Merge pull request #11603 from owncloud/oidc_claims_checker

feat: add a way to check for specific OIDC claims

deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json

@@ -1877,7 +1877,7 @@
       "description": "OpenID Connect scope for add acr (authentication context class reference) to the token",
       "protocol": "openid-connect",
       "attributes": {
-        "include.in.token.scope": "false",
+        "include.in.token.scope": "true",
         "display.on.consent.screen": "false"
       },
       "protocolMappers": [
@@ -2899,7 +2899,7 @@
       "config": {}
     }
   ],
-  "browserFlow": "browser",
+  "browserFlow": "step up flow",
   "registrationFlow": "registration",
   "directGrantFlow": "direct grant",
   "resetCredentialsFlow": "reset credentials",

deployments/examples/ocis_keycloak/docker-compose.yml

@@ -81,6 +81,8 @@ services:
       OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
       PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
       KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
+      OCIS_MFA_ENABLED: ${OCIS_MFA_ENABLED:-false}
+      WEB_OIDC_SCOPE: "openid profile email acr"
     volumes:
       - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
       - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml