mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-11-27 22:38:39 +02:00

Merge branch 'master' into kamal/whitelist-redirects-with-ports

Kamal Nasser
2020-01-08 22:24:56 +02:00
committed by GitHub
14 changed files with 409 additions and 63 deletions

@@ -19,6 +19,7 @@ Valid providers are :
- [GitLab](#gitlab-auth-provider)
- [LinkedIn](#linkedin-auth-provider)
- [login.gov](#logingov-provider)
- [Nextcloud](#nextcloud-provider)
The provider can be selected using the `provider` configuration value.
@@ -156,6 +157,7 @@ OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many ma
3. Login with the fixture use in the dex guide and run the oauth2_proxy with the following args:
-provider oidc
-provider-display-name "My OIDC Provider"
-client-id oauth2_proxy
-client-secret proxy
-redirect-url http://127.0.0.1:4180/oauth2/callback
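Review bot: the inserted `-provider-display-name "My OIDC Provider"` line is consistent with the new table row, but the context line directly above the example reads "Login with the fixture use in the dex guide"; since this hunk already touches that example, fixing it to "fixture user" in the same change would be cheap.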
@@ -288,6 +290,32 @@ In this case, you can set the `-skip-oidc-discovery` option, and supply those re
-email-domain example.com
```
### Nextcloud Provider
The Nextcloud provider allows you to authenticate against users in your
Nextcloud instance.
When you are using the Nextcloud provider, you must specify the urls via
configuration, environment variable, or command line argument. Depending
on whether your Nextcloud instance is using pretty urls your urls may be of the
form `/index.php/apps/oauth2/*` or `/apps/oauth2/*`.
Refer to the [OAuth2
documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/oauth2.html)
to setup the client id and client secret. Your "Redirection URI" will be
`https://internalapp.yourcompany.com/oauth2/callback`.
```
-provider nextcloud
-client-id <from nextcloud admin>
-client-secret <from nextcloud admin>
-login-url="<your nextcloud url>/index.php/apps/oauth2/authorize"
-redeem-url="<your nextcloud url>/index.php/apps/oauth2/api/v1/token"
-validate-url="<your nextcloud url>/ocs/v2.php/cloud/user?format=json"
```
Note: in *all* cases the validate-url will *not* have the `index.php`.
## Email Authentication
To authorize by email domain use `--email-domain=yourcompany.com`. To authorize individual email addresses use `--authenticated-emails-file=/path/to/file` with one email per line. To authorize all email addresses use `--email-domain=*`.
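Review bot: the example hard-codes `/index.php/apps/oauth2/authorize` and `/index.php/apps/oauth2/api/v1/token` for `-login-url` and `-redeem-url`, while the paragraph two lines earlier says the paths are either `/index.php/apps/oauth2/*` or `/apps/oauth2/*` depending on pretty URLs; either show both variants or say in the example which form it assumes. The closing note "in *all* cases the validate-url will *not* have the `index.php`" would read better as a concrete statement: `-validate-url` stays `<your nextcloud url>/ocs/v2.php/cloud/user?format=json` whether or not pretty URLs are enabled. The "Redirection URI" sentence should also say that this value has to match the proxy's `-redirect-url` exactly, as in the OIDC example above. Minor: the flags mix `-client-id <value>` and `-login-url="<value>"` styles, "urls" should be "URLs", and "setup the client id" should read "set up the client ID".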

@@ -76,6 +76,7 @@ An example [oauth2_proxy.cfg]({{ site.gitweb }}/contrib/oauth2_proxy.cfg.example
| `-pass-user-headers` | bool | pass X-Forwarded-User and X-Forwarded-Email information to upstream | true |
| `-profile-url` | string | Profile access endpoint | |
| `-provider` | string | OAuth provider | google |
| `-provider-display-name` | string | Override the provider's name with the given string; used for the sign-in page | (depends on provider) |
| `-ping-path` | string | the ping endpoint that can be used for basic health checks | `"/ping"` |
| `-proxy-prefix` | string | the url root path that this proxy should be nested under (e.g. /`<oauth2>/sign_in`) | `"/oauth2"` |
| `-proxy-websockets` | bool | enables WebSocket proxying | true |
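Review bot: the new `-provider-display-name` row gives "(depends on provider)" as the default, which tells the reader nothing actionable; the description or default column should state what is shown when the flag is unset (the provider's built-in name) or point at the provider documentation. Placement after `-provider` is right; `-ping-path` is the row that is already out of alphabetical order, not the new one.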
@@ -106,7 +107,7 @@ An example [oauth2_proxy.cfg]({{ site.gitweb }}/contrib/oauth2_proxy.cfg.example
| `-standard-logging-format` | string | Template for standard log lines | see [Logging Configuration](#logging-configuration) |
| `-tls-cert-file` | string | path to certificate file | |
| `-tls-key-file` | string | path to private key file | |
| `-upstream` | string \| list | the http url(s) of the upstream endpoint or `file://` paths for static files. Routing is based on the path | |
| `-upstream` | string \| list | the http url(s) of the upstream endpoint, file:// paths for static files or `static://<status_code>` for static response. Routing is based on the path | |
| `-validate-url` | string | Access token validation endpoint | |
| `-version` | n/a | print version string | |
| `-whitelist-domain` | string \| list | allowed domains for redirection after authentication. Prefix domain with a `.` to allow subdomains (eg `.example.com`) | |
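Review bot: the rewritten `-upstream` row drops the backticks around `file://` that the previous version of the line had, while the new `static://<status_code>` is in code style; keep both in backticks. The `static://` form appears only in this table cell; since a static-response upstream behaves differently from an http upstream (the proxy answers with the given status code instead of forwarding the request), it deserves a sentence in the surrounding Configuration text or an entry in the `oauth2_proxy.cfg.example` that this hunk's context line references.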