ansible-collection-nextcloud/roles/nextcloud/templates/oidc.config.php.j2
Nis Wechselberg 87eac5bded
Initial version of nextcloud collection
Signed-off-by: Nis Wechselberg <enbewe@enbewe.de>
2024-12-22 16:30:50 +01:00


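<?php
// Rendered by Ansible from oidc.config.php.j2; change the role variables rather than
// editing this file on the host. It holds the OIDC client secret, so deploy it with
// file permissions restricted to the web-server user.
//
// Every free-form variable interpolated into a single-quoted PHP string is escaped
// for that context (backslash and single quote) so that a secret, URL or label
// containing a quote cannot terminate the literal and corrupt or inject into this file.
// Boolean options are normalised with `bool | lower` so that YAML true/false (which
// Jinja renders as Python "True"/"False") and the string defaults both become PHP
// true/false.
$CONFIG = [
    // Some Nextcloud options that make sense next to the OIDC settings
    'allow_user_to_change_display_name' => {{ nextcloud_oidc_allow_user_change_display_name | default('false') | bool | lower }},
    // URL of a custom password-reset page, or 'disabled' to hide the link
    'lost_password_link' => '{{ nextcloud_oidc_lost_password_link | default('disabled') | replace("\\", "\\\\") | replace("'", "\\'") }}',
    // URL of provider. All other URLs are auto-discovered from .well-known
    'oidc_login_provider_url' => '{{ nextcloud_oidc_provider_url | replace("\\", "\\\\") | replace("'", "\\'") }}',
    // Client ID and secret registered with the provider
    'oidc_login_client_id' => '{{ nextcloud_oidc_client_id | replace("\\", "\\\\") | replace("'", "\\'") }}',
    'oidc_login_client_secret' => '{{ nextcloud_oidc_client_secret | replace("\\", "\\\\") | replace("'", "\\'") }}',
    // Automatically redirect the login page to the provider
    'oidc_login_auto_redirect' => {{ nextcloud_oidc_auto_redirect | default('false') | bool | lower }},
    // Redirect to this page after logging out the user
    'oidc_login_logout_url' => '{{ nextcloud_oidc_logout_url | default('') | replace("\\", "\\\\") | replace("'", "\\'") }}',
    // If set to true the user will be redirected to the logout endpoint of the OIDC provider after logout
    // in Nextcloud. After successful logout the OIDC provider will redirect back to 'oidc_login_logout_url' (MUST be set).
    'oidc_login_end_session_redirect' => {{ nextcloud_oidc_end_session_redirect | default('false') | bool | lower }},
    // Login button text
    'oidc_login_button_text' => '{{ nextcloud_oidc_button_text | default('Log in with Open ID') | replace("\\", "\\\\") | replace("'", "\\'") }}',
    // Hide the Nextcloud password change form.
    'oidc_login_hide_password_form' => {{ nextcloud_oidc_hide_password_form | default('false') | bool | lower }},
    // Use ID Token instead of UserInfo
    'oidc_login_use_id_token' => {{ nextcloud_oidc_use_id_token | default('false') | bool | lower }},
    // Attribute map for OIDC response. Available keys are:
    // * id: Unique identifier for username
    // * name: Full name
    //   If set to null, existing display name won't be overwritten
    // * mail: Email address
    //   If set to null, existing email address won't be overwritten
    // * quota: Nextcloud storage quota
    // * home: Home directory location. A symlink or external storage to this location is used
    // * ldap_uid: LDAP uid to search for when running in proxy mode
    // * groups: Array or space separated string of Nextcloud groups for the user.
    //   Note that the name here corresponds to the GID of the group and not the display name
    //   In the admin panel, the GID may be obtained from the URL when editing a group
    // * login_filter: Array or space separated string. If 'oidc_login_filter_allowed_values' is
    //   set, it is checked against these values.
    // * photoURL: The URL of the user avatar. The Nextcloud server will download the picture
    //   at user login. This may lead to security issues. Use with care.
    //   This will only be effective if oidc_login_update_avatar is enabled.
    // * is_admin: If this value is truthy, the user is added to the admin group (optional)
    'oidc_login_attributes' => [
        'id' => 'sub',
        'name' => 'name',
        'mail' => 'email',
        'groups' => 'groups',
        // Admin status is derived from membership in the configured provider group
        'is_admin' => 'groups_{{ nextcloud_oidc_admin_group | default('cloud_admin') | replace("\\", "\\\\") | replace("'", "\\'") }}',
    ],
    // Allow only users in configured value(s) to access Nextcloud. In case the user
    // is not assigned to this value (read from oidc_login_attributes) the login
    // will not be allowed for this user.
    //
    // Must be specified as an array of values (e.g. roles) that are allowed to
    // access Nextcloud. e.g. 'oidc_login_filter_allowed_values' => ['role1', 'role2']
    'oidc_login_filter_allowed_values' => null,
    // Set OpenID Connect scope
    'oidc_login_scope' => '{{ nextcloud_oidc_scope | default('openid profile') | replace("\\", "\\\\") | replace("'", "\\'") }}',
    // Disable creation of users new to Nextcloud from OIDC login.
    // A user may be known to the IdP but not (yet) known to Nextcloud.
    // This setting controls what to do in this case.
    // - 'true' (default): if the user authenticates to the IdP but is not known to Nextcloud,
    //   then they will be returned to the login screen and not allowed entry;
    // - 'false': if the user authenticates but is not yet known to Nextcloud,
    //   then the user will be automatically created; note that with this setting,
    //   you will be allowing (or relying on) a third-party (the IdP) to create new users
    'oidc_login_disable_registration' => {{ nextcloud_oidc_disable_registration | default('true') | bool | lower }},
    // For development, you may disable TLS verification. Default value is `true`
    // which should be kept in production
    'oidc_login_tls_verify' => {{ nextcloud_oidc_tls_verify | default('true') | bool | lower }},
    // If you get your groups from the oidc_login_attributes, you might want
    // to create them if they are not already existing. Default is `false`.
    'oidc_create_groups' => {{ nextcloud_oidc_create_groups | default('false') | bool | lower }},
    // Enable use of WebDAV via OIDC bearer token. Off unless the role variable enables it.
    'oidc_login_webdav_enabled' => {{ nextcloud_oidc_webdav_enabled | default('false') | bool | lower }},
    // Enable authentication with user/password for DAV clients that do not
    // support token authentication (e.g. DAVx⁵). Off unless the role variable enables it.
    'oidc_login_password_authentication' => {{ nextcloud_oidc_password_authentication | default('false') | bool | lower }},
    // The time in seconds used to cache public keys from provider.
    // The default value is 1 day.
    'oidc_login_public_key_caching_time' => 86400,
    // The minimum time in seconds to wait between requests to the jwks_uri endpoint.
    // Avoids that the provider will be DoSed when someone requests with unknown kids.
    // The default is 10 seconds.
    'oidc_login_min_time_between_jwks_requests' => 10,
    // The time in seconds used to cache the OIDC well-known configuration from the provider.
    // The default value is 1 day.
    'oidc_login_well_known_caching_time' => 86400,
    // If true, Nextcloud will download user avatars on login.
    // This may lead to security issues as the server does not control
    // which URLs will be requested. Use with care; deliberately not configurable here.
    'oidc_login_update_avatar' => false,
    // If true, the default Nextcloud proxy won't be used to make internal OIDC calls.
    // The default is false.
    'oidc_login_skip_proxy' => false,
    // Code challenge method for PKCE flow.
    // Possible values are:
    // - 'S256'
    // - 'plain'
    // The empty default keeps the previous behaviour (no PKCE); set the role
    // variable to 'S256' to enable PKCE with the provider.
    'oidc_login_code_challenge_method' => '{{ nextcloud_oidc_code_challenge_method | default('') | replace("\\", "\\\\") | replace("'", "\\'") }}',
];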