OpenConext · phavekes · Oct 9, 2025 · Oct 7, 2025 · Oct 8, 2025 · Oct 8, 2025
diff --git a/core/README.md b/core/README.md
@@ -65,6 +65,7 @@ Since the OpenConext suite is composed of multiple docker containers, you can us
 - No profile: Starts the core services: Engineblock, manage, mujina and profile (plus loadbalancer and databases).
 - oidc: Starts oidc as well.
 - teams: Starts services needed for teams (oidcng, voot and teams)
+- invite: Starts services needed for Openconext-Invite (oidcng, voot and teams)
 - extras: Starts extras (currently pdp)
 
 If you want to start all services, you can use extras. A profile can be started by using the --profile argument to the `docker compose up` command. For example:

diff --git a/core/docker-compose.yml b/core/docker-compose.yml
@@ -1,4 +1,5 @@
 ---
+#name: openconext-core
 services:
   haproxy:
     image: ghcr.io/openconext/openconext-basecontainers/haproxy28:latest
@@ -28,6 +29,7 @@ services:
           - spdashboard.dev.openconext.local
           - mujina-idp.dev.openconext.local
           - invite.dev.openconext.local
+          - welcome.dev.openconext.local
           - sbs.dev.openconext.local
           - spdashboard.dev.openconext.local
     hostname: haproxy.docker
@@ -226,6 +228,7 @@ services:
       - "oidc"
       - "teams"
       - "extras"
+      - "invite"
 
   oidcplaygroundgui:
     image: ghcr.io/openconext/openconext-oidc-playground/oidc-playground-gui:3.0.1
@@ -304,16 +307,21 @@ services:
     volumes:
       - ./haproxy/haproxy.crt:/certificates/haproxy.crt
       - ./cacert/__cacert_entrypoint.sh:/__cacert_entrypoint.sh
+      - ./invite:/config
     networks:
       coreconextdev:
     entrypoint: /__cacert_entrypoint.sh
+    depends_on:
+      oidcng:
+        condition: service_started
     command: "java -jar app.jar --spring.profiles.active=devconf"
     hostname: inviteserver.docker
     working_dir: /
     profiles:
       - "php"
       - "teams"
       - "extras"
+      - "invite"
 
   inviteclient:
     image: ghcr.io/openconext/openconext-invite/inviteclient:0.0.23
@@ -330,9 +338,12 @@ services:
         condition: service_healthy
       mariadb:
         condition: service_healthy
+      inviteserver:
+        condition: service_started
     profiles:
       - "extras"
       - "teams"
+      - "invite"
 
   invitewelcome:
     image: ghcr.io/openconext/openconext-invite/invitewelcome:0.0.23
@@ -349,9 +360,12 @@ services:
         condition: service_healthy
       mariadb:
         condition: service_healthy
+      inviteserver:
+        condition: service_started
     profiles:
       - "extras"
       - "teams"
+      - "invite"
 
