IdP Configuration Guide
=======================

1. Required IdP Settings
-------------------------

Register a client/application in your IdP with the following settings:

- **Redirect URI**: must exactly match ``OIDC_REDIRECT_URI`` (e.g. ``https://app.example.eu/api/auth/callback``)
- **Allowed grant types**: ``authorization_code``, ``refresh_token``
- **PKCE**: required (``S256`` code challenge method)
- **Back-channel logout URL**: ``https://app.example.eu/api/auth/backchannel-logout``

2. Claim Configuration
----------------------

Ensure the following claims are included in the ID token:

+-----------------+--------------------------------------------------------------------+
| Claim           | Description                                                        |
+=================+====================================================================+
| ``sub``         | Unique subject identifier (required)                               |
+-----------------+--------------------------------------------------------------------+
| ``email``       | User email address                                                 |
+-----------------+--------------------------------------------------------------------+
| ``given_name``  | User first name                                                    |
+-----------------+--------------------------------------------------------------------+
| ``family_name`` | User last name                                                     |
+-----------------+--------------------------------------------------------------------+
| ``groups``      | List of group memberships (configurable via ``OIDC_GROUPS_CLAIM``) |
+-----------------+--------------------------------------------------------------------+

3. Group/Role Mapping
----------------------

Create a group named ``ai4drpm-admins`` (or the value of ``OIDC_ADMIN_GROUP``) in the IdP. Users in this group receive ``["user", "admin"]`` scopes; all other users receive ``["user"]``.

4. EULogin-Specific Notes
-------------------------

- Set ``OIDC_PROVIDER=eulogin``
- Back-channel logout is supported via the ``/api/auth/backchannel-logout`` endpoint
- EULogin issues a ``logout_token`` in the back-channel logout request; the app validates it and revokes all active refresh tokens for the affected user
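The following is an added example, not code from this guide or the application it describes: a stand-alone Python sketch of the two app-side steps the guide mentions, the group-to-scope mapping of section 3 and the claim checks a ``logout_token`` must pass before the back-channel logout endpoint of section 4 revokes a user's refresh tokens. It assumes the token's signature has already been verified against the IdP's JWKS, that the constants mirror the documented ``OIDC_ADMIN_GROUP`` / ``OIDC_GROUPS_CLAIM`` defaults, and that the issuer, client id and claim values are constructed placeholders.

```python
import time
from typing import Optional

# Defaults from this guide; the real app reads OIDC_ADMIN_GROUP / OIDC_GROUPS_CLAIM from its environment.
ADMIN_GROUP = "ai4drpm-admins"
GROUPS_CLAIM = "groups"
# Event URI that every OpenID Connect back-channel logout token must carry in its "events" claim.
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def scopes_for(id_token_claims: dict) -> list:
    """Section 3 mapping: members of the admin group get user+admin, everyone else gets user."""
    groups = id_token_claims.get(GROUPS_CLAIM) or []
    if isinstance(groups, str):  # some IdPs emit a single string instead of a list
        groups = [groups]
    return ["user", "admin"] if ADMIN_GROUP in groups else ["user"]


def validate_logout_token(claims: dict, issuer: str, client_id: str, seen_jti: set,
                          now: Optional[float] = None, max_skew: int = 300) -> str:
    """Claim checks on a decoded logout_token payload (signature assumed verified). Returns the subject."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the configured provider")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not include this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_skew:
        raise ValueError("iat missing or outside the accepted window")
    events = claims.get("events")
    if not isinstance(events, dict) or LOGOUT_EVENT not in events:
        raise ValueError("events claim lacks the back-channel logout event")
    if "nonce" in claims:  # a nonce marks an ID token; logout tokens must never carry one
        raise ValueError("nonce present: this is an ID token, not a logout token")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:  # reject replays of a previously processed token
        raise ValueError("jti missing or replayed")
    if not claims.get("sub"):  # per-user revocation needs a subject, not just a session id
        raise ValueError("sub missing")
    seen_jti.add(jti)
    return claims["sub"]


def revoke_refresh_tokens(store: dict, sub: str) -> int:
    """Drop every active refresh token held for `sub`; returns how many were revoked."""
    return len(store.pop(sub, set()))
```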