Open Forms configuration (CLI)
After deploying Open Forms, it needs to be configured to be fully functional. The
command line tool setup_configuration assists with this configuration by loading a
YAML file in which the configuration information is specified.
For general information on how the command line tool works, refer to the documentation.
Below are example configurations for all the configuration steps this application provides. They can be used as a starting point and combined into a single YAML to use as input for the command.
Warning
The values in the following YAML examples contain defaults and in some case dummy values, make sure to edit values of i.e. identifiers, secrets and other fields that have dummy values!
OpenID Connect configuration for admin authentication
- class mozilla_django_oidc_db.setup_configuration.steps.AdminOIDCConfigurationStep
Configure the necessary settings to enable OpenID Connect authentication for admin users.
This allows admin users to log in with Single Sign On (SSO) to access the management interface.
oidc_db_config_enable: true
oidc_db_config_admin_auth:
# DESCRIPTION: List of OIDC providers
# DEFAULT VALUE: []
# REQUIRED: false
providers:
-
# DESCRIPTION: a unique identifier for this OIDC provider.
# REQUIRED: true
identifier: test-oidc-provider
# REQUIRED: true
# This field can have multiple different kinds of value. All the
# alternatives are listed below and are divided by dashes. Only **one of
# them** can be commented out.
# -------------ALTERNATIVE 1-------------
# endpoint_config:
# # DESCRIPTION: URL of your provider discovery endpoint ending with a slash
# # (`.well-known/...` will be added automatically). If this is provided, the
# # remaining endpoints can be omitted, as they will be derived from this endpoint.
# # DEFAULT VALUE: ""
# # REQUIRED: false
# oidc_op_discovery_endpoint: http://keycloak.local:8080/realms/test/
# -------------ALTERNATIVE 2-------------
endpoint_config:
# DESCRIPTION: URL of your provider authorization endpoint
# REQUIRED: true
oidc_op_authorization_endpoint:
http://keycloak.local:8080/realms/test/openid-connect/auth
# DESCRIPTION: URL of your provider token endpoint
# REQUIRED: true
oidc_op_token_endpoint:
http://keycloak.local:8080/realms/test/protocol/openid-connect/token
# DESCRIPTION: URL of your provider userinfo endpoint.
# REQUIRED: true
oidc_op_user_endpoint:
http://keycloak.local:8080/realms/test/protocol/openid-connect/userinfo
# DESCRIPTION: URL of your provider logout endpoint.
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_op_logout_endpoint:
http://keycloak.local:8080/realms/test/protocol/openid-connect/logout
# DESCRIPTION: URL of your provider JSON Web Key Set endpoint. Required if `RS256`
# is used as signing algorithm.
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_op_jwks_endpoint:
http://keycloak.local:8080/realms/test/protocol/openid-connect/certs
# DESCRIPTION: If enabled, the client ID and secret are sent in the HTTP Basic
# auth header when obtaining the access token. Otherwise, they are sent in the
# request body.
# DEFAULT VALUE: false
# REQUIRED: false
oidc_token_use_basic_auth: false
# DESCRIPTION: Controls whether the client uses nonce verification
# DEFAULT VALUE: true
# REQUIRED: false
oidc_use_nonce: true
# DESCRIPTION: Sets the length of the random string used for nonce verification
# DEFAULT VALUE: 32
# REQUIRED: false
oidc_nonce_size: 32
# DESCRIPTION: Sets the length of the random string used for state verification
# DEFAULT VALUE: 32
# REQUIRED: false
oidc_state_size: 32
# REQUIRED: true
items:
-
# DESCRIPTION: a unique identifier for this configuration
# REQUIRED: true
identifier: admin-oidc
# DESCRIPTION: The client must be enabled before users can authenticate through
# it.
# DEFAULT VALUE: true
# REQUIRED: false
enabled: true
# DESCRIPTION: Scopes that are requested during login
# DEFAULT VALUE: ["openid", "email", "profile"]
# REQUIRED: false
oidc_rp_scopes_list:
