Show scopes in OAuth authorization page

[cds-indico.git] / etc / indico.conf.sample

#--------------------------
# Indico configuration file
#--------------------------
#
# This file is read on Apache startup. If you change any value you will need to
# restart Apache afterwards to have its changes take effect.
#
# Lines starting with "#" are comments and they will be ignored by Indico.

#------------------------------------------------------------------------------
# ZODB
#------------------------------------------------------------------------------

DBConnectionParams   = ("localhost", 9675)
DBUserName           = ""
DBPassword           = ""
DBRealm              = ""

#------------------------------------------------------------------------------
# SQLAlchemy DB
#------------------------------------------------------------------------------

SQLAlchemyDatabaseURI  = 'postgresql://localhost/indico'

# Uncomment to echo requests
# SQLAlchemyEcho = True

# Uncomment if you wish to record queries
# SQLAlchemyRecordQueries = True

# Size of the connection pool (default = 5)
# SQLAlchemyPoolSize = 5

# Connection timeout
# SQLAlchemyPoolTimeout = 10

# Number of seconds after which a connection is automatically
# recycled (default = 120)
# SQLAlchemyPoolRecycle = 120

# Number of connections that can be breated after pool is at maximum
# size (default = 3)
# SQLAlchemyMaxOverflow = 3

#------------------------------------------------------------------------------
# REDIS
#------------------------------------------------------------------------------

# To enable redis, specify a valid redis connection string here.
# Example: redis://unused:password@localhost:6379/0
# You also need to install the python redis client (pip install redis hiredis)
# Note that the Redis server needs to run at least Redis 2.6 with LUA support.
#RedisConnectionURL = None

#------------------------------------------------------------------------------
# SECURITY
#------------------------------------------------------------------------------
# Possible values of SanitizationLevel:
#    0: Escape all HTML tags
#    1: Raise error if styles are used
#    2: Raise error if SCRIPT tag is used
#    3: No input filtering is done (DANGEROUS!)

SanitizationLevel    = 2

# AuthenticatedEnforceSecure controls whether HTTPS should be enforced for
# authentication and while logged in.
AuthenticatedEnforceSecure = "yes"

# Possible values of CSRFLevel:
#    0: Disable all CSRF checks (DANGEROUS!)
#    1: Check CSRF token for service requests
#    2: Check CSRF token for service requests and cookie-based API requests
#    3: The above & require an empty or valid referer for normal POST requests
CSRFLevel = 2

# To sign data such as activation tokens used in emails, Indico needs a secret
# key.  It should be a random string; the preferred way to generate it is using
# `import os; os.urandom(32)` in a Python shell.
SecretKey = ''

#------------------------------------------------------------------------------
# Development
#------------------------------------------------------------------------------
# Enable debug mode to get unminified assets, verbose error messages in the
# browser and various other things that are useful when developing indico or
# tracking down errors but should not be enabled for production systems.
#Debug = False
#
# You can force a certain number of (simulated) database conflicts on every
# by setting ForceConflicts to the number of conflict errors you want:
#ForceConflicts = 0
#
# You can cause all error-like exceptions (i.e. not something like AccessError)
# to be propagated outside the Indico WSGI app by enabling this option. This has
# the advantage of triggering the Werkzeug debugger of the embedded server even
# in case of e.g. a MaKaCError.
#PropagateAllExceptions = False

#------------------------------------------------------------------------------
# URLs
#------------------------------------------------------------------------------
# BaseURL is the url where Indico will be accessed:

BaseURL              = "http://localhost:8000"

# BaseSecureURL is the HTTPS location of Indico. Set empty string if you want to use http.

BaseSecureURL        = "https://localhost:8443"


# If you are using a custom user authentication system (see below) uncomment
# the following lines and specify the new URLs.
#
#   LoginURL             = ""
#   RegistrationURL      = ""

# Support the old mod_python-style URLs (conferenceDisplay.py?confId=123 etc.) by redirecting
# them to their new URL.
#RouteOldUrls = False


