Update docs

docs/_static/env-vars/frontend_configvars.md

@@ -1,5 +1,5 @@
 
-2026-03-30-00-05-56
+2026-04-04-00-06-27
 
 # Deprecation Notice
 
@@ -88,13 +88,13 @@ Environment variables for the **frontend** service
 |`OCDAV_OCM_NAMESPACE`<br/>`FRONTENT_OCDAV_OCM_NAMESPACE`| 1.0.0 |string|`The human readable path prefix for the ocm shares.`|`/public`|
 |`OC_URL`<br/>`OCDAV_PUBLIC_URL`<br/>`FRONTENT_OCDAV_PUBLIC_URL`| 1.0.0 |string|`URL where OpenCloud is reachable for users.`|`https://localhost:9200`|
 |`OC_INSECURE`<br/>`OCDAV_INSECURE`<br/>`FRONTENT_OCDAV_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the GATEWAY service.`|`false`|
-|`OCDAV_ENABLE_HTTP_TPC`<br/>`FRONTENT_OCDAV_ENABLE_HTTP_TPC`| next |bool|`Enable HTTP / WebDAV Third-Party-Copy support.`|`false`|
+|`OCDAV_ENABLE_HTTP_TPC`<br/>`FRONTENT_OCDAV_ENABLE_HTTP_TPC`| 6.0.0 |bool|`Enable HTTP / WebDAV Third-Party-Copy support.`|`false`|
 |`OCDAV_GATEWAY_REQUEST_TIME`<br/>`FRONTENT_OUTOCDAV_GATEWAY_REQUEST_TIMEOUT`| 1.0.0 |int64|`Request timeout in seconds for requests from the oCDAV service to the GATEWAY service.`|`84300`|
 |`OC_MACHINE_AUTH_API_KEY`<br/>`OCDAV_MACHINE_AUTH_API_KEY`<br/>`FRONTENT_OCDAV_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``|
 |`OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`<br/>`FRONTENT_OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`| 1.0.0 |bool|`Allow the use of depth infinity in PROPFINDS. When enabled, a propfind will traverse through all subfolders. If many subfolders are expected, depth infinity can cause heavy server load and/or delayed response times.`|`false`|
-|`OCDAV_NAME_VALIDATION_INVALID_CHARS`<br/>`FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS`| next |[]string|`List of characters that are not allowed in file or folder names.`|`[  
+|`OCDAV_NAME_VALIDATION_INVALID_CHARS`<br/>`FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS`| 6.0.0 |[]string|`List of characters that are not allowed in file or folder names.`|`[  
  \]`|
-|`OCDAV_NAME_VALIDATION_MAX_LENGTH`<br/>`FRONTENT_OCDAV_NAME_VALIDATION_MAX_LENGTH`| next |int|`Max length of file or folder names.`|`255`|
+|`OCDAV_NAME_VALIDATION_MAX_LENGTH`<br/>`FRONTENT_OCDAV_NAME_VALIDATION_MAX_LENGTH`| 6.0.0 |int|`Max length of file or folder names.`|`255`|
 |`FRONTEND_CHECKSUMS_SUPPORTED_TYPES`| 1.0.0 |[]string|`A list of checksum types that indicate to clients which hashes the server can use to verify upload integrity. Supported types are 'sha1', 'md5' and 'adler32'. See the Environment Variable Types description for more details.`|`[sha1 md5 adler32]`|
 |`FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE`| 1.0.0 |string|`The supported checksum type for uploads that indicates to clients supporting multiple hash algorithms which one is preferred by the server. Must be one out of the defined list of SUPPORTED_TYPES.`|`sha1`|
 |`FRONTEND_READONLY_USER_ATTRIBUTES`| 1.0.0 |[]string|`A list of user attributes to indicate as read-only. Supported values: 'user.onPremisesSamAccountName' (username), 'user.displayName', 'user.mail', 'user.passwordProfile' (password), 'user.appRoleAssignments' (role), 'user.memberOf' (groups), 'user.accountEnabled' (login allowed), 'drive.quota' (quota). See the Environment Variable Types description for more details.`|`[]`|

