General Options
is.delete.restore
: Defines how long after soft-deletion an entity can be restored
Database Options
The Identity Server needs to be connected to a PostgreSQL-compatible database. Details for the form of the URI can be found in the PostgreSQL documentation.
is.database-uri
: Database connection URIis.database-max-idle-conns
: Maximum number of idle database connections (default10
)is.database-max-open-conns
: Maximum number of open database connections (default20
)is.read-database-uri
: Read-Only database connection URI
Email Options
The Identity Server can be configured with different providers for sending emails. Currently the sendgrid
, smtp
and dir
providers are implemented.
is.email.provider
: Email provider to use
When sendgrid
is used as provider, an API key is required. For testing, use the sandbox to prevent emails from actually being sent.
is.email.sendgrid.api-key
: The SendGrid API key to useis.email.sendgrid.sandbox
: Use SendGrid sandbox mode for testing
When smtp
is used as provider, provide the address of the SMTP server (host:port
), as well as the username and password for the SMTP server.
is.email.smtp.address
: SMTP server addressis.email.smtp.username
: Username to authenticate withis.email.smtp.password
: Password to authenticate withis.email.smtp.connections
: Maximum number of connections to the SMTP server
When dir
is used as provider, provide the path to the local directory where email messages should be written to.
is.email.dir
: Path to the local directory where email messages should be written to
The email address and name of the sender should be configured regardless of the provider that is used.
is.email.sender-address
: The address of the senderis.email.sender-name
: The name of the sender
Most emails contain the name of the network and links to the Identity Server or Console.
-
is.email.network.name
: The name of the network -
is.email.network.identity-server-url
: The URL of the Identity Server -
is.email.network.console-url
: The URL of the Console -
is.email.templates.source
: Source of the email template files (directory, url, blob) Deprecated in 3.19 -
is.email.templates.directory
: Directory on the filesystem where email templates are located Deprecated in 3.19 -
is.email.templates.url
: URL where email templates are located Deprecated in 3.19 -
is.email.templates.blob.bucket
: Bucket where email templates are located Deprecated in 3.19 -
is.email.templates.blob.path
: Path within the bucket Deprecated in 3.19
If your custom templates rely on other files, such as headers or footers, those files need to be included.
is.email.templates.includes
: The email templates that will be preloaded on startup Deprecated in 3.19
OAuth UI Options
The OAuth user interface needs to be configured with at least the canonical URL and the base URL of the Identity Server’s HTTP API. The canonical URL needs to be the full URL of the UI, and looks like https://thethings.example.com/oauth
. The base URL of the Identity Server’s HTTP API looks like https://thethings.example.com/api/v3
.
is.oauth.ui.canonical-url
: The page canonical URLis.oauth.ui.console-url
: The URL that points to the root of the Consoleis.oauth.ui.is.base-url
: Base URL to the HTTP APIis.oauth.ui.is.enabled
: Enable this API (defaulttrue
)
If you do not want to serve the OAuth user interface on /oauth
, you may customize the mount path.
is.oauth.mount
: Path on the server where the OAuth server will be served
If page assets for the OAuth UI are served from a CDN or on a different path on the server, the base URL needs to be customized as well. If you want to customize the branding of the OAuth UI, you can set the base URL for where your branding assets are located.
is.oauth.ui.assets-base-url
: The base URL to the page assetsis.oauth.ui.branding-base-url
: The base URL to the branding assetsis.oauth.ui.branding-cluster-id
: The cluster ID to show below the logois.oauth.ui.branding-text
: The branding text to show below the logois.oauth.ui.cluster-picker-url
: A URL to the a cluster picker to enable users to pick the correct cluster of the deployment
The appearance of The Things Stack can optionally be customized.
is.oauth.ui.site-name
: The site nameis.oauth.ui.title
: The page titleis.oauth.ui.sub-title
: The page sub-titleis.oauth.ui.descriptions
: The page descriptionis.oauth.ui.language
: The page languageis.oauth.ui.theme-color
: The page theme color
Further customization of the CSS files, JS files and icons is also possible:
is.oauth.ui.css-file
: The names of the CSS filesis.oauth.ui.js-file
: The names of the JS filesis.oauth.ui.icon-prefix
: The prefix to put before the page icons (favicon.ico, touch-icon.png, og-image.png)
It is possible to highlight some deployment information and disclaimers in the header of the Account App:
is.oauth.ui.fair-use-policy-information-url
: A URL with information about the applicable fair use policy of the deploymentis.oauth.ui.sla-applies
: The applicable Service Level Agreement of this deployment, e.g.>99.9%
is.oauth.ui.sla-information-url
: A URL with information about the SLA applicable for this deploymentis.oauth.ui.support-plan-applies
: The applicable support plan of this deployment, e.g.priority
,24h
is.oauth.ui.support-plan-information-url
: A URL with information about the support plan applicable for this deployment
It is possible to configure Identity Server to use Sentry for monitoring events.
is.oauth.ui.sentry-dsn
: The Sentry DSN
Profile Picture Storage Options
The profile pictures that users upload for their accounts are stored in a blob bucket. The global blob configuration is used for this. In addition to those options, specify the name of the bucket and the public URL to the bucket.