#------------------------------------------------------------------------------
# DIRECTORIES
#------------------------------------------------------------------------------
ArchiveDir           = "/opt/indico/archive"
BinDir               = "/opt/indico/bin"
ConfigurationDir     = "/opt/indico/etc"
DocumentationDir     = "/opt/indico/doc"
HtdocsDir            = "/opt/indico/htdocs"
LogDir               = "/opt/indico/log"
UploadedFilesTempDir = "/opt/indico/tmp"
XMLCacheDir          = "/opt/indico/cache"
# You can use 'redis', 'memcached' or 'files'. The files backend caches objects in
# XMLCacheDir while the Memcached backend uses one or more memcached servers.
#CacheBackend         = 'files'
# When using memcached, provide a tuple containing 'ip:port' entries for the
# memcached servers. Do not forget to firewall those servers as memcached has no
# authentication at all!
#MemcachedServers     = ('127.0.0.1:11211',)
# When using redis, provide a redis connection string for the Redis server.
#RedisCacheURL = 'redis://unused:password@localhost:6379/1'

#------------------------------------------------------------------------------
# SMTP
#------------------------------------------------------------------------------
SmtpServer           = ("localhost", 8025)
SmtpLogin            = ""
SmtpPassword         = ""

# If your SMTP server is using TLS write "yes", otherwise write "no"

SmtpUseTLS           = "no"

#------------------------------------------------------------------------------
# EMAIL ADDRESSES
#------------------------------------------------------------------------------
# SupportEmail is the email address where all automatically generated
# application errors will be sent to.

SupportEmail         = "root@localhost"


# PublicSupportEmail is an email address that will be shown in Indico and where
# users are expected to find help when they have using the website.

PublicSupportEmail   = "root@localhost"

# NoReplyEmail is the email address showed when we do not want the users to answer
# an automatically generated email.

NoReplyEmail         = "noreply-root@localhost"


#------------------------------------------------------------------------------
# FILE UPLOAD
#------------------------------------------------------------------------------
# Here you can limit the maximum size of all the uploaded files (in MB) in a
# request
# default: 0 (unlimited)

MaxUploadFilesTotalSize = 0

# Here you can limit the maximum size of an uploaded file (in MB)
# default: 0 (unlimited)

MaxUploadFileSize = 0


#------------------------------------------------------------------------------
# FILE CONVERSION
#------------------------------------------------------------------------------
# Indico has an interface to interact with an external file conversion system
# to convert from some formats to others but right now there is no publicly
# available file conversion software.
#
# If you are interested in this feature please contact us at:
#   indico-team@cern.ch
#
# FileConverter = {"conversion_server": "http://conversion.cern.ch/getSegFile.py",
#                  "response_url": "http://localhost/conversion-finished"}

#------------------------------------------------------------------------------
# AUTOMATIC MAINTENANCE
#------------------------------------------------------------------------------
# Indico can automatically delete events older than a specified number of days.
# This is set on a per-category basis:
#
# CategoryCleanup = {
#   '2': 30  # delete events in category '2' that have been created more than 30 days ago
# }
#
# If you want maintenance operations to be logged under a user other than the
# the server administrator (id 0), you can customize it here:
#
# JanitorUserId = 0

#------------------------------------------------------------------------------
# STATIC FILE DELIVERY
#------------------------------------------------------------------------------
# Indico supports the use of the X-Sendfile and X-Accel-Redirect headers:
#
# http://blog.lighttpd.net/articles/2006/07/02/x-sendfile
# http://wiki.nginx.org/X-accel
#
# If your webserver supports this feature and you want to activate it,
# you should enable it here
#
# X-Sendfile (apache with mod_xsendfile, lighttpd):
# StaticFileMethod = 'xsendfile'
#
# X-Accel-Redirect (nginx):
# StaticFileMethod = ('xaccelredirect', {
#     '/opt/indico/archive': '/.xsf/archive',
#     '/opt/indico/cache': '/.xsf/cache',
#     '/opt/indico/htdocs': '/.xsf/htdocs'
# })
# Because of the way nginx works (using URLs instead of paths) you also need to map the .xsf urls to
# the paths in your nginx config (for each entry in the dict above):
# location /.xsf/archive/ {
#     internal;
#     alias /opt/indico/archive/;
# }
# DO NOT forget the "internal;" statement - it prevents users from accessing those URLs directly.

