRED: true
# This field can have multiple different kinds of value. All the
# alternatives are listed below and are divided by dashes. Only **one of
# them** can be commented out.
# -------------ALTERNATIVE 1-------------
# endpoint_config:
# # DESCRIPTION: URL of your provider discovery endpoint ending with a slash
# # (`.well-known/...` will be added automatically). If this is provided, the
# # remaining endpoints can be omitted, as they will be derived from this endpoint.
# # DEFAULT VALUE: ""
# # REQUIRED: false
# oidc_op_discovery_endpoint: http://keycloak.local:8080/realms/test/
# -------------ALTERNATIVE 2-------------
endpoint_config:
# DESCRIPTION: URL of your provider authorization endpoint
# REQUIRED: true
oidc_op_authorization_endpoint: http://keycloak.local:8080/realms/test/openid-connect/auth
# DESCRIPTION: URL of your provider token endpoint
# REQUIRED: true
oidc_op_token_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/token
# DESCRIPTION: URL of your provider userinfo endpoint.
# REQUIRED: true
oidc_op_user_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/userinfo
# DESCRIPTION: URL of your provider logout endpoint.
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_op_logout_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/logout
# DESCRIPTION: URL of your provider JSON Web Key Set endpoint. Required if `RS256`
# is used as signing algorithm.
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_op_jwks_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/certs
# DESCRIPTION: If enabled, the client ID and secret are sent in the HTTP Basic
# auth header when obtaining the access token. Otherwise, they are sent in the
# request body.
# DEFAULT VALUE: false
# REQUIRED: false
oidc_token_use_basic_auth: false
# DESCRIPTION: Controls whether the client uses nonce verification
# DEFAULT VALUE: true
# REQUIRED: false
oidc_use_nonce: true
# DESCRIPTION: Sets the length of the random string used for nonce verification
# DEFAULT VALUE: 32
# REQUIRED: false
oidc_nonce_size: 32
# DESCRIPTION: Sets the length of the random string used for state verification
# DEFAULT VALUE: 32
# REQUIRED: false
oidc_state_size: 32
# REQUIRED: true
items:
-
# DESCRIPTION: a unique identifier for this configuration
# REQUIRED: true
identifier: admin-oidc
# DESCRIPTION: The client must be enabled before users can authenticate through
# it.
# DEFAULT VALUE: true
# REQUIRED: false
enabled: true
# DESCRIPTION: Scopes that are requested during login
# DEFAULT VALUE: ["openid", "email", "profile"]
# REQUIRED: false
oidc_rp_scopes_list:
- openid
- email
- profile
# DESCRIPTION: Options relevant for a specific Identity Provider.
# DEFAULT VALUE: {}
# REQUIRED: false
options:
user_settings:
claim_mappings:
username:
- sub
email:
- email
first_name:
- given_name
last_name:
- family_name
username_case_sensitive: false
groups_settings:
make_users_staff: true
superuser_group_names:
- superuser
sync: true
sync_pattern: '*'
claim_mapping:
- roles
# DEPRECATED: Moved to `providers.endpoint_config`
# DESCRIPTION: Configuration for the OIDC Provider endpoints.
# DEFAULT VALUE: null
# REQUIRED: false
# This field can have multiple different kinds of value. All the
# alternatives are listed below and are divided by dashes. Only **one of
# them** can be commented out.
# -------------ALTERNATIVE 1-------------
# endpoint_config:
# # DESCRIPTION: URL of your provider discovery endpoint ending with a slash
# # (`.well-known/...` will be added automatically). If this is provided, the
# # remaining endpoints can be omitted, as they will be derived from this endpoint.
# # DEFAULT VALUE: ""
# # REQUIRED: false
# oidc_op_discovery_endpoint: http://keycloak.local:8080/realms/test/
# -------------ALTERNATIVE 2-------------
endpoint_config:
# DESCRIPTION: URL of your provider authorization endpoint
# REQUIRED: true
oidc_op_authorization_endpoint: http://keycloak.local:8080/realms/test/openid-connect/auth
