From 68ddb4eb7923321b3d495c55225de97f63a8c423 Mon Sep 17 00:00:00 2001
From: MannixTT
Date: Wed, 8 Apr 2026 23:46:15 +0200
Subject: [PATCH 1/5] Update external-idp.yml adapt docker compose for new variables regarding external idp
---
 idm/external-idp.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/idm/external-idp.yml b/idm/external-idp.yml
index ff8a6a42..d044e93d 100644
--- a/idm/external-idp.yml
+++ b/idm/external-idp.yml
@@ -14,7 +14,17 @@ services:
 GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
 FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
 PROXY_OIDC_REWRITE_WELLKNOWN: "true"
- WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
+ OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
+ OC_OIDC_CLIENT_SCOPES: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-openid profile email roles offline_access}
+ PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-roles}
+ WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID:-web}
+ WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPE:-openid profile email}
+ WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID:-OpenCloudAndroid}
+ WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPE:-openid profile email offline_access}
+ WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID:-OpenCloudIOS}
+ WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPE:-openid profile email offline_access}
+ WEBFINGER_DESKTOP_OIDC_CLIENT_ID: ${WEBFINGER_DESKTOP_OIDC_CLIENT_ID:-OpenCloudDesktop}
+ WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES: ${WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPE:-openid profile email offline_access}
 PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
 OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}
 # This specifies to start all services except idm and idp. These are replaced by external services.
@@ -45,6 +55,8 @@ services:
 WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
 ldap-server:
 image: bitnamilegacy/openldap:2.6
+ # Bitnami images require GID 0 to write to internal socket and PID directories
+ user: ${LDAP_UID_GID:-1000:0}
 networks:
 opencloud-net:
 entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
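Review bot: The default for `OC_OIDC_CLIENT_SCOPES` is expanded from the wrong host variable: with `${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-openid profile email roles offline_access}`, the moment an operator sets the claim name in `.env` (say to `groups`) the scope list sent to the IdP collapses to `groups` and `openid` is lost, so the proxy no longer performs an OIDC request at all. The line should read `OC_OIDC_CLIENT_SCOPES: ${OC_OIDC_CLIENT_SCOPES:-openid profile email roles offline_access}`. In the same hunk the four `WEBFINGER_*_OIDC_CLIENT_SCOPES` lines expand the singular `WEBFINGER_*_OIDC_CLIENT_SCOPE` host variable while the `.env.example` added later in this series documents the plural name, so any per-client scope override an operator sets is silently ignored; the name on both sides of `:-` must match. The `services:`/`environment:` mapping this hunk edits starts before and continues after the hunk.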
From 212f87a89c45488c4802aeeb70eb698a6f37eae4 Mon Sep 17 00:00:00 2001
From: MannixTT
Date: Wed, 8 Apr 2026 23:49:37 +0200
Subject: [PATCH 2/5] Update .env.example Update environment variables for new variables regarding external idp settings
---
 .env.example | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/.env.example b/.env.example
index 4f594547..515816ca 100644
--- a/.env.example
+++ b/.env.example
@@ -313,6 +313,25 @@ IDP_DOMAIN=
 IDP_ISSUER_URL=
 # Url of the account edit page from your Identity Provider.
 IDP_ACCOUNT_URL=
+# Global Client ID, you can overwrite it by defining a client specific client id
+OC_OIDC_CLIENT_ID="{{ item.oc_oidc_client_id }}"
+# Declares which property should be used for the oidc claim
+PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM="roles"
+# claim_role to opencloud mapping
+OC_OIDC_CLIENT_SCOPES="openid profile email roles offline_access"
+# Unfortunetely needed at the moment (be careful to set it to none in prod)
+# PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
+# Allow OpenCloud, to show Authentik Login-Frame
+PROXY_CSP_CONFIG_FILE_LOCATION="/etc/ocis/csp.yaml"
+# Client specific environment vars
+#WEBFINGER_WEB_OIDC_CLIENT_ID=
+#WEBFINGER_WEB_OIDC_CLIENT_SCOPES=
+#WEBFINGER_IOS_OIDC_CLIENT_ID=
+#WEBFINGER_IOS_OIDC_CLIENT_SCOPES=
+#WEBFINGER_ANDROID_OIDC_CLIENT_ID=
+#WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES=
+#WEBFINGER_DESKTOP_OIDC_CLIENT_ID=
+#WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES=
 ## Shared User Directory Mode ##
 # Use together with idm/ldap-keycloak.yml and traefik/ldap-keycloak.yml
From 86f1d6fb7ec2dc2c2943a597d2b3f509bbc9793b Mon Sep 17 00:00:00 2001
From: MannixTT
Date: Thu, 9 Apr 2026 00:20:46 +0200
Subject: [PATCH 3/5] Update external-idp.yml adapt defaults - otherwise it will not behave as expected
---
 idm/external-idp.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/idm/external-idp.yml b/idm/external-idp.yml
index d044e93d..60c84a24 100644
--- a/idm/external-idp.yml
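Review bot: The commented-out `# PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none` is introduced with "be careful to set it to none in prod", which reads as an instruction to disable access-token verification in production — the opposite of what a sample env should teach — and "Unfortunetely needed at the moment" never says which IdP setup needs it or why. If the line has to stay, the comment should name the reason and the consequence, e.g. `# Only if your IdP issues non-JWT access tokens (presumably why it is needed); 'none' switches off the proxy's own verification of the access token, do NOT use it in production`. Two of the active values in this hunk are also not usable as shipped: `OC_OIDC_CLIENT_ID="{{ item.oc_oidc_client_id }}"` is an Ansible/Jinja placeholder that compose passes to the container verbatim, and `PROXY_CSP_CONFIG_FILE_LOCATION="/etc/ocis/csp.yaml"` points at a path that nothing in this series mounts into the container (and keeps the old `ocis` name). Both should be left unset or given a real value; patch 5/5 of this series drops them again, which confirms they were not meant to ship.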
+++ b/idm/external-idp.yml 
@@ -17,14 +17,14 @@ services:
 OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
 OC_OIDC_CLIENT_SCOPES: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-openid profile email roles offline_access}
 PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-roles}
- WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID:-web}
- WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPE:-openid profile email}
- WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID:-OpenCloudAndroid}
- WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPE:-openid profile email offline_access}
- WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID:-OpenCloudIOS}
- WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPE:-openid profile email offline_access}
- WEBFINGER_DESKTOP_OIDC_CLIENT_ID: ${WEBFINGER_DESKTOP_OIDC_CLIENT_ID:-OpenCloudDesktop}
- WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES: ${WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPE:-openid profile email offline_access}
+ WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
+ WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
+ WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
+ WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
+ WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
+ WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
+ WEBFINGER_DESKTOP_OIDC_CLIENT_ID: ${WEBFINGER_DESKTOP_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
+ WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES: ${WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
 PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
 OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}
 # This specifies to start all services except idm and idp.
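Review bot: The nested fallback `${WEBFINGER_WEB_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}` falls back to the host variable, not to the value the context line above resolves for the container: with `OC_OIDC_CLIENT_ID` unset in `.env`, the container gets `OC_OIDC_CLIENT_ID=web` from `${OC_OIDC_CLIENT_ID:-web}` but `WEBFINGER_WEB_OIDC_CLIENT_ID=` empty, so on a default deployment the webfinger document presumably advertises an empty client id for every client type while the web client itself uses `web`; the same applies to all eight new lines. The inner default needs to be repeated, e.g. `${WEBFINGER_WEB_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID:-web}}` and `${WEBFINGER_WEB_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES:-openid profile email roles offline_access}}`, so an untouched `.env` still yields a consistent set. Nested `${…:-${…}}` also requires a compose implementation that supports nested interpolation, which is worth stating in the file header so older installs fail loudly rather than with a literal `${OC_OIDC_CLIENT_ID}` as client id. The `environment:` mapping continues outside the hunk, and the hunk's last context line is cut across the next source line.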
These are replaced by external services.
From 5998ffbc96099596f1819b30c2845a7157ee1b58 Mon Sep 17 00:00:00 2001
From: MannixTT
Date: Sun, 26 Apr 2026 20:52:38 +0200
Subject: [PATCH 4/5] Update external-idp.yml Changes made based on the comments in the pull request following the reviews
---
 idm/external-idp.yml | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/idm/external-idp.yml b/idm/external-idp.yml
index 60c84a24..fb668893 100644
--- a/idm/external-idp.yml
+++ b/idm/external-idp.yml
@@ -14,17 +14,17 @@ services:
 GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
 FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
 PROXY_OIDC_REWRITE_WELLKNOWN: "true"
- OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
- OC_OIDC_CLIENT_SCOPES: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-openid profile email roles offline_access}
+ OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID}
+ OC_OIDC_CLIENT_SCOPES: ${OC_OIDC_CLIENT_SCOPES}
 PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-roles}
- WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
- WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
- WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
- WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
- WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
- WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
- WEBFINGER_DESKTOP_OIDC_CLIENT_ID: ${WEBFINGER_DESKTOP_OIDC_CLIENT_ID:-${OC_OIDC_CLIENT_ID}}
- WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES: ${WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES:-${OC_OIDC_CLIENT_SCOPES}}
+ WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID}
+ WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPES}
+ WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID}
+ WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES}
+ WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID}
+ WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPES}
+ WEBFINGER_DESKTOP_OIDC_CLIENT_ID: ${WEBFINGER_DESKTOP_OIDC_CLIENT_ID}
+ WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES: ${WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES}
 PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}
 # This specifies to start all services except idm and idp. These are replaced by external services.
@@ -56,7 +56,6 @@ services:
 ldap-server:
 image: bitnamilegacy/openldap:2.6
 # Bitnami images require GID 0 to write to internal socket and PID directories
- user: ${LDAP_UID_GID:-1000:0}
 networks:
 opencloud-net:
 entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
From c3caf7e65bfc4635e86287426a9e82fb436e0333 Mon Sep 17 00:00:00 2001
From: MannixTT
Date: Sun, 26 Apr 2026 20:53:30 +0200
Subject: [PATCH 5/5] Update .env.example Changes made based on the comments in the pull request following the reviews
---
 .env.example | 16 +++++++--------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/.env.example b/.env.example
index 515816ca..eadda8b7 100644
--- a/.env.example
+++ b/.env.example
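Review bot: Dropping every `:-` default means a variable that is unset in `.env` is interpolated to the empty string and still exported into the container (compose warns and continues), so `OC_OIDC_CLIENT_ID`, `OC_OIDC_CLIENT_SCOPES` and all eight `WEBFINGER_*` variables arrive empty on a fresh deployment — and the `.env.example` in this series leaves exactly those commented out or blank. Whether OpenCloud treats an empty environment value as "unset, use the built-in default" or as a literal empty client id / empty scope list is not visible here; if it is the latter, the proxy is configured with no client id and no scopes, which at best breaks login and at worst drops the scope that presumably carries the claim `PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"` assigns roles from. Either restore the previous defaults (`${OC_OIDC_CLIENT_ID:-web}`) or make the values mandatory so a missing one is a startup error instead of an empty string, e.g. `OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:?set OC_OIDC_CLIENT_ID in .env}` and the same `:?` form for `OC_OIDC_CLIENT_SCOPES`. The `environment:` mapping continues outside the hunk, whose first line sits on the previous source line.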
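Review bot: The comment `# Bitnami images require GID 0 to write to internal socket and PID directories` is left standing above nothing once the `user: ${LDAP_UID_GID:-1000:0}` line it explained is removed, so the next reader will look for a `user:`/group setting that no longer exists and may re-add one. Drop the comment together with the line, or replace it with a statement about what the service now runs as — e.g. `# runs as the image's default user, which already carries GID 0 for the socket/PID dirs` — but only if that is actually true for `bitnamilegacy/openldap:2.6`, which this hunk does not show. The `ldap-server:` service definition continues past the hunk.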
@@ -313,16 +313,14 @@ IDP_DOMAIN=
 IDP_ISSUER_URL=
 # Url of the account edit page from your Identity Provider.
 IDP_ACCOUNT_URL=
-# Global Client ID, you can overwrite it by defining a client specific client id
-OC_OIDC_CLIENT_ID="{{ item.oc_oidc_client_id }}"
+# Global Client ID: You can override this by specifying a custom client ID, or leave it blank to use the OC defaults, as described in the documentation
+#OC_OIDC_CLIENT_ID=
 # Declares which property should be used for the oidc claim
-PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM="roles"
-# claim_role to opencloud mapping
-OC_OIDC_CLIENT_SCOPES="openid profile email roles offline_access"
-# Unfortunetely needed at the moment (be careful to set it to none in prod)
-# PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
-# Allow OpenCloud, to show Authentik Login-Frame
-PROXY_CSP_CONFIG_FILE_LOCATION="/etc/ocis/csp.yaml"
+# Example: "roles"
+PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=
+# Defines the OIDC client scope
+# Example: "openid profile email roles"
+OC_OIDC_CLIENT_SCOPES=
 # Client specific environment vars
 #WEBFINGER_WEB_OIDC_CLIENT_ID=
 #WEBFINGER_WEB_OIDC_CLIENT_SCOPES=
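Review bot: `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=` and `OC_OIDC_CLIENT_SCOPES=` are shipped as active empty assignments while `#OC_OIDC_CLIENT_ID=` is commented out, and the new comment promises that leaving the value blank "uses the OC defaults"; nothing in this series shows that OpenCloud treats an empty environment value as unset, and the compose file in this series (patch 4/5) passes `${OC_OIDC_CLIENT_SCOPES}` through with no `:-` default, so a blank here arrives in the container as an empty scope list. Make the three lines consistent — comment all of them out, `#PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=` and `#OC_OIDC_CLIENT_SCOPES=` — and either remove the "OC defaults" claim or back it with a pointer to where the defaults are documented. The claim named here is, going by the `PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"` setting in the compose file, the source of OpenCloud role assignment (presumably including the admin role), which the comment should say so operators lock it down on the IdP side, e.g. `# Values of this claim decide the OpenCloud role of the user; make sure only your IdP's role mapper can populate it`. The hunk also deletes the only guidance on `PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD` without replacing it, so an operator whose IdP needed that setting now gets no hint at all.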