diff --git a/.env.example b/.env.example
index 4f594547..eadda8b7 100644
--- a/.env.example
+++ b/.env.example
@@ -313,6 +313,23 @@ IDP_DOMAIN=
 IDP_ISSUER_URL=
 # Url of the account edit page from your Identity Provider.
 IDP_ACCOUNT_URL=
+# Global Client ID: You can override this by specifying a custom client ID, or leave it blank to use the OC defaults, as described in the documentation
+#OC_OIDC_CLIENT_ID=
+# Declares which property should be used for the oidc claim
+# Example: "roles"
+PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=
+# Defines the OIDC client scope
+# Example: "openid profile email roles"
+OC_OIDC_CLIENT_SCOPES=
+# Client specific environment vars
+#WEBFINGER_WEB_OIDC_CLIENT_ID=
+#WEBFINGER_WEB_OIDC_CLIENT_SCOPES=
+#WEBFINGER_IOS_OIDC_CLIENT_ID=
+#WEBFINGER_IOS_OIDC_CLIENT_SCOPES=
+#WEBFINGER_ANDROID_OIDC_CLIENT_ID=
+#WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES=
+#WEBFINGER_DESKTOP_OIDC_CLIENT_ID=
+#WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES=
 
 ## Shared User Directory Mode ##
 # Use together with idm/ldap-keycloak.yml and traefik/ldap-keycloak.yml
diff --git a/idm/external-idp.yml b/idm/external-idp.yml
index ff8a6a42..fb668893 100644
--- a/idm/external-idp.yml
+++ b/idm/external-idp.yml
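Review bot: `OC_OIDC_CLIENT_SCOPES=` and `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=` are left active with empty values while `OC_OIDC_CLIENT_ID` and all WEBFINGER_* entries are commented out, and of the two only the claim variable has a compose-side fallback (`:-roles` in idm/external-idp.yml); an empty `OC_OIDC_CLIENT_SCOPES` is therefore exported into the container as an empty string, and whether OpenCloud reads that as "use the default" is not visible here. Either comment it out like `#OC_OIDC_CLIENT_ID=` or state the fallback in its comment, e.g. `# Defines the OIDC client scopes requested from the IdP; leave blank to use the OpenCloud default`. The comment on the claim variable is vague about what it controls; suggest `# Name of the token claim the proxy reads OpenCloud role assignments from (used with PROXY_ROLE_ASSIGNMENT_DRIVER=oidc); it must match the claim your IdP actually emits`.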
@@ -14,7 +14,17 @@ services:
 GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
 FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
 PROXY_OIDC_REWRITE_WELLKNOWN: "true"
-WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
+OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID}
+OC_OIDC_CLIENT_SCOPES: ${OC_OIDC_CLIENT_SCOPES}
+PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: ${PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM:-roles}
+WEBFINGER_WEB_OIDC_CLIENT_ID: ${WEBFINGER_WEB_OIDC_CLIENT_ID}
+WEBFINGER_WEB_OIDC_CLIENT_SCOPES: ${WEBFINGER_WEB_OIDC_CLIENT_SCOPES}
+WEBFINGER_ANDROID_OIDC_CLIENT_ID: ${WEBFINGER_ANDROID_OIDC_CLIENT_ID}
+WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES: ${WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES}
+WEBFINGER_IOS_OIDC_CLIENT_ID: ${WEBFINGER_IOS_OIDC_CLIENT_ID}
+WEBFINGER_IOS_OIDC_CLIENT_SCOPES: ${WEBFINGER_IOS_OIDC_CLIENT_SCOPES}
+WEBFINGER_DESKTOP_OIDC_CLIENT_ID: ${WEBFINGER_DESKTOP_OIDC_CLIENT_ID}
+WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES: ${WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES}
 PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
 OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}
 # This specifies to start all services except idm and idp. These are replaced by external services.
@@ -45,6 +55,7 @@ services:
 WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
 ldap-server:
 image: bitnamilegacy/openldap:2.6
+# Bitnami images require GID 0 to write to internal socket and PID directories
 networks:
 opencloud-net:
 entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
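Review bot: `OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID}` drops the previous `:-web` fallback and none of the new `OC_OIDC_CLIENT_SCOPES`/`WEBFINGER_*` interpolations carry one, so every variable left unset in `.env` is injected into the container as an empty string (compose warns once per variable); whether OpenCloud treats an empty value as "unset, use the built-in default" or as an explicitly empty client ID / scope list is not visible from this hunk, and the `PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"` login path depends on it. If empty-means-default is guaranteed, say so in a comment above the block; otherwise restore fallbacks in the style of the claim line, e.g. `OC_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}`. Since the oidc role driver trusts whatever the IdP places in the claim named by `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM`, a comment such as `# the IdP must emit this claim only for the OpenCloud clients; with Keycloak's stock "roles" scope roles land under realm_access/resource_access, so a dedicated mapper is presumably required` would save operators a debugging round — hedged, since the IdP setup is not shown here. The `environment:` mapping continues outside the hunk.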
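Review bot: The new comment under `image:` states that the Bitnami image needs GID 0, but nothing in this hunk grants it (no `user:` or `group_add:` on `ldap-server`), and the service definition continues past the hunk; if the setting lives there, move the comment next to it or name the key it explains, e.g. `# Bitnami images require GID 0 (see group_add below) to write to internal socket and PID directories`. A comment that implies a root-group grant with no setting beside it is easy to misread as something still to be added.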