add oidc scopes

charts/ocis/docs/values-desc-table.adoc

@@ -678,12 +678,6 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `"userid"`
 | Attribute mapping of for the userIDClaim. Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in  `...ldap.user.schema.mail`. Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.userName`.
-| features.externalUserManagement.oidc.webClientID
-a| [subs=-attributes]
-+string+
-a| [subs=-attributes]
-`"web"`
-| Specify the client ID which the web frontend will use
 | features.gdprReport.integrations.keycloak.basePath
 a| [subs=-attributes]
 +string+
@@ -4500,6 +4494,30 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `""`
 | URI where the feedback link points. Uses the ownCloud default href if empty.
+| services.web.config.oidc.loginURL
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`nil`
+| Specifies the target url valid for the logged out / access denied page.
+| services.web.config.oidc.postLogoutRedirectURI
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`""`
+| URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
+| services.web.config.oidc.webClientID
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"web"`
+| Specify the client ID which the web frontend will use
+| services.web.config.oidc.webClientScope
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"openid profile email"`
+| OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc.
 | services.web.config.previewFileMimeTypes
 a| [subs=-attributes]
 +list+

charts/ocis/docs/values.adoc.yaml

@@ -406,8 +406,6 @@ features:
       # -- Link to the OIDC provider's user accessible account editing page. This will be shown to the user on the personal account page.
       # When using Keycloak with the a realm named "ocis" this could point to eg. https://keycloak.owncloud.test/realms/ocis/account/
       editAccountLink: ""
-      # -- Specify the client ID which the web frontend will use
-      webClientID: web
       # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server.
       userIDClaim: ocis.user.uuid
       # -- Attribute mapping of for the userIDClaim.
@@ -2267,10 +2265,15 @@ services:
         # -- Name of the theme you provide via `configRefs.webThemeConfigRef` and `configRefs.webThemeAssetsConfigRef`.
         # If you change this when providing a custom theme, you must also change `theme.path`.
         themeNameConfigRefs: "owncloud"
-      # URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
-      postLogoutRedirectURI: ""
-      # Specifies the target url valid for the logged out / access denied page.
-      loginURL:
+      oidc:
+        # -- OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc.
+        webClientScope: "openid profile email"
+        # -- Specify the client ID which the web frontend will use
+        webClientID: web
+        # -- URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
+        postLogoutRedirectURI: ""
+        # -- Specifies the target url valid for the logged out / access denied page.
+        loginURL:
       # Defines whether one ore more filters must be set in order to list users in the Web admin settings.
       userListRequiresFilter: false
       # Embed mode settings

charts/ocis/templates/web/deployment.yaml

@@ -56,9 +56,10 @@ spec:
             {{- else }}
               value: {{ .Values.features.externalUserManagement.oidc.issuerURI | quote }}
             {{- end }}
-
             - name: WEB_OIDC_CLIENT_ID
-              value: {{ .Values.features.externalUserManagement.oidc.webClientID | quote }}
+              value: {{ .Values.services.web.config.oidc.webClientID | quote }}
+            - name: WEB_OIDC_SCOPE
+              value: {{ .Values.services.web.config.oidc.webClientScope | quote }}
 
             - name: WEB_UI_THEME_SERVER
             {{- if .Values.services.web.config.theme.server }}
@@ -132,12 +133,12 @@ spec:
               value: {{ . | quote }}
             {{- end }}
 
-            {{- with .Values.services.web.config.postLogoutRedirectURI }}
+            {{- with .Values.services.web.config.oidc.postLogoutRedirectURI }}
             - name: WEB_OIDC_POST_LOGOUT_REDIRECT_URI
               value: {{ . | quote }}
             {{- end }}
 
-            {{- with .Values.services.web.config.loginURL }}
+            {{- with .Values.services.web.config.oidc.loginURL }}
             - name: WEB_OPTION_LOGIN_URL
               value: {{ . | quote }}
             {{- end }}

charts/ocis/values.yaml

@@ -405,8 +405,6 @@ features:
       # -- Link to the OIDC provider's user accessible account editing page. This will be shown to the user on the personal account page.
       # When using Keycloak with the a realm named "ocis" this could point to eg. https://keycloak.owncloud.test/realms/ocis/account/
       editAccountLink: ""
-      # -- Specify the client ID which the web frontend will use
-      webClientID: web
       # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server.
       userIDClaim: ocis.user.uuid
       # -- Attribute mapping of for the userIDClaim.
@@ -2266,10 +2264,15 @@ services:
         # -- Name of the theme you provide via `configRefs.webThemeConfigRef` and `configRefs.webThemeAssetsConfigRef`.
         # If you change this when providing a custom theme, you must also change `theme.path`.
         themeNameConfigRefs: "owncloud"
-      # URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
-      postLogoutRedirectURI: ""
-      # Specifies the target url valid for the logged out / access denied page.
-      loginURL:
+      oidc:
+        # -- OIDC scopes to request during authentication to authorize access to user details. Defaults to ‘openid profile email’. Values are separated by blank. More example values but not limited to are ‘address’ or ‘phone’ etc.
+        webClientScope: "openid profile email"
+        # -- Specify the client ID which the web frontend will use
+        webClientID: web
+        # -- URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
+        postLogoutRedirectURI: ""
+        # -- Specifies the target url valid for the logged out / access denied page.
+        loginURL:
       # Defines whether one ore more filters must be set in order to list users in the Web admin settings.
       userListRequiresFilter: false
       # Embed mode settings

deployments/external-user-management/helmfile.yaml

@@ -352,7 +352,6 @@ releases:
             adminUUID: "ddc2004c-0977-11eb-9d3f-a793888cd0f8"
             oidc:
               issuerURI: https://keycloak.kube.owncloud.test/realms/oCIS
-              webClientID: web
               userIDClaim: ocis.user.uuid
               userIDClaimAttributeMapping: userid
 
@@ -392,6 +391,9 @@ releases:
           web:
             persistence:
               enabled: true
+            config:
+              oidc:
+                webClientID: web
 
       - extraResources:
           - |