docs/_static/env-vars/ocm_configvars.md

@@ -35,7 +35,7 @@ Environment variables for the **ocm** service
 |`OCM_MESH_DIRECTORY_URL`| 1.0.0 |string|`URL of the mesh directory service.`|``|
 |`OCM_DIRECTORY_SERVICE_URLS`| 3.5.0 |string|`Space delimited URLs of the directory services.`|``|
 |`OCM_INVITE_ACCEPT_DIALOG`| 3.5.0 |string|`/open-cloud-mesh/accept-invite;The frontend URL where to land when receiving an invitation`|`/open-cloud-mesh/accept-invite`|
-|`OC_INSECURE`<br/>`OCM_CLIENT_INSECURE`| next |bool|`Dev-only. Disable TLS verification for the OCM discovery client (directory fetch and provider discovery). Does not affect OCM invite manager, storage provider, or share provider. Do not set in production.`|`false`|
+|`OC_INSECURE`<br/>`OCM_CLIENT_INSECURE`| 6.0.0 |bool|`Dev-only. Disable TLS verification for the OCM discovery client (directory fetch and provider discovery). Does not affect OCM invite manager, storage provider, or share provider. Do not set in production.`|`false`|
 |`OCM_OCM_INVITE_MANAGER_DRIVER`| 1.0.0 |string|`Driver to be used to persist OCM invites. Supported value is only 'json'.`|`json`|
 |`OCM_OCM_INVITE_MANAGER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM invite data will be stored. This file is maintained by the instance and must not be changed manually. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/ocm.`|`/root/.opencloud/storage/ocm/ocminvites.json`|
 |`OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION`| 1.0.0 |Duration|`Expiry duration for invite tokens.`|`24h0m0s`|

docs/_static/env-vars/proxy.yaml

@@ -213,6 +213,7 @@ pre_signed_url:
 account_backend: cs3
 user_oidc_claim: preferred_username
 user_cs3_claim: username
+tenant_oidc_claim: ""
 machine_auth_api_key: ""
 auto_provision_accounts: false
 auto_provision_claims:

docs/_static/env-vars/proxy_configvars.md

@@ -46,6 +46,7 @@ Environment variables for the **proxy** service
 |`PROXY_ACCOUNT_BACKEND_TYPE`| 1.0.0 |string|`Account backend the PROXY service should use. Currently only 'cs3' is possible here.`|`cs3`|
 |`PROXY_USER_OIDC_CLAIM`| 1.0.0 |string|`The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim.`|`preferred_username`|
 |`PROXY_USER_CS3_CLAIM`| 1.0.0 |string|`The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'.`|`username`|
+|`PROXY_TENANT_OIDC_CLAIM`| next |string|`JMESPath expression to extract the tenant ID from the OIDC token claims. When set, the extracted value is verified against the tenant ID returned by the user backend, rejecting requests where they do not match. Only relevant when multi-tenancy is enabled.`|``|
 |`OC_MACHINE_AUTH_API_KEY`<br/>`PROXY_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary to access resources from other services.`|``|
 |`PROXY_AUTOPROVISION_ACCOUNTS`| 1.0.0 |bool|`Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running.`|`false`|
 |`PROXY_AUTOPROVISION_CLAIM_USERNAME`| 1.0.0 |string|`The name of the OIDC claim that holds the username.`|`preferred_username`|

