X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/f32cfb4292f7e3b723b5f99aab17d0f3989c93b7..refs/pull/5676/head:/app/Config/oidc.php

diff --git a/app/Config/oidc.php b/app/Config/oidc.php
index ed9302d10..16bec873c 100644
--- a/app/Config/oidc.php
+++ b/app/Config/oidc.php
@@ -35,16 +35,24 @@ return [
     // OAuth2 endpoints.
     'authorization_endpoint' => env('OIDC_AUTH_ENDPOINT', null),
     'token_endpoint'         => env('OIDC_TOKEN_ENDPOINT', null),
+    'userinfo_endpoint'      => env('OIDC_USERINFO_ENDPOINT', null),
 
     // OIDC RP-Initiated Logout endpoint URL.
-    // A null value gets the URL from discovery, if active.
     // A false value force-disables RP-Initiated Logout.
-    'end_session_endpoint' => env('OIDC_END_SESSION_ENDPOINT', null),
+    // A true value gets the URL from discovery, if active.
+    // A string value is used as the URL.
+    'end_session_endpoint' => env('OIDC_END_SESSION_ENDPOINT', false),
 
     // Add extra scopes, upon those required, to the OIDC authentication request
     // Multiple values can be provided comma seperated.
     'additional_scopes' => env('OIDC_ADDITIONAL_SCOPES', null),
 
+    // Enable fetching of the user's avatar from the 'picture' claim on login.
+    // Will only be fetched if the user doesn't already have an avatar image assigned.
+    // This can be a security risk due to performing server-side fetching (with up to 3 redirects) of
+    // data from external URLs. Only enable if you trust the OIDC auth provider to provide safe URLs for user images.
+    'fetch_avatar' => env('OIDC_FETCH_AVATAR', false),
+
     // Group sync options
     // Enable syncing, upon login, of OIDC groups to BookStack roles
     'user_to_groups' => env('OIDC_USER_TO_GROUPS', false),