---
services:
  opencloud:
    environment:
      # enable opaque access tokens
      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
      PROXY_OIDC_SKIP_VERIFICATION: "false"

      # oidc assignment driver currently doesn't work with the desktop client: https://github.com/opencloud-eu/desktop/issues/217
      PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"

      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
      WEB_OIDC_SCOPE: "openid profile email groups"