fix(ocis): wire OCIS web SSO + Collabora document editing end to end
OCIS SSO was loading the SPA but never redirecting to Authentik: the default OCIS CSP only allows connect-src to itself + the awesome-ocis GitHub repo, so the metadata fetch to auth.dezky.local was blocked. Mount a custom csp.yaml and point PROXY_CSP_CONFIG_FILE_LOCATION at it (env var lives on the proxy service, not web — easy mistake). Also added the .html OIDC callback URIs to the ocis-provider in Authentik (run-time state, not in this commit).

Collabora document editing required adding the OCIS collaboration service — the WOPI bridge between OCIS storage and Collabora.

Key wiring:

- ocis: expose embedded NATS (NATS_NATS_HOST=0.0.0.0) and gateway (GATEWAY_GRPC_ADDR=0.0.0.0:9142) so the new container can register and reach the rest of OCIS over the Docker network
- collaboration: COLLABORATION_GRPC_ADDR=0.0.0.0:9301 so it registers itself in the service registry with a reachable address (default 127.0.0.1 was unreachable from cross-container callers)
- collaboration: APP_ADDR uses the public host (office.dezky.local), not the internal Docker hostname — this value is sent to the browser as the iframe src
- collabora: regenerate proof key on every start (coolconfig generate-proof-key) so its public key matches what coolwsd signs with; otherwise collaboration rejects WOPI calls with "ProofKeys verification failed"
- collabora: ssl_verification=false (mkcert root not in Collabora's trust store), frame_ancestors=files.dezky.local (otherwise the iframe is blocked with a Danish "Indhold blokeret"), home_mode.enable=true to drop the "Explore The New" welcome popup and feedback prompt
- ocis CSP: extend connect-src + frame-src to include the new hostnames

Result: opening a .docx from OCIS now embeds Collabora in an iframe and the document opens for editing.

Dev-mode caveats (not for prod): TLS verification disabled on Collabora's outbound WOPI calls; home_mode caps at 20 concurrent connections / 10 docs.
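The CSP failure described above comes down to which origins each directive allows and whether scheme values like `blob:` are quoted. The following added example (mine, not code from this commit or from the OCIS project) reads a csp.yaml of this shape with a hand-written reader for the flat `directives:` layout (assumed flat, so no PyYAML is needed), renders the header the proxy would emit, and lints it for a missing origin or unsafe script sources; the sample document and the dezky.local hostnames are constructed to mirror the commit.

```python
import re

# Constructed sample in the shape of this commit's csp.yaml (not the file itself).
SAMPLE_CSP_YAML = """\
directives:
  connect-src:
    - "'self'"
    - "blob:"
    - "https://auth.dezky.local"
  frame-src:
    - "'self'"
    - "https://office.dezky.local"
  script-src:
    - "'self'"
    - "'unsafe-inline'"
    - "'unsafe-eval'"
"""

def parse_csp_yaml(text):
    """Reader for the flat `directives: {name: [sources]}` layout only; returns
    (directives, problems). A bare blob:/data: item is a problem: YAML reads it as a mapping."""
    directives, problems, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "directives:":
            continue
        if line.endswith(":") and not line.startswith("-"):
            current = line[:-1]            # new directive name
            directives[current] = []
            continue
        m = re.match(r"-\s*(.*)$", line)   # list item under the current directive
        if not m or current is None:
            problems.append(f"unexpected line: {raw!r}")
            continue
        item = m.group(1)
        if re.fullmatch(r"(blob|data):", item):
            problems.append(f"{current}: {item} must be quoted")
            continue
        directives[current].append(item.strip('"'))
    return directives, problems

def render_header(directives):  # Content-Security-Policy value the proxy would send
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())

def lint(directives, required, unsafe=("'unsafe-inline'", "'unsafe-eval'")):
    """required maps directive -> origins that must be allowed (OIDC issuer, WOPI app)."""
    findings = [f"{d} lacks {o}" for d, origins in required.items()
                for o in origins if o not in directives.get(d, [])]
    findings += [f"{d} allows {u}" for d, srcs in directives.items()
                 for u in unsafe if u in srcs]
    return findings
```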
@@ -0,0 +1,48 @@
# OCIS Web — Content Security Policy overrides for local development.
#
# Default OCIS CSP only allows connect-src to 'self' + the owncloud awesome-ocis
# repo, which blocks the OIDC metadata fetch from Authentik. We extend connect-src
# (and a few related directives) to include auth.dezky.local.
#
# Values like "blob:" and "data:" MUST be quoted — bare they're parsed as YAML
# mappings and the proxy service crashes with "expected type 'string'".
directives:
child-src:
- "'self'"
connect-src:
- "'self'"
- "blob:"
- "https://auth.dezky.local"
- "https://raw.githubusercontent.com/owncloud/awesome-ocis/"
default-src:
- "'none'"
font-src:
- "'self'"
frame-ancestors:
- "'self'"
frame-src:
- "'self'"
- "blob:"
- "https://embed.diagrams.net/"
- "https://office.dezky.local"
- "https://collaboration.dezky.local"
img-src:
- "'self'"
- "data:"
- "blob:"
- "https://raw.githubusercontent.com/owncloud/awesome-ocis/"
manifest-src:
- "'self'"
media-src:
- "'self'"
object-src:
- "'self'"
- "blob:"
script-src:
- "'self'"
- "'unsafe-inline'"
- "'unsafe-eval'"
style-src:
- "'self'"
- "'unsafe-inline'"
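Review bot: script-src in this file carries 'unsafe-inline' and 'unsafe-eval', which removes most of the cross-site-scripting protection a CSP provides, yet the header comment only describes extending connect-src "and a few related directives"; please state in the header whether those two sources are copied from the upstream OCIS default or were added for this dev setup. Since the file enumerates every directive from default-src 'none' through style-src, it replaces the default policy as a whole rather than merging with it, so mark it dev-only in the header and note that it must be re-checked against the OCIS default on every OCIS upgrade, or the policy will silently drift. Minor: frame-src lists https://collaboration.dezky.local while the commit message says the iframe src is the office.dezky.local APP_ADDR; if the collaboration host is never framed, drop it to keep the allowlist minimal.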