- openid
- email
- profile
# DESCRIPTION: Options relevant for a specific Identity Provider.
# DEFAULT VALUE: {}
# REQUIRED: false
options:
user_settings:
claim_mappings:
username:
- sub
email:
- email
first_name:
- given_name
last_name:
- family_name
username_case_sensitive: false
groups_settings:
make_users_staff: true
superuser_group_names:
- superuser
sync: true
sync_pattern: '*'
claim_mapping:
- roles
# DEPRECATED: Moved to `providers.endpoint_config`
# DESCRIPTION: Configuration for the OIDC Provider endpoints.
# DEFAULT VALUE: null
# REQUIRED: false
# This field can have multiple different kinds of value. All the
# alternatives are listed below and are divided by dashes. Only **one of
# them** can be commented out.
# -------------ALTERNATIVE 1-------------
# endpoint_config:
# # DESCRIPTION: URL of your provider discovery endpoint ending with a slash
# # (`.well-known/...` will be added automatically). If this is provided, the
# # remaining endpoints can be omitted, as they will be derived from this endpoint.
# # DEFAULT VALUE: ""
# # REQUIRED: false
# oidc_op_discovery_endpoint: http://keycloak.local:8080/realms/test/
# -------------ALTERNATIVE 2-------------
endpoint_config:
# DESCRIPTION: URL of your provider authorization endpoint
# REQUIRED: true
oidc_op_authorization_endpoint:
http://keycloak.local:8080/realms/test/openid-connect/auth
# DESCRIPTION: URL of your provider token endpoint
# REQUIRED: true
oidc_op_token_endpoint:
http://keycloak.local:8080/realms/test/protocol/openid-connect/token
# DESCRIPTION: URL of your provider userinfo endpoint.
# REQUIRED: true
oidc_op_user_endpoint:
http://keycloak.local:8080/realms/test/protocol/openid-connect/userinfo
# DESCRIPTION: URL of your provider logout endpoint.
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_op_logout_endpoint:
http://keycloak.local:8080/realms/test/protocol/openid-connect/logout
# DESCRIPTION: URL of your provider JSON Web Key Set endpoint. Required if `RS256`
# is used as signing algorithm.
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_op_jwks_endpoint:
http://keycloak.local:8080/realms/test/protocol/openid-connect/certs
# DESCRIPTION: Unique identifier of the OIDC provider.
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_provider_identifier: test-oidc-provider
# DEPRECATED: Moved to `items.options.user_settings.claim_mappings`
# DESCRIPTION: Mapping from User model field names to a path in the claim.
# DEFAULT VALUE: {"email": ["email"], "first_name": ["given_name"], "last_name": ["family_name"]}
# REQUIRED: false
claim_mapping:
email:
- email
first_name:
- given_name
last_name:
- family_name
# DEPRECATED: Moved to `providers.oidc_token_use_basic_auth`
# DESCRIPTION: If enabled, the client ID and secret are sent in the HTTP Basic
# auth header when obtaining the access token. Otherwise, they are sent in the
# request body.
# DEFAULT VALUE: false
# REQUIRED: false
oidc_token_use_basic_auth: false
# DEPRECATED: Moved to providers.oidc_use_nonce
# DESCRIPTION: Controls whether the client uses nonce verification
# DEFAULT VALUE: true
# REQUIRED: false
oidc_use_nonce: true
# DEPRECATED: Moved to `providers.oidc_nonce_size`
# DESCRIPTION: Sets the length of the random string used for nonce verification
# DEFAULT VALUE: 32
# REQUIRED: false
oidc_nonce_size: 32
# DEPRECATED: Moved to `providers.oidc_state_size`
# DESCRIPTION: Sets the length of the random string used for state verification
# DEFAULT VALUE: 32
# REQUIRED: false
oidc_state_size: 32
# DEPRECATED: Moved to `items.options.user_settings.claim_mappings.username`
# DESCRIPTION: Path in the claims to the value to use as username.
# DEFAULT VALUE: ["sub"]
# REQUIRED: false
username_claim:
- nested
- username
- claim
# DEPRECATED: Moved to `items.options.group_settings.claim_mapping`
# DESCRIPTION: Path in the claims to the value with group names.
# DEFAULT VALUE: ["roles"]
# REQUIRED: false
groups_claim:
- nested
- group
- claim
# DEPRECATED: Moved to `items.options.group_settings.superuser_group_names`
# DESCRIPTION: Superuser group names
# DEFAULT VALUE: []
# REQUIRED: false
superuser_group_names:
- superusers
# DEPRECATED: Moved `items.options.group_settings.default_groups`
# DESCRIPTION: Default group names
# DEFAULT VALUE: []
# REQUIRED: false
default_groups:
- read-only-users
# DEPRECATED: Moved to `items.options.group_settings.sync`
# DESCRIPTION: Whether to sync local groups
# DEFAULT VALUE: true
# REQUIRED: false
sync_groups: true
# DEPRECATED: Moved to `items.options.group_settings.sync_pattern`
# DESCRIPTION: Pattern that the group names to sync should follow.
# DEFAULT VALUE: "*"
# REQUIRED: false
sync_groups_glob_pattern: '*'
# DEPRECATED: Moved to `items.options.groups_settings.make_users_staff`
# DESCRIPTION: Whether to make the users staff.
# DEFAULT VALUE: false
# REQUIRED: false
make_users_staff: false
# DESCRIPTION: Client ID provided by the OIDC Provider
# REQUIRED: true
oidc_rp_client_id: modify-this
# DESCRIPTION: Secret provided by the OIDC Provider
# REQUIRED: true
oidc_rp_client_secret: modify-this
# DESCRIPTION: Algorithm the Identity Provider uses to sign ID tokens
# DEFAULT VALUE: "RS256"
# REQUIRED: false
oidc_rp_sign_algo: RS256
# DESCRIPTION: Key the Identity Provider uses to sign ID tokens in the case of an
# RSA sign algorithm. Should be the signing key in PEM or DER format.
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_rp_idp_sign_key: modify-this
# DESCRIPTION: Specific for Keycloak: parameter that indicates which identity
# provider should be used (therefore skipping the Keycloak login screen).
# DEFAULT VALUE: ""
# REQUIRED: false
oidc_keycloak_idp_hint: some-identity-provider
# DESCRIPTION: Indicates the source from which the user information claims should
# be extracted. This can be the ID token or the User Info endpoint.
# POSSIBLE VALUES: ["userinfo_endpoint", "id_token"]
# DEFAULT VALUE: "userinfo_endpoint"
# REQUIRED: false
userinfo_claims_source: userinfo_endpoint
Services configuration
- class zgw_consumers.contrib.setup_configuration.steps.ServiceConfigurationStep
Configure one or more
Serviceinstances with their connection parameters and authentication credentials, which will allow this application to integrate with third-party systems in a consistent manner.
zgw_consumers_config_enable: true
zgw_consumers:
# REQUIRED: true
services:
