{{ nextcloud_oidc_allow_user_change_display_name | default('false') }}, 'lost_password_link' => '{{ nextcloud_oidc_lost_password_link | default('disabled') }}', // URL of provider. All other URLs are auto-discovered from .well-known 'oidc_login_provider_url' => '{{ nextcloud_oidc_provider_url }}', // Client ID and secret registered with the provider 'oidc_login_client_id' => '{{ nextcloud_oidc_client_id }}', 'oidc_login_client_secret' => '{{ nextcloud_oidc_client_secret }}', // Automatically redirect the login page to the provider 'oidc_login_auto_redirect' => {{ nextcloud_oidc_auto_redirect | default('false') }}, // Redirect to this page after logging out the user 'oidc_login_logout_url' => '{{ nextcloud_oidc_logout_url | default('') }}', // If set to true the user will be redirected to the logout endpoint of the OIDC provider after logout // in Nextcloud. After successfull logout the OIDC provider will redirect back to 'oidc_login_logout_url' (MUST be set). 'oidc_login_end_session_redirect' => {{ nextcloud_oidc_end_session_redirect | default('false') }}, // Login button text 'oidc_login_button_text' => '{{ nextcloud_oidc_button_text | default('Log in with Open ID') }}', // Hide the NextCloud password change form. 'oidc_login_hide_password_form' => {{ nextcloud_oidc_hide_password_form | default('false') }}, // Use ID Token instead of UserInfo 'oidc_login_use_id_token' => {{ nextcloud_oidc_use_id_token | default('false') }}, // Attribute map for OIDC response. Available keys are: // * id: Unique identifier for username // * name: Full name // If set to null, existing display name won't be overwritten // * mail: Email address // If set to null, existing email address won't be overwritten // * quota: Nextcloud storage quota // * home: Home directory location. A symlink or external storage to this location is used // * ldap_uid: LDAP uid to search for when running in proxy mode // * groups: Array or space separated string of Nextcloud groups for the user. // Note that the name here corresponds to the GID of the group and not the display name // In the admin panel, the GID may be obtained from the URL when editing a group // * login_filter: Array or space separated string. If 'oidc_login_filter_allowed_values' is // set, it is checked against these values. // * photoURL: The URL of the user avatar. The nextcloud server will download the picture // at user login. This may lead to security issues. Use with care. // This will only be effective if oidc_login_update_avatar is enabled. // * is_admin: If this value is truthy, the user is added to the admin group (optional) 'oidc_login_attributes' => array ( 'id' => 'sub', 'name' => 'name', 'mail' => 'email', 'groups' => 'groups', 'is_admin' => 'groups_{{ nextcloud_oidc_admin_group | default('cloud_admin') }}', ), // Allow only users in configured value(s) to access Nextcloud. In case the user // is not assigned to this value (read from oidc_login_attributes) the login // will not be allowed for this user. // // Must be specified as an array of values (e.g. roles) that are allowed to // access Nextcloud. e.g. 'oidc_login_filter_allowed_values' => array('role1', 'role2') 'oidc_login_filter_allowed_values' => null, // Set OpenID Connect scope 'oidc_login_scope' => '{{ nextcloud_oidc_scope | default('openid profile') }}', // Disable creation of users new to Nextcloud from OIDC login. // A user may be known to the IdP but not (yet) known to Nextcloud. // This setting controls what to do in this case. // - 'true' (default): if the user authenticates to the IdP but is not known to Nextcloud, // then they will be returned to the login screen and not allowed entry; // - 'false': if the user authenticates but is not yet known to Nextcloud, // then the user will be automatically created; note that with this setting, // you will be allowing (or relying on) a third-party (the IdP) to create new users 'oidc_login_disable_registration' => {{ nextcloud_oidc_disable_registration | default('true') }}, // For development, you may disable TLS verification. Default value is `true` // which should be kept in production 'oidc_login_tls_verify' => {{ nextcloud_oidc_tls_verify | default('true') }}, // If you get your groups from the oidc_login_attributes, you might want // to create them if they are not already existing, Default is `false`. 'oidc_create_groups' => {{ nextcloud_oidc_create_groups | default('false') }}, // Enable use of WebDAV via OIDC bearer token. 'oidc_login_webdav_enabled' => false, // Enable authentication with user/password for DAV clients that do not // support token authentication (e.g. DAVx⁵) 'oidc_login_password_authentication' => false, // The time in seconds used to cache public keys from provider. // The default value is 1 day. 'oidc_login_public_key_caching_time' => 86400, // The minimum time in seconds to wait between requests to the jwks_uri endpoint. // Avoids that the provider will be DoSed when someone requests with unknown kids. // The default is 10 seconds. 'oidc_login_min_time_between_jwks_requests' => 10, // The time in seconds used to cache the OIDC well-known configuration from the provider. // The default value is 1 day. 'oidc_login_well_known_caching_time' => 86400, // If true, nextcloud will download user avatars on login. // This may lead to security issues as the server does not control // which URLs will be requested. Use with care. 'oidc_login_update_avatar' => false, // If true, the default Nextcloud proxy won't be used to make internals OIDC call. // The default is false. 'oidc_login_skip_proxy' => false, // Code challenge method for PKCE flow. // Possible values are: // - 'S256' // - 'plain' // The default value is empty, which won't apply the PKCE flow. 'oidc_login_code_challenge_method' => '', );