#StaticFileMethod = None


# Sessions are only stored for a certain time. You can modify the duration here. By setting
# the lifetime to 0 the cookie will expire when the browser is closed.
#SessionLifetime = 86400 * 31

# If indico is behind a proxy, the user's IP needs to be retrieved from the
# HTTP_X_FORWARDED_FOR header. To enable this behavior, set UseProxy to True.
# Note that this MUST NOT be enabled if the machine is accessible directly or
# users will be able to spoof their IP address!
#UseProxy = False


#------------------------------------------------------------------------------
# LOGGING
#------------------------------------------------------------------------------
# Indico lets you log error messages using two methods:
#
#  * Simple log files (default)
#  * Sentry (https://github.com/getsentry/sentry)
#
# Loggers              = ['sentry', 'files']
# SentryDSN            = 'http://user:password@logger.example.com/n'
# SentryLoggingLevel   = 'ERROR'  # default: 'WARNING'


#------------------------------------------------------------------------------
# OFFLINE WEBSITE PACKAGES CREATION
#------------------------------------------------------------------------------
# Indico allows users to download their event so they can run it offline.
#
# The OfflineStore variable points to a directory that Indico will use to store
# the offline website packages.
#
# If the OfflineStore variable is not set, the functionality will be disabled.
#
# OfflineStore         = "/opt/indico/archive"


#------------------------------------------------------------------------------
# LATEX/PDF GENERATION
#------------------------------------------------------------------------------
# Set the path to pdflatex if it's not within PATH:
# PDFLatexProgram = 'pdflatex'
#
# In strict mode, a non-zero status code is considered failure. Disable this if
# you have old contributions that contain invalid LaTeX and you prefer possibly
# weird-looking PDFs over an error and no PDF at all.
# StrictLatex = True

#------------------------------------------------------------------------------
# INDICO MOBILE
#------------------------------------------------------------------------------

# If you have an installation of the mobile version of Indico, you can enable the
# notification that encourages its usage when the user accesses the Desktop Indico
# from a mobile device. One only needs to add the URL of Indico mobile here:
# MobileURL = "http://m.indico.your.domain"

#------------------------------------------------------------------------------
# ACTIVE PLUGINS
#------------------------------------------------------------------------------

# List of plugins to be loaded on server start.
#
# Plugins = {'example'}

#------------------------------------------------------------------------------
# AUTHENTICATION
#------------------------------------------------------------------------------
# If you do not need integration with an existing authentication infrastructure
# such as LDAP, OAuth or a SSO system like Shibboleth, you do not have to set
# anything here. Having local identities enabled is sufficient:
# LocalIdentities = True

# When `LocalIdentities` is set to False, a link to an external registration
# page can be configured here:
# ExternalRegistrationURL = ''

