feat(config): expose openid-connect via OWNCLOUD_OPENID_CONNECT#519
Conversation
The openidconnect app's 'openid-connect' config key had no corresponding env var, so OIDC could not be configured through the image's env-based config mechanism (only the unrelated OWNCLOUD_ENABLE_OIDC_REWRITE_URL Apache toggle existed). Add OWNCLOUD_OPENID_CONNECT, a JSON-encoded object decoded into $config['openid-connect']. The key is a deeply nested associative array (provider-url, client-id/secret, scopes, provider-params, auto-provision, ...) that the flat env-var idioms cannot represent, so it reuses the json_decode pattern already used for OWNCLOUD_LOG_CONDITIONS and OWNCLOUD_USER_BACKENDS. Invalid JSON is ignored, leaving the key unset. Added to v24.04 only, matching the convention that v20.04/v22.04 are frozen. Closes #492 Co-Authored-By: Claude Opus 4.8 <[email protected]> Signed-off-by: Thomas Müller <[email protected]>
Code ReviewOverviewAdds Correctness — verified against the appI traced the consuming code in
One nit for the PR description (not the code): "The app itself Conventions — clean
Security
Test coverage
VerdictCorrect, convention-aligned, and verified against the consuming app's actual read path. Approve. Only optional polish: tighten the two wording points above (app decode path; "frozen" v22.04) and optionally note the secret-handling caveat in the docs. |
Summary
Adds an environment variable for the
openidconnectapp'sopenid-connectconfig key, which had no env-var mapping — OIDC could only be configured by mounting a customconfig.phpor viaocc. (The pre-existingOWNCLOUD_ENABLE_OIDC_REWRITE_URLis an unrelated Apache rewrite toggle, not the app config.)Requested in #492 — reopened by @DeepDiver1975 confirming the mapping is still needed.
Details
OWNCLOUD_OPENID_CONNECT— a JSON-encoded object decoded into$config['openid-connect']:openid-connectis a deeply nested associative array (scopes,provider-params,auto-provision.update, ...) that the flat env-var idioms cannot represent. Decoding to an array here is required, not just convenient:Client::getOpenIdConfig()(lib/Client.php) reads the system-config value viagetSystemValue('openid-connect', null)and consumes it directly with array access (['auto-provision'],['mode'], ...) — the app onlyjson_decodes the app-value (DB) path, so a raw JSON string in system config would break it. We reuse thejson_decode+is_arrayguard pattern already established forOWNCLOUD_LOG_CONDITIONS/OWNCLOUD_USER_BACKENDS. Invalid JSON is ignored, leaving the key unset.owncloud/openidconnectapp source (lib/Client.php, app README) and the OIDC admin docs.OWNCLOUD_USER_BACKENDSMissing envvar for 'user_backends' #490,OWNCLOUD_LOGIN_POLICY_GROUP_FORBID_MAPMissing envvar for loginPolicy.groupLoginPolicy.forbidMap #493,OWNCLOUD_CUSTOMGROUPS_*Missing envvars for customgroups.xxx configurations #491) all landed inv24.04only;v20.04/v22.04retain their older vars but no longer receive new ones, and CI builds only22.04/24.04.Verification
php -lpasses.php -rdumping$CONFIG['openid-connect']: a nested payload (scopeslist,provider-params,auto-provision.update) round-trips intact; key is absent when the var is unset; invalid JSON safely falls back to unset.Closes #492
🤖 Generated with Claude Code