is.profile-picture.bucket
: Bucket used for storing profile picturesis.profile-picture.bucket-url
: Base URL for public bucket access
It is also possible to disable uploads:
is.profile-picture.disable-upload
: Disable profile picture uploads
It is also possible to use Gravatar for profile pictures.
is.profile-picture.use-gravatar
: Use Gravatar fallback for users without profile picture
End Device Picture Storage Options
Similar to profile pictures, end devices can have pictures associated with them.
is.end-device-picture.bucket
: Bucket used for storing end device picturesis.end-device-picture.bucket-url
: Base URL for public bucket access
It is also possible to disable uploads:
is.end-device-picture.disable-upload
: Disable end device picture uploads
User Registration Options
By default, users can register their own user accounts. User accounts can also be registered by admin users in the network. The user registration process can be customized by requiring approval by admin users, requiring email validation or by requiring new users to be invited by existing users.
is.user-registration.enabled
: Enable user registration. If user registration is disabled, admin users can still create users.is.user-registration.admin-approval.required
: Require admin approval for new usersis.user-registration.contact-info-validation.required
: Require contact info validation for new usersis.user-registration.contact-info-validation.token-ttl
: TTL of contact info validation tokensis.user-registration.invitation.required
: Require invitations for new usersis.user-registration.invitation.token-ttl
: TTL of user invitation tokens
There are several options to customize the requirements for user passwords.
is.user-registration.password-requirements.max-length
: Maximum password lengthis.user-registration.password-requirements.min-digits
: Minimum number of digitsis.user-registration.password-requirements.min-length
: Minimum password lengthis.user-registration.password-requirements.min-special
: Minimum number of special charactersis.user-registration.password-requirements.min-uppercase
: Minimum number of uppercase lettersis.user-registration.password-requirements.reject-common
: Reject common passwordsis.user-registration.password-requirements.reject-user-id
: Reject passwords that contain user ID
There is also an option to disable login with credentials. In that case, The Things Stack will only allow a login with configured external (OpenID Connect) providers.
User Rights Options
By default users can create applications, gateways, organizations and OAuth clients. With the following configuration options it is possible to restrict this, in which case only admin users are allowed to create these entities. By adding users to organizations, and assigning the appropriate rights, they can still create these entities in the organization.
is.user-rights.create-applications
: Allow non-admin users to create applications in their user accountis.user-rights.create-clients
: Allow non-admin users to create OAuth clients in their user accountis.user-rights.create-gateways
: Allow non-admin users to create gateways in their user accountis.user-rights.create-organizations
: Allow non-admin users to create organizations in their user account
Entity Limits Options
By default, users can create an unlimited number of applications, gateways, organizations and OAuth clients. With the following configuration options, it is possible to restrict this. These configuration options apply to newly created applications, organizations and users. Limits for existing applications, organizations and users can be modified by admin users.
is.application-limits.end-devices
: The end devices limit for newly created applications.is.organization-limits.applications
: The applications limit for newly created organizations.is.organization-limits.clients
: The clients limit for newly created organizations.is.organization-limits.gateways
: The gateways limit for newly created organizations.is.user-limits.applications
: The applications limit for newly created users; this limit applies to direct memberships, not to indirect memberships through organizations.is.user-limits.clients
: The clients limit for newly created users; this limit applies to direct memberships, not to indirect memberships through organizations.is.user-limits.gateways
: The gateways limit for newly created users; this limit applies to direct memberships, not to indirect memberships through organizations.is.user-limits.organizations
: The organizations limit for newly created users.
Admin Rights Options
By default admins are granted almost all rights on all entities in the network. The default configuration does not allow admins to read secrets, such as the root keys of end devices, and the CUPS/LNS secrets of gateways. This also means that admins can not assign those rights to others. The following option can be used to grant admin users all possible rights.
is.admin-rights.all
: Grant all rights to admins, including_KEYS
and_ALL
Gateway Secrets Encryption Options
is.gateways.encryption-key-id
: ID of the key used to encrypt gateway secrets at rest.
Tenant Administration Options
In multi-tenant deployments, tenants are managed with “tenant admin keys”. These keys need to be configured in the Identity Server.
is.tenancy.admin-keys
: Keys that can be used for tenant administration (16, 24 or 32 hex-encoded bytes)
Cache Options
is.auth-cache.membership-ttl
: TTL of membership caches
DevEUI Issuer Options
is.dev-eui-block.enabled
: Enable DevEUI address issuing from IEEE MAC blockis.dev-eui-block.application-limit
: Maximum DevEUI addresses to be issued per applicationis.dev-eui-block.init-counter
: Initial counter value for the addresses to be issued (default 0)is.dev-eui-block.prefix
: DevEUI block prefix (default “0000000000000000/0”)
Login Tokens
The Things Stack allows using login tokens (magic login links) for password-less login.
is.login-tokens.enabled
: Enable users requesting login tokensis.login-tokens.token-ttl
: TTL of login tokens
Network Options
The Things Stack Identity Server supports LoRaWAN® Backend Interfaces, so it is possible to obtain an end device’s NetID, Tenant ID and Network Server address with the use of a vendor-specific extension.
is.network.net-id
: The NetID of the network. When running a Network Server, this needs to be the same value asns.net-id
.is.network.tenant-id
: The Tenant ID in the host NetID. Leave blank if the used NetID is dedicated for this Identity Server.