From 69e86b10249280c3e92e565c634b9b4bbb8de447 Mon Sep 17 00:00:00 2001
From: Christian Elberfeld <6413499+elberfeld@users.noreply.github.com>
Date: Fri, 31 May 2024 22:23:32 +0200
Subject: [PATCH] vpnserver

---
 .../docker_vpnserver/templates/config.yaml       | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/testserver/docker_vpnserver/templates/config.yaml b/testserver/docker_vpnserver/templates/config.yaml
index 8f0a143d..d78d145f 100644
--- a/testserver/docker_vpnserver/templates/config.yaml
+++ b/testserver/docker_vpnserver/templates/config.yaml
@@ -26,3 +26,19 @@ auth:
       - openid
       - profile
       - email
+    # You can optionally restrict access to users with an email address
+    # that matches an allowed domain.
+    # If empty or omitted then all email domains will be allowed.
+    # This is an advanced feature that allows you to define OIDC claim mapping expressions.
+    # This feature is used to define wg-access-server admins based off a claim in your OIDC token.
+    # A JSON-like object of claimKey: claimValue pairs as returned by the issuer is passed to the evaluation function. 
+    # See https://github.com/Knetic/govaluate/blob/9aa49832a739dcd78a5542ff189fb82c3e423116/MANUAL.md for the syntax.
+    claimMapping:
+      # This example works if you have a custom group_membership claim which is a list of strings 
+      admin: "true"
+      access: "true"
+    # Let wg-access-server retrieve the claims from the ID Token instead of querying the UserInfo endpoint.
+    # Some OIDC authorization provider implementations (e.g. ADFS) only publish claims in the ID Token.
+    claimsFromIDToken: false
+    # require this claim to be "true" to allow access for the user
+    # accessClaim: "access"
\ No newline at end of file
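Review bot: The `claimMapping` at L27–L28 assigns the constant `"true"` to both `admin` and `access`, so every user the OIDC issuer authenticates becomes a wg-access-server admin, and with `accessClaim` left commented out at L33 there is no claim gating access at all; the comment at L26 promises a `group_membership`-based example but the expressions that follow never reference that claim. If the any-user-is-admin behaviour is intended for this test server, say so explicitly, e.g. replace L26 with `# TEST SERVER ONLY: the constant "true" grants every authenticated OIDC user admin rights; a real deployment should use a claim expression such as "'admins' in group_membership" (govaluate syntax, see the manual linked above) and set accessClaim`. The comment at L18–L20 describes restricting logins to an allowed email domain, but no corresponding key is added beneath it, so it should either be dropped or paired with the option it documents. Minor: L23 and L26 carry trailing whitespace, and the file now ends without a newline (L34).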
-- 
GitLab