]> BookStack Code Mirror - website/blobdiff - content/docs/admin/oidc-auth.md
projects / website / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Completed first writing pass on blogpost and docs text
[website] / content / docs / admin / oidc-auth.md
diff --git a/content/docs/admin/oidc-auth.md b/content/docs/admin/oidc-auth.md
index a0ea0005ac879ce39b2330a2278606b0eaa15057..fa6fe7363cae3b1e4b5010ca7b771403ebb5114f 100644 (file)
--- a/content/docs/admin/oidc-auth.md
+++ b/content/docs/admin/oidc-auth.md
@@ -75,6 +75,14 @@ OIDC_ISSUER=https://instance.authsystem.example.com
 # Otherwise, this can be set as a specific URL endpoint.
 OIDC_END_SESSION_ENDPOINT=false
 
 # Otherwise, this can be set as a specific URL endpoint.
 OIDC_END_SESSION_ENDPOINT=false
 
+# Enable fetching of the user's avatar from the 'picture' claim on login.
+# Will only be fetched if the user doesn't already have an avatar image assigned.
+# By default this is false which disables avatar fetching. Set to 'true' to enable.
+# WARNING: This can be a security risk due to performing server-side fetching 
+# (with up to 3 redirects) of data from external URLs. Only enable if you
+# trust the OIDC auth provider to provide safe URLs for user images.
+OIDC_FETCH_AVATAR=false
+
 # Enable auto-discovery of endpoints and token keys.
 # As per the standard, expects the service to serve a 
 # `<issuer>/.well-known/openid-configuration` endpoint.
 # Enable auto-discovery of endpoints and token keys.
 # As per the standard, expects the service to serve a 
 # `<issuer>/.well-known/openid-configuration` endpoint.
The source for the BookStack website, docs and blog.