Add optional OIDC avatar fetching from the “picture” claim

[bookstack] / app / Config / oidc.php

diff --git a/app/Config/oidc.php b/app/Config/oidc.php
index 7f8f40d419090af498907ee4bb2b8c59dee6e926..62f19a119c04bc222d30052a242e5adb2fbcc180 100644 (file)
--- a/app/Config/oidc.php
+++ b/app/Config/oidc.php
@@ -35,6 +35,7 @@ return [
     // OAuth2 endpoints.
     'authorization_endpoint' => env('OIDC_AUTH_ENDPOINT', null),
     'token_endpoint'         => env('OIDC_TOKEN_ENDPOINT', null),
+    'userinfo_endpoint'      => env('OIDC_USERINFO_ENDPOINT', null),
 
     // OIDC RP-Initiated Logout endpoint URL.
     // A false value force-disables RP-Initiated Logout.
@@ -53,4 +54,7 @@ return [
     'groups_claim' => env('OIDC_GROUPS_CLAIM', 'groups'),
     // When syncing groups, remove any groups that no longer match. Otherwise, sync only adds new groups.
     'remove_from_groups' => env('OIDC_REMOVE_FROM_GROUPS', false),
+
+    // When enabled, BookStack will fetch the user’s avatar from the 'picture' claim (SSRF risk if URLs are untrusted).
+    'fetch_avatars' => env('OIDC_FETCH_AVATARS', false),
 ];