From f1a607a63d6e8aa357b2c396eb0824aade1c1c89 Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Mon, 17 Oct 2022 11:26:45 +0100 Subject: [PATCH] document scopes requested by Coder --- admin/access-control/manage.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/admin/access-control/manage.md b/admin/access-control/manage.md index d3c7c6528..927509172 100644 --- a/admin/access-control/manage.md +++ b/admin/access-control/manage.md @@ -16,6 +16,9 @@ article. ## Coder's OIDC claims +Coder will request the scopes `openid`, `email`, and `profile` from your OIDC +provider. + Coder expects the following [OIDC claims](https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1#whats-a-claim) from your OIDC provider: @@ -26,6 +29,11 @@ from your OIDC provider: - `preferred_username` (username for dev URLs) +If the `name` or `email` claims are not present in the identity token returned +from your OIDC provider, Coder will request these from the `user-info` endpoint +of your OIDC provider. If hitting this endpoint is problematic, ensure that your +OIDC provider returns these claims in the tokens it provides. + You may need to map these to your existing claims within your OIDC provider's admin console. If `name` and `preferred_username` are not provided, Coder will derive both claims from the email address.
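Review bot: The first hunk (the added "Coder will request the scopes `openid`, `email`, and `profile`" sentence under "## Coder's OIDC claims") states the scopes without tying them to the claims the section goes on to list, so a reader configuring a provider that gates claims by scope does not learn why all three are needed. Suggest one clarifying clause, e.g. "`openid` is mandatory for OIDC; `email` carries the `email` claim and `profile` carries `name` and `preferred_username`, which Coder uses below", so that an administrator who sees a login fail with a missing claim knows which scope to allow on the provider side.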
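Review bot: In the second hunk, "the `user-info` endpoint" is not the name the OIDC spec or provider discovery documents use; it is the UserInfo endpoint, advertised as `userinfo_endpoint`, so write it as `userinfo` (or "UserInfo endpoint") to match what readers will see in their provider's configuration, and prefer "ID token" over "identity token" for the same reason. The fallback described here is also incomplete relative to the surrounding text: the paragraph covers only `name` and `email`, while the existing sentence that follows says Coder derives `name` and `preferred_username` from the email address when they are absent, so it is unclear whether a missing `preferred_username` also triggers the UserInfo request or goes straight to derivation; state the order explicitly (ID token, then UserInfo, then derivation from `email`, if that is the behaviour). Finally, "If hitting this endpoint is problematic" is vague; say what the likely problem is, e.g. "If the UserInfo endpoint is not reachable from your Coder deployment, configure your OIDC provider to include these claims in the ID token", so the sentence tells the reader what to check.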