docs/_static/env-vars/storage-users_configvars.md

@@ -1,5 +1,5 @@
 
-2026-03-30-00-05-56
+2026-04-04-00-06-27
 
 # Deprecation Notice
 

docs/_static/env-vars/webfinger_configvars.md

@@ -18,13 +18,13 @@ Environment variables for the **webfinger** service
 |`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``|
 |`WEBFINGER_RELATIONS`| 1.0.0 |[]string|`A list of relation URIs or registered relation types to add to webfinger responses. See the Environment Variable Types description for more details.`|`[http://openid.net/specs/connect/1.0/issuer http://webfinger.opencloud/rel/server-instance]`|
 |`OC_URL`<br/>`OC_OIDC_ISSUER`<br/>`WEBFINGER_OIDC_ISSUER`| 1.0.0 |string|`The identity provider href for the openid-discovery relation.`|`https://localhost:9200`|
-|`OC_OIDC_CLIENT_ID`<br/>`WEBFINGER_ANDROID_OIDC_CLIENT_ID`| next |string|`The OIDC client ID for Android app.`|`OpenCloudAndroid`|
-|`OC_OIDC_CLIENT_SCOPES`<br/>`WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES`| next |[]string|`The OIDC client scopes the Android app should request.`|`[openid profile email offline_access]`|
-|`OC_OIDC_CLIENT_ID`<br/>`WEBFINGER_DESKTOP_OIDC_CLIENT_ID`| next |string|`The OIDC client ID for the OpenCloud desktop application.`|`OpenCloudDesktop`|
-|`OC_OIDC_CLIENT_SCOPES`<br/>`WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES`| next |[]string|`The OIDC client scopes the OpenCloud desktop application should request.`|`[openid profile email offline_access]`|
-|`OC_OIDC_CLIENT_ID`<br/>`WEBFINGER_IOS_OIDC_CLIENT_ID`| next |string|`The OIDC client ID for the IOS app.`|`OpenCloudIOS`|
-|`OC_OIDC_CLIENT_SCOPES`<br/>`WEBFINGER_IOS_OIDC_CLIENT_SCOPES`| next |[]string|`The OIDC client scopes the IOS app should request.`|`[openid profile email offline_access]`|
-|`OC_OIDC_CLIENT_ID`<br/>`WEB_OIDC_CLIENT_ID`<br/>`WEBFINGER_WEB_OIDC_CLIENT_ID`| next |string|`The OIDC client ID for the OpenCloud web client. The 'WEB_OIDC_CLIENT_ID' setting is only here for backwards compatibility and will be remove in a future release.`|`web`|
-|`OC_OIDC_CLIENT_SCOPES`<br/>`WEB_OIDC_SCOPE`<br/>`WEBFINGER_WEB_OIDC_CLIENT_SCOPES`| next |[]string|`The OIDC client scopes the OpenCloud web client should request. The 'WEB_OIDC_SCOPE' setting is only here for backwards compatibility and will be remove in a future release.`|`[openid profile email]`|
+|`OC_OIDC_CLIENT_ID`<br/>`WEBFINGER_ANDROID_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for Android app.`|`OpenCloudAndroid`|
+|`OC_OIDC_CLIENT_SCOPES`<br/>`WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the Android app should request.`|`[openid profile email offline_access]`|
+|`OC_OIDC_CLIENT_ID`<br/>`WEBFINGER_DESKTOP_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the OpenCloud desktop application.`|`OpenCloudDesktop`|
+|`OC_OIDC_CLIENT_SCOPES`<br/>`WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the OpenCloud desktop application should request.`|`[openid profile email offline_access]`|
+|`OC_OIDC_CLIENT_ID`<br/>`WEBFINGER_IOS_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the IOS app.`|`OpenCloudIOS`|
+|`OC_OIDC_CLIENT_SCOPES`<br/>`WEBFINGER_IOS_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the IOS app should request.`|`[openid profile email offline_access]`|
+|`OC_OIDC_CLIENT_ID`<br/>`WEB_OIDC_CLIENT_ID`<br/>`WEBFINGER_WEB_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the OpenCloud web client. The 'WEB_OIDC_CLIENT_ID' setting is only here for backwards compatibility and will be remove in a future release.`|`web`|
+|`OC_OIDC_CLIENT_SCOPES`<br/>`WEB_OIDC_SCOPE`<br/>`WEBFINGER_WEB_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the OpenCloud web client should request. The 'WEB_OIDC_SCOPE' setting is only here for backwards compatibility and will be remove in a future release.`|`[openid profile email]`|
 |`OC_URL`<br/>`WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL`| 1.0.0 |string|`The URL for the legacy OpenCloud server instance relation (not to be confused with the product OpenCloud Server). It defaults to the OC_URL but can be overridden to support some reverse proxy corner cases. To shard the deployment, multiple instances can be configured in the configuration file.`|`https://localhost:9200`|
 |`OC_INSECURE`<br/>`WEBFINGER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the WEBFINGER service.`|`false`|