# Base URL of the OIDC provider (e.g. Keycloak realm URL)
OIDC_PROVIDER_URL=http://localhost:8080

# OAuth2 client credentials (required)
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret

# Full callback URL — must match the redirect URI configured at the provider
OIDC_REDIRECT_URI=http://localhost:3000/auth/callback

# Secret key for encrypting session cookies (at least 32 bytes)
OIDC_COOKIE_KEY=change-me-to-a-random-64-char-string

# Maximum session age in minutes
OIDC_SESSION_MAX_AGE=3600

# Space-separated OAuth2 scopes to request
OIDC_SCOPES=openid profile

# URL to redirect to after logout
OIDC_POST_LOGOUT_REDIRECT_URI=/

# Path to the SQLite database file for session storage
OIDC_SQLITE_PATH=sessions.db

# Base path for auth routes (default: /auth)
OIDC_AUTH_BASE_PATH=/auth