From 1c9a3feb8d2600ee1ca4bcca6f0537cd4ca80e72 Mon Sep 17 00:00:00 2001 From: Chris Kanich Date: Wed, 7 May 2025 13:39:49 -0500 Subject: [PATCH 1/2] `OAUTH_UPDATE_PICTURE_ON_LOGIN` documentation --- docs/features/sso.md | 1 + docs/getting-started/env-configuration.md | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/docs/features/sso.md b/docs/features/sso.md index 0c764e48..9f2a6746 100644 --- a/docs/features/sso.md +++ b/docs/features/sso.md @@ -21,6 +21,7 @@ There are several global configuration options for OAuth: 1. `ENABLE_OAUTH_SIGNUP` - if `true`, allows accounts to be created when logging in with OAuth. Distinct from `ENABLE_SIGNUP`. 1. `OAUTH_MERGE_ACCOUNTS_BY_EMAIL` - allows logging into an account that matches the email address provided by the OAuth provider. - This is considered insecure as not all OAuth providers verify email addresses, and may allow accounts to be hijacked. +1. `OAUTH_UPDATE_PICTURE_ON_LOGIN` - if `true`, users will have OAuth-provided profile pictures updated on login. ### Google diff --git a/docs/getting-started/env-configuration.md b/docs/getting-started/env-configuration.md index 961eb9d5..28064093 100644 --- a/docs/getting-started/env-configuration.md +++ b/docs/getting-started/env-configuration.md @@ -2354,6 +2354,13 @@ address. This is considered unsafe as not all OAuth providers will verify email potential account takeovers. - Persistence: This environment variable is a `PersistentConfig` variable. +#### `OAUTH_UPDATE_PICTURE_ON_LOGIN` + +- Type: `bool` +- Default: `False` +- Description: If enabled, updates the local user profile picture with the OAuth-provided picture on login. +- Persistence: This environment variable is a `PersistentConfig` variable. + #### `WEBUI_AUTH_TRUSTED_EMAIL_HEADER` - Type: `str` From cfe0f8a0e61b9fe90b743b9302cf6348bd1f41ce Mon Sep 17 00:00:00 2001 
From: Chris Kanich Date: Wed, 7 May 2025 14:48:42 -0500 Subject: [PATCH 2/2] review changes --- docs/features/sso.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/features/sso.md b/docs/features/sso.md index 9f2a6746..42218bcd 100644 --- a/docs/features/sso.md +++ b/docs/features/sso.md @@ -22,6 +22,8 @@ There are several global configuration options for OAuth: 1. `OAUTH_MERGE_ACCOUNTS_BY_EMAIL` - allows logging into an account that matches the email address provided by the OAuth provider. - This is considered insecure as not all OAuth providers verify email addresses, and may allow accounts to be hijacked. 1. `OAUTH_UPDATE_PICTURE_ON_LOGIN` - if `true`, users will have OAuth-provided profile pictures updated on login. + - If the OAuth picture claim is disabled by setting `OAUTH_PICTURE_CLAIM` to the empty string, this configuration will be ignored. +1. `OAUTH_PICTURE_CLAIM` - can be used to customize or disable profile picture storage. The default, `picture`, will work for most providers; if set to the empty string, all users will receive the default person profile picture. ### Google
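Review bot: in the docs/features/sso.md hunk of PATCH 1/2, the new `OAUTH_UPDATE_PICTURE_ON_LOGIN` entry gives no default and does not say whether a picture the user has set locally is replaced. The env-configuration.md hunk gives the default as `False`, so state it here too, and say explicitly that the stored picture is overwritten with the provider's value on each OAuth login if that is the behaviour. An administrator enabling this should know the identity provider then decides which avatar is displayed.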
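Review bot: in the docs/getting-started/env-configuration.md hunk, the Description line for `OAUTH_UPDATE_PICTURE_ON_LOGIN` omits the dependency that PATCH 2/2 adds to sso.md, namely that the setting is ignored when `OAUTH_PICTURE_CLAIM` is the empty string. This page is the reference for the variable, so repeat the caveat here, for example by appending "Ignored if `OAUTH_PICTURE_CLAIM` is set to the empty string." to the Description.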
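Review bot: in the PATCH 2/2 hunk for docs/features/sso.md, the `OAUTH_PICTURE_CLAIM` entry says "customize or disable profile picture storage" without stating that the value is the name of the claim read from the provider. The phrase "all users will receive the default person profile picture" also leaves open whether pictures already stored for existing users are reset or only later logins are affected. Suggest wording both points explicitly. The diffstat for this commit lists only sso.md, so check that env-configuration.md has a matching `OAUTH_PICTURE_CLAIM` entry covering the empty-string behaviour.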