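# Example environment file for a SwissOID relying party.
# Every value below is a placeholder. Keep the filled-in copy out of version
# control and supply real secrets through your deployment's secret store.
# Comments are on their own lines because not every env-file loader strips
# trailing comments from values.

# SwissOID Configuration

# The SwissOID issuer URL (OpenID Provider).
# Use https; the issuer, token endpoint and JWKS URI should all belong to the
# same provider, because the keys served at the JWKS URI decide which tokens
# are accepted.
SWISSOID_ISSUER=https://api.swissoid.com

# Your client ID registered with SwissOID
SWISSOID_CLIENT_ID=your-client-id

# Your client secret (for confidential clients).
# Server-side only: never expose it to the frontend or write it to logs.
SWISSOID_CLIENT_SECRET=your-client-secret-here

# SwissOID token endpoint for exchanging authorization codes
SWISSOID_TOKEN_ENDPOINT=https://api.swissoid.com/token

# SwissOID JWKS URI for JWT verification
SWISSOID_JWKS_URI=https://api.swissoid.com/.well-known/jwks.json

# SwissOID authorize endpoint (optional, defaults to SWISSOID_ISSUER/authorize)
SWISSOID_AUTHORIZE_ENDPOINT=https://api.swissoid.com/authorize

# Redis Configuration

# Redis connection URL (if provided, overrides host/port settings)
REDIS_URL=redis://localhost:6379

# Redis host (defaults to localhost if REDIS_URL not provided)
REDIS_HOST=localhost

# Redis port (defaults to 6379 if REDIS_URL not provided)
REDIS_PORT=6379

# Redis password (optional).
# Leave empty only for a local, loopback-bound Redis. Outside local
# development, enable Redis authentication and restrict network access to it.
REDIS_PASSWORD=

# Redis database index (defaults to 0)
REDIS_DB=0

# RP (Relying Party) Configuration

# Frontend URL where users should be redirected after authentication.
# The http://localhost value is for local development; use https in production.
RP_FRONTEND_URL=http://localhost:3000

# Base URL for OIDC redirect (used to construct callback URL).
# The callback URL will be: OIDC_REDIRECT_BASE_URL/oidc/callback
# Use https in production; the resulting callback URL has to match the
# redirect URI registered for this client.
OIDC_REDIRECT_BASE_URL=http://localhost:3668

# Alternative: Explicitly set the callback URL
# RP_CALLBACK_URL=http://localhost:3668/oidc/callback

# Cookie domain for session cookies (use leading dot for subdomains).
# Examples:
#   localhost (for local development)
#   .example.com (for all subdomains of example.com)
# A parent-domain value sends the session cookie to every subdomain, so choose
# the narrowest domain that works for your deployment.
COOKIE_DOMAIN=localhost

# Alternative cookie domain variable name (either COOKIE_DOMAIN or RP_COOKIE_DOMAIN works)
# RP_COOKIE_DOMAIN=localhost

# Session Configuration

# Name of the session cookie
SESSION_COOKIE_NAME=connect.sid

# Secret key for signing sessions (use a strong random string in production).
# Generate it from a CSPRNG, for example: openssl rand -base64 32
# Anyone who learns this value can forge session signatures; changing it
# presumably invalidates existing sessions (confirm against the library).
SESSION_SECRET=your-session-secret-here-use-strong-random-string

# Secret for signing state parameters (optional, defaults to SESSION_SECRET + '-state-signing').
# With the default, a leak of SESSION_SECRET also exposes the state-signing
# key; set an independent random value in production.
# STATE_SIGNING_SECRET=your-state-signing-secret

# Session TTL in seconds (optional, defaults to 7200 = 2 hours).
# A shorter TTL limits how long a stolen session cookie remains usable.
# SESSION_TTL=7200

# Refresh token TTL in seconds (optional, defaults to 604800 = 7 days)
# REFRESH_TTL=604800

# Refresh cookie name (optional, defaults to 'rid')
# REFRESH_COOKIE_NAME=rid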