# For advanced authentication and user information retrieval, Indico uses the
# Flask-Multipass library, so you can use any registered multipass auth/identity
# provider in Indico.  Using such providers requires additional configuration.
# Please note that the name of an identity provider MUST NOT be changed once
# it has been used, as it is referenced internally. Changing the title is fine
# though.
#
# For documentation on the providers and their config options see the
# documentation of multipass on the following site:
# https://flask-multipass.readthedocs.org/en/latest/
#
# In addition to the settings handled by multipass, you may use the following
# settings:
#
# Auth providers:
# - `default`
#    This must be set to `True` for exactly one form-based authentication
#    provide in case you have more than one form-based provider.  If omitted,
#    the default login form will be for local indico accounts (if enabled).
#
# Identity providers:
# - `default_group_provider`
#   If you have any identity providers which provide groups, it is highly
#   recommended to enable this for exactly one of these providers.  This
#   is extremely important if you migrated an old database and have ACLs
#   which don't contain provider references yet.
# - `trusted_email`
#   If all emails received from the provider are trustworthy, i.e. it is
#   guaranteed that the emails actually belong to the user.  This should
#   be enabled e.g. for corporate SSO systems so people do not have to go
#   through an email verification step the first time they login/signup.
# - `synced_fields`
#   This may be set in no more than one identity provider and enables user
#   data synchronization. Its value should be a set of user attributes that
#   can be synchronized. The following attributes are supported:
#   'first_name', 'last_name', 'affiliation', 'phone', 'address'
#
# Indico uses the following identity info keys from multipass, so you need
# to configure the mappings in your identity providers accordingly:
# 'first_name', 'last_name', 'email', 'affiliation', 'phone', 'address'
# All keys are optional, so if a provider does not contain data for a field,
# you can override `identity_info_keys` and only specify the keys you want.
# However, if a provider does not have at least  'email', external users
# returned by this provider will never show up in search results. Likewise,
# an external user with no email will not appear in search results.
#
# Auth and identity providers with the same name are linked automatically
# unless ProviderMap is specified.  If specified it should be a dictionary
# suitable for the MULTIPASS_PROVIDER_MAP setting of multipass.
#AuthProviders = {}
#IdentityProviders = {}
#ProviderMap = {}

#------------------------------------------------------------------------------
# GLOBAL DEFAULTS
#------------------------------------------------------------------------------

# The timezone that is used by default. This also affects the timezone used by
# periodic tasks.
#DefaultTimezone = 'UTC'


#------------------------------------------------------------------------------
# CELERY
#------------------------------------------------------------------------------

# Indico uses Celery to run time-consuming background tasks and periodic jobs.
# You must configure a Celery "broker" which is used to  communicate between
# Indico and the worker(s).
# We recommend Redis as it is very easy to set up. For details, see the Celery
# documentation:
# http://celery.readthedocs.org/en/latest/getting-started/brokers/redis.html
#CeleryBroker = 'redis://unused:password@localhost:6379/0'
#
# By default, task results are stored in the broker backend, but you can
# override it.
#CeleryResultBackend = None
#
# By default, all periodic tasks are enabled and use a schedule that is
# considered appropriate by the Indico developers.  You can override this
# for specific tasks using the `ScheduledTaskOverride` dict.  The key is the
# name of the task and the value can be one of the following:
# - `None` or `False`: Disables the task completely
# - A dictionary, as described in the Celery documentation
#   http://celery.readthedocs.org/en/latest/userguide/periodic-tasks.html#available-fields
#   The `task` key is not necessary in this case, as it is set automatically.
# - A `timedelta` or `crontab` object which will just override the schedule
#   and not touch any other options of the task.
#ScheduledTaskOverride = {}
#
# You can use the `CeleryConfig` settings to specify/override any config option
# supported by Celery. For the full list of options, see the Celery docs at
# http://celery.readthedocs.org/en/latest/configuration.html
#CeleryConfig = {}
#
# Your Celery workers can be monitored using Flower.  To use it, simply start it
# using `indico celery flower`; by default it will listen on the same host as
# specified in BaseURL (non-SSL) on port 5555.  However, having an open Flower
# instance is a security issue as it will allow anyone to shut down your celery
# workers.  To avoid this, you can use Indico's OAuth2 provider to restrict the
# access to flower to Indico administrators.  To do so, register a new OAuth
# application in the administration interface (`Server admin > Applications`)
# and set the `FlowerClientId` option to its Client ID.
#FlowerClientId = None
#
# To get a link to Flower in the administration menu, set `FlowerURL` to the URL
# under which your Flower instance is accessible:
#FlowerURL = None


# ------------------------------------------------------------------------------
# Indico Checkin
# ------------------------------------------------------------------------------

# In order to use Indico check-in app, first register the application manually
# within `Server admin > Applications` and then fill in here the client_id
# assigned to it.
#CheckinAppClientId = ''