-
# DESCRIPTION: A unique, human-friendly slug to identify this service. Primarily
# useful for cross-instance import/export.
# REQUIRED: true
identifier: service-identifier
# REQUIRED: true
label: Short and human-friendly description of this service
# POSSIBLE VALUES: ["ac", "nrc", "zrc", "ztc", "drc", "brc", "cmc", "kc", "vrc",
# "orc"]
# REQUIRED: true
api_type: ac
# DESCRIPTION: The root URL of the service that will be used to construct the URLs
# when making requests.
# REQUIRED: true
api_root: https://example.com/api/v1/
# DESCRIPTION: A relative URL to perform a connection test. If left blank, the API
# root itself is used. This connection check is only performed in the admin when
# viewing the service configuration.
# DEFAULT VALUE: ""
# REQUIRED: false
api_connection_check_path: /some/relative/path
# DESCRIPTION: The type of authorization to use for this service.
# POSSIBLE VALUES: ["no_auth", "api_key", "zgw", "oauth2_client_credentials"]
# DEFAULT VALUE: "zgw"
# REQUIRED: false
auth_type: zgw
# DESCRIPTION: The client ID used to construct the JSON Web Token to connect with
# the service (only needed if auth type is `zgw` or `oauth2_client_credentials`).
# DEFAULT VALUE: ""
# REQUIRED: false
client_id: modify-this
# DESCRIPTION: The secret used to construct the JSON Web Token to connect with the
# service (only needed if auth type is `zgw` or `oauth2_client_credentials`).
# DEFAULT VALUE: ""
# REQUIRED: false
secret: modify-this
# DESCRIPTION: The header key used to store the API key (only needed if auth type
# is `api_key`).
# DEFAULT VALUE: ""
# REQUIRED: false
header_key: Authorization
# DESCRIPTION: The API key to connect with the service (only needed if auth type
# is `api_key`).
# DEFAULT VALUE: ""
# REQUIRED: false
header_value: Token <modify-this>
# DESCRIPTION: NLX (outway) address.
# DEFAULT VALUE: ""
# REQUIRED: false
nlx: http://some-outway-adress.local:8080/
# DESCRIPTION: User ID to use for the audit trail. Although these external API
# credentials are typically used bythis API itself instead of a user, the user ID
# is required.
# DEFAULT VALUE: ""
# REQUIRED: false
user_id: client-id
# DESCRIPTION: Human readable representation of the user.
# DEFAULT VALUE: ""
# REQUIRED: false
user_representation: Name of the user
# DESCRIPTION: Timeout (in seconds) for HTTP calls.
# DEFAULT VALUE: 10
# REQUIRED: false
timeout: 10
# DESCRIPTION: How long a JWT is valid for, in seconds. This controls the 'exp'
# claim (only used if auth type is `zgw`).
# DEFAULT VALUE: 43200
# REQUIRED: false
jwt_valid_for: 43200
# DESCRIPTION: OAuth2 token endpoint for client credentials flow. (Only needed if
# auth type is OAuth2)
# DEFAULT VALUE: ""
# REQUIRED: false
oauth2_token_url: example_string
# DESCRIPTION: Optional OAuth2 scope (space-separated). Included in the token
# request body if defined. (Only needed if auth type is OAuth2)
# DEFAULT VALUE: ""
# REQUIRED: false
oauth2_scope: example_string
Objects API registration configuration
- class openforms.contrib.objects_api.setup_configuration.steps.ObjectsAPIConfigurationStep
Configure groups for the Objects API backend. This step uses identifiers to refer to Services that should be loaded by the previous step that loads Services.
objects_api_config_enable: true
objects_api:
# REQUIRED: true
groups:
