feat(oidc): implement OIDC authentication flow and user management

.env.example

@@ -25,9 +25,6 @@ AUTH_ENABLED=false
 # Allow new user registrations (auto-enabled when no users exist)
 # REGISTRATION_ENABLED=false
 
-# Disable local auth (for SSO-only setups in Phase 2)
-# DISABLE_LOCAL_AUTH=false
-
 # JWT Secrets - REQUIRED when AUTH_ENABLED=true
 # Generate with: openssl rand -hex 32
 # JWT_SECRET=
@@ -38,6 +35,34 @@ AUTH_ENABLED=false
 # ACCESS_TOKEN_TTL_MINUTES=15
 # REFRESH_TOKEN_TTL_DAYS=7
 
+# =============================================================================
+# OIDC SSO (optional - for Pocket ID, Authelia, Authentik, etc.)
+# =============================================================================
+# Enable OIDC authentication
+# OIDC_ENABLED=false
+
+# OIDC Provider URL (discovery endpoint will be auto-detected)
+# OIDC_ISSUER_URL=https://auth.example.com
+
+# Client credentials (from your OIDC provider)
+# OIDC_CLIENT_ID=medassist
+# OIDC_CLIENT_SECRET=your-client-secret
+
+# Callback URL (must match what's configured in your OIDC provider)
+# OIDC_REDIRECT_URI=https://medassist.example.com/api/auth/oidc/callback
+
+# OIDC scopes to request (default: openid profile email)
+# OIDC_SCOPES=openid profile email
+
+# Claim to use as username (options: preferred_username, email, sub)
+# OIDC_USERNAME_CLAIM=preferred_username
+
+# Auto-create users on first SSO login (default: true)
+# OIDC_AUTO_CREATE_USERS=true
+
+# Provider name for login button (e.g., "Pocket ID", "Authelia", "SSO")
+# OIDC_PROVIDER_NAME=SSO
+
 # SMTP (optional - for email notifications and password reset)
 SMTP_HOST=
 SMTP_PORT=587