From 8e5f22a87e54be5d59e583cd65bbdd66311c90ee Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Thu, 29 May 2025 16:22:28 +0200
Subject: [PATCH] authelia: update stopped providing claims in response

This adds the default claim policy, which can be used to provide the past behaviour for this. Services that require this still needs to be identified.
---
 machines/gerd/services/authelia/authelia.nix | 14 ++++++++++++++
 machines/gerd/services/nextcloud.nix | 1 +
 machines/gerd/services/rallly/default.nix | 1 +
 3 files changed, 16 insertions(+)

diff --git a/machines/gerd/services/authelia/authelia.nix b/machines/gerd/services/authelia/authelia.nix
index 90e3cdb..a1bac9e 100644
--- a/machines/gerd/services/authelia/authelia.nix
+++ b/machines/gerd/services/authelia/authelia.nix
@@ -90,6 +90,20 @@ in {
 user = config.mine.shared.settings.ldap.bind_dn;
 };
 };
+
+ # authelia have changed how the by-default handles auth, so in theory everything
+ # should contact the `userinfo` endpoint. but not everything does, which leads to us
+ # having to create a default policy for this
+ # https://github.com/pulsejet/nextcloud-oidc-login/issues/311#issuecomment-2763239352
+ identity_providers.oidc.claims_policies.default.id_token = [
+ "rat"
+ "groups"
+ "email"
+ "email_verified"
+ "alt_emails"
+ "preferred_username"
+ "name"
+ ];
 };
 };
diff --git a/machines/gerd/services/nextcloud.nix b/machines/gerd/services/nextcloud.nix
index cbc0400..349c759 100644
--- a/machines/gerd/services/nextcloud.nix
+++ b/machines/gerd/services/nextcloud.nix
@@ -223,6 +223,7 @@ in {
 client_secret = "$pbkdf2-sha512$310000$kLNQ/1A.uasSN4g8q94jUQ$8OKNUNNumHCh8dVG5/QWys7u.y1guqFXlrL.bMm7/HKTsWhpib/W.8qlU6VU7V1Be/h14Y.fJi3RLvbkEdo2kA";
 consent_mode = "implicit";
 redirect_uris = [ "https://${svc_domain}/apps/oidc_login/oidc" ];
+ claims_policy = "default";
 scopes = [
 "openid"
 "profile"
diff --git a/machines/gerd/services/rallly/default.nix b/machines/gerd/services/rallly/default.nix
index d6f4710..e58df59 100644
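Review bot: The comment above `identity_providers.oidc.claims_policies.default.id_token` should state that a claims policy only applies to clients that reference it through `claims_policy` (the nextcloud and rallly hunks do exactly that), so calling it `default` does not make it the default for every client — the name suggests otherwise. The list is also broad: `groups`, `alt_emails` and `email_verified` are copied back into the ID token of every opting-in client, which the upstream move to the `userinfo` endpoint was presumably meant to avoid, and the commit message itself says the services that actually need this are still to be identified; I would record that in the hunk, e.g. `# TODO: check each client against the userinfo endpoint and trim this list (or drop the policy) once it is no longer needed`. The first sentence of the comment is hard to parse (`how the by-default handles auth`); a clearer version would be `# Authelia no longer includes these claims in the ID token by default; clients are expected to call the userinfo endpoint. Some do not, so this policy restores them for the clients that opt in via claims_policy.` The enclosing attribute set starts outside the hunk.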
--- a/machines/gerd/services/rallly/default.nix
+++ b/machines/gerd/services/rallly/default.nix
@@ -106,6 +106,7 @@ in {
 client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
 consent_mode = "implicit";
 redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
+ claims_policy = "default";
 scopes = [
 "openid"
 "email"