Open Forms configuration (CLI)

After deploying Open Forms, it needs to be configured to be fully functional. The command line tool setup_configuration assists with this configuration by loading a YAML file in which the configuration information is specified.

For general information on how the command line tool works, refer to the documentation.

Below are example configurations for all the configuration steps this application provides. They can be used as a starting point and combined into a single YAML to use as input for the command.

Warning

The values in the following YAML examples are defaults and, in some cases, dummy values. Make sure to replace the dummy values of fields such as identifiers, secrets and endpoints before using the file!

OpenID Connect configuration for admin authentication

class mozilla_django_oidc_db.setup_configuration.steps.AdminOIDCConfigurationStep

Configure the necessary settings to enable OpenID Connect authentication for admin users.

This allows admin users to log in with Single Sign On (SSO) to access the management interface.

oidc_db_config_enable: true
oidc_db_config_admin_auth:

  # DESCRIPTION: List of OIDC providers
  # DEFAULT VALUE: []
  # REQUIRED: false
  providers:
    -

      # DESCRIPTION: a unique identifier for this OIDC provider.
      # REQUIRED: true
      identifier: test-oidc-provider

      # REQUIRED: true
      # This field can take multiple different kinds of value. All the
      # alternatives are listed below, separated by dashes. Only **one of
      # them** may be active (uncommented); leave the others commented out.
      # -------------ALTERNATIVE 1-------------
      # endpoint_config:
      #   # DESCRIPTION: URL of your provider discovery endpoint ending with a slash
      #   # (`.well-known/...` will be added automatically). If this is provided, the
      #   # remaining endpoints can be omitted, as they will be derived from this endpoint.
      #   # DEFAULT VALUE: ""
      #   # REQUIRED: false
      #   oidc_op_discovery_endpoint: http://keycloak.local:8080/realms/test/
      # -------------ALTERNATIVE 2-------------
      endpoint_config:

        # DESCRIPTION: URL of your provider authorization endpoint
        # REQUIRED: true
        oidc_op_authorization_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/auth

        # DESCRIPTION: URL of your provider token endpoint
        # REQUIRED: true
        oidc_op_token_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/token

        # DESCRIPTION: URL of your provider userinfo endpoint.
        # REQUIRED: true
        oidc_op_user_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/userinfo

        # DESCRIPTION: URL of your provider logout endpoint.
        # DEFAULT VALUE: ""
        # REQUIRED: false
        oidc_op_logout_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/logout

        # DESCRIPTION: URL of your provider JSON Web Key Set endpoint. Required if `RS256`
        # is used as signing algorithm.
        # DEFAULT VALUE: ""
        # REQUIRED: false
        oidc_op_jwks_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/certs

      # DESCRIPTION: If enabled, the client ID and secret are sent in the HTTP Basic
      # auth header when obtaining the access token. Otherwise, they are sent in the
      # request body.
      # DEFAULT VALUE: false
      # REQUIRED: false
      oidc_token_use_basic_auth: false

      # DESCRIPTION: Controls whether the client uses nonce verification
      # DEFAULT VALUE: true
      # REQUIRED: false
      oidc_use_nonce: true

      # DESCRIPTION: Sets the length of the random string used for nonce verification
      # DEFAULT VALUE: 32
      # REQUIRED: false
      oidc_nonce_size: 32

      # DESCRIPTION: Sets the length of the random string used for state verification
      # DEFAULT VALUE: 32
      # REQUIRED: false
      oidc_state_size: 32

  # REQUIRED: true
  items:
    -

      # DESCRIPTION: a unique identifier for this configuration
      # REQUIRED: true
      identifier: admin-oidc

      # DESCRIPTION: The client must be enabled before users can authenticate through
      # it.
      # DEFAULT VALUE: true
      # REQUIRED: false
      enabled: true

      # DESCRIPTION: Scopes that are requested during login
      # DEFAULT VALUE: ["openid", "email", "profile"]
      # REQUIRED: false
      oidc_rp_scopes_list:
        - openid
        - email
        - profile

      # DESCRIPTION: Options relevant for a specific Identity Provider.
      # DEFAULT VALUE: {}
      # REQUIRED: false
      options:
        user_settings:
          claim_mappings:
            username:
              - sub
            email:
              - email
            first_name:
              - given_name
            last_name:
              - family_name
          username_case_sensitive: false
        groups_settings:
          make_users_staff: true
          superuser_group_names:
            - superuser
          sync: true
          sync_pattern: '*'
          claim_mapping:
            - roles

      # DEPRECATED: Moved to `providers.endpoint_config`
      # DESCRIPTION: Configuration for the OIDC Provider endpoints.
      # DEFAULT VALUE: null
      # REQUIRED: false
      # This field can take multiple different kinds of value. All the
      # alternatives are listed below, separated by dashes. Only **one of
      # them** may be active (uncommented); leave the others commented out.
      # -------------ALTERNATIVE 1-------------
      # endpoint_config:
      #   # DESCRIPTION: URL of your provider discovery endpoint ending with a slash
      #   # (`.well-known/...` will be added automatically). If this is provided, the
      #   # remaining endpoints can be omitted, as they will be derived from this endpoint.
      #   # DEFAULT VALUE: ""
      #   # REQUIRED: false
      #   oidc_op_discovery_endpoint: http://keycloak.local:8080/realms/test/
      # -------------ALTERNATIVE 2-------------
      endpoint_config:

        # DESCRIPTION: URL of your provider authorization endpoint
        # REQUIRED: true
        oidc_op_authorization_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/auth

        # DESCRIPTION: URL of your provider token endpoint
        # REQUIRED: true
        oidc_op_token_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/token

        # DESCRIPTION: URL of your provider userinfo endpoint.
        # REQUIRED: true
        oidc_op_user_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/userinfo

        # DESCRIPTION: URL of your provider logout endpoint.
        # DEFAULT VALUE: ""
        # REQUIRED: false
        oidc_op_logout_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/logout

        # DESCRIPTION: URL of your provider JSON Web Key Set endpoint. Required if `RS256`
        # is used as signing algorithm.
        # DEFAULT VALUE: ""
        # REQUIRED: false
        oidc_op_jwks_endpoint: http://keycloak.local:8080/realms/test/protocol/openid-connect/certs

      # DESCRIPTION: Unique identifier of the OIDC provider.
      # DEFAULT VALUE: ""
      # REQUIRED: false
      oidc_provider_identifier: test-oidc-provider

      # DEPRECATED: Moved to `items.options.user_settings.claim_mappings`
      # DESCRIPTION: Mapping from User model field names to a path in the claim.
      # DEFAULT VALUE: {"email": ["email"], "first_name": ["given_name"], "last_name": ["family_name"]}
      # REQUIRED: false
      claim_mapping:
        email:
          - email
        first_name:
          - given_name
        last_name:
          - family_name

      # DEPRECATED: Moved to `providers.oidc_token_use_basic_auth`
      # DESCRIPTION: If enabled, the client ID and secret are sent in the HTTP Basic
      # auth header when obtaining the access token. Otherwise, they are sent in the
      # request body.
      # DEFAULT VALUE: false
      # REQUIRED: false
      oidc_token_use_basic_auth: false

      # DEPRECATED: Moved to `providers.oidc_use_nonce`
      # DESCRIPTION: Controls whether the client uses nonce verification
      # DEFAULT VALUE: true
      # REQUIRED: false
      oidc_use_nonce: true

      # DEPRECATED: Moved to `providers.oidc_nonce_size`
      # DESCRIPTION: Sets the length of the random string used for nonce verification
      # DEFAULT VALUE: 32
      # REQUIRED: false
      oidc_nonce_size: 32

      # DEPRECATED: Moved to `providers.oidc_state_size`
      # DESCRIPTION: Sets the length of the random string used for state verification
      # DEFAULT VALUE: 32
      # REQUIRED: false
      oidc_state_size: 32

      # DEPRECATED: Moved to `items.options.user_settings.claim_mappings.username`
      # DESCRIPTION: Path in the claims to the value to use as username.
      # DEFAULT VALUE: ["sub"]
      # REQUIRED: false
      username_claim:
        - nested
        - username
        - claim

      # DEPRECATED: Moved to `items.options.groups_settings.claim_mapping`
      # DESCRIPTION: Path in the claims to the value with group names.
      # DEFAULT VALUE: ["roles"]
      # REQUIRED: false
      groups_claim:
        - nested
        - group
        - claim

      # DEPRECATED: Moved to `items.options.groups_settings.superuser_group_names`
      # DESCRIPTION: Superuser group names
      # DEFAULT VALUE: []
      # REQUIRED: false
      superuser_group_names:
        - superusers

      # DEPRECATED: Moved to `items.options.groups_settings.default_groups`
      # DESCRIPTION: Default group names
      # DEFAULT VALUE: []
      # REQUIRED: false
      default_groups:
        - read-only-users

      # DEPRECATED: Moved to `items.options.groups_settings.sync`
      # DESCRIPTION: Whether to sync local groups
      # DEFAULT VALUE: true
      # REQUIRED: false
      sync_groups: true

      # DEPRECATED: Moved to `items.options.groups_settings.sync_pattern`
      # DESCRIPTION: Pattern that the group names to sync should follow.
      # DEFAULT VALUE: "*"
      # REQUIRED: false
      sync_groups_glob_pattern: '*'

      # DEPRECATED: Moved to `items.options.groups_settings.make_users_staff`
      # DESCRIPTION: Whether to make the users staff.
      # DEFAULT VALUE: false
      # REQUIRED: false
      make_users_staff: false

      # DESCRIPTION: Client ID provided by the OIDC Provider
      # REQUIRED: true
      oidc_rp_client_id: modify-this

      # DESCRIPTION: Secret provided by the OIDC Provider
      # REQUIRED: true
      oidc_rp_client_secret: modify-this

      # DESCRIPTION: Algorithm the Identity Provider uses to sign ID tokens
      # DEFAULT VALUE: "RS256"
      # REQUIRED: false
      oidc_rp_sign_algo: RS256

      # DESCRIPTION: Key the Identity Provider uses to sign ID tokens in the case of an
      # RSA sign algorithm. Should be the signing key in PEM or DER format.
      # DEFAULT VALUE: ""
      # REQUIRED: false
      oidc_rp_idp_sign_key: modify-this

      # DESCRIPTION: Specific for Keycloak: parameter that indicates which identity
      # provider should be used (therefore skipping the Keycloak login screen).
      # DEFAULT VALUE: ""
      # REQUIRED: false
      oidc_keycloak_idp_hint: some-identity-provider

      # DESCRIPTION: Indicates the source from which the user information claims should
      # be extracted. This can be the ID token or the User Info endpoint.
      # POSSIBLE VALUES: ["userinfo_endpoint", "id_token"]
      # DEFAULT VALUE: "userinfo_endpoint"
      # REQUIRED: false
      userinfo_claims_source: userinfo_endpoint

Services configuration

class zgw_consumers.contrib.setup_configuration.steps.ServiceConfigurationStep

Configure one or more Service instances with their connection parameters and authentication credentials, which will allow this application to integrate with third-party systems in a consistent manner.

zgw_consumers_config_enable: true
zgw_consumers:

  # REQUIRED: true
  services:
    -

      # DESCRIPTION: A unique, human-readable identifier to recognise this service by.
      # Mainly useful for importing and exporting.
      # REQUIRED: true
      identifier: service-identifier

      # REQUIRED: true
      label: Short and human-friendly description of this service

      # POSSIBLE VALUES: ["ac", "nrc", "zrc", "ztc", "drc", "brc", "rc", "kic", "oc",
      # "ic", "pc", "ptc", "vrc", "tc", "bc", "cmc", "kc", "orc"]
      # REQUIRED: true
      api_type: ac

      # DESCRIPTION: The base URL of the service, used to build full URLs when making
      # requests.
      # REQUIRED: true
      api_root: https://example.com/api/v1/

      # DESCRIPTION: A path/relative URL against which the connection test is run. If
      # no value is given, the base URL of the API is used. The connection test is only
      # run in the admin page when the settings are displayed.
      # DEFAULT VALUE: ""
      # REQUIRED: false
      api_connection_check_path: /some/relative/path

      # DESCRIPTION: The type of authorization that applies to this service.
      # POSSIBLE VALUES: ["no_auth", "api_key", "zgw", "oauth2_client_credentials"]
      # DEFAULT VALUE: "zgw"
      # REQUIRED: false
      auth_type: zgw

      # DESCRIPTION: The client ID that is included in the JSON Web Token to
      # authenticate with the service (only needed for authorization type `zgw` or
      # `oauth2_client_credentials`).
      # DEFAULT VALUE: ""
      # REQUIRED: false
      client_id: modify-this

      # DESCRIPTION: The secret key used to sign the JSON Web Token to authenticate
      # with the service (only needed for authorization type `zgw` or
      # `oauth2_client_credentials`).
      # DEFAULT VALUE: ""
      # REQUIRED: false
      secret: modify-this

      # DESCRIPTION: The name of the header that contains the API key (only needed for
      # authorization type `api_key`).
      # DEFAULT VALUE: ""
      # REQUIRED: false
      header_key: Authorization

      # DESCRIPTION: The value for the API key header (only needed for authorization
      # type `api_key`).
      # DEFAULT VALUE: ""
      # REQUIRED: false
      header_value: Token <modify-this>

      # DESCRIPTION: NLX (outway) address
      # DEFAULT VALUE: ""
      # REQUIRED: false
      nlx: http://some-outway-adress.local:8080/

      # DESCRIPTION: User ID to use for the audit trail. Although these external API
      # credentials are typically used by this API itself instead of a user, the user ID
      # is required.
      # DEFAULT VALUE: ""
      # REQUIRED: false
      user_id: client-id

      # DESCRIPTION: Human-readable representation of the user identity.
      # DEFAULT VALUE: ""
      # REQUIRED: false
      user_representation: Name of the user

      # DESCRIPTION: Timeout (in seconds) for HTTP calls. Once it expires, the request
      # is aborted.
      # DEFAULT VALUE: 10
      # REQUIRED: false
      timeout: 10

      # DESCRIPTION: Determines how long a JWT is valid, in seconds. This parameter
      # affects the 'exp' claim (only relevant for authorization type `zgw`).
      # DEFAULT VALUE: 43200
      # REQUIRED: false
      jwt_valid_for: 43200

      # DESCRIPTION: The token endpoint where the client ID and secret are exchanged
      # for a token (only relevant for the OAuth2 authentication type(s)).
      # DEFAULT VALUE: ""
      # REQUIRED: false
      oauth2_token_url: example_string

      # DESCRIPTION: Any OAuth2 scope names to request authorization for, separated by
      # spaces. These are sent along when obtaining an authorization token (only
      # relevant for the OAuth2 authentication type(s)).
      # DEFAULT VALUE: ""
      # REQUIRED: false
      oauth2_scope: example_string

Objects API registration configuration

class openforms.contrib.objects_api.setup_configuration.steps.ObjectsAPIConfigurationStep

Configure groups for the Objects API backend. This step refers to Services by identifier; those Services must have been loaded by the Services configuration step above.

objects_api_config_enable: true
objects_api:

  # REQUIRED: true
  groups:
    -

      # REQUIRED: true
      objects_service_identifier: objects-api

      # REQUIRED: true
      objecttypes_service_identifier: objecttypes-api

      # DEFAULT VALUE: ""
      # REQUIRED: false
      documenten_service_identifier: documenten-api

      # DEFAULT VALUE: ""
      # REQUIRED: false
      catalogi_service_identifier: catalogi-api

      # DESCRIPTION: A recognisable name for this set of Objects APIs.
      # REQUIRED: true
      name: Objecten acceptance environment

      # DESCRIPTION: A unique, human-friendly identifier to identify this group.
      # REQUIRED: true
      identifier: objects-api-acceptance

      # DESCRIPTION: Default RSIN of organization, which creates the INFORMATIEOBJECT
      # DEFAULT VALUE: ""
      # REQUIRED: false
      organisatie_rsin: '123456782'

ZGW APIs registration configuration

class openforms.registrations.contrib.zgw_apis.setup_configuration.steps.ZGWApiConfigurationStep

Configure groups for the ZGW APIs registration backend. This step refers to Services by identifier; those Services must have been loaded by the Services configuration step above.

zgw_api_config_enable: true
zgw_api:

  # REQUIRED: true
  groups:
    -

      # REQUIRED: true
      zaken_service_identifier: example_string

      # REQUIRED: true
      documenten_service_identifier: example_string

      # REQUIRED: true
      catalogi_service_identifier: example_string

      # DESCRIPTION: This template is evaluated with the submission data and the
      # resulting JSON is sent to the objects API.
      # DEFAULT VALUE: {
      #   "data": {% json_summary %},
      #   "type": "{{ productaanvraag_type }}",
      #   "bsn": "{{ variables.auth_bsn }}",
      #   "submission_id": "{{ submission.kenmerk }}",
      #   "language_code": "{{ submission.language_code }}"
      # }
      # REQUIRED: false
      objects_api_json_content_template: |-
        {
          "data": {% json_summary %},
          "type": "{{ productaanvraag_type }}",
          "bsn": "{{ variables.auth_bsn }}",
          "submission_id": "{{ submission.kenmerk }}",
          "language_code": "{{ submission.language_code }}"
        }

      # DESCRIPTION: A recognisable name for this set of ZGW APIs.
      # REQUIRED: true
      name: Open Zaak acceptance environment

      # DESCRIPTION: A unique, human-friendly identifier to identify this group.
      # REQUIRED: true
      identifier: open-zaak-acceptance

      # DESCRIPTION: Default RSIN of organization, which creates the ZAAK
      # DEFAULT VALUE: ""
      # REQUIRED: false
      organisatie_rsin: '123456782'

      # DESCRIPTION: The value of the `author` field for documents that will be created
      # in Documenten API.
      # DEFAULT VALUE: "Aanvrager"
      # REQUIRED: false
      auteur: Aanvrager

      # DESCRIPTION: Indication of the extent to which the ZAAK is meant to be
      # public. Can be overridden in the Registration tab of a given form.
      # POSSIBLE VALUES: ["openbaar", "beperkt_openbaar", "intern", "zaakvertrouwelijk",
      # "vertrouwelijk", "confidentieel", "geheim", "zeer_geheim"]
      # DEFAULT VALUE: ""
      # REQUIRED: false
      zaak_vertrouwelijkheidaanduiding: openbaar

      # DESCRIPTION: Indication of the extent to which the document associated
      # with the ZAAK is meant to be public. Can be overridden in the file upload
      # component of a given form.
      # POSSIBLE VALUES: ["openbaar", "beperkt_openbaar", "intern", "zaakvertrouwelijk",
      # "vertrouwelijk", "confidentieel", "geheim", "zeer_geheim"]
      # DEFAULT VALUE: ""
      # REQUIRED: false
      doc_vertrouwelijkheidaanduiding: openbaar
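Once the steps above are combined into a single YAML, the checks below, an added example that is not part of Open Forms or the setup_configuration tool, flag leftover dummy values such as `modify-this`, group entries whose `*_service_identifier` matches no entry in `zgw_consumers.services`, and OIDC endpoints or API roots not served over HTTPS. `load_config`, the three check functions and the `SAMPLE` dict are assumptions constructed here; `SAMPLE` is the parsed form of a YAML assembled from the page's own examples.

```python
import re

# Dummy values the page's examples use; they must be replaced before loading.
PLACEHOLDERS = {"modify-this", "example_string"}
PLACEHOLDER_RE = re.compile(r"<modify-this>")

def load_config(path):
    """Parse a combined setup_configuration YAML (assumes PyYAML is installed)."""
    import yaml  # imported lazily so the checks below also run without PyYAML
    with open(path) as fh:
        return yaml.safe_load(fh)

def find_placeholders(node, path=""):
    """Dotted paths of every string value that still holds a dummy value."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            found += find_placeholders(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found += find_placeholders(value, f"{path}[{i}]")
    elif isinstance(node, str) and (node in PLACEHOLDERS or PLACEHOLDER_RE.search(node)):
        found.append(path)
    return found

def find_dangling_service_refs(config):
    """Group fields ending in _service_identifier that name no zgw_consumers service."""
    known = {s["identifier"] for s in config.get("zgw_consumers", {}).get("services", [])}
    dangling = []
    for step in ("objects_api", "zgw_api"):
        for i, group in enumerate(config.get(step, {}).get("groups", [])):
            for key, value in group.items():
                if key.endswith("_service_identifier") and value and value not in known:
                    dangling.append(f"{step}.groups[{i}].{key}={value}")
    return dangling

def find_plaintext_endpoints(config):
    """OIDC provider endpoints and service API roots not served over HTTPS."""
    urls = []
    for p in config.get("oidc_db_config_admin_auth", {}).get("providers", []):
        for key, url in p.get("endpoint_config", {}).items():
            urls.append((f"providers.{p['identifier']}.{key}", url))
    for s in config.get("zgw_consumers", {}).get("services", []):
        urls.append((f"services.{s['identifier']}.api_root", s.get("api_root", "")))
    return [name for name, url in urls if url and not url.startswith("https://")]

# Constructed sample: the parsed form of a YAML combined from the page's examples.
SAMPLE = {
    "oidc_db_config_admin_auth": {
        "providers": [{"identifier": "test-oidc-provider", "endpoint_config": {
            "oidc_op_discovery_endpoint": "http://keycloak.local:8080/realms/test/"}}],
        "items": [{"identifier": "admin-oidc", "oidc_rp_client_id": "modify-this",
                   "oidc_rp_client_secret": "modify-this"}]},
    "zgw_consumers": {"services": [{"identifier": "objects-api", "header_value": "Token <modify-this>",
                                    "api_root": "https://example.com/api/v1/"}]},
    "objects_api": {"groups": [{"objects_service_identifier": "objects-api",
                                "objecttypes_service_identifier": "objecttypes-api"}]},
}
```

Run all three checks on `load_config("combined.yaml")` and refuse to invoke `setup_configuration` while any of them returns a non-empty list.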