###############################################################################
# SSO (OIDC) Authentication
###############################################################################

# Enable SSO (Single Sign-On) authentication. Requires discovery URL and client credentials.
ENABLE_SSO=false

# Display name for the provider (shown in UI button)
SSO_PROVIDER_NAME=Keycloak

# OIDC client credentials
SSO_CLIENT_ID=speakr
SSO_CLIENT_SECRET=change-me

# OIDC discovery document URL (well-known endpoint)
SSO_DISCOVERY_URL=https://keycloak.example.com/realms/master/.well-known/openid-configuration

# Public redirect URI exposed by Speakr (must be registered in the IdP)
SSO_REDIRECT_URI=https://speakr.example.com/auth/sso/callback

# Auto-registration settings
# Allow automatic account creation for new users signing in via SSO.
SSO_AUTO_REGISTER=true

# Comma-separated list of allowed email domains for auto-registration.
# Leave empty to allow all domains (e.g., example.com,company.org).
SSO_ALLOWED_DOMAINS=

# Claims used to map user profile fields
SSO_DEFAULT_USERNAME_CLAIM=preferred_username
SSO_DEFAULT_NAME_CLAIM=name