-
# REQUIRED: true
objects_service_identifier: objects-api
# REQUIRED: true
objecttypes_service_identifier: objecttypes-api
# DEFAULT VALUE: ""
# REQUIRED: false
documenten_service_identifier: documenten-api
# DEFAULT VALUE: ""
# REQUIRED: false
catalogi_service_identifier: catalogi-api
# DESCRIPTION: Description of the document type in the Catalogi API to be used for
# the submission report PDF (i.e. the INFORMATIEOBJECTTYPE.omschrijving
# attribute). The appropriate version will automatically be selected based on the
# submission timestamp and validity dates of the document type versions.
# DEFAULT VALUE: ""
# REQUIRED: false
document_type_submission_report: PDF Informatieobjecttype
# DESCRIPTION: Description of the document type in the Catalogi API to be used for
# the submission report CSV (i.e. the INFORMATIEOBJECTTYPE.omschrijving
# attribute). The appropriate version will automatically be selected based on the
# submission timestamp and validity dates of the document type versions.
# DEFAULT VALUE: ""
# REQUIRED: false
document_type_submission_csv: CSV Informatieobjecttype
# DESCRIPTION: Description of the document type in the Catalogi API to be used for
# the submission attachments (i.e. the INFORMATIEOBJECTTYPE.omschrijving
# attribute). The appropriate version will automatically be selected based on the
# submission timestamp and validity dates of the document type versions.
# DEFAULT VALUE: ""
# REQUIRED: false
document_type_attachment: Attachment Informatieobjecttype
# DESCRIPTION: A recognisable name for this set of Objects APIs.
# REQUIRED: true
name: Objecten acceptance environment
# DESCRIPTION: A unique, human-friendly identifier to identify this group.
# REQUIRED: true
identifier: objects-api-acceptance
# DESCRIPTION: The 'domein' attribute for the Catalogus resource in the Catalogi
# API.
# DEFAULT VALUE: ""
# REQUIRED: false
catalogue_domain: ABCD
# DESCRIPTION: The 'rsin' attribute for the Catalogus resource in the Catalogi
# API.
# DEFAULT VALUE: ""
# REQUIRED: false
catalogue_rsin: '111222333'
# DESCRIPTION: Default RSIN of organization, which creates the INFORMATIEOBJECT
# DEFAULT VALUE: ""
# REQUIRED: false
organisatie_rsin: '123456782'
ZGW APIs registration configuration
- class openforms.registrations.contrib.zgw_apis.setup_configuration.steps.ZGWApiConfigurationStep
Configure groups for the ZGW APIs registration backend. This step uses identifiers to refer to Services that should be loaded by the previous step that loads Services.
zgw_api_config_enable: true
zgw_api:
# REQUIRED: true
groups:
-
# REQUIRED: true
zaken_service_identifier: example_string
# REQUIRED: true
documenten_service_identifier: example_string
# REQUIRED: true
catalogi_service_identifier: example_string
# DESCRIPTION: This template is evaluated with the submission data and the
# resulting JSON is sent to the objects API.
# DEFAULT VALUE: {
# "data": {% json_summary %},
# "type": "{{ productaanvraag_type }}",
# "bsn": "{{ variables.auth_bsn }}",
# "submission_id": "{{ submission.kenmerk }}",
# "language_code": "{{ submission.language_code }}"
# }
# REQUIRED: false
objects_api_json_content_template: |-
{
"data": {% json_summary %},
"type": "{{ productaanvraag_type }}",
"bsn": "{{ variables.auth_bsn }}",
"submission_id": "{{ submission.kenmerk }}",
"language_code": "{{ submission.language_code }}"
}
# DESCRIPTION: A recognisable name for this set of ZGW APIs.
# REQUIRED: true
name: Open Zaak acceptance environment
# DESCRIPTION: A unique, human-friendly identifier to identify this group.
# REQUIRED: true
identifier: open-zaak-acceptance
# DESCRIPTION: The 'domein' attribute for the Catalogus resource in the Catalogi
# API.
# DEFAULT VALUE: ""
# REQUIRED: false
catalogue_domain: ABCD
# DESCRIPTION: The 'rsin' attribute for the Catalogus resource in the Catalogi
# API.
# DEFAULT VALUE: ""
# REQUIRED: false
catalogue_rsin: '111222333'
# DESCRIPTION: Default RSIN of organization, which creates the ZAAK
# DEFAULT VALUE: ""
# REQUIRED: false
organisatie_rsin: '123456782'
# DESCRIPTION: The value of the `author` field for documents that will be created
# in Documenten API.
# DEFAULT VALUE: "Aanvrager"
# REQUIRED: false
auteur: Aanvrager
# DESCRIPTION: Indication of the level to which extend the ZAAK is meant to be
# public. Can be overridden in the Registration tab of a given form.
# POSSIBLE VALUES: ["openbaar", "beperkt_openbaar", "intern", "zaakvertrouwelijk",
# "vertrouwelijk", "confidentieel", "geheim", "zeer_geheim"]
# DEFAULT VALUE: ""
# REQUIRED: false
zaak_vertrouwelijkheidaanduiding: openbaar
# DESCRIPTION: Indication of the level to which extend the document associated
# with the ZAAK is meant to be public. Can be overridden in the file upload
# component of a given form.
# POSSIBLE VALUES: ["openbaar", "beperkt_openbaar", "intern", "zaakvertrouwelijk",
# "vertrouwelijk", "confidentieel", "geheim", "zeer_geheim"]
# DEFAULT VALUE: ""
# REQUIRED: false
doc_vertrouwelijkheidaanduiding: openbaar