# Story 8.1: OpenID Connect (OIDC) Support

## Metadata

- **Story ID**: 8.1
- **Title**: OpenID Connect (OIDC) Support
- **Epic**: 8 - Advanced Features & Polish
- **Status**: Pending
- **Priority**: Low
- **Estimated Time**: 6-8 hours
- **Dependencies**: 2.1

## Goal

Add OpenID Connect (OIDC) support for external identity providers and OIDC provider capabilities.

## Description

This story implements OIDC client support for validating tokens from external IdPs and optional OIDC provider functionality.

## Deliverables

### 1. OIDC Client Support

- Install `github.com/coreos/go-oidc`
- Validate tokens from external IdP
- Map claims to internal user
- Integration with authentication system

### 2. OIDC Provider (Optional)

- Discovery endpoint
- JWKS endpoint
- Token endpoint
- UserInfo endpoint

### 3. Documentation

- Document OIDC setup in `docs/auth.md`
- Configuration examples
- Integration guide

## Acceptance Criteria

- [ ] OIDC client validates external tokens
- [ ] Claims are mapped to internal users
- [ ] OIDC provider works (if implemented)
- [ ] Documentation is complete

## Files to Create/Modify

- `internal/auth/oidc_client.go` - OIDC client
- `internal/auth/oidc_provider.go` - OIDC provider (optional)
- `docs/auth.md` - OIDC documentation
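One way to approach the "Map claims to internal user" deliverable, as an added example that is not the project's own code: users are bound to the (`iss`, `sub`) pair, which OIDC defines as the only stable identifier, rather than to the email claim. `IDClaims`, `User`, `Directory`, `MapClaims`, the issuer URL and the verified-email policy are assumptions, and the claims are assumed to come from a token go-oidc has already verified.

```go
package main

import (
	"errors"
	"fmt"
)

// IDClaims is the claim subset used for mapping. Assumption: it is filled only
// after go-oidc verified the token (IDTokenVerifier.Verify, then IDToken.Claims).
type IDClaims struct {
	Issuer        string `json:"iss"`
	Subject       string `json:"sub"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

// User and Directory are hypothetical stand-ins; identity is the stable (iss, sub) key.
type User struct{ Email string }
type identity struct{ iss, sub string }
type Directory struct {
	trusted map[string]bool // issuer allow-list
	users   map[identity]*User
}

var (
	ErrIdentity = errors.New("untrusted issuer or empty sub claim")
	ErrEmail    = errors.New("email missing or not verified by the IdP")
)

// MapClaims returns the user bound to (iss, sub), provisioning it on first login.
func (d *Directory) MapClaims(c IDClaims) (*User, error) {
	if !d.trusted[c.Issuer] || c.Subject == "" {
		return nil, ErrIdentity
	}
	key := identity{c.Issuer, c.Subject}
	if u, ok := d.users[key]; ok {
		return u, nil // existing binding wins even if the email claim changed
	}
	if c.Email == "" || !c.EmailVerified {
		return nil, ErrEmail // assumed policy: first login needs a verified email
	}
	u := &User{Email: c.Email}
	d.users[key] = u
	return u, nil
}

func main() {
	d := &Directory{map[string]bool{"https://idp.example.test": true}, map[identity]*User{}}
	fmt.Println(d.MapClaims(IDClaims{"https://idp.example.test", "sub-1", "a@example.test", true}))
}
```

Because the lookup never matches on email, a second IdP account that presents the same address gets its own user instead of inheriting an existing one.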