# Example: IIIF Auth 2.0 — external (HMAC-signed callback) backend
#
# iiiris hosts no login UI of its own. On login, iiiris redirects
# (303) to an operator-hosted authentication service; that service
# authenticates the user by whatever means it likes (LDAP, Shibboleth,
# a homegrown form, …) and redirects back to iiiris with an
# HMAC-signed query string. iiiris verifies the signature and mints a
# session for the named user.
#
# Use this when:
#   - You have an existing auth service iiiris can't call directly
#   - OIDC is too heavyweight, or the upstream doesn't speak OIDC
#   - You need to insert custom logic between "user clicked login"
#     and "iiiris has a session" (consent screens, terms checks, etc.)
#
# The shared secret is referenced by env var (never inlined in YAML).
# iiiris reads it at startup; the operator's service uses the same
# secret to compute the HMAC-SHA256 signature.

server:
  addr: ":8080"

sources:
  filesystem:
    root: /var/iiiris/images

auth:
  profiles:
    sso:
      pattern: external
      label:
        en: ["External sign-in"]
      access_service:
        backend: external
        # On GET /iiif/auth/login/{profile}, iiiris 303s to:
        #   {url}?callback={iiiris-callback}&return_to={original-viewer}
        url: https://auth.example.org/login
        # Env var holding the HMAC-SHA256 shared secret. iiiris reads
        # it at boot; missing/empty = build error at startup.
        callback_secret_env: IIIRIS_EXTERNAL_AUTH_SECRET
      session_ttl: 8h
      token_ttl: 10m

  rules:
    - match: "sso-only/*"
      profile: sso

  cors:
    token_origins:
      - https://viewer.example.org

# --- Callback contract ----------------------------------------------------
#
# Your auth service must redirect to:
#
#   {callback}?user={username}&expires={unix-seconds}&signature={hex-or-b64url}
#
# where:
#
#   signature = HMAC-SHA256(secret, user + "|" + expires)
#
# Both hex (lower or upper-case) and base64url encodings are accepted.
# `expires` caps how long a single callback URL is usable, preventing
# replay if the redirect leaks (browser history, logs). iiiris rejects
# callbacks past `expires` regardless of signature validity.
#
# Example callback URL:
#   /iiif/auth/callback/sso?user=alice&expires=1735689600&signature=abc123...
