From 8ff5baadbe210a83218cef3cd635bb2a3c361eba Mon Sep 17 00:00:00 2001 From: Florian Preinstorfer Date: Fri, 22 Aug 2025 14:14:26 +0200 Subject: [PATCH] Refresh OIDC docs The UserInfo endpoint is always queried since 5d8a2c2. This allows all OIDC-related features to be used without any extra configuration on Authelia. For Keycloak, it's sufficient to add the groups mapper to the userinfo endpoint. --- docs/ref/oidc.md | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/docs/ref/oidc.md b/docs/ref/oidc.md index 5de952a2..25845821 100644 --- a/docs/ref/oidc.md +++ b/docs/ref/oidc.md @@ -184,7 +184,7 @@ You may refer to users in the Headscale policy via: ## Supported OIDC claims Headscale uses [the standard OIDC claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) to -populate and update its local user profile on each login. OIDC claims are read from the ID Token or from the UserInfo +populate and update its local user profile on each login. OIDC claims are read from the ID Token and from the UserInfo endpoint. | Headscale profile | OIDC claim | Notes / examples | 
@@ -230,19 +230,6 @@ are known to work: Authelia is fully supported by Headscale. -#### Additional configuration to authorize users based on filters - -Authelia (4.39.0 or newer) no longer provides standard OIDC claims such as `email` or `groups` via the ID Token. The -OIDC `email` and `groups` claims are used to [authorize users with filters](#authorize-users-with-filters). This extra -configuration step is **only** needed if you need to authorize access based on one of the following user properties: - -- domain -- email address -- group membership - -Please follow the instructions from Authelia's documentation on how to [Restore Functionality Prior to Claims -Parameter](https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter). - ### Authentik - Authentik is fully supported by Headscale. @@ -297,7 +284,7 @@ you need to [authorize access based on group membership](#authorize-users-with-f - Create a new client scope `groups` for OpenID Connect: - Configure a `Group Membership` mapper with name `groups` and the token claim name `groups`. - - Enable the mapper for the ID Token, Access Token and UserInfo endpoint. + - Add the mapper to at least the UserInfo endpoint. - Configure the new client scope for your Headscale client: - Edit the Headscale client. - Search for the client scope `group`.
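Review bot: In the `@@ -184,7 +184,7 @@` hunk, changing "or" to "and" leaves the precedence undocumented: if a claim such as `email` or `groups` is present in both the ID Token and the UserInfo response with different values, the reader cannot tell which one populates the Headscale profile. Since the commit message states that the UserInfo endpoint is always queried since 5d8a2c2, add one sentence after "endpoint." saying so and stating which source wins on conflict, e.g. "The UserInfo endpoint is always queried; its claims take precedence over those in the ID Token" (or the reverse, whichever the code does). This matters for authorization, because the filters in "Authorize users with filters" key on exactly these claims.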
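Review bot: In the `@@ -230,19 +230,6 @@` hunk, deleting the whole Authelia subsection also removes the only place that told readers why Authelia 4.39.0+ omits `email` and `groups` from the ID Token and pointed them at the "Restore Functionality Prior to Claims Parameter" workaround. Users who applied that workaround now get no hint that it is no longer needed, and new users get no hint that the claims are taken from the UserInfo endpoint instead. Keep a single line under "Authelia is fully supported by Headscale.", such as "Authelia 4.39.0 and newer no longer include `email` or `groups` in the ID Token; Headscale reads them from the UserInfo endpoint, so no additional Authelia configuration is required for filters on domain, email address or group membership."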
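Review bot: In the `@@ -297,7 +284,7 @@` hunk, "Add the mapper to at least the UserInfo endpoint." is too vague for a click-by-click procedure: it neither says which Keycloak toggle to enable nor whether the ID Token and Access Token options may be left off. Rephrase to name the UserInfo option explicitly and state that the ID Token and Access Token options are optional for Headscale. The unchanged context below it also has a pre-existing mismatch worth fixing while this list is being touched: the scope is created as `groups` ("Create a new client scope `groups`") but the next step says "Search for the client scope `group`." Make the second occurrence `groups` as well, otherwise the search in the Keycloak UI will not find the scope just created.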