# Start Service

ESS provides a service that acts as the starting point for the ESS user interface.

## Start Service Endpoint

ESS Start Service hosts an application that runs at:

```none
https://start.{ESS Domain}
```

## ESS Start Application

The ESS’ start application allows a user to sign up or login with the Identity Provider. You can replace the default start application with a custom start application.

### **Create a WebID**

Start applications can call [ESS’ WebID service](https://docs.inrupt.com/ess/2.3/services/service-webid) to create a WebID and manage the WebID profile document. The application can derive the WebID service’s [endpoints](https://docs.inrupt.com/ess/2.3/service-webid#webid-profile-document-endpoints) by concatenating:

* the WebID Service’s base URL and
* the username portion of the **`webid`** claim (from the [ID](https://docs.inrupt.com/ess/2.3/service-oidc#broker-token-claims) token).

### **Create a Pod for WebID**

Start applications can call [ESS’ Pod Provision Service](https://docs.inrupt.com/ess/2.3/services/service-pod-management/service-pod-provision) to provision the Pod for the user.

### **Add Pod Location to WebID Profile**

Once provisioned, start applications can call the [ESS’ WebID service](https://docs.inrupt.com/ess/2.3/services/service-webid) to update the WebID profile document with the Pod location.

### **Start Application Configuration**

To use with the various ESS services, the following configuration options must be set to the start application’s [Solid-OIDC Client ID](https://docs.inrupt.com/ess/2.3/services/service-oidc):

* [**`QUARKUS_OIDC_CLIENT_ID`**](#quarkus_oidc_client_id) configuration for the Start Service and
* [**`INRUPT_START_CLIENT_ID`**](https://docs.inrupt.com/ess/2.3/service-webid#inrupt_start_client_id) and [**`INRUPT_WEBID_ALLOWED_CLIENT_IDS`**](https://docs.inrupt.com/ess/2.3/service-webid#inrupt_webid_allowed_client_ids) configuration for the ESS [WebID Service](https://docs.inrupt.com/ess/2.3/services/service-webid).

For example, the default ESS start application has **`https://start.{ESS DOMAIN}/app/id`** as its Client ID, and the [provided overlays](https://docs.inrupt.com/ess/2.3/installation) use this value in the configuration.

If using a custom start application, update the configuration to the the custom start application’s Client ID.

See [Use a Custom Start Application](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-start-apps/use-custom-start-app).

## Configuration

As part of the [installation process](https://docs.inrupt.com/ess/2.3/installation), Inrupt provides base Kustomize overlays and associated files that require deployment-specific configuration inputs.

The following configuration options are available for the service and may be set as part of updating the inputs for your deployment. The Inrupt-provided base Kustomize overlays may be using updated configuration values that differ from the default values.

#### INRUPT\_PROVISION\_HTTP\_BASE\_URL

The base URL of the [Pod Provisioning Service](https://docs.inrupt.com/ess/2.3/services/service-pod-management/service-pod-provision).

{% hint style="warning" %}
**Important**\
The value requires a trailing slash **`/`** ; e.g., **`https://provision.{ESS_DOMAIN}/`** .
{% endhint %}

The ESS’ Start application uses this value to determine the [ESS’ Pod Provisioning endpoint](https://docs.inrupt.com/ess/2.3/service-pod-management/service-pod-provision#pod-provisioning-creation).

#### INRUPT\_WEBID\_HTTP\_BASE\_URL

The base URL of the [WebID Service](https://docs.inrupt.com/ess/2.3/services/service-webid).

{% hint style="warning" %}
**Important**\
The value requires a trailing slash **`/`** ; e.g., **`https://id.{ESS DOMAIN}/`** .
{% endhint %}

The ESS’ Start application uses this value to determine the base URL of the [ESS’ WebID Service endpoints](https://docs.inrupt.com/ess/2.3/service-webid#webid-profile-document-endpoints).

**QUARKUS\_LOG\_LEVEL**

*Default* : **`INFO`**

Logging level.

#### QUARKUS\_OIDC\_AUTH\_SERVER\_URL

The URL of the [Solid OIDC Broker Service](https://docs.inrupt.com/ess/2.3/services/service-oidc).

#### QUARKUS\_OIDC\_CLIENT\_ID

*Default* : **`https://start.{ESS DOMAIN}/app/id`** The Solid-OIDC Client ID (i.e., the URL that dereferences to a Client ID document) of the start app for signing in/up with the Identity Provider.

See also:

* [**`INRUPT_START_CLIENT_ID`**](https://docs.inrupt.com/ess/2.3/service-webid#inrupt_start_client_id)
* [**`INRUPT_WEBID_ALLOWED_CLIENT_IDS`**](https://docs.inrupt.com/ess/2.3/service-webid#inrupt_webid_allowed_client_ids)

{% hint style="warning" %}
**Important**\
Please ensure that the [**`INRUPT_WEBID_ALLOWED_CLIENT_IDS`**](https://docs.inrupt.com/ess/2.3/service-webid#inrupt_webid_allowed_client_ids) includes the value used for the Start service Client ID, defined in [**`INRUPT_START_CLIENT_ID`**](https://docs.inrupt.com/ess/2.3/service-webid#inrupt_start_client_id) .
{% endhint %}

### Configuration Logging

ESS services log their startup configuration.

{% hint style="info" %}
**Note**\
Whitespaces are **preserved** when parsing comma-delimited lists (i.e., the parsed string values are not trimmed). For example, when parsed, **`"value1, value2,value3 "`** results in **`"value1"`** , **`" value2"`** , **`"value3 "`** .
{% endhint %}

#### INRUPT\_LOGGING\_CONFIGURATION\_PREFIX\_ALLOW

*Default* : inrupt,quarkus.oidc.auth-server-url

A comma-separated list of configuration property prefixes ( **case-sensitive** ) that determine which configurations are logged:

* If the list is empty, **NO** configuration property is logged.
* If a configuration property starts with a listed prefix ( **case-sensitive** ), the configuration property and its value are logged **unless** the configuration also matches a prefix in [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) (which acts as a filter on [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) list).\
  As such, if the configuration matches prefix in both [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) and [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny), the [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) takes precedence and the configuration is not logged. For example, if **`inrupt.`** is an allow prefix, but **`inrupt.kafka.`** is a deny prefix, all configurations that start with **`inrupt.kafka.`** are excluded from the logs.

When specifying the prefixes, you can specify the prefixes using one of two formats:

* using dot notation (e.g., **`inrupt.foobar.`** ), or
* using the [MicroProfile Config environmental variables conversion value](https://quarkus.io/guides/config-reference#environment-variables) (e.g., **`INRUPT_FOOBAR_`** ).

{% hint style="danger" %}
**Warning**\
Use the same format for **both** [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) and [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) .

For example, if you change the format of [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow), change the format of [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) as well.
{% endhint %}

{% hint style="info" %}
**Tip**\
To avoid allowing more than desired configurations, specify as much of the prefix as possible. If the prefix specifies the complete prefix term, include the term delineator. For example:

* If using dot-notation, if you want to match configuration properties of the form **`foobar.<xxxx>...`** , specify **`foobar.`** (including the dot **`.`** ) instead of, for example, **`foo`** or **`foobar`** .
* If using converted form, if you want to match configuration properties of the form **`FOOBAR_<XXXX>...`** , specify **`FOOBAR_`** (including the underscore **`_`** ) instead of, for example, **`FOO`** or **`FOOBAR`** .
  {% endhint %}

#### INRUPT\_LOGGING\_CONFIGURATION\_PREFIX\_DENY

A comma-separated list of configuration name prefixes (case-sensitive) that determines which configurations (that would otherwise match the [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) ) are not logged. That is, [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) acts as a filter on [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) . For example:

* If **`foobar.`** is an allowed prefix, to suppress **`foobar.private.<anything>`** , you can specify **`foobar.private.`** to the deny list.
* If **`foobar.`** is **not** an allowed prefix, no property starting with **`foobar.`** is logged. As such, you do not need to specify **`foobar.private`** to the deny list.

When specifying the prefixes, you can specify the prefixes using one of two formats:

* using dot notation (e.g., **`inrupt.foobar.`** ), or
* using the [MicroProfile Config environmental variables conversion value](https://quarkus.io/guides/config-reference#environment-variables) (e.g., **`INRUPT_FOOBAR_`** ).

{% hint style="danger" %}
**Warning**\
Use the same format for **both** [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow) and [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) .

For example, if you change the format of [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_ALLOW`**](#inrupt_logging_configuration_prefix_allow), change the format of [**`INRUPT_LOGGING_CONFIGURATION_PREFIX_DENY`**](#inrupt_logging_configuration_prefix_deny) as well.
{% endhint %}

### Logging Redaction

#### INRUPT\_LOGGING\_REDACTION\_NAME\_ACTION

*Default* : **REPLACE**

Type of the redaction to perform. Supported values are:

<table><thead><tr><th width="156.29046630859375">Action</th><th>Description</th></tr></thead><tbody><tr><td><strong><code>REPLACE</code></strong></td><td>Default. Replaces the matching text with a specified replacement.</td></tr><tr><td><strong><code>PLAIN</code></strong></td><td>Leaves the matching field unprocessed. Only available if the redaction target is a field (i.e., <strong><code>INRUPT_LOGGING_REDACTION_{NAME}_FIELD</code></strong>).</td></tr><tr><td><strong><code>DROP</code></strong></td><td>Suppresses the matching field. Only available if the redaction target is a field (i.e., <strong><code>INRUPT_LOGGING_REDACTION_{NAME}_FIELD</code></strong>).</td></tr><tr><td><strong><code>PRIORITIZE</code></strong></td><td>Changes the log level of the matching message.</td></tr><tr><td><strong><code>SHA256</code></strong></td><td>Replaces the matching text with its hash.</td></tr></tbody></table>

* If the action is **`REPLACE`** ( *default* ), see also **`INRUPT_LOGGING_REDACTION_{NAME}_REPLACEMENT`** .
* If the action is to **`PRIORITIZE`** , see also **I`NRUPT_LOGGING_REDACTION_{NAME}_LEVEL`** .

For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction).

#### INRUPT\_LOGGING\_REDACTION\_NAME\_ENABLED

*Default* : **`true`**

A boolean that determines whether the redaction configurations with the specified **`INRUPT_LOGGING_REDACTION_{NAME}_`** prefix is enabled.

For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction).

#### INRUPT\_LOGGING\_REDACTION\_NAME\_EXCEPTION

Fully qualified name of the exception class to match in the log messages (includes inner exception). Configure to target an exception message class.

For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction).

#### INRUPT\_LOGGING\_REDACTION\_NAME\_FIELD

Exact name of the field to match in the log messages. Configure to target a specific log message field for redaction.

For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction).

#### INRUPT\_LOGGING\_REDACTION\_NAME\_LEVEL

A new log level to use for the log message if the **`INRUPT_LOGGING_REDACTION_{NAME}_ACTION`** is **`PRIORITIZE`** .

#### INRUPT\_LOGGING\_REDACTION\_NAME\_PATTERN

A regex (see [Java regex pattern](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/regex/Pattern.html#sum)) to match in the log messages. Configure to target log message text that matches a specified pattern.

For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction).

#### INRUPT\_LOGGING\_REDACTION\_NAME\_REPLACEMENT

Replacement text to use if the **`INRUPT_LOGGING_REDACTION_{NAME}_ACTION`** is **`REPLACE`** .

If unspecified, defaults to **`[REDACTED]`** .

For more information on log redaction, see [Logging Redaction](https://docs.inrupt.com/ess/2.3/administration/logging/logging-redaction).

### Application-Defined Metadata Propagation

#### INRUPT\_AUDIT\_PRODUCER\_REQUEST\_METADATA\_ALLOW

A comma-separated list of application-defined properties that can be included in the associated [audit events](https://docs.inrupt.com/ess/2.3/service-auditing#audit-events) (unless specified in the corresponding [**`INRUPT_AUDIT_PRODUCER_REQUEST_METADATA_DENY`**](#inrupt_audit_producer_request_metadata_deny)) .

This configuration is **case-sensitive** to the propagated properties in the baggage.

{% hint style="info" %}
**Tip**\
To include a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match.
{% endhint %}

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

#### INRUPT\_AUDIT\_PRODUCER\_REQUEST\_METADATA\_DENY

A comma-separated list of application-defined properties to exclude from the associated audit messages. This setting takes precedence over [**`INRUPT_AUDIT_PRODUCER_REQUEST_METADATA_ALLOW`**](#inrupt_audit_producer_request_metadata_allow).

This configuration is **case-sensitive** to the propagated properties in the baggage.