# DESCRIPTION: URL of your provider token endpoint
# REQUIRED: true
oidc_op_token_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/token
# DESCRIPTION: URL of your provider userinfo endpoint.
# REQUIRED: true
oidc_op_user_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/userinfo
# DESCRIPTION: URL of your provider logout endpoint.
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_op_logout_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/logout
# DESCRIPTION: URL of your provider JSON Web Key Set endpoint. Required if `RS256`
# is used as signing algorithm.
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_op_jwks_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/certs
# DESCRIPTION: Unique identifier of the OIDC provider.
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_provider_identifier: test-oidc-provider
# DEPRECATED: Moved to `items.options.user_settings.claim_mappings`
# DESCRIPTION: Mapping from User model field names to a path in the claim.
# DEFAULT VALUE: {"email": ["email"], "first_name": ["given_name"], "last_name": ["family_name"]}
# REQUIRED: false
claim_mapping:
email:
- email
first_name:
- given_name
last_name:
- family_name
# DEPRECATED: Moved to `providers.oidc_token_use_basic_auth`
# DESCRIPTION: If enabled, the client ID and secret are sent in the HTTP Basic
# auth header when obtaining the access token. Otherwise, they are sent in the
# request body.
# DEFAULT VALUE: false
# REQUIRED: false
oidc_token_use_basic_auth: false
# DEPRECATED: Moved to providers.oidc_use_nonce
# DESCRIPTION: Controls whether the client uses nonce verification
# DEFAULT VALUE: true
# REQUIRED: false
oidc_use_nonce: true
# DEPRECATED: Moved to `providers.oidc_nonce_size`
# DESCRIPTION: Sets the length of the random string used for nonce verification
# DEFAULT VALUE: 32
# REQUIRED: false
oidc_nonce_size: 32
# DEPRECATED: Moved to `providers.oidc_state_size`
# DESCRIPTION: Sets the length of the random string used for state verification
# DEFAULT VALUE: 32
# REQUIRED: false
oidc_state_size: 32
# DEPRECATED: Moved to `items.options.user_settings.claim_mappings.username`
# DESCRIPTION: Path in the claims to the value to use as username.
# DEFAULT VALUE: ["sub"]
# REQUIRED: false
username_claim:
- nested
- username
- claim
# DEPRECATED: Moved to `items.options.group_settings.claim_mapping`
# DESCRIPTION: Path in the claims to the value with group names.
# DEFAULT VALUE: ["roles"]
# REQUIRED: false
groups_claim:
- nested
- group
- claim
# DEPRECATED: Moved to `items.options.group_settings.superuser_group_names`
# DESCRIPTION: Superuser group names
# DEFAULT VALUE: []
# REQUIRED: false
superuser_group_names:
- superusers
# DEPRECATED: Moved `items.options.group_settings.default_groups`
# DESCRIPTION: Default group names
# DEFAULT VALUE: []
# REQUIRED: false
default_groups:
- read-only-users
# DEPRECATED: Moved to `items.options.group_settings.sync`
# DESCRIPTION: Whether to sync local groups
# DEFAULT VALUE: true
# REQUIRED: false
sync_groups: true
# DEPRECATED: Moved to `items.options.group_settings.sync_pattern`
# DESCRIPTION: Pattern that the group names to sync should follow.
# DEFAULT VALUE: "*"
# REQUIRED: false
sync_groups_glob_pattern: '*'
