From 4367fb2d078c52959aeca0fe6874539c53e8360d Mon Sep 17 00:00:00 2001
From: Max Kratz
Date: Thu, 18 Sep 2025 15:05:41 +0100
Subject: [PATCH] OIDC doc: adds missing `jwt_config` values to authentik example (#18931)

Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
---
 changelog.d/18931.doc | 2 ++
 docs/openid.md | 7 +++++++
 2 files changed, 9 insertions(+)
 create mode 100644 changelog.d/18931.doc

diff --git a/changelog.d/18931.doc b/changelog.d/18931.doc
new file mode 100644
index 000000000..8a2dcb865
--- /dev/null
+++ b/changelog.d/18931.doc
@@ -0,0 +1,2 @@
+Clarify necessary `jwt_config` parameter in OIDC documentation for authentik.
+Contributed by @maxkratz.
diff --git a/docs/openid.md b/docs/openid.md
index f86ba189c..819f75439 100644
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -186,6 +186,7 @@ oidc_providers:
 4. Note the slug of your application, Client ID and Client Secret.
 Note: RSA keys must be used for signing for Authentik, ECC keys do not work.
+Note: The provider must have a signing key set and must not use an encryption key.
 Synapse config:
 ```yaml
@@ -204,6 +205,12 @@ oidc_providers:
 config:
 localpart_template: "{{ user.preferred_username }}"
 display_name_template: "{{ user.preferred_username|capitalize }}" # TO BE FILLED: If your users have names in Authentik and you want those in Synapse, this should be replaced with user.name|capitalize.
+[...]
+jwt_config:
+ enabled: true
+ secret: "your client secret" # TO BE FILLED (same as `client_secret` above)
+ algorithm: "RS256"
+ # (...other fields)
 ```
 ### Dex