{% hint style="info" %}
**Tip**\
To exclude a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match.
{% endhint %}

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

#### INRUPT\_LOGGING\_REQUEST\_METADATA\_ALLOW

A comma-separated list of application-defined properties that can be included in the associated [log messages](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) (unless specified in the corresponding [**`INRUPT_LOGGING_REQUEST_METADATA_DENY`**](#inrupt_logging_request_metadata_deny)) .

This configuration is **case-sensitive** to the propagated properties in the baggage.

{% hint style="info" %}
**Tip**\
To include a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match.
{% endhint %}

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

#### INRUPT\_LOGGING\_REQUEST\_METADATA\_DENY

A comma-separated list of application-defined properties to exclude from the associated log messages. This setting takes precedence over [**`INRUPT_LOGGING_REQUEST_METADATA_ALLOW`**](#inrupt_logging_request_metadata_allow).

This configuration is **case-sensitive** to the propagated properties in the baggage.

{% hint style="info" %}
**Tip**\
To exclude a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match.
{% endhint %}

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

#### INRUPT\_REQUEST\_METADATA\_PROPAGATOR\_HEADER\_ALLOW

A comma-separated list of non-baggage request headers to add to the [baggage](https://www.w3.org/TR/baggage/) (unless specified in the corresponding [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_DENY`**](#inrupt_request_metadata_propagator_header_deny)) ; i.e., include these non-baggage request headers as application-defined properties.

The configuration is case-insensitive; i.e., the listed headers do **not** need to match the case of the client request headers. For example, a list that includes **`x-correlation-id`** can match **`x-correlation-id`** header, **`X-CoRrElAtIoN-Id`** header, etc.

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

#### INRUPT\_REQUEST\_METADATA\_PROPAGATOR\_HEADER\_DENY

A comma-separated list of non-baggage request headers to exclude from being added to the [baggage](https://www.w3.org/TR/baggage/) ; i.e., excludes these headers as application-defined properties. This setting takes precedence over [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow).

The configuration is case-insensitive; i.e., the listed headers do **not** need to match the case of the client request headers. For example, a list that includes **`x-correlation-id`** can match (and exclude) **`x-correlation-id`** header, **`X-CoRrElAtIoN-Id`** header, etc.

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

#### INRUPT\_REQUEST\_METADATA\_PROPAGATOR\_HEADER\_OVERRIDES

A flag that determines ESS behavior when metadata property is defined both as a header and as a baggage entry:

* If **`true`** ESS updates/overrides the baggage entry with the header value.
* If **`false`** (the default), ESS keeps the baggage entry.

For details, [Duplicate Property Definition](https://docs.inrupt.com/ess/administration/application-defined-metadata#duplicate-property-definition).

#### INRUPT\_REQUEST\_METADATA\_REFLECTOR\_HEADER\_ALLOW

A comma-separated list of application-defined properties that can return as response headers (unless specified in the corresponding [**`INRUPT_REQUEST_METADATA_REFLECTOR_HEADER_DENY`**](#inrupt_request_metadata_reflector_header_deny)) .

This configuration is **case-sensitive** to the propagated properties in the baggage.

{% hint style="info" %}
**Tip**

* To return a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match.
* You may need to update **`QUARKUS_HTTP_CORS_EXPOSED_HEADERS`** to extend the list of [CORS-safelisted response headers](https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_response_header) .
  {% endhint %}

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

#### INRUPT\_REQUEST\_METADATA\_REFLECTOR\_HEADER\_DENY

A comma-separated list of application-defined properties to exclude from returning as response headers. This setting takes precedence over [**`INRUPT_REQUEST_METADATA_REFLECTOR_HEADER_ALLOW`**](#inrupt_request_metadata_reflector_header_allow).

This configuration is **case-sensitive** to the propagated properties in the baggage.

{% hint style="info" %}
**Tip**\
To exclude a propagated property that was added via the [**`INRUPT_REQUEST_METADATA_PROPAGATOR_HEADER_ALLOW`**](#inrupt_request_metadata_propagator_header_allow) configuration, ensure that the cases of these properties match.
{% endhint %}

See:

* [Manage Application-Defined Metadata Propagation](https://docs.inrupt.com/ess/2.3/installation/customize-configurations/customization-logging/manage-app-defined-metadata) to configure.
* [Application-Defined Metadata](https://docs.inrupt.com/ess/2.3/administration/application-defined-metadata) for more information.

### Additional Information

See also [Quarkus Configuration Options](https://quarkus.io/guides/all-config)