Authentication & Security
The application supports two authentication modes, controlled by OIDC_ENABLED.
OIDC Flow
When OIDC_ENABLED=true, authentication is delegated to an external OpenID Connect provider.
Browser → GET /api/auth/authorize → redirect to IdP
IdP → GET /api/auth/callback?code=…&state=…
App → exchanges the code at the IdP, provisions the local user (roles per Claim mapping below), returns tokens to the client
Client → sends Authorization: Bearer <access_token> on all protected endpoints
Client → POST /api/auth/refresh (token refresh)
Client → POST /api/auth/logout (revoke + end session)
Claim mapping
The IdP's groups claim is mapped to application roles: ["user", "admin"] when the claim contains the group named by OIDC_ADMIN_GROUP, otherwise ["user"].
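The two callback-side pieces the flow above depends on, as an added example that is not ai4drpm's own code: the state check that binds /api/auth/callback to the browser that started the login, and the groups-to-roles mapping. Only the meaning of OIDC_ADMIN_GROUP comes from this page; the function names, the shape of the claims dict and the sample group names are assumptions.

```python
import hmac
import secrets
from typing import Optional

# Added example, not ai4drpm's own code. OIDC_ADMIN_GROUP's meaning comes
# from the page; function names and the shape of the claims dict are assumed.


def new_state() -> str:
    """Unguessable `state` value to issue at /api/auth/authorize.

    Store it server-side (or in a signed, HttpOnly cookie) before redirecting;
    the IdP echoes it back on /api/auth/callback, which lets the app bind the
    callback to the browser that started the login and reject login CSRF."""
    return secrets.token_urlsafe(32)


def state_matches(expected: Optional[str], received: Optional[str]) -> bool:
    """Compare the stored state with the callback's in constant time.

    A missing value on either side is a failure, never a pass."""
    if not expected or not received:
        return False
    return hmac.compare_digest(expected, received)


def roles_from_claims(claims: dict, admin_group: str) -> list:
    """Map the IdP's `groups` claim to application roles.

    Anyone who reaches this point has authenticated, so "user" is always
    granted; "admin" is added only when the group named by OIDC_ADMIN_GROUP
    is present. IdPs disagree on the claim's shape (list, single string, or
    absent), so each case is handled and anything unexpected counts as
    "no groups" rather than raising or, worse, granting admin."""
    raw = claims.get("groups")
    if isinstance(raw, str):
        groups = {raw}
    elif isinstance(raw, (list, tuple, set)):
        groups = {g for g in raw if isinstance(g, str)}
    else:
        groups = set()
    roles = ["user"]
    if admin_group and admin_group in groups:
        roles.append("admin")
    return roles
```

Note that an empty or unset admin group never grants admin, and that the mapping is computed at provisioning time from the IdP's claim rather than trusted from anything the client sends.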
Legacy JWT (fallback)
When OIDC_ENABLED=false, username/password login via POST /api/auth/login issues
a local HS256 JWT, i.e. a token signed with a single server-side shared secret
(HS256 is symmetric, so anyone holding that secret can mint tokens). See
ai4drpm.auth.security for details.
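What minting and verifying such a local HS256 JWT involves, as an added example built on the standard library only; this is not ai4drpm.auth.security. The secret, the 15-minute lifetime, the claim names and the error strings are assumptions made for the example. The part worth reading is the order of checks in verify_token: the alg is pinned before anything is trusted, the MAC is compared in constant time, and the claims are parsed only after the signature holds.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Added example, not ai4drpm.auth.security. The secret, the 15-minute
# lifetime, the claim names and the error strings are assumptions.

SECRET = b"example-only-do-not-ship"   # constructed; load from configuration in practice
TOKEN_LIFETIME = 15 * 60               # assumed access-token lifetime, seconds


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding JWT strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(signing_input: bytes, secret: bytes) -> bytes:
    """HMAC-SHA256 over header.payload, which is all HS256 is."""
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_token(username: str, roles: list, secret: bytes = SECRET, now: Optional[int] = None) -> str:
    """Mint the compact HS256 JWT that POST /api/auth/login would return."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "roles": roles, "iat": now, "exp": now + TOKEN_LIFETIME}
    parts = [b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
             b64url_encode(json.dumps(payload, separators=(",", ":")).encode())]
    signing_input = ".".join(parts).encode("ascii")
    parts.append(b64url_encode(hs256_sign(signing_input, secret)))
    return ".".join(parts)


def verify_token(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> dict:
    """Return the claims of a valid bearer token, or raise ValueError.

    The order is deliberate: alg is pinned to HS256 before anything else is
    trusted (so "none" or an RS256 header can never pass), the MAC is checked
    in constant time, and only then are the claims parsed and exp enforced."""
    now = int(time.time()) if now is None else now
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = segments
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hs256_sign(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired")
    return claims


def token_error(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> Optional[str]:
    """None when the token verifies, otherwise the rejection reason."""
    try:
        verify_token(token, secret, now)
        return None
    except ValueError as exc:
        return str(exc)
```

Because the same secret both signs and verifies, the check that rejects a non-HS256 header is what stops an attacker from re-labelling a token as alg "none" or as an asymmetric algorithm; a verifier that honours whatever alg the token names is the classic JWT mistake.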