   voot:
     image: ghcr.io/openconext/openconext-voot/voot:6.2.0

diff --git a/core/invite/application.yml b/core/invite/application.yml
@@ -0,0 +1,133 @@
+---
+server:
+  port: 8080
+  error:
+    path: "/error"
+    include-message: always
+  forward-headers-strategy: native
+  servlet:
+    session:
+      cookie:
+        secure: false
+
+spring:
+  main:
+    banner-mode: "off"
+  session:
+    jdbc:
+      cleanup-cron: "-"
+      initialize-schema: always
+    store-type: jdbc
+    timeout: 8h
+  mvc:
+    log-request-details: false
+  security:
+    oauth2:
+      client:
+        registration:
+          oidcng:
+            client-id: invite.dev.openconext.local
+            client-secret: secretsecret
+            redirect-uri: "https://{baseHost}{basePort}{basePath}/login/oauth2/code/{registrationId}"
+            authorization-grant-type: "authorization_code"
+            scope: openid
+        provider:
+          oidcng:
+            authorization-uri: "https://connect.dev.openconext.local/oidc/authorize"
+            token-uri: "https://connect.dev.openconext.local/oidc/token"
+            user-info-uri: "https://connect.dev.openconext.local/oidc/userinfo"
+            jwk-set-uri: "https://connect.dev.openconext.local/oidc/certs"
+            user-name-attribute: sub
+            user-info-authentication-method: client_secret_basic
+  jpa:
+    properties:
+      hibernate:
+        naming-strategy: org.hibernate.cfg.ImprovedNamingStrategy
+        dialect: org.hibernate.dialect.MySQLDialect
+    open-in-view: false
+    show-sql: false
+  datasource:
+    driver-class-name: org.mariadb.jdbc.Driver
+    url: jdbc:mariadb://mariadb/invite?autoReconnect=true
+    username: inviterw
+    password: secret
+  flyway:
+    locations: classpath:db/mysql/migration
+    fail-on-missing-locations: true
+  mail:
+    host: localhost
+    port: 1025
+
+oidcng:
+  discovery-url: "https://connect.dev.openconext.local/oidc/.well-known/openid-configuration"
+  introspect-url: "https://connect.dev.openconext.local/oidc/introspect"
+  resource-server-id: inviters.dev.openconext.local
+  resource-server-secret: secretsecret
+  base-url: https://invite.dev.openconext.local
+
+super-admin:
+  users:
+    - "urn:collab:person:example.com:admin"
+
+institution-admin:
+  entitlement: "urn:mace:surfnet.nl:surfnet.nl:sab:role:SURFconextverantwoordelijke"
+  organization-guid-prefix: "urn:mace:surfnet.nl:surfnet.nl:sab:organizationGUID:"
+
+gui:
+  disclaimer:
+    background-color: red
+    content: DEV
+
+config:
+  client-url: "https://invite.dev.openconext.local"
+  welcome-url: "https://welcome.dev.openconext.local"
+  server-url: "https://invite.dev.openconext.local"
+  server-welcome-url: "https://welcome.dev.openconext.local"
+  eduid-entity-id: "https://login.dev.openconext.local"
+  role-search-required: false
+  past-date-allowed: true
+  eduid-idp-schac-home-organization: "dev.eduid.nl"
+
+feature:
+  enable-performance-seed: False
+
+# We don't encode in-memory passwords, so we need to prefix them with {noop}
+external-api-configuration:
+  remote-users:
+    - username: voot
+      password: "secret"
+      scopes:
+        - voot
+    - username: teams
+      password: "secret"
+      scopes:
+        - teams
+    - username: aa
+      password: "secret"
+      scopes:
+        - attribute_aggregation
+    - username: lifecycle
+      password: "secret"
+      scopes:
+        - lifecycle
+    - username: profile
+      password: "secret"
+      scopes:
+        - profile
+    - username: sp_dashboard
+      password: "secret"
+      scopes:
+        - sp_dashboard
+
+voot:
+  group_urn_domain: urn:mace:surf.nl:test.surfaccess.nl
+
+manage:
+  # enabled: True
+  enabled: False
+  url: "https://manage.dev.openconext.local"
+  user: invite
+  password: secret
+  # If you want to run the mock Manage against a git ignored file with sensitive data, e.g. manage/provisioning.local.json file
+  #  local: True
+  staticManageDirectory: classpath:/manage
diff --git a/core/scripts/init.sh b/core/scripts/init.sh
@@ -2,6 +2,7 @@
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 ORANGE='\033[0;33m'
+BLUE='\033[0;34m'
 NOCOLOR='\033[0m'
 CWD=$(dirname $0)
 manageurl=https://manage.dev.openconext.local/manage/api/internal/
@@ -61,10 +62,10 @@ echo -e "${ORANGE}Send a PUSH in Manage, which pushes the entities to EngineBloc
 docker compose exec managegui curl -q -s -k -u sysadmin:secret $manageurl/push >/dev/null
 
 printf "\n"
-echo -e "${RED}Please add the following line to your /etc/hosts:${NOCOLOR}${GREEN} \xE2\x9C\x94${NOCOLOR}"
+echo -e "${BLUE}Please add the following line to your /etc/hosts:${NOCOLOR}${GREEN} \xE2\x9C\x94${NOCOLOR}"
 printf "\n"
 
-echo "127.0.0.1 engine.dev.openconext.local manage.dev.openconext.local profile.dev.openconext.local engine-api.dev.openconext.local mujina-idp.dev.openconext.local profile.dev.openconext.local connect.dev.openconext.local teams.dev.openconext.local voot.dev.openconext.local"
+echo "127.0.0.1 engine.dev.openconext.local manage.dev.openconext.local profile.dev.openconext.local engine-api.dev.openconext.local mujina-idp.dev.openconext.local profile.dev.openconext.local connect.dev.openconext.local teams.dev.openconext.local voot.dev.openconext.local invite.dev.openconext.local welcome.dev.openconext.local"
 
 printf "\n"
 echo "You can now login. If you want to bring the environment down, use the command below"