<![CDATA[OIDC customization settings not persistent]]>Hello,
I want to comment out the following entries in homeserver.yaml so that users can define their matrix usernames.

user_mapping_provider:
      config:
        #localpart_template: '{{ user.sub }}'
        #display_name_template: '{{ user.name }}'
        email_template: '{{ user.email }}'

But when restarting the app, the two lines are added again, uncommented, overwriting my changes.

]]>https://forum.cloudron.io/topic/14999/oidc-customization-settings-not-persistentRSS for NodeSun, 19 Apr 2026 08:46:04 GMTSun, 01 Feb 2026 20:34:57 GMT60<![CDATA[Reply to OIDC customization settings not persistent on Wed, 04 Feb 2026 10:35:03 GMT]]>The latest package will only set those now on installation, so it is possible to configure those and they will persists.

]]>https://forum.cloudron.io/post/119641https://forum.cloudron.io/post/119641Wed, 04 Feb 2026 10:35:03 GMT<![CDATA[Reply to OIDC customization settings not persistent on Mon, 02 Feb 2026 13:36:26 GMT]]>Yes, this makes perfect sense to me. That's also why I only want to change two specific parameters (localpart_template and display_name_template) and not the whole OIDC setup, which should be unmutable so to say. And in my case, I also wanted to ensure that email_template is kept in sync with the Cloudron account email, only giving freedom to set a desired handle and display name (although that one can be modified afterwards by the user).

P.S.: I did not test yet if other settings are persistent or not, as I intend to set a retention policy for synapse as well.

]]>https://forum.cloudron.io/post/119558https://forum.cloudron.io/post/119558Mon, 02 Feb 2026 13:36:26 GMT<![CDATA[Reply to OIDC customization settings not persistent on Mon, 02 Feb 2026 12:58:12 GMT]]>Since the OIDC settings like the endpoint origin may change, if an app was installed with OIDC through Cloudron enabled, we always have to ensure this.

If the user management should be left to the admin to configure, an app has to be installed without Cloudron usermanagement.

Unless we make this a post-install setting, reinstallation is the only way to persistently change those bits. Think of it similarily like the database setup of an app. Either Cloudron ensures the setup or it would require each admin to manually tweak those if changed by the platform or through an app update.

]]>https://forum.cloudron.io/post/119556https://forum.cloudron.io/post/119556Mon, 02 Feb 2026 12:58:12 GMT<![CDATA[Reply to OIDC customization settings not persistent on Mon, 02 Feb 2026 12:18:45 GMT]]>@james Yes, that would be perfect. The upper part of the start.sh script is checking if homeserver.yaml exists but the OIDC settings are not in that block.

]]>https://forum.cloudron.io/post/119555https://forum.cloudron.io/post/119555Mon, 02 Feb 2026 12:18:45 GMT<![CDATA[Reply to OIDC customization settings not persistent on Mon, 02 Feb 2026 10:00:38 GMT]]>Hello @mononym

When packaging a Cloudron app with OIDC support we make the app start up always handle the OIDC set up to ensure it is working.
You would like a change to the Matrix/Synapse app that if the /app/data/configs/homeserver.yaml was initially set up it should not be touched again to prevent reverting changes by the user.
Is that correct?

]]>https://forum.cloudron.io/post/119542https://forum.cloudron.io/post/119542Mon, 02 Feb 2026 10:00:38 GMT<![CDATA[Reply to OIDC customization settings not persistent on Mon, 02 Feb 2026 00:28:12 GMT]]>Guess it has something to do with app/pkg/start.sh

# oidc
if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
    echo " ==> Configuring OIDC auth"
    yq eval -i ".oidc_providers[0].idp_id=\"cloudron\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].idp_name=\"${CLOUDRON_OIDC_PROVIDER_NAME:-Cloudron}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].issuer=\"${CLOUDRON_OIDC_ISSUER}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].client_id=\"${CLOUDRON_OIDC_CLIENT_ID}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].client_secret=\"${CLOUDRON_OIDC_CLIENT_SECRET}\"" /app/data/configs/homeserver.yaml

    yq eval -i ".oidc_providers[0].scopes=[\"openid\", \"email\", \"profile\"]" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].authorization_endpoint=\"${CLOUDRON_OIDC_AUTH_ENDPOINT}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].token_endpoint=\"${CLOUDRON_OIDC_TOKEN_ENDPOINT}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].userinfo_endpoint=\"${CLOUDRON_OIDC_PROFILE_ENDPOINT}\"" /app/data/configs/homeserver.yaml
    # https://s3lph.me/ldap-to-oidc-migration-3-matrix.html
    yq eval -i ".oidc_providers[0].allow_existing_users=true" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].skip_verification=true" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].user_mapping_provider.config.localpart_template=\"{{ user.sub }}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].user_mapping_provider.config.display_name_template=\"{{ user.name }}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].user_mapping_provider.config.email_template=\"{{ user.email }}\"" /app/data/configs/homeserver.yaml
else

Basically, the script should not update the homeserver.yaml localpart_template key, if its value was set (manually) to null (changing it to null is maybe easier to detect than just commenting it out).

]]>https://forum.cloudron.io/post/119526https://forum.cloudron.io/post/119526Mon, 02 Feb 2026 00:28:12 GMT