4cddfcf2f3
Backend Tests / Tests (other) (push) Failing after 1s
Backend Tests / Static Checks (push) Failing after 2s
Backend Tests / Tests (internal) (push) Failing after 2s
Backend Tests / Tests (server) (push) Failing after 1s
Backend Tests / Tests (store) (push) Failing after 1s
Build Canary Image / build-frontend (push) Failing after 1s
Frontend Tests / Lint (push) Failing after 1s
Build Canary Image / build-push (linux/amd64) (push) Has been skipped
Build Canary Image / build-push (linux/arm64) (push) Has been skipped
Build Canary Image / merge (push) Has been skipped
Frontend Tests / Build (push) Failing after 1s
Release Please / release-please (push) Failing after 0s
Proto Linter / Lint Protos (push) Failing after 2s
43 lines
1.9 KiB
Markdown
43 lines
1.9 KiB
Markdown
# Identity Provider Bootstrap
|
|
|
|
Memos automatically reconciles OAuth2 identity providers from JSON files before the server starts. This is useful when a deployment platform provides configuration as mounted secret files.
|
|
|
|
By default, Memos scans `/etc/secrets` for files named `memos-idp-*.json`:
|
|
|
|
```bash
|
|
memos
|
|
```
|
|
|
|
For example, `/etc/secrets/memos-idp-primary.json` can contain:
|
|
|
|
```json
|
|
{
|
|
"uid": "primary-sso",
|
|
"name": "Company SSO",
|
|
"type": "OAUTH2",
|
|
"identifierFilter": "",
|
|
"config": {
|
|
"oauth2Config": {
|
|
"clientId": "client-id",
|
|
"clientSecret": "client-secret",
|
|
"authUrl": "https://idp.example.com/oauth/authorize",
|
|
"tokenUrl": "https://idp.example.com/oauth/token",
|
|
"userInfoUrl": "https://idp.example.com/oauth/userinfo",
|
|
"scopes": ["profile", "email"],
|
|
"fieldMapping": {
|
|
"identifier": "sub",
|
|
"displayName": "name",
|
|
"email": "email",
|
|
"avatarUrl": "picture"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
Each file contains exactly one `memos.store.IdentityProvider` encoded as protobuf JSON. The database-generated numeric `id` must be omitted; `uid` is the provider's stable identifier.
|
|
|
|
After database migrations and demo seeding, Memos reads all matching files in filename order and validates every provider before writing anything. Each provider is then created or updated by its stable `uid`; providers omitted from the files are left unchanged. Reapplying the files is safe and updates credentials on restart, which supports secret rotation. Duplicate provider UIDs across files are rejected.
|
|
|
|
A missing directory or a directory without matching files is a normal no-op. If a matching file is unreadable, oversized, or invalid, Memos does not start. Files with other names are ignored so the directory can safely contain unrelated secrets. Keep files containing `clientSecret` outside source control and provide them through the deployment platform's secret-management facility.
|