feat: backport LoginFlowV2 OIDC config into v30 (HDNEXT-1914) #122

Merged: printminion-co merged 2 commits into ionos-dev-v30 from mk/dev/HDNEXT-1914-lfv2-config-backport on Jun 8, 2026

Conversation

@printminion-co (Contributor)

Summary

Backports LoginFlowV2 bearer-auth configuration from master into ionos-dev-v30 as required by HDNEXT-1914 (original work: HDNEXT-1714).

  • Cherry-pick e881b3c (configure-user-oidc.sh): add --check-bearer=1 to the occ user_oidc:provider call to enable bearer token checking
  • Cherry-pick ecde9e2 (configs/oidc.config.php): add two permanent bearer-auth keys:
    • selfencoded_bearer_validation_audience_check => false — IONOS access tokens carry aud=ionos.com (not per-client); audience check must be off (permanent per CISOLOGIN-902)
    • userinfo_bearer_validation => true — enables UserInfo fallback for mappingUid claim resolution since IONOS access tokens don't carry that claim (permanent per AD-7)

Test plan

  • Verify configs/oidc.config.php contains both new keys
  • After image roll: sudo -u www-data php /var/www/html/occ config:system:get --output=json user_oidc | tail -1 should show 7 keys including selfencoded_bearer_validation_audience_check and userinfo_bearer_validation
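
One way to automate the second test-plan check, as an added example that is not part of this pull request or the project's code: it takes the output of the occ command quoted above, reads the last line as `tail -1` does, and verifies both keys with strict boolean types. The placeholder_* keys and both sample outputs are constructed, since the page does not name the other five keys.

```python
import json

# Expected values come from the PR description. Types are checked strictly
# because a quoted "false" is a non-empty string, which PHP treats as truthy.
EXPECTED = {
    "selfencoded_bearer_validation_audience_check": False,
    "userinfo_bearer_validation": True,
}
EXPECTED_KEY_COUNT = 7  # "should show 7 keys" per the test plan


def check_user_oidc(occ_output: str) -> list[str]:
    """Return a list of problems; an empty list means the config matches."""
    lines = [ln for ln in occ_output.splitlines() if ln.strip()]
    if not lines:
        return ["occ produced no output"]
    try:
        cfg = json.loads(lines[-1])  # last non-empty line, as `tail -1` selects
    except json.JSONDecodeError as exc:
        return [f"last line is not JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["user_oidc is not a JSON object"]
    problems = []
    for key, want in EXPECTED.items():
        if key not in cfg:
            problems.append(f"missing key: {key}")
        elif cfg[key] is not want:  # identity check rejects "false", 0, null
            problems.append(f"{key} is {cfg[key]!r}, expected {want!r}")
    if len(cfg) != EXPECTED_KEY_COUNT:
        problems.append(f"{len(cfg)} keys present, expected {EXPECTED_KEY_COUNT}")
    return problems


# Constructed samples. The five placeholder_* keys are invented stand-ins
# for the user_oidc keys the page does not list.
_OTHER = {f"placeholder_{i}": "x" for i in range(1, 6)}
GOOD = "constructed warning line before the JSON\n" + json.dumps({**_OTHER, **EXPECTED})
BAD = json.dumps({**_OTHER, "selfencoded_bearer_validation_audience_check": "false"})

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD)):
        print(name, check_user_oidc(sample) or "ok")
```
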

bromiesTM and others added 2 commits June 8, 2026 15:36
Signed-off-by: Kai Henseler <kai.henseler@strato.de>
Signed-off-by: Aliza Held <aliza.held@strato.de>

Copilot AI left a comment

Pull request overview

Backports LoginFlowV2 bearer-auth related configuration into the v30 branch to align the user_oidc provider setup with the required OIDC bearer token validation behavior (HDNEXT-1914 / original HDNEXT-1714).

Changes:

  • Extend the occ user_oidc:provider setup to enable bearer token checking via --check-bearer=1.
  • Add permanent user_oidc config keys to disable bearer audience checking and enable UserInfo fallback for claim resolution.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
configure-user-oidc.sh | Adds --check-bearer=1 to the OIDC provider configuration call.
configs/oidc.config.php | Adds bearer-auth related user_oidc configuration keys and inline rationale comments.

@printminion-co printminion-co merged commit 43b41c6 into ionos-dev-v30 Jun 8, 2026
12 checks passed
@printminion-co printminion-co deleted the mk/dev/HDNEXT-1914-lfv2-config-backport branch June 8, 2026 13:52