options:
  debug:
    default: False
    type: boolean
    description: |
      Enable debug logging.
  remote-id-attribute:
    default: 'HTTP_OIDC_ISS'
    type: string
    description: |
      Attribute used to obtain the entity ID of the OpenID Connect Provider.
  oidc-client-id:
    default: ''
    type: string
    description: |
      Client identifier used to connect to the OpenID Connect Provider.
  oidc-client-secret:
    default: ''
    type: string
    description: |
      Password used to authenticate with the OpenID Connect Provider.
  oidc-provider-metadata-url:
    default: ''
    type: string
    description: |
      URL to discover the OpenID Connect Provider and obtain information
      needed to interact with it, including its OAuth 2.0 endpoint
      locations. Example: https://example.com/.well-known/openid-configuration
  oidc-provider-issuer:
    default: ''
    type: string
    description: |
      Open ID Connect Provider issuer identifier (e.g. https://example.com
      ). Used when oidc-provider-metadata-url is not set or the metadata
      obtained from that URL does not set it.
  oidc-provider-auth-endpoint:
    default: ''
    type: string
    description: |
      Open ID Connect Provider authorization endpoint
      (e.g. https://example.com/as/authorization.oauth2). Used when
      oidc-provider-metadata-url is not set or the metadata obtained from that
      URL does not set it.
  oidc-provider-token-endpoint:
    default: ''
    type: string
    description: |
      Open ID Connect Provider token endpoint
      (e.g. https://example.com/as/token.oauth2). Used when
      oidc-provider-metadata-url is not set or the metadata obtained from that
      URL does not set it.
  oidc-provider-token-endpoint-auth:
    default: ''
    type: string
    description: |
      Authentication method for the Open ID Connect Provider token endpoint,
      possible options are: client_secret_basic, client_secret_post,
      client_secret_jwt, private_key_jwt or none. Used when
      oidc-provider-metadata-url is not set or the metadata obtained from that
      URL does not set it.
  oidc-provider-user-info-endpoint:
    default: ''
    type: string
    description: |
      Open ID Connect Provider user info endpoint
      (e.g. https://example.com/idp/userinfo.openid). Used when
      oidc-provider-metadata-url is not set or the metadata obtained from that
      URL does not set it.
  auth-type:
    default: 'auth-openidc'
    type: string
    description: |
      To add support to Bearer Access Token authentication flow that is used
      by applications that do not adopt the browser flow, such the OpenStack
      CLI, the auth-type must be set to auth-openidc (the default) otherwise
      to openid-connect.
  protocol_id:
    default: 'openid'
    type: string
    description: |
      Federation protocol name.
  oidc-remote-user-claim:
    default: ''
    type: string
    description: |
      The claim that is used when setting the REMOTE_USER variable on OpenID
      Connect protected paths, for example: email.
  oidc-provider-jwks-uri:
    default: ''
    type: string
    description: |
      .
  enable-oauth:
    default: true
    type: boolean
    description: |
      Set to true to enable OAuth2 support.
  oidc-oauth-verify-jwks-uri:
    default: ''
    type: string
    description: |
      The JWKs URL on which the Authorization Server publishes the keys used
      to sign its JWT access tokens.
  oidc-oauth-introspection-endpoint:
    default: ''
    type: string
    description: |
      OAuth 2.0 Authorization Server token introspection endpoint. When
      `enable-oauth` is set to true and this option unset (the default), the
      introspection endpoint available in the metadata will be used.