fix: add OIDC_SCOPE env var and document it across all config files

Fixes #306 — OIDC scopes were hardcoded to 'openid email profile', causing OIDC_ADMIN_CLAIM-based role mapping to fail when the required scope (e.g. 'groups') wasn't requested. The new OIDC_SCOPE variable defaults to 'openid email profile groups' so group-based admin mapping works out of the box. Variable is now documented in README, docker-compose, .env.example, and the Helm chart values.
2026-04-02 07:46:27 +02:00
parent b1cca15f6f
commit 32b63adc68
5 changed files with 11 additions and 1 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -31,6 +31,9 @@ services:
 #      - OIDC_CLIENT_SECRET=supersecret # OpenID Connect client secret
 #      - OIDC_DISPLAY_NAME=SSO # Label shown on the SSO login button
 #      - OIDC_ONLY=false # Set true to disable local password auth entirely (SSO only)
+#      - OIDC_ADMIN_CLAIM=groups # OIDC claim used to identify admin users
+#      - OIDC_ADMIN_VALUE=app-trek-admins # Value of the OIDC claim that grants admin role
+#      - OIDC_SCOPE=openid email profile groups # Space-separated OIDC scopes to request (must include scopes for any claim used by OIDC_ADMIN_CLAIM)
 #      - OIDC_DISCOVERY_URL= # Override the OIDC discovery endpoint for providers with non-standard paths (e.g. Authentik)
 #      - ADMIN_EMAIL=admin@trek.local # Initial admin e-mail — only used on first boot when no users exist
 #      - ADMIN_PASSWORD=changeme      # Initial admin password — only used on first boot when no users exist