feat(webfinger): add desktop-specific OIDC issuer support

services/webfinger/pkg/command/server.go

@@ -121,6 +121,11 @@ func getRelationProviders(cfg *config.Config) (map[string]service.RelationProvid
 		switch relationURI {
 		case relations.OpenIDConnectRel:
 			rels[relationURI] = relations.OpenIDDiscovery(cfg.IDP)
+		case relations.OpenIDConnectDesktopRel:
+			// Handled below - can also be auto-enabled via DesktopIDP config
+			if cfg.DesktopIDP != "" {
+				rels[relationURI] = relations.OpenIDDiscoveryDesktop(cfg.DesktopIDP)
+			}
 		case relations.OpenCloudInstanceRel:
 			var err error
 			rels[relationURI], err = relations.OpenCloudInstance(cfg.Instances, cfg.OpenCloudURL)
@@ -131,5 +136,16 @@ func getRelationProviders(cfg *config.Config) (map[string]service.RelationProvid
 			return nil, fmt.Errorf("unknown relation '%s'", relationURI)
 		}
 	}
+
+	// Auto-enable desktop OIDC issuer when DesktopIDP is configured,
+	// even if not explicitly listed in Relations. This provides a simpler
+	// configuration experience - just set WEBFINGER_OIDC_ISSUER_DESKTOP.
+	// See: https://github.com/opencloud-eu/desktop/issues/246
+	if cfg.DesktopIDP != "" {
+		if _, exists := rels[relations.OpenIDConnectDesktopRel]; !exists {
+			rels[relations.OpenIDConnectDesktopRel] = relations.OpenIDDiscoveryDesktop(cfg.DesktopIDP)
+		}
+	}
+
 	return rels, nil
 }

services/webfinger/pkg/config/config.go

@@ -20,6 +20,7 @@ type Config struct {
 	Instances    []Instance `yaml:"instances"`
 	Relations    []string   `yaml:"relations" env:"WEBFINGER_RELATIONS" desc:"A list of relation URIs or registered relation types to add to webfinger responses. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
 	IDP          string     `yaml:"idp" env:"OC_URL;OC_OIDC_ISSUER;WEBFINGER_OIDC_ISSUER" desc:"The identity provider href for the openid-discovery relation." introductionVersion:"1.0.0"`
+	DesktopIDP   string     `yaml:"desktop_idp" env:"WEBFINGER_OIDC_ISSUER_DESKTOP" desc:"The identity provider href for desktop clients. When set, desktop clients will use this issuer instead of the default IDP. This allows configuring separate OIDC clients for web and desktop applications." introductionVersion:"%%NEXT%%"`
 	OpenCloudURL string     `yaml:"opencloud_url" env:"OC_URL;WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL" desc:"The URL for the legacy OpenCloud server instance relation (not to be confused with the product OpenCloud Server). It defaults to the OC_URL but can be overridden to support some reverse proxy corner cases. To shard the deployment, multiple instances can be configured in the configuration file." introductionVersion:"1.0.0"`
 	Insecure     bool       `yaml:"insecure" env:"OC_INSECURE;WEBFINGER_INSECURE" desc:"Allow insecure connections to the WEBFINGER service." introductionVersion:"1.0.0"`
 

services/webfinger/pkg/relations/openid_discovery.go

@@ -8,7 +8,8 @@ import (
 )
 
 const (
-	OpenIDConnectRel = "http://openid.net/specs/connect/1.0/issuer"
+	OpenIDConnectRel        = "http://openid.net/specs/connect/1.0/issuer"
+	OpenIDConnectDesktopRel = "http://openid.net/specs/connect/1.0/issuer/desktop"
 )
 
 type openIDDiscovery struct {
@@ -31,3 +32,27 @@ func (l *openIDDiscovery) Add(_ context.Context, jrd *webfinger.JSONResourceDesc
 		Href: l.Href,
 	})
 }
+
+type openIDDiscoveryDesktop struct {
+	Href string
+}
+
+// OpenIDDiscoveryDesktop adds the OpenID Connect issuer relation for desktop clients.
+// This allows identity providers that require separate OIDC clients per application type
+// (like Authentik, Kanidm, Zitadel) to provide a distinct issuer URL for desktop clients.
+// See: https://github.com/opencloud-eu/desktop/issues/246
+func OpenIDDiscoveryDesktop(href string) service.RelationProvider {
+	return &openIDDiscoveryDesktop{
+		Href: href,
+	}
+}
+
+func (l *openIDDiscoveryDesktop) Add(_ context.Context, jrd *webfinger.JSONResourceDescriptor) {
+	if jrd == nil {
+		jrd = &webfinger.JSONResourceDescriptor{}
+	}
+	jrd.Links = append(jrd.Links, webfinger.Link{
+		Rel:  OpenIDConnectDesktopRel,
+		Href: l.Href,
+	})
+}