# Example: IIIF Auth 2.0 — OIDC backend
#
# iiiris is a first-class OpenID Connect client. On login, iiiris
# redirects to the issuer's authorization endpoint, then exchanges
# the returned code for tokens, validates the ID token, and mints a
# session with the user identity drawn from a configured claim
# (default: `sub`).
#
# Use this with any OIDC-compliant issuer:
#   - Okta, Auth0, Keycloak, Authentik
#   - Google, Microsoft Entra ID, GitLab, GitHub (note: GitHub is OAuth, not OIDC)
#   - Your campus IdP (Shibboleth → OIDC bridge), if it speaks OIDC
#
# Issuer discovery (.well-known/openid-configuration) happens at
# startup so misconfiguration fails fast rather than at the first
# login attempt.

server:
  addr: ":8080"

sources:
  filesystem:
    root: /var/iiiris/images

auth:
  profiles:
    sso:
      pattern: external                 # OIDC ≈ external SSO from the spec's perspective
      label:
        en: ["Sign in with SSO"]
      access_service:
        backend: oidc
        issuer: https://idp.example.org
        client_id: iiiris
        # Env var holding the OIDC client secret. Required.
        client_secret_env: IIIRIS_OIDC_CLIENT_SECRET
        # Optional. Defaults to ["openid", "profile", "email"] when empty.
        scopes:
          - openid
          - profile
          - email
        # Optional. Which OIDC claim names the session user. Defaults
        # to "sub" (the spec-mandated stable identifier). Common
        # alternatives:
        #   email                  — easier to log/audit, but mutable
        #   preferred_username     — provider-specific display name
        user_claim: email
      session_ttl: 8h
      token_ttl: 10m

  rules:
    - match: "sso-only/*"
      profile: sso

  cors:
    token_origins:
      - https://viewer.example.org

# --- Notes ----------------------------------------------------------------
#
# * iiiris runs the authorization-code flow with PKCE (no implicit, no
#   hybrid). The callback URL the issuer must accept is:
#     {public-iiiris-base}/iiif/auth/callback/{profile}
#
# * Register that exact URL with your IdP as an allowed redirect.
#
# * iiiris doesn't currently expose a refresh_token flow. Sessions
#   are minted on a fresh login; when session_ttl expires the user
#   re-logs in via the issuer (typically a silent redirect if the
#   user still has an active IdP session). This trade-off keeps the
#   integration code small and the failure modes few.
