From 722747c8161d602a2197918f6e15f952eb422c37 Mon Sep 17 00:00:00 2001 From: Thomas Skinner Date: Sun, 23 Mar 2025 22:37:33 -0500 Subject: [PATCH] fix #4234: add docs for openid optional userinfo request Signed-off-by: Thomas Skinner Tested-by: Mira Limbeck --- pveum.adoc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pveum.adoc b/pveum.adoc index b586eaf..ebb8e17 100644 --- a/pveum.adoc +++ b/pveum.adoc @@ -513,6 +513,14 @@ In some cases, OpenID servers may send groups claims which include invalid characters for {pve} group IDs. Any groups that contain characters not allowed in a {pve} group name are not included and a warning will be sent to the logs. +Advanced settings +^^^^^^^^^^^^^^^^^ + +* `Query userinfo endpoint` (`query-userinfo`): Enabling this option requires +the OpenID Connect authenticator to query the "userinfo" endpoint for claim +values. Disabling this option is useful for some identity providers that do not +support the "userinfo" endpoint (e.g. ADFS). + Examples ^^^^^^^^
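Review bot: The new `Query userinfo endpoint` (`query-userinfo`) bullet under "Advanced settings" states neither the option's default nor where claim values are read from once it is disabled. An administrator reading this next to the groups-claim paragraph just above cannot tell whether turning the option off affects the username or groups claims used for the realm. Suggest adding the default value and one sentence naming the source of claims in the disabled case. A wording point in the same bullet: "Enabling this option requires the OpenID Connect authenticator to query" reads like a prerequisite on the authenticator; "makes the OpenID Connect authenticator query" says what the setting does.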