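#-------------------------------------------------------------------------------------
# oidc Extension
#-------------------------------------------------------------------------------------
#-# Conventions used in this block: "#-#" lines are documentation, "# key=value" lines are
#-# commented-out defaults/examples. A "#" that follows a value on the same line is NOT a
#-# comment in Java properties files; it becomes part of the value.

#-# The base URL of the OpenId Connect Provider to use as starting point to discover the provider configuration.
#-# See the following endpoint properties if the provider does not support OpenID Connect discovery.
#-# If not indicated and no custom endpoint is provided, it will be asked to the user.
#-# NOTE(review): the endpoints below use "/oauth2/v2.0/..." paths while this base URL does not; confirm both
#-# refer to the same provider configuration.
oidc.provider=https://login.microsoftonline.com/xxxxxx/oauth2

#-# The generic OpenId Connect endpoints to use to communicate with the provider.
#-# Not needed in case of XWiki based provider.
oidc.endpoint.authorization=https://login.microsoftonline.com/xxxxxx/oauth2/v2.0/authorize
oidc.endpoint.token=https://login.microsoftonline.com/xxxxxx/oauth2/v2.0/token
# oidc.endpoint.userinfo=https://graph.microsoft.com/v1.0/me?$select=id,mailNickname,jobTitle,givenName
# oidc.endpoint.logout=https://xwikiorg-node1.xwikisas.com/xwiki/oidc/logout

#-# It's possible to add custom HTTP headers to the endpoint (generally only needed for bad or non-oidc providers)
#-# by adding the suffix ".headers" to the endpoint property key and listing the custom headers using key:value format.
#-# Note that it's not taken into account for the oidc.endpoint.authorization endpoint because it's used as a redirect.
#-# Here is an example to send "Accept: application/json" and "SomeOtherHeader: header" HTTP headers with the userinfo request.
# oidc.endpoint.userinfo.headers=Accept:application/json
# oidc.endpoint.userinfo.headers="sub":"test"

#-# The scopes to use when redirecting to the provider
#-# The standard OpenID Connect scopes are:
#-# * openid: Informs the authorisation server that the client is making an OpenID Connect request (REQUIRED).
#-# * profile: Requests that access to the end-user's default profile claims at the UserInfo endpoint be granted by the issued access token.
#-# * email: Requests that access to the email and email_verified claims at the UserInfo endpoint be granted by the issued access token.
#-# * address: Requests that access to the address claim at the UserInfo endpoint be granted by the issued access token.
#-# * phone: Requests that access to the phone_number and phone_number_verified claims at the UserInfo endpoint be granted by the issued access token.
#-# * offline_access: Requests that an OAuth 2.0 refresh token be issued that can be used to obtain an access token that grants access to the end-user's UserInfo endpoint even when the user is not present (not logged in).
#-#
#-# But depending on the provider more can be listed.
#-#
#-# The default is: openid,profile,email,address,phone
#-# Only the scopes actually needed are requested here (least privilege); the unused ones are kept on a
#-# separate comment line, not appended after the value, since a trailing "#" is not a comment.
oidc.scope=openid,profile,email
#,address,phone

#-# The method used to access the userinfo endpoint.
#-#
#-# Supported values are:
#-# * GET: use GET HTTP method
#-# * POST: use POST HTTP method
#-#
#-# The default is:
# oidc.endpoint.userinfo.method=GET

#-# The pattern to use to generate the XWiki user name.
#-#
#-# The following variables are available:
#-#   oidc.user.subject: the unique id of the user in the provider
#-#   oidc.user.mail: the mail of the user
#-#   oidc.user.familyName: the last name of the user
#-#   oidc.user.givenName: the first name of the user
#-#   oidc.user.preferredUsername: the recommended string to use as id for the user
#-#   oidc.provider: the URL of the XWiki provider (only when a XWiki provider is used)
#-#   oidc.provider.host: the host of the provider URL
#-#   oidc.provider.path: the path of the provider URL
#-#   oidc.provider.protocol: the protocol (usually https) of the provider URL
#-#   oidc.provider.port: the port of the provider URL
#-#   oidc.issuer: the issuer URI
#-#   oidc.issuer.host: the host of the issuer URI
#-#   oidc.issuer.path: the path of the issuer URI
#-#   oidc.issuer.scheme: the scheme (usually https) of the issuer URI
#-#   oidc.issuer.port: the port of the issuer URI
#-#
#-# The entire userinfo JSON received from the provider is also available using prefix "oidc.user.".
#-# For example if the provider sends the following JSON for the user info:
#-# {
#-#   "sub" : "248289761001",
#-#   "name" : "Jane Doe",
#-#   "given_name" : "Jane",
#-#   "family_name" : "Doe",
#-#   "preferred_username" : "j.doe",
#-#   "email" : "janedoe@example.com",
#-#   "picture" : "http://example.com/janedoe/me.jpg",
#-#   "customoject" :
#-#   {
#-#     "customproperty" : "customvalue"
#-#   }
#-# }
#-# you can use the variable ${oidc.user.customoject.customproperty}.
#-#
#-# Same idea, since version 2.3.0, the entire ID Token JSON received from the provider is also available using prefix "oidc.idtoken.".
#-#
#-# The following suffixes can be added:
#-# * "._lowerCase": the lower case version of the string
#-# * "._upperCase": the upper case version of the string
#-# * "._clean": a version of the string stripped from ".", ":", ",", "@", "^" characters and "\s" (all forms of white spaces).
#-#   It can itself be suffixed with "._lowerCase" and "._upperCase".
#-#
#-# The variable syntax also has other features (fallback value, etc.) detailed on https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/StringSubstitutor.html.
#-#
#-# The default is:
oidc.user.nameFormater=${oidc.user.preferredUsername._clean}

#-# The pattern to use to generate the unique identifier of the user in the OpenId Connect provider.
#-# It is used to avoid collisions between users having similar names.
#-#
#-# The syntax is the same as the one described for the oidc.user.nameFormater property.
#-# NOTE(review): the example below has no ${...} around the variable, unlike oidc.user.nameFormater;
#-# confirm against the extension documentation whether it is expanded or taken literally.
#-#
#-# The default is:
#oidc.user.subjectFormater=oidc.user.mail

#-# It's possible to associate non standard properties coming from the OpenID Connect provider with the XWiki user.
#-# It's a map with the name of the XWiki user property and a format similar to the one defined in oidc.user.nameFormater for the OpenID Connect side.
#-#
# oidc.user.mapping=myxproperty1=${oidc.user.subject}
# oidc.user.mapping=myxproperty2=myprefix-${oidc.user.subject}

#-# The rights each new user should have on its own profile as a comma (only comma, no white space allowed) separated list. Setting a right also implies that all the other users don't have it.
#-# For example if you want that only users have view right on their profile but they can modify their own profile you could use:
#-# NOTE(review): the key name below repeats the "oidc.user." prefix; confirm the exact key against the extension documentation.
# oidc.user.oidc.user.ownProfileRights=view,edit
#-#
#-# The default is (user profiles are viewable by all users by default and it's possible to edit one's own profile):
# oidc.user.oidc.user.ownProfileRights=edit

#-# The custom claims to request from the provider for the id token.
#-#
#-# The default is:
# oidc.idtokenclaims=xwiki_instance_id

#-# The name of the claim used to get the list of groups the user belongs to.
#-# This claim also needs to be listed in oidc.userinfoclaims, which controls whether group membership synchronization is enabled or not.
#-#
#-# It's also possible to use a custom property from the userinfo JSON.
#-# For example if the provider sends the following JSON for the user info:
#-# {
#-#   "sub" : "248289761001",
#-#   "name" : "Jane Doe",
#-#   "given_name" : "Jane",
#-#   "family_name" : "Doe",
#-#   "preferred_username" : "j.doe",
#-#   "email" : "janedoe@example.com",
#-#   "picture" : "http://example.com/janedoe/me.jpg",
#-#   "customoject" :
#-#   {
#-#     "customgroups" : ["group1", "group2"]
#-#   }
#-# }
#-# you can use:
# oidc.groups.claim=customoject.customgroups
#-#
#-# The default is:
# oidc.groups.claim=xwiki_groups

#-# Receiving a groups list is enough to enable group synchronization but you might need to configure XWiki group names different from the remote group names.
#-# It's also required to indicate which field contains the list of groups (that's not an OpenID Connect standard) using the oidc.groups.claim property.
#-# The same XWiki group may be mapped from several remote groups by repeating the key.
#-#
# oidc.groups.mapping=MyXWikiGroup=my-oidc-group
# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group3

#-# The groups the user needs to belong to in order to be allowed to authenticate.
#-# Not taken into account if not set or empty.
#-# Leaving this empty means every account the provider authenticates can log in; restrict it where the tenant is shared.
#-#
# oidc.groups.allowed=

#-# If the user belongs to one of these groups they won't be allowed to authenticate.
#-# Not taken into account if not set or empty.
#-#
# oidc.groups.forbidden=

#-# If set, only group names with this prefix will be provisioned.
#-# Not taken into account if not set or empty.
#-#
# oidc.groups.prefix=

#-# If the identity provider returns group memberships as a single value attribute delimited with a char, for example:
#-# {
#-#   "sub" : "248289761001",
#-#   "name" : "Jane Doe",
#-#   "given_name" : "Jane",
#-#   "family_name" : "Doe",
#-#   "preferred_username" : "j.doe",
#-#   "email" : "janedoe@example.com",
#-#   "picture" : "http://example.com/janedoe/me.jpg",
#-#   "groups" : "group1,group2"
#-# }
#-# you can set here the separator char to get the list of groups the user belongs to.
#-# If not set, group memberships are evaluated as a multi valued attribute.
#-#
# oidc.groups.separator=

#-# The custom claims to request from the provider for the UserInfo.
#-#
#-# The available custom claims are:
#-#   xwiki_groups (or whatever you indicated in oidc.groups.claim): the groups a user belongs to in the provider (see "Group synchronization" section for more details)
#-#   xwiki_user_: the prefix to use to request any field in the user profile document (generally when the provider is XWiki)
#-#
#-# The default is:
# oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype

#-# The time after which the user information should be refreshed (in milliseconds).
#-# Group membership changes at the provider are only picked up on refresh, so this also bounds how long
#-# a revoked membership stays effective in XWiki.
#-#
#-# The default is:
# oidc.userinforefreshrate=600000

#-# The client identifier used by the authentication.
#-# The default is the identifier of the XWiki instance.
oidc.clientid=xxxxxx

#-# The client secret (optionally) registered on the provider.
#-# By default nothing is sent to the provider.
#-# This value is stored in clear text: keep this file readable only by the service account and out of version control.
oidc.secret=xxxxxx

#-# How to send the client id and secret.
#-#
#-# Supported values are:
#-# * client_secret_basic: the id and the secret are sent using BASIC auth header
#-# * client_secret_post: the id and the secret are sent in the request body
#-#
#-# The default is:
# oidc.endpoint.token.auth_method=client_secret_basic

#-# The token to send along with the registration request to the provider.
#-#
# oidc.endpoint.register.token=

#-# Configure the in-wiki OIDC configuration
#-#
#-# Define the name of the default wiki OIDC configuration to be used for client authentication.
#-# If no configuration with such name is found, the authenticator will rely only on the configuration keys declared in
#-# this file.
#-#
#-# The default is:
# oidc.defaultClientConfiguration=default
#-#
#-# When using in-wiki OIDC configuration, it is possible to define multiple configurations that can be selected by
#-# the end user through a cookie indicating the name of the configuration to be used. You can control the name of
#-# this cookie with the following configuration.
#-#
# oidc.clientConfigurationCookie=oidcProvider

#-# Define if user accounts should be enabled (marked as active) on first login.
#-#
# oidc.enableUser=true

#-# Disable the OpenId Connect authenticator.
#-#
#-# The default is:
# oidc.skipped=false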