# DEPRECATED: Moved to `items.options.groups_settings.make_users_staff`
# DESCRIPTION: Whether to make the users staff.
# DEFAULT VALUE: false
# REQUIRED: false
make_users_staff: false
# DESCRIPTION: Client ID provided by the OIDC Provider
# REQUIRED: true
oidc_rp_client_id: modify-this
# DESCRIPTION: Secret provided by the OIDC Provider
# REQUIRED: true
oidc_rp_client_secret: modify-this
# DESCRIPTION: Algorithm the Identity Provider uses to sign ID tokens
# DEFAULT VALUE: "RS256"
# REQUIRED: false
oidc_rp_sign_algo: RS256
# DESCRIPTION: Key the Identity Provider uses to sign ID tokens in the case of an
# RSA sign algorithm. Should be the signing key in PEM or DER format.
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_rp_idp_sign_key: modify-this
# DESCRIPTION: Specific for Keycloak: parameter that indicates which identity
# provider should be used (therefore skipping the Keycloak login screen).
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_keycloak_idp_hint: some-identity-provider
# DESCRIPTION: Indicates the source from which the user information claims should
# be extracted. This can be the ID token or the User Info endpoint.
# POSSIBLE VALUES: ["userinfo_endpoint", "id_token"]
# DEFAULT VALUE: "userinfo_endpoint"
# REQUIRED: false
userinfo_claims_source: userinfo_endpoint
ZGW Services
zgw_consumers_config_enable: true
zgw_consumers:
# REQUIRED: true
services:
-
# DESCRIPTION: A unique, human-friendly slug to identify this service. Primarily
# useful for cross-instance import/export.
# REQUIRED: true
identifier: service-identifier
# REQUIRED: true
label: Short and human-friendly description of this service
# POSSIBLE VALUES: ["ac", "nrc", "zrc", "ztc", "drc", "brc", "cmc", "kc", "vrc",
# "orc"]
# REQUIRED: true
api_type: ac
# DESCRIPTION: The root URL of the service that will be used to construct the URLs
# when making requests.
# REQUIRED: true
api_root: https://example.com/api/v1/
# DESCRIPTION: A relative URL to perform a connection test. If left blank, the API
# root itself is used. This connection check is only performed in the admin when
# viewing the service configuration.
# DEFAULT VALUE: ""
# REQUIRED: false
api_connection_check_path: /some/relative/path
# DESCRIPTION: The type of authorization to use for this service.
# POSSIBLE VALUES: ["no_auth", "api_key", "zgw", "oauth2_client_credentials"]
# DEFAULT VALUE: "zgw"
# REQUIRED: false
auth_type: zgw
# DESCRIPTION: The client ID used to construct the JSON Web Token to connect with
# the service (only needed if auth type is `zgw` or `oauth2_client_credentials`).
# DEFAULT VALUE: ""
# REQUIRED: false
client_id: modify-this
# DESCRIPTION: The secret used to construct the JSON Web Token to connect with the
# service (only needed if auth type is `zgw` or `oauth2_client_credentials`).
# DEFAULT VALUE: ""
# REQUIRED: false
secret: modify-this
# DESCRIPTION: The header key used to store the API key (only needed if auth type
# is `api_key`).
# DEFAULT VALUE: ""
# REQUIRED: false
header_key: Authorization
# DESCRIPTION: The API key to connect with the service (only needed if auth type
# is `api_key`).
# DEFAULT VALUE: ""
# REQUIRED: false
header_value: Token <modify-this>
# DESCRIPTION: NLX (outway) address.
# DEFAULT VALUE: ""
# REQUIRED: false
nlx: http://some-outway-adress.local:8080/
# DESCRIPTION: User ID to use for the audit trail. Although these external API
# credentials are typically used bythis API itself instead of a user, the user ID
# is required.
# DEFAULT VALUE: ""
# REQUIRED: false
user_id: client-id
# DESCRIPTION: Human readable representation of the user.
# DEFAULT VALUE: ""
# REQUIRED: false
user_representation: Name of the user
# DESCRIPTION: Timeout (in seconds) for HTTP calls.
# DEFAULT VALUE: 10
# REQUIRED: false
timeout: 10
# DESCRIPTION: How long a JWT is valid for, in seconds. This controls the 'exp'
# claim (only used if auth type is `zgw`).
# DEFAULT VALUE: 43200
# REQUIRED: false
jwt_valid_for: 43200
General API configuration
The values of the selectielijst_service_identifier and the objecttypen_service_identifier should refer to
the identifier (slug) of the corresponding ZGW service.
api_configuration_enabled: true
api_configuration:
# DESCRIPTION: Which service to use to query the Selectielijst API.
# DEFAULT VALUE: null
# REQUIRED: false
selectielijst_service_identifier: example_string
# DESCRIPTION: Which service to use to query the Objecttypen API.
# DEFAULT VALUE: null
# REQUIRED: false
objecttypen_service_identifier: example_string