How to run the Connect2id server in a Docker container

The Connect2id server is now also available as a Docker image for easy container-based setup and evaluation.

1. Docker quick start

1.1 Installing Docker

If Docker isn't installed on your computer you can find instructions here. The Community Edition (CE) is sufficient to run a Connect2id server.

1.2 Content of the Docker image

The provided Docker image includes the required Java runtime and an exploded copy of the ZIP package we make available for download -- a Tomcat servlet container with a Connect2id server WAR, an OpenID relying party client and a few other sample WARs deployed in it. A relational database (H2 in embedded mode) for the Connect2id server to persist its own data is also included.

1.3 Configuring the Connect2id server

The Connect2id server configuration is located in a set of properties files in the /WEB-INF/ directory of its web application archive (WAR).

Any of those properties can be overridden by injecting a text file with the new properties into the Docker container at /etc/c2id/ The injection can be done by means of a volume, bind mount or a custom storage driver. The steps below use the bind mount method.

1.4 To run in a container

Important: The provided Docker image uses host networking, which has no isolation between host and container and is limited to Linux hosts.

The steps to run the Connect2id server in a Docker container:

  1. Pull the latest image from Docker Hub

    The available versions are listed in the c2id Docker repository.

    docker pull c2id/c2id-server:[version]

  2. (Optional) Save your custom properties in a file

    For example:

    op.issuer                   =
    op.authz.endpoint           =
    op.authz.apiAccessToken     = vuxiehaiGhohrahJeik0ui0aib9jai9c
    op.reg.apiAccessToken       = Oosoje7choh1dom8ahng4kueQuoo6la0
    op.logout.apiAccessToken    = eik1Oosahpaic5dei2ioco4og9rahkee
    authzStore.apiAccessToken   = Ahrek9shie3Eidaex9lu4biem7ahpeeb
    sessionStore.apiAccessToken = foo7ahM5koo9eiziah7ahwaequaek5ta
    monitor.apiAccessToken      = caew6jaeX2phah8oolaoghaec0Heer8l
    jose.jwkSet                 = eyAia2V5cyIgOiBbIHsgImt0eSIgOi...
  3. Run a container with the Connect2id server image

    Replace host_port with an available port on your host.

    • To use the default server setting and embedded H2 database:

      docker run -p host_port:8080 --network host c2id/c2id-server:[version]

    • To pass your own server settings in via bind mount:

      docker run -p host_port:8080 --mount type=bind,source="/directory/containing/override/file",target=/etc/c2id c2id/c2id-server:[version]

For extra options that may be of use see the Docker run command reference.

2. Sample minimal Docker file

Minimal Docker file where the Connect2id server is the sole application in Apache Tomcat. Login page, other UIs and web hook based components are deployed separately.

# Need Java 11 with Tomcat 9.x
FROM tomcat:9-jdk11-openjdk

# Add the Connect2id server WAR as the root (/) web application
ADD target/c2id.war /usr/local/tomcat/webapps/ROOT.war

# Direct Connect2id server logging to STDOUT, add more Java system properties
# if needed. Note, Tomcat's own logging still goes to /usr/local/tomcat/logs
ENV CATALINA_OPTS="$CATALINA_OPTS -Dlog4j.loggers.root.appender=console"

# Tomcat binds on port 8080

# Launch Tomcat
CMD ["bash", "/usr/local/tomcat/bin/", "run"]

3. Database connectivity

Make sure the database parameters in the Connect2id server configuration are correctly set so that the server can connect via TCP/IP to the intended database for persisting its objects.

An occasional mistake with Docker host networking where the database is also deployed on the same host is trying to connect to localhost, which is actually the container with the Connect2id server itself.

In some cases the Docker container environment may require an additional setup.

4. Logging

The Connect2id server ships with a configuration for writing the log messages to tomcat/logs/c2id-server.log. When running the server in a Docker container it may be more useful to write the logs to the standard output, which can then be monitored with docker logs or other tools.

To write the logs to the standard output, replace the WEB-INF/log4j.xml configuration in c2id.war with this one.

4.1 AWS CloudWatch

Connect2id server deployments in AWS Elastic Container Service (ECS) can be made to have their logs collected in AWS CloudWatch.

  • First, make sure the server is configured to write the logs to the standard output, as explained above.

  • In the AWS CloudWatch console, create a new log group with a suitable name, e.g. c2id-docker (Log groups → Actions → Create log group).

  • In the AWS ECS console, set the definition for your Connect2id server Docker container to use the log driver awslogs, and then its parameters to point to the desired log group, e.g.

    • awslogs-group = c2id-docker (the CloudWatch log group name)
    • awslogs-region = eu-central (the region of the CloudWatch log group)